Make your own free website on

Introduction to Information Systems

Session 13

Session 1

Session 2

Session 3

Session 4

Session 5

Session 6

Session 7

Session 8

Session 9

Session 10

Session 11

Session 12

Session 13

Session 14

Session 15



  1. 10 minutes of instructor evaluation.
  2. Finish the uncovered material in Session 12. (Build versus Buy Considerations.)
  3. Describe some examples of waste and mistakes in information systems, their causes, and possible solutions.
  4. Explain the types and effects of computer crime.
  5. Identify specific measures to prevent computer crime.
  6. Discuss the principles and limits of an individual's right to privacy.
  7. Identify specific actions that must be taken to ensure the health and safety of employees.

A. Build vs. Buy Considerations: 30 minutes

Software Build Versus Buy—Making the Right Decision

Tough Decisions

Many project teams have faced the time when they need to make a major decision. Should one try to custom build a solution or buy an off-the-shelf product and customize it? These solutions can run the gamut of being a full enterprise-class package that does nearly everything but feed the dog to small programs or libraries that do something very specialized such as drawing graphs or providing encryption functions. Frequently, a wrong decision can result in cost overruns, project delays, or a solution that does not fit business needs very well.

In my experience, I have seen two extremes of behavior among teams charged with making the "build vs. buy" decision. One believes that they can build everything needed and that no off-the-shelf solution will fit their needs. The other side of the coin is a belief that an off-the-shelf package will be much cheaper and will be able to fit one's needs. Unfortunately, both paths frequently can lead to disappointments if not carefully considered. At times, going the package route may make sense while at other times, a custom-built solution will be better and more often a hybrid solution that uses both will be the best solution.

Making the Decision

A first step to making the decision is to get an idea of what needs you are trying to satisfy. This involves meeting with customers or business units to find out their specific needs and goals. Try to avoid going to a very detailed requirement level unless they are very crucial and can make or break a project. However, the more information you get, the better. Break them up into long term, medium term, and immediate needs. Also, classify them by priority—high, medium, and low. Make sure that stakeholders agree with this assessment.

Now that you have some idea of what needs you must satisfy, you can proceed to the next step. Estimate how much time, effort, and money this will involve, based on different options. Options typically fall within the range of complete packaged solutions to fully custom-built solutions with hybrid solutions in the middle.



Packaged Solution(s)

Custom-Built Solution(s)

Hybrid Solution(s)

What it means

A complete or nearly complete solution provided by a vendor; for example, ERP packages, CRM packages, and so on.

A solution that is custom built from scratch with few external components.

An intermediate solution that uses different packaged components from different vendors as well as custom code to integrate them into a solution.

Some potential benefits

Can be cheaper. Software quality can be better if it is a widely used package. May be easier to migrate to newer options in the future.

Will better fit business needs. Much more control over the solution. Can be customized for maximum business advantage.

Can provide the best of custom-built solutions and packaged solutions. More customization to business needs possible. Usually cheaper than a custom-built solution.

Potential risks

Vendor is financially unsound, product is immature, additional expensive customization needed to meet business needs, requires major changes in existing business processes, and so forth.

The technology platform to be used may be immature, skills with the platform are hard to find, bug fixes & enhancements can become very expensive, and so on.

Vendor is financially unsound, technology platform is immature, people with the skills needed are hard to find, integration issues, and the like.

Costs to consider

Ongoing licensing costs, infrastructure costs (servers, databases, networks, and so forth), support costs, training and customization required, quality assurance, and so on.

Infrastructure costs (development, testing, and operations), development costs, training if the team is using new technology, quality assurance, and so on.

Ongoing licensing, infrastructure costs (development, testing, and operations), support, development costs, and training if the team is using new technology, quality assurance, and so on.

Note: An option to consider when looking at custom or hybrid solutions is to work with an external consultant that may already have many parts of the solution you need. Many consulting companies have previously built frameworks that can be used to build a solution at less cost than starting from scratch.

At the end of this process, we may realize that we have found several different options. Based on the costs and risks associated with them, we can rank the different options based on a combination of the priorities of the different needs that have been identified earlier on, the costs involved and the risks associated with each option. Run these by your stakeholders and project team. This is a good way to communicate what you are trying to achieve and the upside and downside of each option. Try to get an agreement on the best option with an alternate option if things do not go as expected. Once a consensus has been reached, you can proceed with working on the chosen option. However, do not be unduly surprised if things change as you move along. This is a typical risk with any software project. A good way to handle this is to use an iterative development style. If things do not work as expected, the iterative style will help you change a particular decision before too much time & resources are spent. Realizing that a particular path is unsuitable before too much time and money has been spent still has value.


Making build vs. buy decisions frequently can be a challenge. Often, we do not have enough information and things can change during the decision-making process. However, it must be remembered that the aim should be to make a "good decision," not necessarily the "best decision." The business is a driver for making this decision and taking too much or too little time to make a decision can have bad long-term effects for the business. This also means that one should be willing to change a decision in terms of new information and changes in the environment.

Web Exercise:

1. Accounting programs can be developed or purchased. Using the Internet and a search engine, such as Yahoo!, find one or more companies that sell accounting software, such as payroll, billing, order processing, or inventory control software. Describe the software package and the company that sells it. Describe the features of the software package. What are the advantages of purchasing this software package versus developing the software?

B. Policies and procedures must be established to avoid computer waste and mistakes.

At the corporate level, computer waste and mistakes impose unnecessarily high costs for an information system and drag down profits. Waste often results from poor integration of IS components, leading to duplication of efforts and overcapacity. Inefficient procedures also waste IS resources, as do thoughtless disposal of useful resources and misuse of computer time for games and personal tasks. Inappropriate processing instructions, inaccurate data entry, mishandling of IS output, and poor systems design all cause computer mistakes. Careful programming practices, thorough testing, flexible network interconnections, and rigorous backup procedures can help an information system prevent and recover from many kinds of mistakes. Companies should