Chapter 6 Foundations of Business Intelligence: Databases and Information Management
6.1
ORGANIZING DATA IN A TRADITIONAL FILE
ENVIRONMENT
A
n effective information system provides users with accurate, timely,
and relevant information. Accurate information is free of errors.
Information is timely when it is available to decision makers when it
is needed. Information is relevant when it is useful and appropriate
for the types of work and decisions that require it.
You might be surprised to learn that many businesses don’t have timely,
accurate, or relevant information because the data in their information systems
have been poorly organized and maintained. That’s why data management is so
essential. To understand the problem, let’s look at how information systems
arrange data in computer files and traditional methods of file management.
FILE ORGANIZATION TERMS AND CONCEPTS
A computer system organizes data in a hierarchy that starts with bits and
bytes and progresses to fields, records, files, and databases (see Figure 6-1).
A bit represents the smallest unit of data a computer can handle. A group of
bits, called a byte, represents a single character, which can be a letter, a
FIGURE 6-1
THE DATA HIERARCHY
A computer system organizes data in a hierarchy that starts with the bit, which represents either a 0
or a 1. Bits can be grouped to form a byte to represent one character, number, or symbol. Bytes can be
grouped to form a field, and related fields can be grouped to form a record. Related records can be
collected to form a file, and related files can be organized into a database.
209
210
Part Two Information Technology Infrastructure
number, or another symbol. A grouping of characters into a word, a group of
words, or a complete number (such as a person’s name or age) is called a
field. A group of related fields, such as the student’s name, the course taken,
the date, and the grade, comprises a record; a group of records of the same
type is called a file.
For example, the records in Figure 6-1 could constitute a student course file.
A group of related files makes up a database. The student course file illustrated
in Figure 6-1 could be grouped with files on students’ personal histories and
financial backgrounds to create a student database.
A record describes an entity. An entity is a person, place, thing, or event on
which we store and maintain information. Each characteristic or quality
describing a particular entity is called an attribute. For example, Student_ID,
Course, Date, and Grade are attributes of the entity COURSE. The specific
values that these attributes can have are found in the fields of the record
describing the entity COURSE.
PROBLEMS WITH THE TRADITIONAL FILE
ENVIRONMENT
In most organizations, systems tended to grow independently without a
company-wide plan. Accounting, finance, manufacturing, human resources,
and sales and marketing all developed their own systems and data files.
Figure 6-2 illustrates the traditional approach to information processing.
FIGURE 6-2
TRADITIONAL FILE PROCESSING
The use of a traditional approach to file processing encourages each functional area in a corporation
to develop specialized applications. Each application requires a unique data file that is likely to be a
subset of the master file. These subsets of the master file lead to data redundancy and inconsistency,
processing inflexibility, and wasted storage resources.
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
Each application, of course, required its own files and its own computer
program to operate. For example, the human resources functional area might
have a personnel master file, a payroll file, a medical insurance file, a pension
file, a mailing list file, and so forth until tens, perhaps hundreds, of files and
programs existed. In the company as a whole, this process led to multiple
master files created, maintained, and operated by separate divisions or departments. As this process goes on for 5 or 10 years, the organization is saddled with
hundreds of programs and applications that are very difficult to maintain and
manage. The resulting problems are data redundancy and inconsistency,
program-data dependence, inflexibility, poor data security, and an inability to
share data among applications.
Data Redundancy and Inconsistency
Data redundancy is the presence of duplicate data in multiple data files so
that the same data are stored in more than place or location. Data
redundancy occurs when different groups in an organization independently
collect the same piece of data and store it independently of each other. Data
redundancy wastes storage resources and also leads to data inconsistency,
where the same attribute may have different values. For example, in
instances of the entity COURSE illustrated in Figure 6-1, the Date may be
updated in some systems but not in others. The same attribute, Student_ID,
may also have different names in different systems throughout the organization. Some systems might use Student_ID and others might use ID, for
example.
Additional confusion might result from using different coding systems to
represent values for an attribute. For instance, the sales, inventory, and manufacturing systems of a clothing retailer might use different codes to represent
clothing size. One system might represent clothing size as “extra large,”
whereas another might use the code “XL” for the same purpose. The resulting
confusion would make it difficult for companies to create customer relationship
management, supply chain management, or enterprise systems that integrate
data from different sources.
Program-Data Dependence
Program-data dependence refers to the coupling of data stored in files and the
specific programs required to update and maintain those files such that changes
in programs require changes to the data. Every traditional computer program
has to describe the location and nature of the data with which it works. In a
traditional file environment, any change in a software program could require a
change in the data accessed by that program. One program might be modified
from a five-digit to a nine-digit ZIP code. If the original data file were changed
from five-digit to nine-digit ZIP codes, then other programs that required the
five-digit ZIP code would no longer work properly. Such changes could cost
millions of dollars to implement properly.
L ack of Flexibility
A traditional file system can deliver routine scheduled reports after extensive
programming efforts, but it cannot deliver ad hoc reports or respond to
unanticipated information requirements in a timely fashion. The information
required by ad hoc requests is somewhere in the system but may be too expensive to retrieve. Several programmers might have to work for weeks to put
together the required data items in a new file.
211
212
Part Two Information Technology Infrastructure
Poor Security
Because there is little control or management of data, access to and dissemination of information may be out of control. Management may have no way
of knowing who is accessing or even making changes to the organization’s
data.
Lack of Data Sharing and Availability
Because pieces of information in different files and different parts of the
organization cannot be related to one another, it is virtually impossible for
information to be shared or accessed in a timely manner. Information cannot
flow freely across different functional areas or different parts of the organization. If users find different values of the same piece of information in two
different systems, they may not want to use these systems because they cannot
trust the accuracy of their data.
6.2
THE DATABASE APPROACH TO DATA
MANAGEMENT
Database technology cuts through many of the problems of traditional file
organization. A more rigorous definition of a database is a collection of data
organized to serve many applications efficiently by centralizing the data and
controlling redundant data. Rather than storing data in separate files for each
application, data are stored so as to appear to users as being stored in only one
location. A single database services multiple applications. For example, instead
of a corporation storing employee data in separate information systems and
separate files for personnel, payroll, and benefits, the corporation could create
a single common human resources database.
DATABASE MANAGEMENT SYSTEMS
A database management system (DBMS) is software that permits an
organization to centralize data, manage them efficiently, and provide access
to the stored data by application programs. The DBMS acts as an interface
between application programs and the physical data files. When the application program calls for a data item, such as gross pay, the DBMS finds this item
in the database and presents it to the application program. Using traditional
data files, the programmer would have to specify the size and format of each
data element used in the program and then tell the computer where they
were located.
The DBMS relieves the programmer or end user from the task of understanding where and how the data are actually stored by separating the logical
and physical views of the data. The logical view presents data as they would be
perceived by end users or business specialists, whereas the physical view
shows how data are actually organized and structured on physical storage
media.
The database management software makes the physical database available
for different logical views required by users. For example, for the human
resources database illustrated in Figure 6-3, a benefits specialist might require a
view consisting of the employee’s name, social security number, and health
insurance coverage. A payroll department member might need data such as the
employee’s name, social security number, gross pay, and net pay. The data for
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
FIGURE 6-3
HUMAN RESOURCES DATABASE WITH MULTIPLE VIEWS
A single human resources database provides many different views of data, depending on the information requirements of the user. Illustrated here are two possible views, one of interest to a benefits
specialist and one of interest to a member of the company’s payroll department.
all these views are stored in a single database, where they can be more easily
managed by the organization.
H o w a D B M S S o l v e s t h e P r o b l e m s o f t h e Tr a d i t i o n a l
File Environment
A DBMS reduces data redundancy and inconsistency by minimizing isolated
files in which the same data are repeated. The DBMS may not enable the
organization to eliminate data redundancy entirely, but it can help control
redundancy. Even if the organization maintains some redundant data, using
a DBMS eliminates data inconsistency because the DBMS can help the
organization ensure that every occurrence of redundant data has the same
values. The DBMS uncouples programs and data, enabling data to stand on
their own. Access and availability of information will be increased and
program development and maintenance costs reduced because users
and programmers can perform ad hoc queries of data in the database.
The DBMS enables the organization to centrally manage data, their use, and
security.
Relational DBMS
Contemporary DBMS use different database models to keep track of entities,
attributes, and relationships. The most popular type of DBMS today for PCs as
well as for larger computers and mainframes is the relational DBMS.
Relational databases represent data as two-dimensional tables (called
relations). Tables may be referred to as files. Each table contains data on an
entity and its attributes. Microsoft Access is a relational DBMS for desktop
systems, whereas DB2, Oracle Database, and Microsoft SQL Server are
relational DBMS for large mainframes and midrange computers. MySQL is a
popular open-source DBMS, and Oracle Database Lite is a DBMS for small
handheld computing devices.
213
214
Part Two Information Technology Infrastructure
Let’s look at how a relational database organizes data about suppliers and
parts (see Figure 6-4). The database has a separate table for the entity
SUPPLIER and a table for the entity PART. Each table consists of a grid of
columns and rows of data. Each individual element of data for each entity is
stored as a separate field, and each field represents an attribute for that entity.
Fields in a relational database are also called columns. For the entity
SUPPLIER, the supplier identification number, name, street, city, state, and ZIP
code are stored as separate fields within the SUPPLIER table and each field represents an attribute for the entity SUPPLIER.
The actual information about a single supplier that resides in a table is called
a row. Rows are commonly referred to as records, or in very technical terms, as
tuples. Data for the entity PART have their own separate table.
The field for Supplier_Number in the SUPPLIER table uniquely identifies
each record so that the record can be retrieved, updated, or sorted and it is
called a key field. Each table in a relational database has one field that is
designated as its primary key. This key field is the unique identifier for all the
information in any row of the table and this primary key cannot be duplicated.
FIGURE 6-4
RELATIONAL DATABASE TABLES
A relational database organizes data in the form of two-dimensional tables. Illustrated here are tables for the entities SUPPLIER and PART
showing how they represent each entity and its attributes. Supplier_Number is a primary key for the SUPPLIER table and a foreign key for
the PART table.
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
Supplier_Number is the primary key for the SUPPLIER table and Part_Number
is the primary key for the PART table. Note that Supplier_Number appears in
both the SUPPLIER and PART tables. In the SUPPLIER table, Supplier_Number
is the primary key. When the field Supplier_Number appears in the PART table
it is called a foreign key and is essentially a lookup field to look up data about
the supplier of a specific part.
Operations of a Relational DBMS
Relational database tables can be combined easily to deliver data required by
users, provided that any two tables share a common data element. Suppose we
wanted to find in this database the names of suppliers who could provide us
with part number 137 or part number 150. We would need information from
two tables: the SUPPLIER table and the PART table. Note that these two files
have a shared data element: Supplier_Number.
In a relational database, three basic operations, as shown in Figure 6-5,
are used to develop useful sets of data: select, join, and project. The select
operation creates a subset consisting of all records in the file that meet stated
criteria. Select creates, in other words, a subset of rows that meet certain
criteria. In our example, we want to select records (rows) from the PART table
where the Part_Number equals 137 or 150. The join operation combines
relational tables to provide the user with more information than is available in
individual tables. In our example, we want to join the now-shortened PART
table (only parts 137 or 150 will be presented) and the SUPPLIER table into a
single new table.
The project operation creates a subset consisting of columns in a table,
permitting the user to create new tables that contain only the information
required. In our example, we want to extract from the new table only the following
columns: Part_Number, Part_Name, Supplier_Number, and Supplier_Name.
Object-Oriented DBMS
Many applications today and in the future require databases that can store and
retrieve not only structured numbers and characters but also drawings, images,
photographs, voice, and full-motion video. DBMS designed for organizing
structured data into rows and columns are not well suited to handling graphicsbased or multimedia applications. Object-oriented databases are better suited
for this purpose.
An object-oriented DBMS stores the data and procedures that act on those
data as objects that can be automatically retrieved and shared. Object-oriented
database management systems (OODBMS) are becoming popular because they
can be used to manage the various multimedia components or Java applets used
in Web applications, which typically integrate pieces of information from a variety
of sources.
Although object-oriented databases can store more complex types of information than relational DBMS, they are relatively slow compared with relational
DBMS for processing large numbers of transactions. Hybrid object-relational
DBMS systems are now available to provide capabilities of both object-oriented
and relational DBMS.
Databases in the Cloud
Suppose your company wants to use cloud computing services. Is there a way
to manage data in the cloud? The answer is a qualified “Yes.” Cloud computing
providers offer database management services, but these services typically
have less functionality than their on-premises counterparts. At the moment,
215
216
THE THREE BASIC OPERATIONS OF A RELATIONAL DBMS
The select, join, and project operations enable data from two different tables to be combined and only selected attributes to be displayed.
Part Two Information Technology Infrastructure
FIGURE 6-5
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
the primary customer base for cloud-based data management consists of Webfocused start-ups or small to medium-sized businesses looking for database
capabilities at a lower price than a standard relational DBMS.
Amazon Web Services has both a simple non-relational database called
SimpleDB and a Relational Database Service, which is based on an online
implementation of the MySQL open source DBMS. Amazon Relational Database
Service (Amazon RDS) offers the full range of capabilities of MySQL. Pricing is
based on usage. (Charges run from 11 cents per hour for a small database using
1.7 GB of server memory to $3.10 per hour for a large database using 68 GB of
server memory.) There are also charges for the volume of data stored, the number of input-output requests, the amount of data written to the database, and
the amount of data read from the database.
Amazon Web Services additionally offers Oracle customers the option to
license Oracle Database 11g, Oracle Enterprise Manager, and Oracle Fusion
Middleware to run on the Amazon EC2 (Elastic Cloud Compute) platform.
Microsoft SQL Azure Database is a cloud-based relational database service
based on Microsoft’s SQL Server DBMS. It provides a highly available, scalable
database service hosted by Microsoft in the cloud. SQL Azure Database helps
reduce costs by integrating with existing software tools and providing symmetry with on-premises and cloud databases.
TicketDirect, which sells tickets to concerts, sporting events, theater performances, and movies in Australia and New Zealand, adopted the SQL Azure
Database cloud platform in order to improve management of peak system loads
during major ticket sales. It migrated its data to the SQL Azure database. By
moving to a cloud solution, TicketDirect is able to scale its computing resources
in response to real-time demand while keeping costs low.
CAPABILITIES OF DATABASE MANAGEMENT SYSTEMS
A DBMS includes capabilities and tools for organizing, managing, and accessing
the data in the database. The most important are its data definition language,
data dictionary, and data manipulation language.
DBMS have a data definition capability to specify the structure of the content
of the database. It would be used to create database tables and to define the
characteristics of the fields in each table. This information about the database
would be documented in a data dictionary. A data dictionary is an automated or
manual file that stores definitions of data elements and their characteristics.
Microsoft Access has a rudimentary data dictionary capability that displays
information about the name, description, size, type, format, and other properties of each field in a table (see Figure 6-6). Data dictionaries for large corporate
databases may capture additional information, such as usage, ownership (who
in the organization is responsible for maintaining the data), authorization;
security, and the individuals, business functions, programs, and reports that
use each data element.
Quer ying and Reporting
DBMS includes tools for accessing and manipulating information in databases.
Most DBMS have a specialized language called a data manipulation language
that is used to add, change, delete, and retrieve the data in the database.
This language contains commands that permit end users and programming
specialists to extract data from the database to satisfy information requests and
develop applications. The most prominent data manipulation language today is
Structured Query Language, or SQL. Figure 6-7 illustrates the SQL query that
217
218
Part Two Information Technology Infrastructure
FIGURE 6-6
MICROSOFT ACCESS DATA DICTIONARY FEATURES
Microsoft Access has a rudimentary data dictionary capability that displays information about the size,
format, and other characteristics of each field in a database. Displayed here is the information maintained
in the SUPPLIER table. The small key icon to the left of Supplier_Number indicates that it is a key field.
would produce the new resultant table in Figure 6-5. You can find out more
about how to perform SQL queries in our Learning Tracks for this chapter.
Users of DBMS for large and midrange computers, such as DB2, Oracle, or
SQL Server, would employ SQL to retrieve information they needed from the
database. Microsoft Access also uses SQL, but it provides its own set of
user-friendly tools for querying databases and for organizing data from
databases into more polished reports.
In Microsoft Access, you will find features that enable users to create
queries by identifying the tables and fields they want and the results, and
then selecting the rows from the database that meet particular criteria. These
actions in turn are translated into SQL commands. Figure 6-8 illustrates how
FIGURE 6-7
EXAMPLE OF AN SQL QUERY
Illustrated here are the SQL statements for a query to select suppliers for parts 137 or 150.
They produce a list with the same results as Figure 6-5.
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
FIGURE 6-8
AN ACCESS QUERY
Illustrated here is how the query in Figure 6-7 would be constructed using Microsoft Access querybuilding tools. It shows the tables, fields, and selection criteria used for the query.
the same query as the SQL query to select parts and suppliers would be
constructed using the Microsoft query-building tools.
Microsoft Access and other DBMS include capabilities for report generation
so that the data of interest can be displayed in a more structured and polished
format than would be possible just by querying. Crystal Reports is a popular
report generator for large corporate DBMS, although it can also be used with
Access. Access also has capabilities for developing desktop system applications.
These include tools for creating data entry screens, reports, and developing the
logic for processing transactions.
DESIGNING DATABASES
To create a database, you must understand the relationships among the data,
the type of data that will be maintained in the database, how the data will be
used, and how the organization will need to change to manage data from a
company-wide perspective. The database requires both a conceptual design and
a physical design. The conceptual, or logical, design of a database is an abstract
model of the database from a business perspective, whereas the physical design
shows how the database is actually arranged on direct-access storage devices.
Normalization and Entity-Relationship Diagrams
The conceptual database design describes how the data elements in the
database are to be grouped. The design process identifies relationships among
data elements and the most efficient way of grouping data elements together to
meet business information requirements. The process also identifies redundant
data elements and the groupings of data elements required for specific
219
220
Part Two Information Technology Infrastructure
FIGURE 6-9
AN UNNORMALIZED RELATION FOR ORDER
An unnormalized relation contains repeating groups. For example, there can be many parts and suppliers for each order. There is
only a one-to-one correspondence between Order_Number and Order_Date.
application programs. Groups of data are organized, refined, and streamlined
until an overall logical view of the relationships among all the data in the
database emerges.
To use a relational database model effectively, complex groupings of data
must be streamlined to minimize redundant data elements and awkward manyto-many relationships. The process of creating small, stable, yet flexible and
adaptive data structures from complex groups of data is called normalization.
Figures 6-9 and 6-10 illustrate this process.
In the particular business modeled here, an order can have more than one
part but each part is provided by only one supplier. If we build a relation called
ORDER with all the fields included here, we would have to repeat the name and
address of the supplier for every part on the order, even though the order is for
parts from a single supplier. This relationship contains what are called repeating
data groups because there can be many parts on a single order to a given
supplier. A more efficient way to arrange the data is to break down ORDER into
smaller relations, each of which describes a single entity. If we go step by step
and normalize the relation ORDER, we emerge with the relations illustrated in
Figure 6-10. You can find out more about normalization, entity-relationship
diagramming, and database design in the Learning Tracks for this chapter.
Relational database systems try to enforce referential integrity rules to
ensure that relationships between coupled tables remain consistent. When one
table has a foreign key that points to another table, you may not add a record to
the table with the foreign key unless there is a corresponding record in the linked
table. In the database we examined earlier in this chapter, the foreign key
FIGURE 6-10
NORMALIZED TABLES CREATED FROM ORDER
After normalization, the original relation ORDER has been broken down into four smaller relations. The relation ORDER is left with only two
attributes and the relation LINE_ITEM has a combined, or concatenated, key consisting of Order_Number and Part_Number.
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
Supplier_Number links the PART table to the SUPPLIER table. We may not add a
new record to the PART table for a part with Supplier_Number 8266 unless there
is a corresponding record in the SUPPLIER table for Supplier_Number 8266.
We must also delete the corresponding record in the PART table if we delete the
record in the SUPPLIER table for Supplier_Number 8266. In other words, we
shouldn’t have parts from nonexistent suppliers!
Database designers document their data model with an entity-relationship
diagram, illustrated in Figure 6-11. This diagram illustrates the relationship
between the entities SUPPLIER, PART, LINE_ITEM, and ORDER. The boxes
represent entities. The lines connecting the boxes represent relationships. A line
connecting two entities that ends in two short marks designates a one-to-one
relationship. A line connecting two entities that ends with a crow’s foot topped by
a short mark indicates a one-to-many relationship. Figure 6-11 shows that one
ORDER can contain many LINE_ITEMs. (A PART can be ordered many times and
appear many times as a line item in a single order.) Each PART can have only one
SUPPLIER, but many PARTs can be provided by the same SUPPLIER.
It can’t be emphasized enough: If the business doesn’t get its data model
right, the system won’t be able to serve the business well. The company’s
systems will not be as effective as they could be because they’ll have to
work with data that may be inaccurate, incomplete, or difficult to retrieve.
Understanding the organization’s data and how they should be represented in a
database is perhaps the most important lesson you can learn from this course.
For example, Famous Footwear, a shoe store chain with more than 800
locations in 49 states, could not achieve its goal of having “the right style of shoe
in the right store for sale at the right price” because its database was not
properly designed for rapidly adjusting store inventory. The company had an
Oracle relational database running on an IBM AS/400 midrange computer, but
the database was designed primarily for producing standard reports for
management rather than for reacting to marketplace changes. Management
could not obtain precise data on specific items in inventory in each of its stores.
The company had to work around this problem by building a new database
where the sales and inventory data could be better organized for analysis and
inventory management.
6.3
USING DATABASES TO IMPROVE BUSINESS
PERFORMANCE AND DECISION MAKING
Businesses use their databases to keep track of basic transactions, such as paying
suppliers, processing orders, keeping track of customers, and paying employees.
But they also need databases to provide information that will help the company
FIGURE 6-11
AN ENTITY-RELATIONSHIP DIAGRAM
This diagram shows the relationships between the entities SUPPLIER, PART, LINE_ITEM, and ORDER that might be used to model the
database in Figure 6-10.
221
222
Part Two Information Technology Infrastructure
run the business more efficiently, and help managers and employees make better decisions. If a company wants to know which product is the most popular or
who is its most profitable customer, the answer lies in the data.
For example, by analyzing data from customer credit card purchases,
Louise’s Trattoria, a Los Angeles restaurant chain, learned that quality was
more important than price for most of its customers, who were collegeeducated and liked fine wine. Acting on this information, the chain introduced
vegetarian dishes, more seafood selections, and more expensive wines, raising
sales by more than 10 percent.
In a large company, with large databases or large systems for separate
functions, such as manufacturing, sales, and accounting, special capabilities
and tools are required for analyzing vast quantities of data and for accessing
data from multiple systems. These capabilities include data warehousing, data
mining, and tools for accessing internal databases through the Web.
DATA WAREHOUSES
Suppose you want concise, reliable information about current operations,
trends, and changes across the entire company If you worked in a large
company, obtaining this might be difficult because data are often maintained in
separate systems, such as sales, manufacturing, or accounting. Some of the data
you need might be found in the sales system, and other pieces in the
manufacturing system. Many of these systems are older legacy systems that
use outdated data management technologies or file systems where information
is difficult for users to access.
You might have to spend an inordinate amount of time locating and
gathering the data you need, or you would be forced to make your decision
based on incomplete knowledge. If you want information about trends, you
might also have trouble finding data about past events because most firms only
make their current data immediately available. Data warehousing addresses
these problems.
W h a t I s a D a t a Wa r e h o u s e ?
A data warehouse is a database that stores current and historical data of
potential interest to decision makers throughout the company. The data
originate in many core operational transaction systems, such as systems
for sales, customer accounts, and manufacturing, and may include data
from Web site transactions. The data warehouse consolidates and standardizes
information from different operational databases so that the information can be
used across the enterprise for management analysis and decision making.
Figure 6-12 illustrates how a data warehouse works. The data warehouse
makes the data available for anyone to access as needed, but it cannot be
altered. A data warehouse system also provides a range of ad hoc and
standardized query tools, analytical tools, and graphical reporting facilities.
Many firms use intranet portals to make the data warehouse information
widely available throughout the firm.
Catalina Marketing, a global marketing firm for major consumer packaged
goods companies and retailers, operates a gigantic data warehouse that includes
three years of purchase history for 195 million U.S. customer loyalty program
members at supermarkets, pharmacies, and other retailers. It is the largest
loyalty database in the world. Catalina’s retail store customers analyze this
database of customer purchase histories to determine individual customers’
buying preferences. When a shopper checks out at the cash register of one of
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
FIGURE 6-12
COMPONENTS OF A DATA WAREHOUSE
The data warehouse extracts current and historical data from multiple operational systems inside the
organization. These data are combined with data from external sources and reorganized into a central
database designed for management reporting and analysis. The information directory provides users
with information about the data available in the warehouse.
Catalina’s retail customers, the purchase is instantly analyzed along with that
customer’s buying history in the data warehouse to determine what coupons
that customer will receive at checkout along with a receipt.
The U.S. Internal Revenue Service (IRS) maintains a Compliance Data
Warehouse that consolidates taxpayer data that had been fragmented among
many different legacy systems, including personal information about taxpayers and archived tax returns. These systems had been designed to process tax
return forms efficiently but their data were very difficult to query and
analyze. The Compliance Data Warehouse integrates taxpayer data from
many disparate sources into a relational structure, which makes querying
and analysis much easier. With a complete and comprehensive picture of
taxpayers, the warehouse helps IRS analysts and staff identify people who
are most likely to cheat on their income tax payments and respond rapidly to
taxpayer queries.
Data Marts
Companies often build enterprise-wide data warehouses, where a central data
warehouse serves the entire organization, or they create smaller, decentralized warehouses called data marts. A data mart is a subset of a data warehouse in which a summarized or highly focused portion of the organization’s
data is placed in a separate database for a specific population of users. For
example, a company might develop marketing and sales data marts to deal
with customer information. Before implementing an enterprise-wide data
warehouse, bookseller Barnes & Noble maintained a series of data marts—one
for point-of-sale data in retail stores, another for college bookstore sales, and a
third for online sales. A data mart typically focuses on a single subject area or
line of business, so it usually can be constructed more rapidly and at lower
cost than an enterprise-wide data warehouse.
223
224
Part Two Information Technology Infrastructure
TOOLS FOR BUSINESS INTELLIGENCE:
MULTIDIMENSIONAL DATA ANALYSIS AND DATA
MINING
Once data have been captured and organized in data warehouses and data marts,
they are available for further analysis using tools for business intelligence,
which we introduced briefly in Chapter 2. Business intelligence tools enable
users to analyze data to see new patterns, relationships, and insights that are
useful for guiding decision making.
Principal tools for business intelligence include software for database querying
and reporting, tools for multidimensional data analysis (online analytical
processing), and tools for data mining. This section will introduce you to these
tools, with more detail about business intelligence analytics and applications in
the Chapter 12 discussion of decision making.
Online Analytical Processing (OLAP)
Suppose your company sells four different products—nuts, bolts, washers, and
screws—in the East, West, and Central regions. If you wanted to ask a fairly
straightforward question, such as how many washers were sold during the past
quarter, you could easily find the answer by querying your sales database.
But what if you wanted to know how many washers sold in each of your sales
regions and compare actual results with projected sales?
To obtain the answer, you would need online analytical processing
(OLAP). OLAP supports multidimensional data analysis, enabling users to
view the same data in different ways using multiple dimensions. Each aspect
of information—product, pricing, cost, region, or time period—represents a
different dimension. So, a product manager could use a multidimensional data
analysis tool to learn how many washers were sold in the East in June, how that
compares with the previous month and the previous June, and how it compares
with the sales forecast. OLAP enables users to obtain online answers to ad hoc
questions such as these in a fairly rapid amount of time, even when the data are
stored in very large databases, such as sales figures for multiple years.
Figure 6-13 shows a multidimensional model that could be created to
represent products, regions, actual sales, and projected sales. A matrix of
actual sales can be stacked on top of a matrix of projected sales to form a cube
with six faces. If you rotate the cube 90 degrees one way, the face showing will
be product versus actual and projected sales. If you rotate the cube 90 degrees
again, you will see region versus actual and projected sales. If you rotate 180
degrees from the original view, you will see projected sales and product versus
region. Cubes can be nested within cubes to build complex views of data. A
company would use either a specialized multidimensional database or a tool
that creates multidimensional views of data in relational databases.
Data Mining
Traditional database queries answer such questions as, “How many units of
product number 403 were shipped in February 2010?” OLAP, or multidimensional analysis, supports much more complex requests for information, such as
“Compare sales of product 403 relative to plan by quarter and sales region for
the past two years.” With OLAP and query-oriented data analysis, users need to
have a good idea about the information for which they are looking.
Data mining is more discovery-driven. Data mining provides insights into
corporate data that cannot be obtained with OLAP by finding hidden patterns and
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
FIGURE 6-13
MULTIDIMENSIONAL DATA MODEL
The view that is showing is product versus region. If you rotate the cube 90 degrees, the face will
show product versus actual and projected sales. If you rotate the cube 90 degrees again, you will see
region versus actual and projected sales. Other views are possible.
relationships in large databases and inferring rules from them to predict future
behavior. The patterns and rules are used to guide decision making and forecast
the effect of those decisions. The types of information obtainable from data
mining include associations, sequences, classifications, clusters, and forecasts.
• Associations are occurrences linked to a single event. For instance, a study of
supermarket purchasing patterns might reveal that, when corn chips are
purchased, a cola drink is purchased 65 percent of the time, but when there
is a promotion, cola is purchased 85 percent of the time. This information
helps managers make better decisions because they have learned the
profitability of a promotion.
• In sequences, events are linked over time. We might find, for example, that if
a house is purchased, a new refrigerator will be purchased within two weeks
65 percent of the time, and an oven will be bought within one month of the
home purchase 45 percent of the time.
• Classification recognizes patterns that describe the group to which an item
belongs by examining existing items that have been classified and by
inferring a set of rules. For example, businesses such as credit card or
telephone companies worry about the loss of steady customers. Classification
helps discover the characteristics of customers who are likely to leave and
can provide a model to help managers predict who those customers are so
that the managers can devise special campaigns to retain such customers.
• Clustering works in a manner similar to classification when no groups have yet
been defined. A data mining tool can discover different groupings within data,
such as finding affinity groups for bank cards or partitioning a database into
groups of customers based on demographics and types of personal investments.
• Although these applications involve predictions, forecasting uses predictions in
a different way. It uses a series of existing values to forecast what other values
will be. For example, forecasting might find patterns in data to help managers
estimate the future value of continuous variables, such as sales figures.
These systems perform high-level analyses of patterns or trends, but they
can also drill down to provide more detail when needed. There are data mining
225
226
Part Two Information Technology Infrastructure
applications for all the functional areas of business, and for government and
scientific work. One popular use for data mining is to provide detailed analyses
of patterns in customer data for one-to-one marketing campaigns or for
identifying profitable customers.
For example, Harrah’s Entertainment, the second-largest gambling company
in its industry, uses data mining to identify its most profitable customers and
generate more revenue from them. The company continually analyzes data
about its customers gathered when people play its slot machines or use
Harrah’s casinos and hotels. Harrah’s marketing department uses this information to build a detailed gambling profile, based on a particular customer’s
ongoing value to the company. For instance, data mining lets Harrah’s know
the favorite gaming experience of a regular customer at one of its Midwest
riverboat casinos, along with that person’s preferences for room accomodations,
restaurants, and entertainment. This information guides management decisions about how to cultivate the most profitable customers, encourage those
customers to spend more, and attract more customers with high revenue-generating potential. Business intelligence has improved Harrah’s profits so much
that it has become the centerpiece of the firm’s business strategy.
Predictive analytics use data mining techniques, historical data, and assumptions about future conditions to predict outcomes of events, such as the probability a customer will respond to an offer or purchase a specific product. For example, the U.S. division of The Body Shop International plc used predictive analytics
with its database of catalog, Web, and retail store customers to identify customers
who were more likely to make catalog purchases. That information helped the
company build a more precise and targeted mailing list for its catalogs, improving
the response rate for catalog mailings and catalog revenues.
Te x t M i n i n g a n d We b M i n i n g
Business intelligence tools deal primarily with data that have been structured in
databases and files. However, unstructured data, most in the form of text files,
is believed to account for over 80 percent of an organization’s useful information. E-mail, memos, call center transcripts, survey responses, legal cases,
patent descriptions, and service reports are all valuable for finding patterns and
trends that will help employees make better business decisions. Text mining
tools are now available to help businesses analyze these data. These tools are
able to extract key elements from large unstructured data sets, discover
patterns and relationships, and summarize the information. Businesses might
turn to text mining to analyze transcripts of calls to customer service centers to
identify major service and repair issues.
Text mining is a relatively new technology, but what’s really new are the
myriad ways in which unstructured data are being generated by consumers and
the business uses for these data. The Interactive Session on Technology
explores some of these business applications of text mining.
The Web is another rich source of valuable information, some of which can
now be mined for patterns, trends, and insights into customer behavior.
The discovery and analysis of useful patterns and information from the World
Wide Web is called Web mining. Businesses might turn to Web mining to help
them understand customer behavior, evaluate the effectiveness of a particular
Web site, or quantify the success of a marketing campaign. For instance,
marketers use Google Trends and Google Insights for Search services, which
track the popularity of various words and phrases used in Google search
queries, to learn what people are interested in and what they are interested in
buying.
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
Suppose, for example, a customer with a Web browser wants to search an online
retailer’s database for pricing information. Figure 6-14 illustrates how that customer might access the retailer’s internal database over the Web. The user
accesses the retailer’s Web site over the Internet using Web browser software on
his or her client PC. The user’s Web browser software requests data from the organization’s database, using HTML commands to communicate with the Web server.
Because many back-end databases cannot interpret commands written in
HTML, the Web server passes these requests for data to software that translates
HTML commands into SQL so that they can be processed by the DBMS working
with the database. In a client/server environment, the DBMS resides on a
dedicated computer called a database server. The DBMS receives the SQL
requests and provides the required data. The middleware transfers information
from the organization’s internal database back to the Web server for delivery in
the form of a Web page to the user.
Figure 6-14 shows that the middleware working between the Web server and
the DBMS is an application server running on its own dedicated computer (see
Chapter 5). The application server software handles all application operations,
including transaction processing and data access, between browser-based
computers and a company’s back-end business applications or databases. The
application server takes requests from the Web server, runs the business logic to
process transactions based on those requests, and provides connectivity to the
organization’s back-end systems or databases. Alternatively, the software for
handling these operations could be a custom program or a CGI script. A CGI
script is a compact program using the Common Gateway Interface (CGI) specification for processing data on a Web server.
There are a number of advantages to using the Web to access an organization’s internal databases. First, Web browser software is much easier to use than
proprietary query tools. Second, the Web interface requires few or no changes
to the internal database. It costs much less to add a Web interface in front of a
legacy system than to redesign and rebuild the system to improve user access.
Accessing corporate databases through the Web is creating new efficiencies,
opportunities, and business models. ThomasNet.com provides an up-to-date
online directory of more than 600,000 suppliers of industrial products, such as
chemicals, metals, plastics, rubber, and automotive equipment. Formerly called
Thomas Register, the company used to send out huge paper catalogs with this
information. Now it provides this information to users online via its Web site
and has become a smaller, leaner company.
Other companies have created entirely new businesses based on access to
large databases through the Web. One is the social networking site MySpace,
which helps users stay connected with each other or meet new people.
FIGURE 6-14
LINKING INTERNAL DATABASES TO THE WEB
Users access an organization’s internal database through the Web using their desktop PCs and Web
browser software.
229
230
Part Two Information Technology Infrastructure
MySpace features music, comedy, videos, and “profiles” with information
supplied by 122 million users about their age, hometown, dating preferences,
marital status, and interests. It maintains a massive database to house and
manage all of this content. Facebook uses a similar database.
6.4
MANAGING DATA RESOURCES
Setting up a database is only a start. In order to make sure that the data for your
business remain accurate, reliable, and readily available to those who need it,
your business will need special policies and procedures for data management.
ESTABLISHING AN INFORMATION POLICY
Every business, large and small, needs an information policy. Your firm’s data
are an important resource, and you don’t want people doing whatever they
want with them. You need to have rules on how the data are to be organized and
maintained, and who is allowed to view the data or change them.
An information policy specifies the organization’s rules for sharing,
disseminating, acquiring, standardizing, classifying, and inventorying information. Information policy lays out specific procedures and accountabilities,
identifying which users and organizational units can share information, where
information can be distributed, and who is responsible for updating and
maintaining the information. For example, a typical information policy would
specify that only selected members of the payroll and human resources
department would have the right to change and view sensitive employee data,
such as an employee’s salary or social security number, and that these departments are responsible for making sure that such employee data are accurate.
If you are in a small business, the information policy would be established and
implemented by the owners or managers. In a large organization, managing and
planning for information as a corporate resource often requires a formal data
administration function. Data administration is responsible for the specific
policies and procedures through which data can be managed as an organizational
resource. These responsibilities include developing information policy, planning
for data, overseeing logical database design and data dictionary development, and
monitoring how information systems specialists and end-user groups use data.
You may hear the term data governance used to describe many of these
activities. Promoted by IBM, data governance deals with the policies and
processes for managing the availability, usability, integrity, and security of the
data employed in an enterprise, with special emphasis on promoting privacy,
security, data quality, and compliance with government regulations.
A large organization will also have a database design and management group
within the corporate information systems division that is responsible for
defining and organizing the structure and content of the database, and
maintaining the database. In close cooperation with users, the design group
establishes the physical database, the logical relations among elements, and the
access rules and security procedures. The functions it performs are called
database administration.
ENSURING DATA QUALITY
A well-designed database and information policy will go a long way toward
ensuring that the business has the information it needs. However, additional
Chapter 6 Foundations of Business Intelligence: Databases and Information Management
steps must be taken to ensure that the data in organizational databases are
accurate and remain reliable.
What would happen if a customer’s telephone number or account balance
were incorrect? What would be the impact if the database had the wrong price
for the product you sold or your sales system and inventory system showed
different prices for the same product? Data that are inaccurate, untimely, or
inconsistent with other sources of information lead to incorrect decisions, product recalls, and financial losses. Inaccurate data in criminal justice and national
security databases might even subject you to unnecessarily surveillance or
detention, as described in the chapter-ending case study.
According to Forrester Research, 20 percent of U.S. mail and commercial
package deliveries were returned because of incorrect names or addresses.
Gartner Inc. reported that more than 25 percent of the critical data in large
Fortune 1000 companies’ databases is inaccurate or incomplete, including bad
product codes and product descriptions, faulty inventory descriptions,
erroneous financial data, incorrect supplier information, and incorrect
employee data. (Gartner, 2007).
Think of all the times you’ve received several pieces of the same direct mail
advertising on the same day. This is very likely the result of having your name
maintained multiple times in a database. Your name may have been misspelled
or you used your middle initial on one occasion and not on another or the information was initially entered onto a paper form and not scanned properly into
the system. Because of these inconsistencies, the database would treat you as
different people! We often receive redundant mail addressed to Laudon,
Lavdon, Lauden, or Landon.
If a database is properly designed and enterprise-wide data standards
established, duplicate or inconsistent data elements should be minimal. Most
data quality problems, however, such as misspelled names, transposed
numbers, or incorrect or missing codes, stem from errors during data input.
The incidence of such errors is rising as companies move their businesses to
the Web and allow customers and suppliers to enter data into their Web sites
that directly update internal systems.
Before a new database is in place, organizations need to identify and correct
their faulty data and establish better routines for editing data once their
database is in operation. Analysis of data quality often begins with a data
quality audit, which is a structured survey of the accuracy and level of
completeness of the data in an information system. Data quality audits can be
performed by surveying entire data files, surveying samples from data files, or
surveying end users for their perceptions of data quality.
Data cleansing, also known as data scrubbing, consists of activities for
detecting and correcting data in a database that are incorrect, incomplete,
improperly formatted, or redundant. Data cleansing not only corrects errors
but also enforces consistency among different sets of data that originated in
separate information systems. Specialized data-cleansing software is available
to automatically survey data files, correct errors in the data, and integrate the
data in a consistent company-wide format.
Data quality problems are not just business problems. They also pose serious
problems for individuals, affecting their financial condition and even their jobs.
The Interactive Session on Organizations describes some of these impacts, as it
details the data quality problems found in the companies that collect and report
consumer credit data. As you read this case, look for the management, organization, and technology factors behind this problem, and whether existing
solutions are adequate.
231
Chapter 8 Securing Information Systems
8.1
SYSTEM VULNERABILITY AND ABUSE
C
an you imagine what would happen if you tried to link to the Internet
without a firewall or antivirus software? Your computer would be
disabled in a few seconds, and it might take you many days to recover.
If you used the computer to run your business, you might not be able
to sell to your customers or place orders with your suppliers while it was down.
And you might find that your computer system had been penetrated by
outsiders, who perhaps stole or destroyed valuable data, including confidential
payment data from your customers. If too much data were destroyed or
divulged, your business might never be able to operate!
In short, if you operate a business today, you need to make security and
control a top priority. Security refers to the policies, procedures, and technical
measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems. Controls are methods, policies, and organizational
procedures that ensure the safety of the organization’s assets; the accuracy and
reliability of its records; and operational adherence to management standards.
WHY SYSTEMS ARE VULNERABLE
When large amounts of data are stored in electronic form, they are vulnerable
to many more kinds of threats than when they existed in manual form.
Through communications networks, information systems in different locations
are interconnected. The potential for unauthorized access, abuse, or fraud is
not limited to a single location but can occur at any access point in the network.
Figure 8-1 illustrates the most common threats against contemporary information systems. They can stem from technical, organizational, and environmental
factors compounded by poor management decisions. In the multi-tier
client/server computing environment illustrated here, vulnerabilities exist at
each layer and in the communications between the layers. Users at the client
layer can cause harm by introducing errors or by accessing systems without
FIGURE 8-1
CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES
The architecture of a Web-based application typically includes a Web client, a server, and corporate
information systems linked to databases. Each of these components presents security challenges and
vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any
point in the network.
293
294
Part Two Information Technology Infrastructure
authorization. It is possible to access data flowing over networks, steal valuable
data during transmission, or alter messages without authorization. Radiation
may disrupt a network at various points as well. Intruders can launch denial-ofservice attacks or malicious software to disrupt the operation of Web sites.
Those capable of penetrating corporate systems can destroy or alter corporate
data stored in databases or files.
Systems malfunction if computer hardware breaks down, is not configured
properly, or is damaged by improper use or criminal acts. Errors in programming, improper installation, or unauthorized changes cause computer software
to fail. Power failures, floods, fires, or other natural disasters can also disrupt
computer systems.
Domestic or offshore partnering with another company adds to system vulnerability if valuable information resides on networks and computers outside
the organization’s control. Without strong safeguards, valuable data could be
lost, destroyed, or could fall into the wrong hands, revealing important trade
secrets or information that violates personal privacy.
The popularity of handheld mobile devices for business computing adds to
these woes. Portability makes cell phones, smartphones, and tablet computers
easy to lose or steal. Smartphones share the same security weaknesses as other
Internet devices, and are vulnerable to malicious software and penetration
from outsiders. In 2009, security experts identified 30 security flaws in software
and operating systems of smartphones made by Apple, Nokia, and BlackBerry
maker Research in Motion.
Even the apps that have been custom-developed for mobile devices are capable of turning into rogue software. For example, in December 2009, Google
pulled dozens of mobile banking apps from its Android Market because they
could have been updated to capture customers’ banking credentials.
Smartphones used by corporate executives may contain sensitive data such as
sales figures, customer names, phone numbers, and e-mail addresses. Intruders
may be able to access internal corporate networks through these devices.
I n t e r n e t Vu l n e r a b i l i t i e s
Large public networks, such as the Internet, are more vulnerable than internal
networks because they are virtually open to anyone. The Internet is so huge
that when abuses do occur, they can have an enormously widespread impact.
When the Internet becomes part of the corporate network, the organization’s
information systems are even more vulnerable to actions from outsiders.
Computers that are constantly connected to the Internet by cable modems or
digital subscriber line (DSL) lines are more open to penetration by outsiders
because they use fixed Internet addresses where they can be easily identified.
(With dial-up service, a temporary Internet address is assigned for each
session.) A fixed Internet address creates a fixed target for hackers.
Telephone service based on Internet technology (see Chapter 7) is more
vulnerable than the switched voice network if it does not run over a secure
private network. Most Voice over IP (VoIP) traffic over the public Internet is not
encrypted, so anyone with a network can listen in on conversations. Hackers
can intercept conversations or shut down voice service by flooding servers
supporting VoIP with bogus traffic.
Vulnerability has also increased from widespread use of e-mail, instant
messaging (IM), and peer-to-peer file-sharing programs. E-mail may contain
attachments that serve as springboards for malicious software or unauthorized
access to internal corporate systems. Employees may use e-mail messages to
transmit valuable trade secrets, financial data, or confidential customer informa-
Chapter 8 Securing Information Systems
tion to unauthorized recipients. Popular IM applications for consumers do not
use a secure layer for text messages, so they can be intercepted and read by outsiders during transmission over the public Internet. Instant messaging activity
over the Internet can in some cases be used as a back door to an otherwise secure
network. Sharing files over peer-to-peer (P2P) networks, such as those for illegal
music sharing, may also transmit malicious software or expose information on
either individual or corporate computers to outsiders.
Wireless Security Challenges
Is it safe to log onto a wireless network at an airport, library, or other public
location? It depends on how vigilant you are. Even the wireless network in your
home is vulnerable because radio frequency bands are easy to scan. Both
Bluetooth and Wi-Fi networks are susceptible to hacking by eavesdroppers.
Although the range of Wi-Fi networks is only several hundred feet, it can be
extended up to one-fourth of a mile using external antennae. Local area
networks (LANs) using the 802.11 standard can be easily penetrated by outsiders armed with laptops, wireless cards, external antennae, and hacking software. Hackers use these tools to detect unprotected networks, monitor network
traffic, and, in some cases, gain access to the Internet or to corporate networks.
Wi-Fi transmission technology was designed to make it easy for stations to
find and hear one another. The service set identifiers (SSIDs) identifying the
access points in a Wi-Fi network are broadcast multiple times and can be picked
up fairly easily by intruders’ sniffer programs (see Figure 8-2). Wireless
networks in many locations do not have basic protections against war driving,
FIGURE 8-2
WI-FI SECURITY CHALLENGES
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an
address to access the resources of a network without authorization.
295
296
Part Two Information Technology Infrastructure
in which eavesdroppers drive by buildings or park outside and try to intercept
wireless network traffic.
A hacker can employ an 802.11 analysis tool to identify the SSID. (Windows
XP, Vista, and 7 have capabilities for detecting the SSID used in a network and
automatically configuring the radio NIC within the user’s device.) An intruder
that has associated with an access point by using the correct SSID is capable of
accessing other resources on the network, using the Windows operating system
to determine which other users are connected to the network, access their
computer hard drives, and open or copy their files.
Intruders also use the information they have gleaned to set up rogue access
points on a different radio channel in physical locations close to users to force a
user’s radio NIC to associate with the rogue access point. Once this association
occurs, hackers using the rogue access point can capture the names and
passwords of unsuspecting users.
The initial security standard developed for Wi-Fi, called Wired Equivalent
Privacy (WEP), is not very effective. WEP is built into all standard 802.11 products, but its use is optional. Many users neglect to use WEP security features,
leaving them unprotected. The basic WEP specification calls for an access point
and all of its users to share the same 40-bit encrypted password, which can be
easily decrypted by hackers from a small amount of traffic. Stronger encryption
and authentication systems are now available, such as Wi-Fi Protected Access 2
(WPA2), but users must be willing to install them.
MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN
HORSES, AND SPYWARE
Malicious software programs are referred to as malware and include a variety
of threats, such as computer viruses, worms, and Trojan horses. A computer
virus is a rogue software program that attaches itself to other software
programs or data files in order to be executed, usually without user knowledge
or permission. Most computer viruses deliver a “payload.” The payload may be
relatively benign, such as the instructions to display a message or image, or it
may be highly destructive—destroying programs or data, clogging computer
memory, reformatting a computer’s hard drive, or causing programs to run
improperly. Viruses typically spread from computer to computer when
humans take an action, such as sending an e-mail attachment or copying an
infected file.
Most recent attacks have come from worms, which are independent
computer programs that copy themselves from one computer to other computers over a network. (Unlike viruses, they can operate on their own without
attaching to other computer program files and rely less on human behavior in
order to spread from computer to computer. This explains why computer
worms spread much more rapidly than computer viruses.) Worms destroy data
and programs as well as disrupt or even halt the operation of computer
networks.
Worms and viruses are often spread over the Internet from files of
downloaded software, from files attached to e-mail transmissions, or from
compromised e-mail messages or instant messaging. Viruses have also invaded
computerized information systems from “infected” disks or infected machines.
E-mail worms are currently the most problematic.
Malware targeting mobile devices is not as extensive as that targeting
computers, but is spreading nonetheless using e-mail, text messages, Bluetooth,
Chapter 8 Securing Information Systems
and file downloads from the Web via Wi-Fi or cellular networks.There are now
more than 200 viruses and worms targeting mobile phones, such as Cabir,
Commwarrior, Frontal.A, and Ikee.B. Frontal.A installs a corrupted file that
causes phone failure and prevents the user from rebooting, while Ikee.B turns
jailbroken iPhones into botnet-controlled devices. Mobile device viruses pose
serious threats to enterprise computing because so many wireless devices are
now linked to corporate information systems.
Web 2.0 applications, such as blogs, wikis, and social networking sites such as
Facebook and MySpace, have emerged as new conduits for malware or
spyware. These applications allow users to post software code as part of the
permissible content, and such code can be launched automatically as soon as a
Web page is viewed. The chapter-opening case study describes other channels
for malware targeting Facebook. In September 2010, hackers exploited a Twitter
security flaw to send users to Japanese pornographic sites and automatically
generated messages from other accounts (Coopes, 2010).
Table 8-1 describes the characteristics of some of the most harmful worms
and viruses that have appeared to date.
Over the past decade, worms and viruses have caused billions of dollars of
damage to corporate networks, e-mail systems, and data. According to
Consumer Reports’ State of the Net 2010 survey, U.S. consumers lost $3.5 billion
TABLE 8-1 EXAMPLES OF MALICIOUS CODE
NAME
TYPE
DESCRIPTION
Conficker (aka
Downadup,
Downup)
Worm
First detected in November 2008. Uses flaws in Windows software to take over machines
and link them into a virtual computer that can be commanded remotely. Has more than 5
million computers worldwide under its control. Difficult to eradicate.
Storm
Worm/
Trojan horse
First identified in January 2007. Spreads via e-mail spam with a fake attachment.
Infected up to 10 million computers, causing them to join its zombie network of computers
engaged in criminal activity.
Sasser.ftp
Worm
First appeared in May 2004. Spread over the Internet by attacking random IP addresses.
Causes computers to continually crash and reboot, and infected computers to search for
more victims. Affected millions of computers worldwide, disrupting British Airways flight
check-ins, operations of British coast guard stations, Hong Kong hospitals, Taiwan post office
branches, and Australia’s Westpac Bank. Sasser and its variants caused an estimated $14.8
billion to $18.6 billion in damages worldwide.
MyDoom.A
Worm
First appeared on January 26, 2004. Spreads as an e-mail attachment. Sends e-mail to
addresses harvested from infected machines, forging the sender’s address. At its peak this
worm lowered global Internet performance by 10 percent and Web page loading times by as
much as 50 percent. Was programmed to stop spreading after February 12, 2004.
Sobig.F
Worm
First detected on August 19, 2003. Spreads via e-mail attachments and sends massive
amounts of mail with forged sender information. Deactivated itself on September 10, 2003,
after infecting more than 1 million PCs and doing $5 to $10 billion in damage.
ILOVEYOU
Virus
First detected on May 3, 2000. Script virus written in Visual Basic script and transmitted as
an attachment to e-mail with the subject line ILOVEYOU. Overwrites music, image, and other
files with a copy of itself and did an estimated $10 billion to $15 billion in damage.
Melissa
Macro virus/
worm
First appeared in March 1999. Word macro script mailing infected Word file to first 50
entries in user’s Microsoft Outlook address book. Infected 15 to 29 percent of all business
PCs, causing $300 million to $600 million in damage.
297
298
Part Two Information Technology Infrastructure
because of malware and online scams, and the majority of these losses came
from malware (Consumer Reports, 2010).
A Trojan horse is a software program that appears to be benign but then
does something other than expected, such as the Zeus Trojan described in the
chapter-opening case. The Trojan horse is not itself a virus because it does not
replicate, but it is often a way for viruses or other malicious code to be introduced into a computer system. The term Trojan horse is based on the huge
wooden horse used by the Greeks to trick the Trojans into opening the gates to
their fortified city during the Trojan War. Once inside the city walls, Greek soldiers hidden in the horse revealed themselves and captured the city.
At the moment, SQL injection attacks are the largest malware threat. SQL
injection attacks take advantage of vulnerabilities in poorly coded Web application software to introduce malicious program code into a company’s systems
and networks. These vulnerabilities occur when a Web application fails to properly validate or filter data entered by a user on a Web page, which might occur
when ordering something online. An attacker uses this input validation error to
send a rogue SQL query to the underlying database to access the database, plant
malicious code, or access other systems on the network. Large Web applications
have hundreds of places for inputting user data, each of which creates an
opportunity for an SQL injection attack.
A large number of Web-facing applications are believed to have SQL injection
vulnerabilities, and tools are available for hackers to check Web applications for
these vulnerabilities. Such tools are able to locate a data entry field on a Web
page form, enter data into it, and check the response to see if shows vulnerability to a SQL injection.
Some types of spyware also act as malicious software. These small programs
install themselves surreptitiously on computers to monitor user Web surfing
activity and serve up advertising. Thousands of forms of spyware have been
documented.
Many users find such spyware annoying and some critics worry about its
infringement on computer users’ privacy. Some forms of spyware are especially nefarious. Keyloggers record every keystroke made on a computer to
steal serial numbers for software, to launch Internet attacks, to gain access to
e-mail accounts, to obtain passwords to protected computer systems, or to pick
up personal information such as credit card numbers. Other spyware programs
reset Web browser home pages, redirect search requests, or slow performance
by taking up too much memory. The Zeus Trojan described in the chapteropening case uses keylogging to steal financial information.
HACKERS AND COMPUTER CRIME
A hacker is an individual who intends to gain unauthorized access to a computer system. Within the hacking community, the term cracker is typically used
to denote a hacker with criminal intent, although in the public press, the terms
hacker and cracker are used interchangeably. Hackers and crackers gain unauthorized access by finding weaknesses in the security protections employed by
Web sites and computer systems, often taking advantage of various features of
the Internet that make it an open system that is easy to use.
Hacker activities have broadened beyond mere system intrusion to include
theft of goods and information, as well as system damage and cybervandalism,
the intentional disruption, defacement, or even destruction of a Web site or
corporate information system. For example, cybervandals have turned many of
the MySpace “group” sites, which are dedicated to interests such as home beer
Chapter 8 Securing Information Systems
brewing or animal welfare, into cyber-graffiti walls, filled with offensive
comments and photographs.
Spoofing and Sniffing
Hackers attempting to hide their true identities often spoof, or misrepresent,
themselves by using fake e-mail addresses or masquerading as someone else.
Spoofing also may involve redirecting a Web link to an address different from the
intended one, with the site masquerading as the intended destination. For example, if hackers redirect customers to a fake Web site that looks almost exactly like
the true site, they can then collect and process orders, effectively stealing
business as well as sensitive customer information from the true site. We provide
more detail on other forms of spoofing in our discussion of computer crime.
A sniffer is a type of eavesdropping program that monitors information
traveling over a network. When used legitimately, sniffers help identify
potential network trouble spots or criminal activity on networks, but when
used for criminal purposes, they can be damaging and very difficult to
detect. Sniffers enable hackers to steal proprietary information from
anywhere on a network, including e-mail messages, company files, and
confidential reports.
Denial-of-Service Attacks
In a denial-of-service (DoS) attack, hackers flood a network server or Web
server with many thousands of false communications or requests for services to
crash the network. The network receives so many queries that it cannot keep
up with them and is thus unavailable to service legitimate requests. A distributed denial-of-service (DDoS) attack uses numerous computers to inundate
and overwhelm the network from numerous launch points.
For example, during the 2009 Iranian election protests, foreign activists
trying to help the opposition engaged in DDoS attacks against Iran’s government. The official Web site of the Iranian government (ahmadinejad.ir) was
rendered inaccessible on several occasions.
Although DoS attacks do not destroy information or access restricted areas of
a company’s information systems, they often cause a Web site to shut down,
making it impossible for legitimate users to access the site. For busy
e-commerce sites, these attacks are costly; while the site is shut down,
customers cannot make purchases. Especially vulnerable are small and midsize
businesses whose networks tend to be less protected than those of large corporations.
Perpetrators of DoS attacks often use thousands of “zombie” PCs infected
with malicious software without their owners’ knowledge and organized into a
botnet. Hackers create these botnets by infecting other people’s computers
with bot malware that opens a back door through which an attacker can give
instructions. The infected computer then becomes a slave, or zombie, serving a
master computer belonging to someone else. Once a hacker infects enough
computers, her or she can use the amassed resources of the botnet to launch
DDos attacks, phishing campaigns, or unsolicited “spam” e-mail.
The number of computers that are part of botnets is variously estimated to
be from 6 to 24 million, with thousands of botnets operating worldwide. The
largest botnet attack in 2010 was the Mariposa botnet, which started in Spain
and spread across the world. Mariposa had infected and controlled about 12.7
million computers in its efforts to steal credit card numbers and online banking
passwords. More than half the Fortune 1000 companies, 40 major banks, and
numerous government agencies were infected—and did not know it.
299
300
Part Two Information Technology Infrastructure
The chapter-ending case study describes multiple waves of DDoS attacks targeting a number of Web sites of government agencies and other organizations
in South Korea and the United States in July 2009. The attacker used a botnet
controlling over 65,000 computers, and was able to cripple some of these sites
for several days. Most of the botnet originated from China, and North Korea.
Botnet attacks thought to have originated in Russia were responsible for crippling the Web sites of the Estonian government in April 2007 and the Georgian
government in July 2008.
Computer Crime
Most hacker activities are criminal offenses, and the vulnerabilities of systems
we have just described make them targets for other types of computer crime
as well. For example, in early July 2009, U.S. federal agents arrested Sergey
Aleynikov, a computer programmer at investment banking firm Goldman
Sachs, for stealing proprietary computer programs used in making lucrative
rapid-fire trades in the financial markets. The software brought Goldman many
millions of dollars of profits per year and, in the wrong hands, could have been
used to manipulate financial markets in unfair ways. Computer crime is
defined by the U.S. Department of Justice as “any violations of criminal law
that involve a knowledge of computer technology for their perpetration, investigation, or prosecution.” Table 8-2 provides examples of the computer as a
target of crime and as an instrument of crime.
No one knows the magnitude of the computer crime problem—how many
systems are invaded, how many people engage in the practice, or the total
economic damage. According to the 2009 CSI Computer Crime and Security
Survey of 500 companies, participants’ average annual loss from computer crime
and security attacks was close to $234,000 (Computer Security Institute, 2009).
Many companies are reluctant to report computer crimes because the crimes may
involve employees, or the company fears that publicizing its vulnerability will
hurt its reputation. The most economically damaging kinds of computer crime are
TABLE 8-2 EXAMPLES OF COMPUTER CRIME
COMPUTERS AS TARGETS OF CRIME
Breaching the confidentiality of protected computerized data
Accessing a computer system without authority
Knowingly accessing a protected computer to commit fraud
Intentionally accessing a protected computer and causing damage, negligently or deliberately
Knowingly transmitting a program, program code, or command that intentionally causes damage to a
protected computer
Threatening to cause damage to a protected computer
COMPUTERS AS INSTRUMENTS OF CRIME
Theft of trade secrets
Unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and
video
Schemes to defraud
Using e-mail for threats or harassment
Intentionally attempting to intercept electronic communication
Illegally accessing stored electronic communications, including e-mail and voice mail
Transmitting or possessing child pornography using a computer
Chapter 8 Securing Information Systems
DoS attacks, introducing viruses, theft of services, and disruption of computer systems.
Identity Theft
With the growth of the Internet and electronic commerce, identity theft has
become especially troubling. Identity theft is a crime in which an imposter
obtains key pieces of personal information, such as social security identification
numbers, driver’s license numbers, or credit card numbers, to impersonate
someone else. The information may be used to obtain credit, merchandise, or
services in the name of the victim or to provide the thief with false credentials.
According to Javelin Strategy and Research, losses from identity theft rose to
$54 billion in 2009, and over 11 million U.S. adults were victims of identity
fraud (Javelin Strategy & Research, 2010).
Identify theft has flourished on the Internet, with credit card files a major
target of Web site hackers. Moreover, e-commerce sites are wonderful sources
of customer personal information—name, address, and phone number. Armed
with this information, criminals are able to assume new identities and establish
new credit for their own purposes.
One increasingly popular tactic is a form of spoofing called phishing. Phishing
involves setting up fake Web sites or sending e-mail or text messages that look
like those of legitimate businesses to ask users for confidential personal data. The
message instructs recipients to update or confirm records by providing social
security numbers, bank and credit card information, and other confidential data
either by responding to the e-mail message, by entering the information at a
bogus Web site, or by calling a telephone number. EBay, PayPal, Amazon.com,
Walmart, and a variety of banks, are among the top spoofed companies.
New phishing techniques called evil twins and pharming are harder to
detect. Evil twins are wireless networks that pretend to offer trustworthy Wi-Fi
connections to the Internet, such as those in airport lounges, hotels, or coffee
shops. The bogus network looks identical to a legitimate public network.
Fraudsters try to capture passwords or credit card numbers of unwitting users
who log on to the network.
Pharming redirects users to a bogus Web page, even when the individual
types the correct Web page address into his or her browser. This is possible if
pharming perpetrators gain access to the Internet address information stored
by Internet service providers to speed up Web browsing and the ISP companies
have flawed software on their servers that allows the fraudsters to hack in and
change those addresses.
In the largest instance of identity theft to date, Alberto Gonzalez of Miami
and two Russian co-conspirators penetrated the corporate systems of TJX
Corporation, Hannaford Brothers, 7-Eleven, and other major retailers, stealing
over 160 million credit and debit card numbers between 2005 and 2008. The
group initially planted “sniffer” programs in these companies’ computer
networks that captured card data as they were being transmitted between
computer systems. They later switched to SQL injection attacks, which we
introduced earlier in this chapter, to penetrate corporate databases. In March
2010, Gonzalez was sentenced to 20 years in prison. TJX alone spent over $200
million to deal with its data theft, including legal settlements.
The U.S. Congress addressed the threat of computer crime in 1986 with the
Computer Fraud and Abuse Act. This act makes it illegal to access a computer
system without authorization. Most states have similar laws, and nations in
Europe have comparable legislation. Congress also passed the National
Information Infrastructure Protection Act in 1996 to make virus distribution
301
302
Part Two Information Technology Infrastructure
and hacker attacks that disable Web sites federal crimes. U.S. legislation, such
as the Wiretap Act, Wire Fraud Act, Economic Espionage Act, Electronic
Communications Privacy Act, E-mail Threats and Harassment Act, and Child
Pornography Act, covers computer crimes involving intercepting electronic
communication, using electronic communication to defraud, stealing trade
secrets, illegally accessing stored electronic communications, using e-mail for
threats or harassment, and transmitting or possessing child pornography.
Click Fraud
When you click on an ad displayed by a search engine, the advertiser typically
pays a fee for each click, which is supposed to direct potential buyers to its
products. Click fraud occurs when an individual or computer program fraudulently clicks on an online ad without any intention of learning more about the
advertiser or making a purchase. Click fraud has become a serious problem at
Google and other Web sites that feature pay-per-click online advertising.
Some companies hire third parties (typically from low-wage countries) to
fraudulently click on a competitor’s ads to weaken them by driving up their
marketing costs. Click fraud can also be perpetrated with software programs
doing the clicking, and botnets are often used for this purpose. Search engines
such as Google attempt to monitor click fraud but have been reluctant to
publicize their efforts to deal with the problem.
Global Threats: Cyberterrorism and Cyberwarfare
The cybercriminal activities we have described—launching malware, denial-ofservice attacks, and phishing probes—are borderless. Computer security firm
Sophos reported that 42 percent of the malware it identified in early 2010
originated in the United States, while 11 percent came from China, and 6 percent from Russia (Sophos, 2010). The global nature of the Internet makes it possible for cybercriminals to operate—and to do harm—anywhere in the world.
Concern is mounting that the vulnerabilities of the Internet or other
networks make digital networks easy targets for digital attacks by terrorists,
foreign intelligence services, or other groups seeking to create widespread
disruption and harm. Such cyberattacks might target the software that runs
electrical power grids, air traffic control systems, or networks of major banks
and financial institutions. At least 20 countries, including China, are believed to
be developing offensive and defensive cyberwarfare capabilities. The chapterending case study discusses this problem in greater detail.
INTERNAL THREATS: EMPLOYEES
We tend to think the security threats to a business originate outside the organization. In fact, company insiders pose serious security problems. Employees
have access to privileged information, and in the presence of sloppy internal
security procedures, they are often able to roam throughout an organization’s
systems without leaving a trace.
Studies have found that user lack of knowledge is the single greatest cause of
network security breaches. Many employees forget their passwords to access
computer systems or allow co-workers to use them, which compromises the
system. Malicious intruders seeking system access sometimes trick employees
into revealing their passwords by pretending to be legitimate members of the
company in need of information. This practice is called social engineering.
Both end users and information systems specialists are also a major source of
errors introduced into information systems. End users introduce errors by
Chapter 8 Securing Information Systems
entering faulty data or by not following the proper instructions for processing
data and using computer equipment. Information systems specialists may
create software errors as they design and develop new software or maintain
existing programs.
SOFTWARE VULNERABILITY
Software errors pose a constant threat to information systems, causing untold
losses in productivity. Growing complexity and size of software programs, coupled with demands for timely delivery to markets, have contributed to an
increase in software flaws or vulnerabilities For example, a database-related
software error prevented millions of JP Morgan Chase retail and small-business
customers from accessing their online bank accounts for two days in September
2010 (Dash, 2010).
A major problem with software is the presence of hidden bugs or program
code defects. Studies have shown that it is virtually impossible to eliminate all
bugs from large programs. The main source of bugs is the complexity of decision-making code. A relatively small program of several hundred lines will contain tens of decisions leading to hundreds or even thousands of different paths.
Important programs within most corporations are usually much larger, containing tens of thousands or even millions of lines of code, each with many times
the choices and paths of the smaller programs.
Zero defects cannot be achieved in larger programs. Complete testing simply
is not possible. Fully testing programs that contain thousands of choices and
millions of paths would require thousands of years. Even with rigorous testing,
you would not know for sure that a piece of software was dependable until the
product proved itself after much operational use.
Flaws in commercial software not only impede performance but also create
security vulnerabilities that open networks to intruders. Each year security
firms identify thousands of software vulnerabilities in Internet and PC software. For instance, in 2009, Symantec identified 384 browser vulnerabilities:
169 in Firefox, 94 in Safari, 45 in Internet Explorer, 41 in Chrome, and 25 in
Opera. Some of these vulnerabilities were critical (Symantec, 2010).
To correct software flaws once they are identified, the software vendor
creates small pieces of software called patches to repair the flaws without
disturbing the proper operation of the software. An example is Microsoft’s
Windows Vista Service Pack 2, released in April 2009, which includes some
security enhancements to counter malware and hackers. It is up to users of the
software to track these vulnerabilities, test, and apply all patches. This process
is called patch management.
Because a company’s IT infrastructure is typically laden with multiple
business applications, operating system installations, and other system
services, maintaining patches on all devices and services used by a company is
often time-consuming and costly. Malware is being created so rapidly that
companies have very little time to respond between the time a vulnerability
and a patch are announced and the time malicious software appears to exploit
the vulnerability.
The need to respond so rapidly to the torrent of security vulnerabilities even
creates defects in the software meant to combat them, including popular
antivirus products. What happened in the spring of 2010 to McAfee, a leading
vendor of commercial antivirus software is an example, as discussed in the
Interactive Session on Management.
303
308
Part Two Information Technology Infrastructure
8.3
ESTABLISHING A FRAMEWORK FOR SECURITY
AND CONTROL
Even with the best security tools, your information systems won’t be reliable
and secure unless you know how and where to deploy them. You’ll need to
know where your company is at risk and what controls you must have in place
to protect your information systems. You’ll also need to develop a security
policy and plans for keeping your business running if your information systems
aren’t operational.
INFORMATION SYSTEMS CONTROLS
Information systems controls are both manual and automated and consist of
both general controls and application controls. General controls govern the
design, security, and use of computer programs and the security of data files in
general throughout the organization’s information technology infrastructure.
On the whole, general controls apply to all computerized applications and
consist of a combination of hardware, software, and manual procedures that
create an overall control environment.
General controls include software controls, physical hardware controls,
computer operations controls, data security controls, controls over implementation of system processes, and administrative controls. Table 8-3 describes the
functions of each of these controls.
Application controls are specific controls unique to each computerized
application, such as payroll or order processing. They include both automated
and manual procedures that ensure that only authorized data are completely
and accurately processed by that application. Application controls can be
classified as (1) input controls, (2) processing controls, and (3) output controls.
Input controls check data for accuracy and completeness when they enter
the system. There are specific input controls for input authorization, data
conversion, data editing, and error handling. Processing controls establish that
data are complete and accurate during updating. Output controls ensure that
TABLE 8-3 GENERAL CONTROLS
TYPE OF GENERAL CONTROL
DESCRIPTION
Software controls
Monitor the use of system software and prevent unauthorized access of software programs, system
software, and computer programs.
Hardware controls
Ensure that computer hardware is physically secure, and check for equipment malfunction. Organizations
that are critically dependent on their computers also must make provisions for backup or continued
operation to maintain constant service.
Computer operations controls
Oversee the work of the computer department to ensure that programmed procedures are consistently
and correctly applied to the storage and processing of data. They include controls over the setup of
computer processing jobs and backup and recovery procedures for processing that ends abnormally.
Data security controls
Ensure that valuable business data files on either disk or tape are not subject to unauthorized access,
change, or destruction while they are in use or in storage.
Implementation controls
Audit the systems development process at various points to ensure that the process is properly
controlled and managed.
Administrative controls
Formalize standards, rules, procedures, and control disciplines to ensure that the organization’s general
and application controls are properly executed and enforced.
Chapter 8 Securing Information Systems
the results of computer processing are accurate, complete, and properly
distributed. You can find more detail about application and general controls in
our Learning Tracks.
RISK ASSESSMENT
Before your company commits resources to security and information systems
controls, it must know which assets require protection and the extent to which
these assets are vulnerable. A risk assessment helps answer these questions
and determine the most cost-effective set of controls for protecting assets.
A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not all risks can be anticipated and
measured, but most businesses will be able to acquire some understanding of
the risks they face. Business managers working with information systems
specialists should try to determine the value of information assets, points of
vulnerability, the likely frequency of a problem, and the potential for damage.
For example, if an event is likely to occur no more than once a year, with a
maximum of a $1,000 loss to the organization, it is not be wise to spend $20,000
on the design and maintenance of a control to protect against that event.
However, if that same event could occur at least once a day, with a potential
loss of more than $300,000 a year, $100,000 spent on a control might be
entirely appropriate.
Table 8-4 illustrates sample results of a risk assessment for an online order
processing system that processes 30,000 orders per day. The likelihood of each
exposure occurring over a one-year period is expressed as a percentage. The
next column shows the highest and lowest possible loss that could be expected
each time the exposure occurred and an average loss calculated by adding the
highest and lowest figures together and dividing by two. The expected annual
loss for each exposure can be determined by multiplying the average loss by its
probability of occurrence.
This risk assessment shows that the probability of a power failure occurring
in a one-year period is 30 percent. Loss of order transactions while power is
down could range from $5,000 to $200,000 (averaging $102,500) for each occurrence, depending on how long processing is halted. The probability of embezzlement occurring over a yearly period is about 5 percent, with potential losses
ranging from $1,000 to $50,000 (and averaging $25,500) for each occurrence.
User errors have a 98 percent chance of occurring over a yearly period, with
losses ranging from $200 to $40,000 (and averaging $20,100) for each occurrence.
Once the risks have been assessed, system builders will concentrate on the
control points with the greatest vulnerability and potential for loss. In this case,
controls should focus on ways to minimize the risk of power failures and user
errors because anticipated annual losses are highest for these areas.
TABLE 8-4 ONLINE ORDER PROCESSING RISK ASSESSMENT
EXPOSURE
PROBABILITY OF
OCCURRENCE (%)
LOSS RANGE/
AVERAGE ($)
EXPECTED
ANNUAL LOSS ($)
Power failure
30%
$5,000–$200,000 ($102,500)
$30,750
Embezzlement
5%
$1,000–$50,000 ($25,500)
$1,275
98%
$200–$40,000 ($20,100)
$19,698
User error
309
310
Part Two Information Technology Infrastructure
SECURITY POLICY
Once you’ve identified the main risks to your systems, your company will need
to develop a security policy for protecting the company’s assets. A security
policy consists of statements ranking information risks, identifying acceptable
security goals, and identifying the mechanisms for achieving these goals. What
are the firm’s most important information assets? Who generates and controls
this information in the firm? What existing security policies are in place to protect the information? What level of risk is management willing to accept for
each of these assets? Is it willing, for instance, to lose customer credit data once
every 10 years? Or will it build a security system for credit card data that can
withstand the once-in-a-hundred-year disaster? Management must estimate
how much it will cost to achieve this level of acceptable risk.
The security policy drives policies determining acceptable use of the firm’s
information resources and which members of the company have access to its
information assets. An acceptable use policy (AUP) defines acceptable uses of
the firm’s information resources and computing equipment, including desktop
and laptop computers, wireless devices, telephones, and the Internet. The policy
should clarify company policy regarding privacy, user responsibility, and personal use of company equipment and networks. A good AUP defines unacceptable and acceptable actions for every user and specifies consequences for noncompliance. For example, security policy at Unilever, the giant multinational
consumer goods company, requires every employee equipped with a laptop or
mobile handheld device to use a company-specified device and employ a password or other method of identification when logging onto the corporate network.
Security policy also includes provisions for identity management. Identity
management consists of business processes and software tools for identifying
the valid users of a system and controlling their access to system resources. It
includes policies for identifying and authorizing different categories of system
users, specifying what systems or portions of systems each user is allowed to
access, and the processes and technologies for authenticating users and
protecting their identities.
Figure 8-3 is one example of how an identity management system might capture the access rules for different levels of users in the human resources function. It specifies what portions of a human resource database each user is permitted to access, based on the information required to perform that person’s
job. The database contains sensitive personal information such as employees’
salaries, benefits, and medical histories.
The access rules illustrated here are for two sets of users. One set of users
consists of all employees who perform clerical functions, such as inputting
employee data into the system. All individuals with this type of profile can
update the system but can neither read nor update sensitive fields, such as
salary, medical history, or earnings data. Another profile applies to a divisional
manager, who cannot update the system but who can read all employee data
fields for his or her division, including medical history and salary. We provide
more detail on the technologies for user authentication later on in this chapter.
DISASTER RECOVERY PLANNING AND BUSINESS
CONTINUITY PLANNING
If you run a business, you need to plan for events, such as power outages,
floods, earthquakes, or terrorist attacks that will prevent your information systems and your business from operating. Disaster recovery planning devises
Chapter 8 Securing Information Systems
FIGURE 8-3
ACCESS RULES FOR A PERSONNEL SYSTEM
These two examples represent two security profiles or data security patterns that might be found in a
personnel system. Depending on the access rules, a user would have certain restrictions on access to
various systems, locations, or data in an organization.
plans for the restoration of computing and communications services after they
have been disrupted. Disaster recovery plans focus primarily on the technical
issues involved in keeping systems up and running, such as which files to back
up and the maintenance of backup computer systems or disaster recovery
services.
For example, MasterCard maintains a duplicate computer center in Kansas
City, Missouri, to serve as an emergency backup to its primary computer center
in St. Louis. Rather than build their own backup facilities, many firms contract
with disaster recovery firms, such as Comdisco Disaster Recovery Services in
Rosemont, Illinois, and SunGard Availability Services, headquartered in Wayne,
Pennsylvania. These disaster recovery firms provide hot sites housing spare
computers at locations around the country where subscribing firms can run
their critical applications in an emergency. For example, Champion
Technologies, which supplies chemicals used in oil and gas operations, is able
to switch its enterprise systems from Houston to a SunGard hot site in
Scottsdale, Arizona, in two hours.
Business continuity planning focuses on how the company can restore business operations after a disaster strikes. The business continuity plan identifies
critical business processes and determines action plans for handling mission-critical functions if systems go down. For example, Deutsche Bank, which provides
investment banking and asset management services in 74 different countries, has
a well-developed business continuity plan that it continually updates and refines.
It maintains full-time teams in Singapore, Hong Kong, Japan, India, and Australia
311
312
Part Two Information Technology Infrastructure
to coordinate plans addressing loss of facilities, personnel, or critical systems so
that the company can continue to operate when a catastrophic event occurs.
Deutsche Bank’s plan distinguishes between processes critical for business
survival and those critical to crisis support and is coordinated with the company’s
disaster recovery planning for its computer centers.
Business managers and information technology specialists need to work
together on both types of plans to determine which systems and business
processes are most critical to the company. They must conduct a business
impact analysis to identify the firm’s most critical systems and the impact a
systems outage would have on the business. Management must determine the
maximum amount of time the business can survive with its systems down and
which parts of the business must be restored first.
THE ROLE OF AUDITING
How does management know that information systems security and controls
are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit examines the firm’s overall security
environment as well as controls governing individual information systems. The
auditor should trace the flow of sample transactions through the system and
perform tests, using, if appropriate, automated audit software. The MIS audit
may also examine data quality.
Security audits review technologies, procedures, documentation, training,
and personnel. A thorough audit will even simulate an attack or disaster to test
the response of the technology, information systems staff, and business
employees.
The audit lists and ranks all control weaknesses and estimates the probability of their occurrence. It then assesses the financial and organizational impact
of each threat. Figure 8-4 is a sample auditor’s listing of control weaknesses for
a loan system. It includes a section for notifying management of such weaknesses and for management’s response. Management is expected to devise a
plan for countering significant weaknesses in controls.
8.4
TECHNOLOGIES AND TOOLS FOR PROTECTING
INFORMATION RESOURCES
Businesses have an array of technologies for protecting their information
resources. They include tools for managing user identities, preventing unauthorized access to systems and data, ensuring system availability, and ensuring
software quality.
IDENTITY MANAGEMENT AND AUTHENTICATION
Large and midsize companies have complex IT infrastructures and many
different systems, each with its own set of users. Identity management software
automates the process of keeping track of all these users and their system
privileges, assigning each user a unique digital identity for accessing each
system. It also includes tools for authenticating users, protecting user identities,
and controlling access to system resources.
To gain access to a system, a user must be authorized and authenticated.
Authentication refers to the ability to know that a person is who he or she
Chapter 10 E-commerce: Digital Markets, Digital Goods
10.1 E-COMMERCE AND THE INTERNET
H
ave you ever purchased music over the Web or streamed a movie?
Have you ever used the Web to search for information about your
sneakers before you bought them in a retail store? If so, you’ve
participated in e-commerce. In 2010, 133 million adult Americans
bought something online, as did millions of others worldwide. And although
most purchases still take place through traditional channels, e-commerce
continues to grow rapidly and to transform the way many companies do
business. In 2010, e-commerce represents about 6 percent of all retail sales in
the United States, and is growing at 12 percent annually (eMarketer, 2010a).
E-COMMERCE TODAY
E-commerce refers to the use of the Internet and the Web to transact business.
More formally, e-commerce is about digitally enabled commercial transactions
between and among organizations and individuals. For the most part, this
means transactions that occur over the Internet and the Web. Commercial
transactions involve the exchange of value (e.g., money) across organizational
or individual boundaries in return for products and services.
E-commerce began in 1995 when one of the first Internet portals,
Netscape.com, accepted the first ads from major corporations and popularized
the idea that the Web could be used as a new medium for advertising and sales.
No one envisioned at the time what would turn out to be an exponential growth
curve for e-commerce retail sales, which doubled and tripled in the early years.
E-commerce grew at double-digit rates until the recession of 2008–2009 when
growth slowed to a crawl. In 2009, e-commerce revenues were flat (Figure 10-1),
not bad considering that traditional retail sales were shrinking by 5 percent
annually. In fact, e-commerce during the recession was the only stable segment
in retail. Some online retailers forged ahead at a record pace: Amazon’s 2009
revenues were up 25 percent over 2008 sales. Despite the recession, in 2010, the
FIGURE 10-1
THE GROWTH OF E-COMMERCE
Retail e-commerce revenues grew 15–25 percent per year until the recession of 2008–2009, when they slowed measurably. In 2010,
e-commerce revenues are growing again at an estimated 12 percent annually.
373
374
Part Three Key System Applications for the Digital Age
number of online buyers increased by 6 percent to 133 million, and the average
annual purchase is up 5 percent to $1,139. Amazon’s sales grew by 28 percent
in the year.
Mirroring the history of many technological innovations, such as the
telephone, radio, and television, the very rapid growth in e-commerce in the
early years created a market bubble in e-commerce stocks. Like all bubbles, the
“dot-com” bubble burst (in March 2001). A large number of e-commerce companies failed during this process. Yet for many others, such as Amazon, eBay,
Expedia, and Google, the results have been more positive: soaring revenues,
fine-tuned business models that produce profits, and rising stock prices. By
2006, e-commerce revenues returned to solid growth, and have continued to be
the fastest growing form of retail trade in the United States, Europe, and Asia.
• Online consumer sales grew to an estimated $225 billion in 2010, an increase
of more than 12 percent over 2009 (including travel services and digital downloads), with 133 million people purchasing online and 162 million shopping
and gathering information but not necessarily purchasing (eMarketer, 2010a).
• The number of individuals of all ages online in the United States expanded to
221 million in 2010, up from 147 million in 2004. In the world, over 1.9
billion people are now connected to the Internet. Growth in the overall
Internet population has spurred growth in e-commerce (eMarketer, 2010b).
• Approximately 80 million households have broadband access to the Internet
in 2010, representing about 68 percent of all households.
• About 83 million Americans now access the Internet using a smartphone
such as an iPhone, Droid, or BlackBerry. Mobile e-commerce has begun a
rapid growth based on apps, ring tones, downloaded entertainment, and
location-based services. In a few years, mobile phones will be the most
common Internet access device.
• On an average day, an estimated 128 million adult U.S. Internet users go
online. About 102 million send e-mail, 81 million use a search engine, and 71
million get news. Around 63 million use a social network, 43 million do
online banking, 38 million watch an online video, and 28 million look for
information on Wikipedia (Pew Internet & American Life Project, 2010).
• B2B e-commerce-use of the Internet for business-to-business commerce and
collaboration among business partners expanded to more than $3.6 trillion.
The e-commerce revolution is still unfolding. Individuals and businesses will
increasingly use the Internet to conduct commerce as more products and
services come online and households switch to broadband telecommunications.
More industries will be transformed by e-commerce, including travel reservations, music and entertainment, news, software, education, and finance.
Table 10-1 highlights these new e-commerce developments.
WHY E-COMMERCE IS DIFFERENT
Why has e-commerce grown so rapidly? The answer lies in the unique nature
of the Internet and the Web. Simply put, the Internet and e-commerce
technologies are much more rich and powerful than previous technology
revolutions like radio, television, and the telephone. Table 10-2 describes the
unique features of the Internet and Web as a commercial medium. Let’s explore
each of these unique features in more detail.
Ubiquity
In traditional commerce, a marketplace is a physical place, such as a retail
store, that you visit to transact business. E-commerce is ubiquitous, meaning
Chapter 10 E-commerce: Digital Markets, Digital Goods
TABLE 10-1 THE GROWTH OF E-COMMERCE
BUSINESS TRANSFORMATION
•
E-commerce remains the fastest growing form of commerce when compared to physical retail stores,
services, and entertainment.
•
The first wave of e-commerce transformed the business world of books, music, and air travel. In the
second wave, nine new industries are facing a similar transformation scenario: marketing and
advertising, telecommunications, movies, television, jewelry and luxury goods, real estate, online travel,
bill payments, and software.
•
The breadth of e-commerce offerings grows, especially in the services economy of social networking,
travel, information clearinghouses, entertainment, retail apparel, appliances, and home furnishings.
•
The online demographics of shoppers broaden to match that of ordinary shoppers.
•
Pure e-commerce business models are refined further to achieve higher levels of profitability, whereas
traditional retail brands, such as Sears, JCPenney, L.L.Bean, and Walmart, use e-commerce to retain
their dominant retail positions.
•
Small businesses and entrepreneurs continue to flood the e-commerce marketplace, often riding on the
infrastructures created by industry giants, such as Amazon, Apple, and Google, and increasingly taking
advantage of cloud-based computing resources.
•
Mobile e-commerce begins to take off in the United States with location-based services and
entertainment downloads including e-books.
TECHNOLOGY FOUNDATIONS
•
Wireless Internet connections (Wi-Fi, WiMax, and 3G/4G smart phones) grow rapidly.
•
Powerful handheld mobile devices support music, Web surfing, and entertainment as well as voice
communication. Podcasting and streaming take off as mediums for distribution of video, radio, and
user-generated content.
•
The Internet broadband foundation becomes stronger in households and businesses as transmission
prices fall. More than 80 million households had broadband cable or DSL access to the Internet in 2010
,about 68 percent of all households in the United States (eMarketer, 2010a).
•
Social networking software and sites such as Facebook, MySpace, Twitter, LinkedIn, and thousands of
others become a major new platform for e-commerce, marketing, and advertising. Facebook hits 500
million users worldwide, and 180 million in the United States (comScore, 2010).
•
New Internet-based models of computing, such as cloud computing, software as a service (SaaS), and
Web 2.0 software greatly reduce the cost of e-commerce Web sites.
NEW BUSINESS MODELS EMERGE
•
More than half the Internet user population have joined an online social network, contribute to social
bookmarking sites, create blogs, and share photos. Together these sites create a massive online
audience as large as television that is attractive to marketers.
•
The traditional advertising business model is severely disrupted as Google and other technology
players such as Microsoft and Yahoo! seek to dominate online advertising, and expand into offline ad
brokerage for television and newspapers.
•
Newspapers and other traditional media adopt online, interactive models but are losing advertising
revenues to the online players despite gaining online readers.
•
Online entertainment business models offering television, movies, music, sports, and e-books surge,
with cooperation among the major copyright owners in Hollywood and New York with the Internet
distributors like Google, YouTube, Facebook, and Microsoft.
that is it available just about everywhere, at all times. It makes it possible to
shop from your desktop, at home, at work, or even from your car, using mobile
commerce. The result is called a marketspace—a marketplace extended
beyond traditional boundaries and removed from a temporal and geographic
location.
375
376
Part Three Key System Applications for the Digital Age
TABLE 10-2 EIGHT UNIQUE FEATURES OF E-COMMERCE TECHNOLOGY
E-commerce Technology Dimension
Business Significance
Ubiquity. Internet/Web technology is
available everywhere: at work, at home,
and elsewhere via mobile devices.
The marketplace is extended beyond traditional
boundaries and is removed from a temporal
and geographic location. “Marketspace” anytime,
is created; shopping can take place anywhere.
Customer convenience is enhanced, and shopping
costs are reduced.
Global reach. The technology reaches
across national boundaries, around the Earth.
Commerce is enabled across cultural and national
boundaries seamlessly and without modification.
The marketspace includes, potentially, billions of
consumers and millions of businesses worldwide.
Universal standards. There is one set of
technology standards, namely Internet standards.
With one set of technical standards across the
globe, disparate computer systems can easily
communicate with each other.
Richness. Video, audio, and text messages
are possible.
Video, audio, and text marketing messages are
integrated into a single marketing message and
consumer experience.
Interactivity. The technology works through
interaction with the user.
Consumers are engaged in a dialog that
dynamically adjusts the experience to the
individual, and makes the consumer a
co-participant in the process of delivering goods to
the market.
Information Density. The technology
reduces information costs and raises quality.
Information processing, storage, and
communication costs drop dramatically, whereas
currency, accuracy, and timeliness improve greatly.
Information becomes plentiful, cheap, and more
accurate.
Personalization/Customization. The technology
allows personalized messages to be delivered
to individuals as well as groups.
Personalization of marketing messages and
customization of products and services are based
on individual characteristics.
Social technology. User content generation
and social networking.
New Internet social and business models enable
user content creation and distribution, and support
social networks.
From a consumer point of view, ubiquity reduces transaction costs—the
costs of participating in a market. To transact business, it is no longer necessary
that you spend time or money traveling to a market, and much less mental
effort is required to make a purchase.
Global Reach
E-commerce technology permits commercial transactions to cross cultural and
national boundaries far more conveniently and cost effectively than is true in
traditional commerce. As a result, the potential market size for e-commerce
merchants is roughly equal to the size of the world’s online population (estimated
to be more than 1.9 billion, and growing rapidly) (Internetworldstats.com, 2010).
In contrast, most traditional commerce is local or regional—it involves local
merchants or national merchants with local outlets. Television and radio
stations and newspapers, for instance, are primarily local and regional institutions with limited, but powerful, national networks that can attract a national
audience but not easily cross national boundaries to a global audience.
Chapter 10 E-commerce: Digital Markets, Digital Goods
Universal Standards
One strikingly unusual feature of e-commerce technologies is that the technical
standards of the Internet and, therefore, the technical standards for conducting
e-commerce are universal standards. They are shared by all nations around the
world and enable any computer to link with any other computer regardless of
the technology platform each is using. In contrast, most traditional commerce
technologies differ from one nation to the next. For instance, television and
radio standards differ around the world, as does cell telephone technology.
The universal technical standards of the Internet and e-commerce greatly
lower market entry costs—the cost merchants must pay simply to bring their
goods to market. At the same time, for consumers, universal standards reduce
search costs—the effort required to find suitable products.
Richness
Information richness refers to the complexity and content of a message.
Traditional markets, national sales forces, and small retail stores have great
richness: They are able to provide personal, face-to-face service using aural and
visual cues when making a sale. The richness of traditional markets makes
them powerful selling or commercial environments. Prior to the development
of the Web, there was a trade-off between richness and reach: The larger the
audience reached, the less rich the message. The Web makes it possible to
deliver rich messages with text, audio, and video simultaneously to large numbers of people.
Interactivity
Unlike any of the commercial technologies of the twentieth century, with the
possible exception of the telephone, e-commerce technologies are interactive,
meaning they allow for two-way communication between merchant and
consumer. Television, for instance, cannot ask viewers any questions or enter
into conversations with them, and it cannot request that customer information
be entered into a form. In contrast, all of these activities are possible on an
e-commerce Web site. Interactivity allows an online merchant to engage a
consumer in ways similar to a face-to-face experience but on a massive, global
scale.
Information Density
The Internet and the Web vastly increase information density—the total
amount and quality of information available to all market participants,
consumers, and merchants alike. E-commerce technologies reduce information
collection, storage, processing, and communication costs while greatly increasing the currency, accuracy, and timeliness of information.
Information density in e-commerce markets make prices and costs more
transparent. Price transparency refers to the ease with which consumers can
find out the variety of prices in a market; cost transparency refers to the
ability of consumers to discover the actual costs merchants pay for products.
There are advantages for merchants as well. Online merchants can discover
much more about consumers than in the past. This allows merchants to
segment the market into groups that are willing to pay different prices and
permits the merchants to engage in price discrimination—selling the same
goods, or nearly the same goods, to different targeted groups at different prices.
For instance, an online merchant can discover a consumer’s avid interest in
expensive, exotic vacations and then pitch high-end vacation plans to that
consumer at a premium price, knowing this person is willing to pay extra for
377
378
Part Three Key System Applications for the Digital Age
such a vacation. At the same time, the online merchant can pitch the same
vacation plan at a lower price to a more price-sensitive consumer. Information
density also helps merchants differentiate their products in terms of cost,
brand, and quality.
Personalization/Customization
E-commerce technologies permit personalization: Merchants can target their
marketing messages to specific individuals by adjusting the message to a
person’s name, interests, and past purchases. The technology also permits
customization—changing the delivered product or service based on a user’s
preferences or prior behavior. Given the interactive nature of e-commerce
technology, much information about the consumer can be gathered in the
marketplace at the moment of purchase. With the increase in information
density, a great deal of information about the consumer’s past purchases and
behavior can be stored and used by online merchants.
The result is a level of personalization and customization unthinkable with
traditional commerce technologies. For instance, you may be able to shape
what you see on television by selecting a channel, but you cannot change the
content of the channel you have chosen. In contrast, the Wall Street Journal
Online allows you to select the type of news stories you want to see first and
gives you the opportunity to be alerted when certain events happen.
S o c i a l Te c h n o l o g y : U s e r C o n t e n t G e n e r a t i o n a n d S o c i a l
Networking
In contrast to previous technologies, the Internet and e-commerce technologies
have evolved to be much more social by allowing users to create and share with
their personal friends (and a larger worldwide community) content in the form
of text, videos, music, or photos. Using these forms of communication, users are
able to create new social networks and strengthen existing ones.
All previous mass media in modern history, including the printing press, use
a broadcast model (one-to-many) where content is created in a central location
by experts (professional writers, editors, directors, and producers) and
audiences are concentrated in huge numbers to consume a standardized
product. The new Internet and e-commerce empower users to create and
distribute content on a large scale, and permit users to program their own
content consumption. The Internet provides a unique many-to-many model of
mass communications.
KEY CONCEPTS IN E-COMMERCE: DIGITAL MARKETS
AND DIGITAL GOODS IN A GLOBAL MARKETPLACE
The location, timing, and revenue models of business are based in some part on
the cost and distribution of information. The Internet has created a digital
marketplace where millions of people all over the world are able to exchange
massive amounts of information directly, instantly, and for free. As a result, the
Internet has changed the way companies conduct business and increased their
global reach.
The Internet reduces information asymmetry. An information asymmetry
exists when one party in a transaction has more information that is important
for the transaction than the other party. That information helps determine
their relative bargaining power. In digital markets, consumers and suppliers
can “see” the prices being charged for goods, and in that sense digital markets
are said to be more “transparent” than traditional markets.
Chapter 10 E-commerce: Digital Markets, Digital Goods
For example, before auto retailing sites appeared on the Web, there was a
significant information asymmetry between auto dealers and customers. Only
the auto dealers knew the manufacturers’ prices, and it was difficult for
consumers to shop around for the best price. Auto dealers’ profit margins
depended on this asymmetry of information. Today’s consumers have access to
a legion of Web sites providing competitive pricing information, and threefourths of U.S. auto buyers use the Internet to shop around for the best deal.
Thus, the Web has reduced the information asymmetry surrounding an auto
purchase. The Internet has also helped businesses seeking to purchase from
other businesses reduce information asymmetries and locate better prices and
terms.
Digital markets are very flexible and efficient because they operate with
reduced search and transaction costs, lower menu costs (merchants’ costs of
changing prices), greater price discrimination, and the ability to change prices
dynamically based on market conditions. In dynamic pricing, the price of a
product varies depending on the demand characteristics of the customer or the
supply situation of the seller.
These new digital markets may either reduce or increase switching costs,
depending on the nature of the product or service being sold, and they may
cause some extra delay in gratification. Unlike a physical market, you can’t
immediately consume a product such as clothing purchased over the Web
(although immediate consumption is possible with digital music downloads and
other digital products.)
Digital markets provide many opportunities to sell directly to the consumer,
bypassing intermediaries, such as distributors or retail outlets. Eliminating
intermediaries in the distribution channel can significantly lower purchase
transaction costs. To pay for all the steps in a traditional distribution channel,
a product may have to be priced as high as 135 percent of its original cost to
manufacture.
Figure 10-2 illustrates how much savings result from eliminating each of these
layers in the distribution process. By selling directly to consumers or reducing
the number of intermediaries, companies are able to raise profits while charging
lower prices. The removal of organizations or business process layers responsible for intermediary steps in a value chain is called disintermediation.
FIGURE 10-2
THE BENEFITS OF DISINTERMEDIATION TO THE CONSUMER
The typical distribution channel has several intermediary layers, each of which adds to the final cost of
a product, such as a sweater. Removing layers lowers the final cost to the consumer.
379
380
Part Three Key System Applications for the Digital Age
Disintermediation is affecting the market for services. Airlines and hotels
operating their own reservation sites online earn more per ticket because they
have eliminated travel agents as intermediaries. Table 10-3 summarizes the
differences between digital markets and traditional markets.
Digital Goods
The Internet digital marketplace has greatly expanded sales of digital goods.
Digital goods are goods that can be delivered over a digital network. Music
tracks, video, Hollywood movies, software, newspapers, magazines, and books
can all be expressed, stored, delivered, and sold as purely digital products.
Currently, most of these products are sold as physical goods, for example, CDs,
DVDs, newspapers, and hard-copy books. But the Internet offers the possibility
of delivering all these products on demand as digital products.
In general, for digital goods, the marginal cost of producing another unit is
about zero (it costs nothing to make a copy of a music file). However, the cost of
producing the original first unit is relatively high—in fact, it is nearly the total
cost of the product because there are few other costs of inventory and distribution. Costs of delivery over the Internet are very low, marketing costs remain
the same, and pricing can be highly variable. (On the Internet, the merchant
can change prices as often as desired because of low menu costs.)
The impact of the Internet on the market for these kinds of digital goods is
nothing short of revolutionary, and we see the results around us every day.
Businesses dependent on physical products for sales—such as bookstores,
book publishers, music labels, and film studios—face the possibility of declining sales and even destruction of their businesses. Newspapers and magazines are losing readers to the Internet, and losing advertisers even as online
newspaper readership soars. Record label companies are losing sales to music
download sites and Internet piracy, and music stores are going out of business. Video rental firms, such as Blockbuster (now in bankruptcy), based on a
physical DVD market and physical stores, lost sales to Netflix using an
Internet catalog and streaming video model. Hollywood studios as well face
the prospect that Internet pirates will distribute their product as a digital
stream, bypassing Hollywood’s monopoly on DVD rentals and sales, which
TABLE 10-3 DIGITAL MARKETS COMPARED TO TRADITIONAL MARKETS
DIGITAL MARKETS
TRADITIONAL MARKETS
Information asymmetry
Asymmetry reduced
Asymmetry high
Search costs
Low
High
Transaction costs
Low (sometimes virtually nothing)
High (time, travel)
Delayed gratification
High (or lower in the case of
a digital good)
Lower: purchase now
Menu costs
Low
High
Dynamic pricing
Low cost, instant
High cost, delayed
Price discrimination
Low cost, instant
High cost, delayed
Market segmentation
Low cost, moderate precision
High cost, less precision
Switching costs
Higher/lower (depending on
product characteristics)
High
Network effects
Strong
Weaker
Disintermediation
More possible/likely
Less possible/unlikely
Chapter 10 E-commerce: Digital Markets, Digital Goods
now accounts for more than half of industry film revenues. To date, pirated
movies have not seriously threatened Hollywood revenues in part because
the major film studios and Internet distributors like YouTube, Amazon, and
Apple are learning how to cooperate. Table 10.4 describes digital goods and
how they differ from traditional physical goods.
10.2 E-COMMERCE: BUSINESS AND TECHNOLOGY
E-commerce has grown from a few advertisements on early Web portals in
1995, to over 6 percent of all retail sales in 2010 (an estimated $255 billion),
surpassing the mail order catalog business. E-commerce is a fascinating combination of business models and new information technologies. Let’s start with a
basic understanding of the types of e-commerce, and then describe
e-commerce business and revenue models. We’ll also cover new technologies
that help companies reach over 221 million online consumers in the United
States, and an estimated 800 million more worldwide.
TYPES OF E-COMMERCE
There are many ways to classify electronic commerce transactions. One is by
looking at the nature of the participants in the electronic commerce transaction.
The three major electronic commerce categories are business-to-consumer
(B2C) e-commerce, business-to-business (B2B) e-commerce, and consumer-toconsumer (C2C) e-commerce.
• Business-to-consumer (B2C) electronic commerce involves retailing
products and services to individual shoppers. BarnesandNoble.com, which
sells books, software, and music to individual consumers, is an example of
B2C e-commerce.
• Business-to-business (B2B) electronic commerce involves sales of goods
and services among businesses. ChemConnect’s Web site for buying and
selling chemicals and plastics is an example of B2B e-commerce.
• Consumer-to-consumer (C2C) electronic commerce involves consumers
selling directly to consumers. For example, eBay, the giant Web auction site,
enables people to sell their goods to other consumers by auctioning their merchandise off to the highest bidder, or for a fixed price. Craigslist is the most
widely used platform used by consumers to buy from and sell directly to others.
TABLE 10-4 HOW THE INTERNET CHANGES THE MARKETS FOR DIGITAL
GOODS
Marginal cost/unit
DIGITAL GOODS
TRADITIONAL GOODS
Zero
Greater than zero , high
Cost of production
High (most of the cost)
Variable
Copying cost
Approximately 0
Greater than zero, high
Distributed delivery cost
Low
High
Inventory cost
Low
High
Marketing cost
Variable
Variable
Pricing
More variable (bundling,
random pricing games)
Fixed, based on unit costs
381
382
Part Three Key System Applications for the Digital Age
Another way of classifying electronic commerce transactions is in terms of
the platforms used by participants in a transaction. Until recently, most
e-commerce transactions took place using a personal computer connected to
the Internet over wired networks. Two wireless mobile alternatives have
emerged: smartphones and dedicated e-readers like the Kindle using cellular
networks, and smartphones and small tablet computers using Wi-Fi wireless
networks. The use of handheld wireless devices for purchasing goods and services from any location is termed mobile commerce or m-commerce. Both
business-to-business and business-to-consumer e-commerce transactions can
take place using m-commerce technology, which we discuss in detail in
Section 10.3.
E-COMMERCE BUSINESS MODELS
Changes in the economics of information described earlier have created the
conditions for entirely new business models to appear, while destroying older
business models. Table 10-5 describes some of the most important Internet
business models that have emerged. All, in one way or another, use the
Internet to add extra value to existing products and services or to provide the
foundation for new products and services.
Portal
Portals such as Google, Bing, Yahoo, MSN, and AOL offer powerful Web
search tools as well as an integrated package of content and services, such as
news, e-mail, instant messaging, maps, calendars, shopping, music downloads, video streaming, and more, all in one place. Initially, portals were
primarily “gateways” to the Internet. Today, however, the portal business
model provides a destination site where users start their Web searching and
linger to read news, find entertainment, and meet other people, and be
exposed to advertising. Portals generate revenue primarily by attracting very
large audiences, charging advertisers for ad placement, collecting referral
fees for steering customers to other sites, and charging for premium services.
In 2010, portals generated an estimated $13.5 billion in revenues. Although
there are hundreds of portal/search engine sites, the top five sites
(Google, Yahoo, MSN/Bing, AOL, and Ask.com) gather more than 95 percent
of the Internet traffic because of their superior brand recognition (eMarketer,
2010e).
E-tailer
Online retail stores, often called e-tailers, come in all sizes, from giant Amazon
with 2010 revenues of more than $24 billion, to tiny local stores that have Web
sites. An e-tailer is similar to the typical bricks-and-mortar storefront, except
that customers only need to connect to the Internet to check their inventory
and place an order. Altogether, online retail generated about $152 billion in
revenues for 2010. The value proposition of e-tailers is to provide convenient,
low-cost shopping 24/7, offering large selections and consumer choice. Some
e-tailers, such as Walmart.com or Staples.com, referred to as “bricks-and-clicks,”
are subsidiaries or divisions of existing physical stores and carry the same
products. Others, however, operate only in the virtual world, without any ties to
physical locations. Amazon, BlueNile.com, and Drugstore.com are examples of
this type of e-tailer. Several other variations of e-tailers—such as online versions
of direct mail catalogs, online malls, and manufacturer-direct online sales—also
exist.
Chapter 10 E-commerce: Digital Markets, Digital Goods
TABLE 10-5 INTERNET BUSINESS MODELS
CATEGORY
DESCRIPTION
EXAMPLES
E-tailer
Sells physical products directly to consumers
or to individual businesses.
Amazon
RedEnvelope.com
Transaction broker
Saves users money and time by processing online
sales transactions and generating a fee each
time a transaction occurs.
ETrade.com
Expedia
Market creator
Provides a digital environment where buyers
and sellers can meet, search for products,
display products, and establish prices for
those products. Can serve consumers or
B2B e-commerce, generating revenue from
transaction fees.
eBay
Priceline.com
ChemConnect.com
Content provider
Creates revenue by providing digital content,
such as news, music, photos, or video,
over the Web. The customer may pay to
access the content, or revenue may be
generated by selling advertising space.
WSJ.com
GettyImages.com
iTunes.com
Games.com
Community
provider
Provides an online meeting place where
people with similar interests can
communicate and find useful information.
Facebook
MySpace
iVillage , Twitter
Portal
Provides initial point of entry to the Web
along with specialized content and other
services.
Yahoo
Bing
Google
Service provider
Provides Web 2.0 applications such as photo
sharing, video sharing, and user-generated
content as services. Provides other services such
as online data storage and backup.
Google Apps
Photobucket.com
Xdrive.com
Content Provider
While e-commerce began as a retail product channel, it has increasingly turned
into a global content channel. “Content” is defined broadly to include all forms
of intellectual property. Intellectual property refers to all forms of human
expression that can be put into a tangible medium such as text, CDs, DVDs, or
stored on any digital (or other) media, including the Web. Content providers
distribute information content, such as digital video, music, photos, text, and
artwork, over the Web. The value proposition of online content providers is that
consumers can find a wide range of content online, conveniently, and purchase
this content inexpensively, to be played, or viewed, on multiple computer
devices or smartphones.
Providers do not have to be the creators of the content (although sometimes
they are, like Disney.com), and are more likely to be Internet-based distributors
of content produced and created by others. For example, Apple sells music
tracks at its iTunes Store, but it does not create or commission new music.
The phenomenal popularity of the iTunes Store, and Apple’s Internetconnected devices like the iPhone, iPod, and iPad, have enabled new forms of
digital content delivery from podcasting to mobile streaming. Podcasting is a
method of publishing audio or video broadcasts via the Internet, allowing
subscribing users to download audio or video files onto their personal
computers or portable music players. Streaming is a publishing method for
383
384
Part Three Key System Applications for the Digital Age
music and video files that flows a continuous stream of content to a user’s
device without being stored locally on the device.
Estimates vary, but total download and subscription media revenues for 2010
are somewhere between $8 billion and $10 billion annually. They are the
fastest growing segment within e-commerce, growing at an estimated 20
percent annual rate (eMarketer, 2010b).
Tr a n s a c t i o n B r o k e r
Sites that process transactions for consumers normally handled in person, by
phone, or by mail are transaction brokers. The largest industries using this
model are financial services and travel services. The online transaction broker’s
primary value propositions are savings of money and time, as well as providing
an extraordinary inventory of financial products and travel packages, in a single
location. Online stock brokers and travel booking services charge fees that are
considerably less than traditional versions of these services.
Market Creator
Market creators build a digital environment in which buyers and sellers can
meet, display products, search for products, and establish prices. The value
proposition of online market creators is that they provide a platform where
sellers can easily display their wares and where purchasers can buy directly
from sellers. Online auction markets like eBay and Priceline are good
examples of the market creator business model. Another example is
Amazon’s Merchants platform (and similar programs at eBay) where
merchants are allowed to set up stores on Amazon’s Web site and sell goods
at fixed prices to consumers. This is reminiscent of open air markets where
the market creator operates a facility (a town square) where merchants and
consumers meet. Online market creators will generate about $12 billion in
revenues for 2010.
Service Provider
While e-tailers sell products online, service providers offer services online.
There’s been an explosion in online services. Web 2.0 applications, photo
sharing, and online sites for data backup and storage all use a service provider
business model. Software is no longer a physical product with a CD in a box, but
increasingly software as a service (SaaS) that you subscribe to online rather
than purchase from a retailer (see Chapter 5). Google has led the way in
developing online software service applications such as Google Apps, Gmail,
and online data storage services.
Community Provider
Community providers are sites that create a digital online environment
where people with similar interests can transact (buy and sell goods); share
interests, photos, videos; communicate with like-minded people; receive
interest-related information; and even play out fantasies by adopting online
personalities called avatars. The social networking sites Facebook, MySpace,
LinkedIn, and Twitter; online communities such as iVillage; and hundreds of
other smaller, niche sites such as Doostang and Sportsvite all offer users
community-building tools and services. Social networking sites have been
the fastest growing Web sites in recent years, often doubling their audience
size in a year. However, they are struggling to achieve profitability. The
Interactive Session on Organizations explores this topic.
Chapter 10 E-commerce: Digital Markets, Digital Goods
CASE STUDY QUESTIONS
1. Based on your reading in this chapter, how would
you characterize Twitter’s business model?
2. If Twitter is to have a revenue model, which of the
revenue models described in this chapter would
work?
3. What is the most important asset that Twitter has,
and how could it monetize this asset?
4. What impact will a high customer churn rate have
on Twitter’s potential advertising revenue?
387
MIS IN ACTION
1. Go to Twitter.com and enter a search on your
favorite (or least favorite) car. Can you find the
company’s official site? What else do you find?
Describe the results and characterize the potential
risks and rewards for companies that would like to
advertise to Twitter’s audience.
2. How would you improve Twitter’s Web site to
make it more friendly for large advertisers?
3. Teenagers are infrequent users of Twitter because
they use their cell phones for texting, and most
users are adults 18–34 years of age. Find five users
of Twitter and ask them how long they have used
the service, are they likely to continue using the
service, and how would they feel about banner
ads appearing on their Twitter Web screen and
phone screens. Are loyal users of Twitter less
likely (or more likely) to tolerate advertising on
Twitter?
E-COMMERCE REVENUE MODELS
A firm’s revenue model describes how the firm will earn revenue, generate
profits, and produce a superior return on investment. Although there are many
different e-commerce revenue models that have been developed, most companies rely on one, or some combination, of the following six revenue models:
advertising, sales, subscription, free/freemium, transaction fee, and affiliate.
Advertising Revenue Model
In the advertising revenue model, a Web site generates revenue by attracting
a large audience of visitors who can then be exposed to advertisements. The
advertising model is the most widely used revenue model in e-commerce, and
arguably, without advertising revenues, the Web would be a vastly different
experience from what it is now. Content on the Web—everything from news to
videos and opinions—is “free” to visitors because advertisers pay the production
and distribution costs in return for the right to expose visitors to ads.
Companies will spend an estimated $240 billion on advertising in 2010, and an
estimated $25 billion of that amount on online advertising (in the form of a paid
message on a Web site, paid search listing, video, widget, game, or other online
medium, such as instant messaging). In the last five years, advertisers have
increased online spending and cut outlays on traditional channels such as radio
and newspapers. Television advertising has expanded along with online advertising revenues.
Web sites with the largest viewership or that attract a highly specialized,
differentiated viewership and are able to retain user attention (“stickiness”) are
able to charge higher advertising rates. Yahoo, for instance, derives nearly all its
revenue from display ads (banner ads) and to a lesser extent search engine text
ads. Ninety-eight percent of Google’s revenue derives from selling keywords to
388
Part Three Key System Applications for the Digital Age
advertisers in an auction-like market (the AdSense program). The average
Facebook user spends over five hours a week on the site, far longer than other
portal sites.
Sales Revenue Model
In the sales revenue model, companies derive revenue by selling goods,
information, or services to customers. Companies such as Amazon (which sells
books, music, and other products), LLBean.com, and Gap.com, all have sales
revenue models. Content providers make money by charging for downloads of
entire files such as music tracks (iTunes Store) or books or for downloading
music and/or video streams (Hulu.com TV shows—see Chapter 3). Apple has
pioneered and strengthened the acceptance of micropayments. Micropayment
systems provide content providers with a cost-effective method for processing
high volumes of very small monetary transactions (anywhere from $.25 to $5.00
per transaction). MyMISlab has a Learning Track with more detail on micropayment and other e-commerce payment systems.
Subscription Revenue Model
In the subscription revenue model, a Web site offering content or services
charges a subscription fee for access to some or all of its offerings on an ongoing
basis. Content providers often use this revenue model. For instance, the online
version of Consumer Reports provides access to premium content, such as
detailed ratings, reviews, and recommendations, only to subscribers, who have a
choice of paying a $5.95 monthly subscription fee or a $26.00 annual fee. Netflix
is one of the most successful subscriber sites with more that 15 million
subscribers in September 2010. The Wall Street Journal has the largest online
subscription newspaper with more than 1 million online subscribers. To be
successful, the subscription model requires that the content be perceived as a
having high added value, differentiated, and not readily available elsewhere nor
easily replicated. Companies successfully offering content or services online on
a subscription basis include Match.com and eHarmony (dating services),
Ancestry.com and Genealogy.com (genealogy research), Microsoft’s
Xboxlive.com (video games), and Rhapsody.com (music).
Free/Freemium Revenue Model
In the free/freemium revenue model, firms offer basic services or content for
free, while charging a premium for advanced or special features. For example,
Google offers free applications, but charges for premium services. Pandora, the
subscription radio service, offers a free service with limited play time, and a
premium service with unlimited play. The Flickr photo-sharing service offers
free basic services for sharing photos with friends and family, and also sells a
$24.95 “premium” package that provides users unlimited storage, high-definition video storage and playback, and freedom from display advertising. The
idea is to attract very large audiences with free services, and then to convert
some of this audience to pay a subscription for premium services. One problem
with this model is converting people from being “free loaders” into paying
customers. “Free” can be a powerful model for losing money.
Tr a n s a c t i o n Fe e R e v e n u e M o d e l
In the transaction fee revenue model, a company receives a fee for enabling
or executing a transaction. For example, eBay provides an online auction
marketplace and receives a small transaction fee from a seller if the seller is
successful in selling an item. E*Trade, an online stockbroker, receives transac-
Chapter 10 E-commerce: Digital Markets, Digital Goods
tion fees each time it executes a stock transaction on behalf of a customer. The
transaction revenue model enjoys wide acceptance in part because the true
cost of using the platform is not immediately apparent to the user.
Affiliate Revenue Model
In the affiliate revenue model, Web sites (called “affiliate Web sites”) send visitors to other Web sites in return for a referral fee or percentage of the revenue
from any resulting sales. For example, MyPoints makes money by connecting
companies to potential customers by offering special deals to its members.
When members take advantage of an offer and make a purchase, they earn
“points” they can redeem for free products and services, and MyPoints receives
a referral fee. Community feedback sites such as Epinions and Yelp receive
much of their revenue from steering potential customers to Web sites where
they make a purchase. Amazon uses affiliates who steer business to the
Amazon Web site by placing the Amazon logo on their blogs. Personal blogs
may be involved in affiliate marketing. Some bloggers are paid directly by manufacturers, or receive free products, for speaking highly of products and providing links to sales channels.
WEB 2.0: SOCIAL NETWORKING AND THE WISDOM OF
CROWDS
One of the fastest growing areas of e-commerce revenues are Web 2.0 online
services, which we described in Chapter 7. The most popular Web 2.0 service is
social networking, online meeting places where people can meet their friends
and their friends’ friends. Every day over 60 million Internet users in the
United States visit a social networking site like Facebook, MySpace, LinkedIn,
and hundreds of others.
Social networking sites link people through their mutual business or
personal connections, enabling them to mine their friends (and their friends’
friends) for sales leads, job-hunting tips, or new friends. MySpace, Facebook,
and Friendster appeal to people who are primarily interested in extending their
friendships, while LinkedIn focuses on job networking for professionals.
Social networking sites and online communities offer new possibilities for
e-commerce. Networking sites like Facebook and MySpace sell banner, video,
and text ads; sell user preference information to marketers; and sell products
such as music, videos, and e-books. Corporations set up their own Facebook and
MySpace profiles to interact with potential customers. For example, Procter &
Gamble set up a MySpace profile page for Crest toothpaste soliciting “friends”
for a fictional character called “Miss Irresistable.” Business firms can also
“listen” to what social networkers are saying about their products, and obtain
valuable feedback from consumers. At user-generated content sites like
YouTube, high-quality video content is used to display advertising, and
Hollywood studios have set up their own channels to market their products.
The Interactive Session on Management looks more closely at social networking on Facebook, focusing on its impact on privacy.
At social shopping sites like Kaboodle, ThisNext, and Stylehive you can
swap shopping ideas with friends. Facebook offers this same service on a
voluntary basis. Online communities are also ideal venues to employ viral
marketing techniques. Online viral marketing is like traditional word-ofmouth marketing except that the word can spread across an online commu-
389
392
Part Three Key System Applications for the Digital Age
argue that large numbers of people can make better decisions about a wide
range of topics or products than a single person or even a small committee of
experts (Surowiecki, 2004).
Obviously this is not always the case, but it can happen in interesting ways.
In marketing, the wisdom of crowds concept suggests that firms should consult
with thousands of their customers first as a way of establishing a relationship
with them, and second, to better understand how their products and services
are used and appreciated (or rejected). Actively soliciting the comments of your
customers builds trust and sends the message to your customers that you care
what they are thinking, and that you need their advice.
Beyond merely soliciting advice, firms can be actively helped in solving
some business problems using what is called crowdsourcing. For instance, in
2006, Netflix announced a contest in which it offered to pay $1 million to the
person or team who comes up with a method for improving by 10 percent
Netflix’s prediction of what movies customers would like as measured against
their actual choices. By 2009, Netflix received 44,014 entries from 5,169 teams
in 186 countries. The winning team improved a key part of Netflix’s business: a
recommender system that recommends to its customers what new movies to
order based on their personal past movie choices and the choices of millions of
other customers who are like them (Howe, 2008; Resnick and Varian, 1997).
Firms can also use the wisdom of crowds in the form of prediction markets.
Prediction markets are established as peer-to-peer betting markets where
participants make bets on specific outcomes of, say, quarterly sales of a new
product, designs for new products, or political elections. The world’s largest
commercial prediction market is Betfair, founded in 2000, where you bet for or
against specific outcomes on football games, horse races, and whether or not
the Dow Jones will go up or down in a single day. Iowa Electronic Markets
(IEM) is an academic market focused on elections. You can place bets on the
outcome of local and national elections.
E-COMMERCE MARKETING
While e-commerce and the Internet have changed entire industries and enable
new business models, no industry has been more affected than marketing and
marketing communications. The Internet provides marketers with new ways of
identifying and communicating with millions of potential customers at costs far
lower than traditional media, including search engine marketing, data mining,
recommender systems, and targeted e-mail. The Internet enables long tail
marketing. Before the Internet, reaching a large audience was very expensive,
and marketers had to focus on attracting the largest number of consumers with
popular hit products, whether music, Hollywood movies, books, or cars. In
contrast, the Internet allows marketers to inexpensively find potential
customers for which demand is very low, people on the far ends of the bell
(normal) curve. For instance, the Internet makes it possible to sell independent
music profitably to very small audiences. There’s always some demand for
almost any product. Put a string of such long tail sales together and you have a
profitable business.
The Internet also provides new ways—often instantaneous and spontaneous—to gather information from customers, adjust product offerings, and
increase customer value. Table 10-6 describes the leading marketing and
advertising formats used in e-commerce.
Many e-commerce marketing firms use behavioral targeting techniques to
increase the effectiveness of banner, rich media, and video ads. Behavioral
Chapter 10 E-commerce: Digital Markets, Digital Goods
TABLE 10-6 ONLINE MARKETING AND ADVERTISING FORMATS (BILLIONS)
MARKETING FORMAT
2010 REVENUE
DESCRIPTION
Search engine
$12.3
Text ads targeted at precisely what the customer is
looking for at the moment of shopping and purchasing.
Sales oriented.
Display ads
$5.8
Banner ads (pop-ups and leave-behinds) with interactive
features; increasingly behaviorally targeted to individual
Web activity. Brand development and sales.
Classified
$1.9
Job, real estate, and services ads; interactive, rich media,
and personalized to user searches. Sales and branding.
Rich media
$1.57
Animations, games, and puzzles. Interactive, targeted,
and entertaining. Branding orientation.
Affiliate and blog
marketing
$1.5
Blog and Web site marketing steers customers to
parent sites; interactive, personal, and often with video.
Sales orientation.
Video
$1.5
Fastest growing format, engaging and entertaining;
behaviorally targeted, interactive. Branding and sales.
Sponsorships
E-mail
$.4
$.27
Online games, puzzle, contests, and coupon sites
sponsored by firms to promote products. Sales
orientation.
Effective, targeted marketing tool with interactive and
rich media potential. Sales oriented.
targeting refers to tracking the click-streams (history of clicking behavior) of
individuals on thousands of Web sites for the purpose of understanding their
interests and intentions, and exposing them to advertisements that are
uniquely suited to their behavior. Proponents believe this more precise understanding of the customer leads to more efficient marketing (the firm pays for
ads only to those shoppers who are most interested in their products) and
larger sales and revenues. Unfortunately, behavioral targeting of millions of
Web users also leads to the invasion of personal privacy without user consent
(see our discussion in Chapter 4). When consumers lose trust in their Web
experience, they tend not to purchase anything.
Behavioral targeting takes place at two levels: at individual Web sites and on
various advertising networks that track users across thousands of Web sites. All
Web sites collect data on visitor browser activity and store it in a database. They
have tools to record the site that users visited prior to coming to the Web site,
where these users go when they leave that site, the type of operating system they
use, browser information, and even some location data. They also record the
specific pages visited on the particular site, the time spent on each page of the
site, the types of pages visited, and what the visitors purchased (see Figure 10-3).
Firms analyze this information about customer interests and behavior to develop
precise profiles of existing and potential customers.
This information enables firms to understand how well their Web site is
working, create unique personalized Web pages that display content or ads for
products or services of special interest to each user, improve the customer’s
experience, and create additional value through a better understanding of the
shopper (see Figure 10-4). By using personalization technology to modify the
Web pages presented to each customer, marketers achieve some of the benefits
of using individual salespeople at dramatically lower costs. For instance,
393
394
Part Three Key System Applications for the Digital Age
FIGURE 10-3
WEB SITE VISITOR TRACKING
E-commerce Web sites have tools to track a shopper’s every step through an online store. Close
examination of customer behavior at a Web site selling women’s clothing shows what the store might
learn at each step and what actions it could take to increase sales.
General Motors will show a Chevrolet banner ad to women emphasizing safety
and utility, while men will receive different ads emphasizing power and
ruggedness.
FIGURE 10-4
WEB SITE PERSONALIZATION
Firms can create unique personalized Web pages that display content or ads for products or services of
special interest to individual users, improving the customer experience and creating additional value.
Chapter 10 E-commerce: Digital Markets, Digital Goods
What if you are a large national advertising company with many different
clients trying to reach millions of consumers? What if you were a large global
manufacturer trying to reach potential consumers for your products? With
millions of Web sites, working with each one would be impractical. Advertising
networks solve this problem by creating a network of several thousand of the
most popular Web sites visited by millions of people, tracking the behavior of
these users across the entire network, building profiles of each user, and then
selling these profiles to advertisers. Popular Web sites download dozens of Web
tracking cookies, bugs, and beacons, which report user online behavior to
remote servers without the users’ knowledge. Looking for young, single
consumers, with college degrees, living in the Northeast, in the 18–34 age range
who are interested purchasing a European car? Not a problem. Advertising
networks can identify and deliver hundreds of thousands of people who fit this
profile and expose them to ads for European cars as they move from one Web
site to another. Estimates vary, but behaviorally targeted ads are 10 times more
likely to produce a consumer response than a randomly chosen banner or video
ad (see Figure 10-5). So-called advertising exchanges use this same technology
to auction access to people with very specific profiles to advertisers in a few
milliseconds.
B2B E-COMMERCE: NEW EFFICIENCIES AND
RELATIONSHIPS
The trade between business firms (business-to-business commerce or B2B)
represents a huge marketplace. The total amount of B2B trade in the United States
in 2009 was about $12.2 trillion, with B2B e-commerce (online B2B) contributing
about $3.6 trillion of that amount (U.S. Census Bureau, 2010; authors’ estimates).
By 2014, B2B e-commerce should grow to about $5.1 trillion in the United States,
assuming an average growth rate of about 7 percent. The process of conducting
trade among business firms is complex and requires significant human interven-
FIGURE 10-5
HOW AN ADVERTISING NETWORK SUCH AS DOUBLECLICK WORKS
Advertising networks have become controversial among privacy advocates because of their ability to
track individual consumers across the Internet. We discuss privacy issues further in Chapter 4.
395
396
Part Three Key System Applications for the Digital Age
tion, and therefore, it consumes significant resources. Some firms estimate that
each corporate purchase order for support products costs them, on average, at
least $100 in administrative overhead. Administrative overhead includes processing paper, approving purchase decisions, spending time using the telephone and
fax machines to search for products and arrange for purchases, arranging for
shipping, and receiving the goods. Across the economy, this adds up to trillions of
dollars annually being spent for procurement processes that could potentially be
automated. If even just a portion of inter-firm trade were automated, and parts of
the entire procurement process assisted by the Internet, literally trillions of dollars might be released for more productive uses, consumer prices potentially
would fall, productivity would increase, and the economic wealth of the nation
would expand. This is the promise of B2B e-commerce. The challenge of B2B
e-commerce is changing existing patterns and systems of procurement, and
designing and implementing new Internet-based B2B solutions.
Business-to-business e-commerce refers to the commercial transactions that
occur among business firms. Increasingly, these transactions are flowing
through a variety of different Internet-enabled mechanisms. About 80 percent
of online B2B e-commerce is still based on proprietary systems for electronic
data interchange (EDI). Electronic data interchange enables the computer-tocomputer exchange between two organizations of standard transactions such as
invoices, bills of lading, shipment schedules, or purchase orders. Transactions
are automatically transmitted from one information system to another through
a network, eliminating the printing and handling of paper at one end and the
inputting of data at the other. Each major industry in the United States and
much of the rest of the world has EDI standards that define the structure and
information fields of electronic documents for that industry.
EDI originally automated the exchange of documents such as purchase orders,
invoices, and shipping notices. Although some companies still use EDI for document automation, firms engaged in just-in-time inventory replenishment and continuous production use EDI as a system for continuous replenishment. Suppliers
have online access to selected parts of the purchasing firm’s production and delivery schedules and automatically ship materials and goods to meet prespecified
targets without intervention by firm purchasing agents (see Figure 10-6).
Although many organizations still use private networks for EDI, they are
increasingly Web-enabled because Internet technology provides a much more
flexible and low-cost platform for linking to other firms. Businesses are able to
extend digital technology to a wider range of activities and broaden their circle
of trading partners.
FIGURE 10-6
ELECTRONIC DATA INTERCHANGE (EDI)
Companies use EDI to automate transactions for B2B e-commerce and continuous inventory replenishment. Suppliers can automatically send data about shipments to purchasing firms. The purchasing
firms can use EDI to provide production and inventory requirements and payment data to suppliers.
Chapter 10 E-commerce: Digital Markets, Digital Goods
Take procurement, for example. Procurement involves not only purchasing
goods and materials but also sourcing, negotiating with suppliers, paying for
goods, and making delivery arrangements. Businesses can now use the Internet
to locate the lowest-cost supplier, search online catalogs of supplier products,
negotiate with suppliers, place orders, make payments, and arrange transportation. They are not limited to partners linked by traditional EDI networks.
The Internet and Web technology enable businesses to create new electronic
storefronts for selling to other businesses with multimedia graphic displays and
interactive features similar to those for B2C commerce. Alternatively,
businesses can use Internet technology to create extranets or electronic
marketplaces for linking to other businesses for purchase and sale transactions.
Private industrial networks typically consist of a large firm using an
extranet to link to its suppliers and other key business partners (see Figure 10-7).
The network is owned by the buyer, and it permits the firm and designated suppliers, distributors, and other business partners to share product design and
development, marketing, production scheduling, inventory management, and
unstructured communication, including graphics and e-mail. Another term for a
private industrial network is a private exchange.
An example is VW Group Supply, which links the Volkswagen Group and its
suppliers. VW Group Supply handles 90 percent of all global purchasing for
Volkswagen, including all automotive and parts components.
Net marketplaces, which are sometimes called e-hubs, provide a single,
digital marketplace based on Internet technology for many different buyers
and sellers (see Figure 10-8). They are industry owned or operate as independent intermediaries between buyers and sellers. Net marketplaces generate revenue from purchase and sale transactions and other services provided
to clients. Participants in Net marketplaces can establish prices through
online negotiations, auctions, or requests for quotations, or they can use
fixed prices.
FIGURE 10-7
A PRIVATE INDUSTRIAL NETWORK
A private industrial network, also known as a private exchange, links a firm to its suppliers, distributors, and other key business partners for efficient supply chain management and other collaborative
commerce activities.
397
398
Part Three Key System Applications for the Digital Age
FIGURE 10-8
A NET MARKETPLACE
Net marketplaces are online marketplaces where multiple buyers can purchase from multiple sellers.
There are many different types of Net marketplaces and ways of classifying
them. Some Net marketplaces sell direct goods and some sell indirect goods.
Direct goods are goods used in a production process, such as sheet steel for auto
body production. Indirect goods are all other goods not directly involved in the
production process, such as office supplies or products for maintenance and
repair. Some Net marketplaces support contractual purchasing based on longterm relationships with designated suppliers, and others support short-term
spot purchasing, where goods are purchased based on immediate needs, often
from many different suppliers.
Some Net marketplaces serve vertical markets for specific industries, such as
automobiles, telecommunications, or machine tools, whereas others serve
horizontal markets for goods and services that can be found in many different
industries, such as office equipment or transportation.
Exostar is an example of an industry-owned Net marketplace, focusing on
long-term contract purchasing relationships and on providing common
networks and computing platforms for reducing supply chain inefficiencies.
This aerospace and defense industry-sponsored Net marketplace was founded
jointly by BAE Systems, Boeing, Lockheed Martin, Raytheon, and Rolls-Royce
plc to connect these companies to their suppliers and facilitate collaboration.
More than 16,000 trading partners in the commercial, military, and government sectors use Exostar’s sourcing, e-procurement, and collaboration tools for
both direct and indirect goods. Elemica is another example of a Net marketplace serving the chemical industry.
Exchanges are independently owned third-party Net marketplaces that
connect thousands of suppliers and buyers for spot purchasing. Many
exchanges provide vertical markets for a single industry, such as food, electronics, or industrial equipment, and they primarily deal with direct inputs. For
example, Go2paper enables a spot market for paper, board, and kraft among
buyers and sellers in the paper industries from over 75 countries.
Exchanges proliferated during the early years of e-commerce but many have
failed. Suppliers were reluctant to participate because the exchanges encour-
Chapter 10 E-commerce: Digital Markets, Digital Goods
aged competitive bidding that drove prices down and did not offer any
long-term relationships with buyers or services to make lowering prices worthwhile. Many essential direct purchases are not conducted on a spot basis
because they require contracts and consideration of issues such as delivery
timing, customization, and quality of products.
10.3 THE MOBILE DIGITAL PLATFORM AND MOBILE
E-COMMERCE
Walk down the street in any major metropolitan area and count how many
people are pecking away at their iPhones or BlackBerrys. Ride the trains, fly the
planes, and you’ll see your fellow travelers reading an online newspaper,
watching a video on their phone, or reading a novel on their Kindle. In five
years, the majority of Internet users in the United States will rely on mobile
devices as their primary device for accessing the Internet. M-commerce has
taken off.
In 2010, m-commerce represented less than 10 percent of all e-commerce,
with about $5 billion in annual revenues generated by selling music, videos,
ring tones, applications, movies, television, and location-based services like
local restaurant locators and traffic updates. However, m-commerce is the
fastest growing form of e-commerce, with some areas expanding at a rate of 50
percent or more per year, and is estimated to grow to $19 billion in 2014
(see Figure 10-9). In 2010, there were an estimated 5 billion cell phone
subscribers worldwide, with over 855 million in China and 300 million in the
United States (eMarketer, 2010d).
M-COMMERCE SERVICES AND APPLICATIONS
The main areas of growth in mobile e-commerce are location-based services,
about $215 million in revenue in 2010; software application sales at stores such
as iTunes (about $1.8 billion); entertainment downloads of ring tones, music,
video, and TV shows (about $1 billion); mobile display advertising ($784
million); direct shopping services such as Slifter ($200 million); and e-book
sales ($338 million).
FIGURE 10-9
CONSOLIDATED MOBILE COMMERCE REVENUES
Mobile e-commerce is the fastest growing type of B2C e-commerce although it represents only a small
part of all e-commerce in 2010.
399
Chapter 12 Enhancing Decision Making
455
12.1 DECISION MAKING AND INFORMATION SYSTEMS
D
ecision making in businesses used to be limited to management.
Today, lower-level employees are responsible for some of these
decisions, as information systems make information available to
lower levels of the business. But what do we mean by better decision
making? How does decision making take place in businesses and other
organizations? Let’s take a closer look.
BUSINESS VALUE OF IMPROVED DECISION MAKING
What does it mean to the business to make better decisions? What is the
monetary value of improved decision making? Table 12-1 attempts to measure
the monetary value of improved decision making for a small U.S. manufacturing firm with $280 million in annual revenue and 140 employees. The firm has
identified a number of key decisions where new system investments might
improve the quality of decision making. The table provides selected estimates
of annual value (in the form of cost savings or increased revenue) from
improved decision making in selected areas of the business.
We can see from Table 12-1 that decisions are made at all levels of the firm
and that some of these decisions are common, routine, and numerous.
Although the value of improving any single decision may be small, improving
hundreds of thousands of “small” decisions adds up to a large annual value for
the business.
TYPES OF DECISIONS
Chapters 1 and 2 showed that there are different levels in an organization. Each
of these levels has different information requirements for decision support and
responsibility for different types of decisions (see Figure 12-1). Decisions are
classified as structured, semistructured, and unstructured.
TABLE 12-1 BUSINESS VALUE OF ENHANCED DECISION MAKING
ESTIMATED VALUE TO
FIRM OF A SINGLE
IMPROVED DECISION
ANNUAL VAUE
12
$ 100,000
$1,200,000
4
150,000
600,000
365
5,000
1,825,000
1
2,000,000
2,000,000
NUMBER OF
ANNUAL DECISIONS
EXAMPLE DECISION
DECISION MAKER
Allocate support to most
valuable customers
Accounts manager
Predict call center
daily demand
Call center management
Decide parts inventory
levels daily
Inventory manager
Identify competitive bids
from major suppliers
Senior management
Schedule production
to fill orders
Manufacturing manager
150
10,000
1,500,000
Allocate labor to
complete a job
Production floor manager
100
4,000
400,000
456
Part Three Key System Applications for the Digital Age
FIGURE 12-1
INFORMATION REQUIREMENTS OF KEY DECISION-MAKING GROUPS
IN A FIRM
Senior managers, middle managers, operational managers, and employees have different types of
decisions and information requirements.
Unstructured decisions are those in which the decision maker must
provide judgment, evaluation, and insight to solve the problem. Each of these
decisions is novel, important, and nonroutine, and there is no well-understood
or agreed-on procedure for making them.
Structured decisions, by contrast, are repetitive and routine, and they
involve a definite procedure for handling them so that they do not have to be
treated each time as if they were new. Many decisions have elements of both
types of decisions and are semistructured, where only part of the problem has
a clear-cut answer provided by an accepted procedure. In general, structured
decisions are more prevalent at lower organizational levels, whereas unstructured problems are more common at higher levels of the firm.
Senior executives face many unstructured decision situations, such as
establishing the firm’s five- or ten-year goals or deciding new markets to enter.
Answering the question “Should we enter a new market?” would require access
to news, government reports, and industry views as well as high-level
summaries of firm performance. However, the answer would also require
senior managers to use their own best judgment and poll other managers for
their opinions.
Middle management faces more structured decision scenarios but their
decisions may include unstructured components. A typical middle-level
management decision might be “Why is the reported order fulfillment report
showing a decline over the past six months at a distribution center in
Minneapolis?” This middle manager will obtain a report from the firm’s
enterprise system or distribution management system on order activity and
operational efficiency at the Minneapolis distribution center. This is the
structured part of the decision. But before arriving at an answer, this middle
manager will have to interview employees and gather more unstructured information from external sources about local economic conditions or sales trends.
Chapter 12 Enhancing Decision Making
Operational management and rank-and-file employees tend to make more
structured decisions. For example, a supervisor on an assembly line has to
decide whether an hourly paid worker is entitled to overtime pay. If the
employee worked more than eight hours on a particular day, the supervisor
would routinely grant overtime pay for any time beyond eight hours that was
clocked on that day.
A sales account representative often has to make decisions about extending
credit to customers by consulting the firm’s customer database that contains
credit information. If the customer met the firm’s prespecified criteria for
granting credit, the account representative would grant that customer credit to
make a purchase. In both instances, the decisions are highly structured and are
routinely made thousands of times each day in most large firms. The answer
has been preprogrammed into the firm’s payroll and accounts receivable
systems.
THE DECISION-MAKING PROCESS
Making a decision is a multistep process. Simon (1960) described four different
stages in decision making: intelligence, design, choice, and implementation
(see Figure 12-2).
FIGURE 12-2
STAGES IN DECISION MAKING
The decision-making process is broken down into four stages.
457
458
Part Three Key System Applications for the Digital Age
Intelligence consists of discovering, identifying, and understanding the
problems occurring in the organization—why a problem exists, where, and
what effects it is having on the firm.
Design involves identifying and exploring various solutions to the problem.
Choice consists of choosing among solution alternatives.
Implementation involves making the chosen alternative work and continuing to monitor how well the solution is working.
What happens if the solution you have chosen doesn’t work? Figure 12-2
shows that you can return to an earlier stage in the decision-making process
and repeat it if necessary. For instance, in the face of declining sales, a sales
management team may decide to pay the sales force a higher commission for
making more sales to spur on the sales effort. If this does not produce sales
increases, managers would need to investigate whether the problem stems
from poor product design, inadequate customer support, or a host of other
causes that call for a different solution.
MANAGERS AND DECISION MAKING IN THE REAL
WORLD
The premise of this book and this chapter is that systems to support decision
making produce better decision making by managers and employees, above
average returns on investment for the firm, and ultimately higher profitability.
However, information systems cannot improve all the different kinds of
decisions taking place in an organization. Let’s examine the role of managers
and decision making in organizations to see why this is so.
M a n a g e r i a l Ro l e s
Managers play key roles in organizations. Their responsibilities range from
making decisions, to writing reports, to attending meetings, to arranging
birthday parties. We are able to better understand managerial functions and
roles by examining classical and contemporary models of managerial behavior.
The classical model of management, which describes what managers do,
was largely unquestioned for the more than 70 years since the 1920s. Henri
Fayol and other early writers first described the five classical functions of
managers as planning, organizing, coordinating, deciding, and controlling. This
description of management activities dominated management thought for a
long time, and it is still popular today.
The classical model describes formal managerial functions but does not
address what exactly managers do when they plan, decide things, and control
the work of others. For this, we must turn to the work of contemporary behavioral scientists who have studied managers in daily action. Behavioral models
state that the actual behavior of managers appears to be less systematic, more
informal, less reflective, more reactive, and less well organized than the classical model would have us believe.
Observers find that managerial behavior actually has five attributes that
differ greatly from the classical description. First, managers perform a great
deal of work at an unrelenting pace—studies have found that managers engage
in more than 600 different activities each day, with no break in their pace.
Second, managerial activities are fragmented; most activities last for less than
nine minutes, and only 10 percent of the activities exceed one hour in
duration. Third, managers prefer current, specific, and ad hoc information
(printed information often will be too old). Fourth, they prefer oral forms of
Chapter 12 Enhancing Decision Making
communication to written forms because oral media provide greater flexibility, require less effort, and bring a faster response. Fifth, managers give high
priority to maintaining a diverse and complex web of contacts that acts as an
informal information system and helps them execute their personal agendas
and short- and long-term goals.
Analyzing managers’ day-to-day behavior, Mintzberg found that it could be
classified into 10 managerial roles. Managerial roles are expectations of the
activities that managers should perform in an organization. Mintzberg found
that these managerial roles fell into three categories: interpersonal, informational, and decisional.
Interpersonal Roles. Managers act as figureheads for the organization when
they represent their companies to the outside world and perform symbolic
duties, such as giving out employee awards, in their interpersonal role.
Managers act as leaders, attempting to motivate, counsel, and support subordinates. Managers also act as liaisons between various organizational levels;
within each of these levels, they serve as liaisons among the members of the
management team. Managers provide time and favors, which they expect to be
returned.
Informational Roles. In their informational role, managers act as the nerve
centers of their organizations, receiving the most concrete, up-to-date information and redistributing it to those who need to be aware of it. Managers are
therefore information disseminators and spokespersons for their organizations.
Decisional Roles. Managers make decisions. In their decisional role, they
act as entrepreneurs by initiating new kinds of activities; they handle disturbances arising in the organization; they allocate resources to staff members
who need them; and they negotiate conflicts and mediate between conflicting
groups.
Table 12-2, based on Mintzberg’s role classifications, is one look at where
systems can and cannot help managers. The table shows that information systems are now capable of supporting most, but not all, areas of management life.
TABLE 12-2 MANAGERIAL ROLES AND SUPPORTING INFORMATION SYSTEMS
ROLE
BEHAVIOR
SUPPORT SYSTEMS
Interpersonal Roles
Figurehead
Leader
Telepresence systems
Interpersonal
Liaison
Telepresence, social networks, Twitter
Smartphones, social networks
Informational Roles
Nerve center
Management information systems, ESS
Disseminator
Information
E-mail, social networks
Spokesperson
processing
Webinars, telepresence
Entrepreneur
Decision
None exist
Disturbance handler
making
None exist
Decisional Roles
Resource allocator
Business intelligence, DSS systems
Negotiator
None exist
Sources: Kenneth C. Laudon and Jane P. Laudon; and Mintzberg, 1971.
459
460
Part Three Key System Applications for the Digital Age
R e a l - Wo r l d D e c i s i o n M a k i n g
We now see that information systems are not helpful for all managerial roles.
And in those managerial roles where information systems might improve
decisions, investments in information technology do not always produce
positive results. There are three main reasons: information quality, management filters, and organizational culture (see Chapter 3).
Information Quality. High-quality decisions require high-quality information. Table 12-3 describes information quality dimensions that affect the quality
of decisions.
If the output of information systems does not meet these quality criteria,
decision-making will suffer. Chapter 6 has shown that corporate databases and
files have varying levels of inaccuracy and incompleteness, which in turn will
degrade the quality of decision making.
Management Filters. Even with timely, accurate information, some managers make bad decisions. Managers (like all human beings) absorb information
through a series of filters to make sense of the world around them. Managers
have selective attention, focus on certain kinds of problems and solutions, and
have a variety of biases that reject information that does not conform to their
prior conceptions.
For instance, Wall Street firms such as Bear Stearns and Lehman Brothers
imploded in 2008 because they underestimated the risk of their investments in
complex mortgage securities, many of which were based on subprime loans
that were more likely to default. The computer models they and other financial
institutions used to manage risk were based on overly optimistic assumptions
and overly simplistic data about what might go wrong. Management wanted to
make sure that their firms’ capital was not all tied up as a cushion against
defaults from risky investments, preventing them from investing it to generate
profits. So the designers of these risk management systems were encouraged to
measure risks in a way that minimzed their importance. Some trading desks
also oversimplified the information maintained about the mortgage securities
to make them appear as simple bonds with higher ratings than were warranted
by their underlying components (Hansell, 2008).
Organizational Inertia and Politics. Organizations are bureaucracies with
limited capabilities and competencies for acting decisively. When environments change and businesses need to adopt new business models to survive,
TABLE 12-3 INFORMATION QUALITY DIMENSIONS
QUALITY DIMENSION
DESCRIPTION
Accuracy
Do the data represent reality?
Integrity
Are the structure of data and relationships among the entities and attributes
consistent?
Consistency
Are data elements consistently defined?
Completeness
Are all the necessary data present?
Validity
Do data values fall within defined ranges?
Timeliness
Area data available when needed?
Accessibility
Are the data accessible, comprehensible, and usable?
Chapter 12 Enhancing Decision Making
strong forces within organizations resist making decisions calling for major
change. Decisions taken by a firm often represent a balancing of the firm’s
various interest groups rather than the best solution to the problem.
Studies of business restructuring find that firms tend to ignore poor performance until threatened by outside takeovers, and they systematically blame
poor performance on external forces beyond their control such as economic
conditions (the economy), foreign competition, and rising prices, rather than
blaming senior or middle management for poor business judgment (John,
Lang, Netter, et al., 1992).
HIGH-VELOCITY AUTOMATED DECISION MAKING
Today, many decisions made by organizations are not made by managers, or
any humans. For instance, when you enter a query into Google’s search engine,
Google has to decide which URLs to display in about half a second on average
(500 milliseconds). Google indexes over 50 billion Web pages, although it does
not search the entire index for every query it receives. The same is true of other
search engines. The New York Stock Exchange is spending over $450 million in
2010–2011 to build a trading platform that can executes incoming orders in less
that 50 milliseconds. High frequency traders at electronic stock exchanges execute their trades in under 30 milliseconds.
The class of decisions that are highly structured and automated is growing
rapidly. What makes this kind of automated high-speed decision making
possible are computer algorithms that precisely define the steps to be followed
to produce a decision, very large databases, very high-speed processors, and
software optimized to the task. In these situations, humans (including
managers) are eliminated from the decision chain because they are too slow.
This also means organizations in these areas are making decisions faster
than what managers can monitor or control. Inability to control automated
decisions was a major factor in the “Flash Crash” experienced by U.S. stock
markets on May 6, 2010, when the Dow Jones Industrial Average fell over 600
points in a matter of minutes before rebounding later that day. The stock
market was overwhelmed by a huge wave of sell orders triggered primarily by
high-speed computerized trading programs within a few seconds, causing
shares of some companies like Proctor & Gamble to sell for pennies.
How does the Simon framework of intelligence-design-choice-implementation work in high-velocity decision environments? Essentially, the intelligence,
design, choice, and implementation parts of the decision-making process are
captured by the software’s algorithms. The humans who wrote the software have
already identified the problem, designed a method for finding a solution, defined
a range of acceptable solutions, and implemented the solution. Obviously, with
humans out of the loop, great care needs to be taken to ensure the proper operation of these systems lest they do significant harm to organizations and
humans. And even then additional safeguards are wise to observe the behavior
of these systems, regulate their performance, and if necessary, turn them off.
12.2 BUSINESS INTELLIGENCE IN THE ENTERPRISE
Chapter 2 introduced you to the different types of systems used for supporting
management decision making. At the foundation of all of these decision
support systems are business intelligence and business analytics infrastructure
461
462
Part Three Key System Applications for the Digital Age
that supplies the data and the analytic tools for supporting decision making.
In this section, we want to answer the following questions:
• What are business intelligence (BI) and business analytics (BA)
• Who makes business intelligence and business analytics hardware and
software?
• Who are the users of business intelligence?
• What kinds of analytical tools come with a BI/BA suite?
• How do managers use these tools?
• What are some examples of firms who have used these tools?
• What management strategies are used for developing BI/BA capabilities?
WHAT IS BUSINESS INTELLIGENCE?
When we think of humans as intelligent beings we often refer to their ability to
take in data from their environment, understand the meaning and significance
of the information, and then act appropriately. Can the same be said of
business firms? The answer appears to be a qualified “yes.” All organizations,
including business firms, do indeed take in information from their environments, attempt to understand the meaning of the information, and then
attempt to act on the information. Just like human beings, some business firms
do this well, and others poorly.
“Business intelligence” is a term used by hardware and software vendors and
information technology consultants to describe the infrastructure for
warehousing, integrating, reporting, and analyzing data that comes from the
business environment. The foundation infrastructure collects, stores, cleans,
and makes relevant information available to managers. Think databases, data
warehouses, and data marts described in Chapter 6. “Business analytics” is also
a vendor-defined term that focuses more on tools and techniques for analyzing
and understanding data. Think online analytical processing (OLAP), statistics,
models, and data mining, which we also introduced in Chapter 6.
So, stripped to its essentials, business intelligence and analytics are about
integrating all the information streams produced by a firm into a single, coherent enterprise-wide set of data, and then, using modeling, statistical analysis
tools (like normal distributions, correlation and regression analysis, Chi square
analysis, forecasting, and cluster analysis), and data mining tools (pattern
discovery and machine learning), to make sense out of all these data so
managers can make better decisions and better plans, or at least know quickly
when their firms are failing to meet planned targets.
One company that uses business intelligence is Hallmark Cards. The
company uses SAS Analytics software to improve its understanding of buying
patterns that could lead to increased sales at more than 3,000 Hallmark Gold
Crown stores in the United Sates. Hallmark wanted to strengthen its relationship with frequent buyers. Using data mining and predictive modeling, the
company determined how to market to various consumer segments during
holidays and special occasions as well as adjust promotions on the fly.
Hallmark is able to determine which customer segments are most influenced
by direct mail, which should be approached through e-mail, and what specific
messages to send each group. Business intelligence has helped boost Hallmark
sales to its loyalty program members by 5 to 10 percent.
Chapter 12 Enhancing Decision Making
B u s i n e s s I n t e l l i g e n c e Ve n d o r s
It is important to remember that business intelligence and analytics are products
defined by technology vendors and consulting firms. They consist of hardware
and software suites sold primarily by large system vendors to very large Fortune
500 firms. The largest five providers of these products are SAP, Oracle, IBM, SAS
Institute, and Microsoft (see Table 12-4). Microsoft’s products are aimed at small
to medium size firms, and they are based on desktop tools familiar to employees
(such as Excel spreadsheet software), Microsoft Sharepoint collaboration tools,
and Microsoft SQL Server database software. The size of the American BI and BA
marketplace in 2010 is estimated to be $10.5 billion and growing at over 20%
annually (Gartner, 2010). This makes business intelligence and business analytics
one of the fastest-growing and largest segments in the U.S. software market.
THE BUSINESS INTELLIGENCE ENVIRONMENT
Figure 12-3 gives an overview of a business intelligence environment, highlighting the kinds of hardware, software, and management capabilities that the
major vendors offer and that firms develop over time. There are six elements in
this business intelligence environment:
• Data from the business environment: Businesses must deal with both
structured and unstructured data from many different sources, including
mobile devices and the Internet. The data need to be integrated and organized so that they can be analyzed and used by human decision makers.
• Business intelligence infrastructure: The underlying foundation of business intelligence is a powerful database system that captures all the relevant
data to operate the business. The data may be stored in transactional databases or combined and integrated into an enterprise-data warehouse or series
of interrelated data marts.
• Business analytics toolset: A set of software tools are used to analyze data
and produce reports, respond to questions posed by managers, and track the
progress of the business using key indicators of performance.
• Managerial users and methods: Business intelligence hardware and software are only as intelligent as the human beings who use them. Managers
impose order on the analysis of data using a variety of managerial methods
that define strategic business goals and specify how progress will be measured. These include business performance management and balanced scorecard approaches focusing on key performance indicators and industry strategic analyses focusing on changes in the general business environment, with
special attention to competitors. Without strong senior management overTABLE 12-4 MARKET LEADERS AND SHARE FOR THE TOP BUSINESS
INTELLIGENCE VENDORS
VENDOR
MARKET SHARE
BUSINESS INTELLIGENCE SOFTWARE
SAP
25%
SAP BusinessObjects EPM Solutions
SAS Institute
15%
SAS Activity Based Management; financial, human capital,
profitability, and strategy management
Oracle
14%
Enterprise Performance Management System
IBM
11%
IBM Cognos
Microsoft
7%
SQL Server with PowerPivot
463
464
Part Three Key System Applications for the Digital Age
FIGURE 12-3
BUSINESS INTELLIGENCE AND ANALYTICS FOR DECISION SUPPORT
Business intelligence and analytics requires a strong database foundation, a set of analytic tools, and
an involved management team that can ask intelligent questions and analyze data.
sight, business analytics can produce a great deal of information, reports, and
online screens that focus on the wrong matters and divert attention from the
real issues. You need to remember that, so far, only humans can ask intelligent questions.
• Delivery platform—MIS, DSS, ESS. The results from business intelligence
and analytics are delivered to managers and employees in a variety of ways,
depending on what they need to know to perform their jobs. MIS, DSS, and
ESS, which we introduced in Chapter 2, deliver information and knowledge
to different people and levels in the firm—operational employees, middle
managers, and senior executives. In the past, these systems could not share
data and operated as independent systems. Today, one suite of hardware and
software tools in the form of a business intelligence and analytics package is
able to integrate all this information and bring it to managers’ desktop or
mobile platforms.
• User interface: Business people are no longer tied to their desks and desktops. They often learn quicker from a visual representation of data than from
a dry report with columns and rows of information. Today’s business analytics
software suites emphasize visual techniques such as dashboards and scorecards. They also are able to deliver reports on Blackberrys, iPhones, and other
mobile handhelds as well as on the firm’s Web portal. BA software is adding
capabilities to post information on Twitter, Facebook, or internal social media
to support decision making in an online group setting rather than in a face-toface meeting.
BUSINESS INTELLIGENCE AND ANALYTICS
CAPABILITIES
Business intelligence and analytics promise to deliver correct, nearly real-time
information to decision makers, and the analytic tools help them quickly
Chapter 12 Enhancing Decision Making
understand the information and take action. There are 5 analytic functionalities
that BI systems deliver to achieve these ends:
• Production reports: These are predefined reports based on industry-specific requirements (see Table 12-5).
• Parameterized reports. Users enter several parameters as in a pivot table to
filter data and isolate impacts of parameters. For instance, you might want to
enter region and time of day to understand how sales of a product vary by
region and time. If you were Starbucks, you might find that customers in the
East buy most of their coffee in the morning, whereas in the Northwest
customers buy coffee throughout the day. This finding might lead to different
marketing and ad campaigns in each region. (See the discussion of pivot
tables in Section 12.3).
• Dashboards/scorecards: These are visual tools for presenting performance
data defined by users
• Ad hoc query/search/report creation: These allow users to create their
own reports based on queries and searches
• Drill down: This is the ability to move from a high-level summary to a more
detailed view
• Forecasts, scenarios, models: These include the ability to perform linear
forecasting, what-if scenario analysis, and analyze data using standard statistical tools.
Who Uses Business Intelligence and Business
Analytics?
In previous chapters, we have described the different information constituencies in business firms—from senior managers to middle managers, analysts,
and operational employees. This also holds true for BI and BA systems (see
Figure 12-4). Over 80 percent of the audience for BI consists of casual users
who rely largely on production reports. Senior executives tend use BI to
monitor firm activities using visual interfaces like dashboards and scorecards.
Middle managers and analysts are much more likely to be immersed in the data
and software, entering queries and slicing and dicing the data along different
FIGURE 12-4
BUSINESS INTELLIGENCE USERS
Casual users are consumers of BI output, while intense power users are the producers of reports, new
analyses, models, and forecasts.
465
466
Part Three Key System Applications for the Digital Age
dimensions. Operational employees will, along with customers and suppliers,
be looking mostly at prepackaged reports.
Examples of Business Intelligence Applications
The most widely used output of a BI suite of tools are pre-packaged production
reports. Table 12-5 illustrates some common pre-defined reports from Oracle’s
BI suite of tools.
Predictive Analytics
Predictive analytics, which we introduced in Chapter 6, are being built into
mainstream applications for everyday decision making by all types of employees, especially in finance and marketing. For example, Capital One conducts
more than 30,000 experiments each year using different interest rates, incentives, direct mail packaging, and other variables to identify the best potential
customers for targeting its credit card offers. These people are most likely to
sign up for credit cards and to pay back Capital One for the balances they ring
up in their credit card accounts. Predictive analytics have also worked especially well in the credit card industry to identify customers who are at risk for
leaving.
Dealer Services, which offers inventory financing for used-car dealers, is
trying to use predictive analytics to screen potential customers. Thousands of
used-car dealers, who were formerly franchisees for General Motors and
Chrysler, are seeking financing from companies such as Dealer Services so that
they can go into business on their own. Using WebFOCUS software from
Information Builders, the company is building a model that will predict the best
loan prospects and eliminate up to 10 of the 15 hours required to review a
financing application. The model reviews data including dealer size and type,
number of locations, payment patterns, histories of bounced checks, and inventory practices and is revalidated and updated as conditions change.
FedEx is using SAS Institute’s Enterprise Miner and predictive analytic tools
to develop models that predict how customers will respond to price changes
and new services, which customers are most at risk of switching to competitors,
and how much revenue will be generated by new storefront or drop-box locations. The accuracy rate of the predictive analysis system ranges from 65 to 90
percent. FedEx is now starting to use predictive analytics in call centers to help
TABLE 12-5 EXAMPLES OF BUSINESS INTELLIGENCE PRE-DEFINED
PRODUCTION REPORTS
BUSINESS FUNCTIONAL AREA
PRODUCTION REPORTS
Sales
Forecast sales; sales team performance; cross selling; sales cycle times
Service/Call Center
Customer satisfaction; service cost; resolution rates; churn rates
Marketing
Campaign effectiveness; loyalty and attrition; market basket analysis
Procurement and Support
Direct and indirect spending; off-contract purchases; supplier
performance
Supply Chain
Backlog; fulfillment status; order cycle time; bill of materials analysis
Financials
General ledger; accounts receivable and payable; cash flow;
profitability
Human Resources
Employee productivity; compensation; workforce demographics;
retention
Chapter 12 Enhancing Decision Making
467
customer service representatives identify customers with the highest levels of
dissatisfaction and take the necessary steps to make them happy.
Data Visualization and Geographic Information
Systems
By presenting data in visual form, data visualization tools help users see
patterns and relationships in large amounts of data that would be difficult to
discern if the data were presented as traditional lists of text. For example,
managers and employees of Day & Zimmermann, an industrial, defense, and
workforce solutions provider, have detailed, real-time visibility into the
company’s inventory of contractors and workers through a set of dashboards
populated with real-time data from a SAP ERP Human Capital Management
system. The dashboards make it much easier to understand the organization’s
staffing levels than static paper reports. The real-time data indicate exactly
what type of worker is available in what location and when a project is due to
be completed. If a project is ahead of schedule, information from the dashboards helps decision makers rapidly determine when and where to reassign
its workers.
Geographic information systems (GIS) help decision makers visualize
problems requiring knowledge about the geographic distribution of people or
other resources. Their software ties location data to points, lines, and areas on a
map. Some GIS have modeling capabilities for changing the data and automatically revising business scenarios. GIS might be used to help state and local
governments calculate response times to natural disasters and other emergencies or to help banks identify the best location for installing new branches or
ATM terminals.
For example, Columbia, South Carolina-based First Citizens Bank uses GIS
software from MapInfo to determine which markets to focus on for retaining
customers and which to focus on for acquiring new customers. MapInfo also lets
the bank drill down into details at the individual branch level and individualize
Somerset County, New
Jersey, developed a GIS
based on ESRI software to
provide Web access to
geospatial data about flood
conditions. The system provides information that helps
emergency responders and
county residents prepare for
floods and enables emergency managers to make
decisions more quickly.
468
Part Three Key System Applications for the Digital Age
goals for each branch. Each branch is able to see whether the greatest revenue
opportunities are from mining their database of existing customers or from finding new customers. With clearer branch segmentation and more focused service
goals, the bank has moved from making cold sales calls to calls that are more
service- and courtesy-oriented.
Business Intelligence in the Public Sector
Business intelligence systems are also used in the public sector. The Interactive
Session on Organizations describes a school district’s move to quantify and analyze student performance data to make better decisions about how to allocate
resources to enhance student and teacher performance.
MANAGEMENT STRATEGIES FOR DEVELOPING BI AND
BA CAPABILITIES
There are two different strategies for adopting BI and BA capabilities for the
organization: one-stop integrated solutions versus multiple best-of-breed vendor
solutions. The hardware firms (IBM, HP, and now Oracle, which owns Sun
Microsystems) want to sell your firm integrated hardware/software solutions
that tend to run only on their hardware (the totally integrated solution). It’s
called “one stop shopping.” The software firms (SAP, SAS, and Microsoft)
encourage firms to adopt the “best of breed” software and that runs on any
machine they want. In this strategy, you adopt the best database and data
warehouse solution, and select the best business intelligence and analytics
package from whatever vendor you believe is best.
The first solution carries the risk that a single vendor provides your firm’s
total hardware and software solution, making your firm dependent on its pricing power. It also offers the advantage of dealing with a single vendor who can
deliver on a global scale. The second solution offers greater flexibility and independence, but with the risk of potential difficulties integrating the software to
the hardware platform, as well as to other software. Vendors always claim their
software is “compatible” with other software, but the reality is that it can be very
difficult to integrate software from different vendors. Microsoft in particular
emphasizes building on its desktop interface and operating system (Windows),
which are familiar to many users, and developing server applications that run
on Microsoft local area networks. But data from hardware and software produced by different vendors will have to flow seamlessly into Microsoft workstations to make this strategy work. This may not be adequate for Fortune 500
firms needing a global networking solution.
Regardless of which strategy your firm adopts, all BI and BA systems lock the
firm into a set of vendors and switching is very costly. Once you train thousands of employees across the world on using a particular set of tools, it is
extremely difficult to switch. When you adopt these systems, you are in essence
taking in a new partner.
The marketplace is very competitive and given to hyperbole. One BI vendor claims “[Our tools] bring together a portfolio of services, software, hardware and partner technologies to create business intelligence solutions. By
connecting intelligence across your company, you gain a competitive advantage for creating new business opportunities.” As a manager, you will have to
critically evaluate such claims, understand exactly how these systems could
improve your business, and determine whether the expenditures are worth
the benefits.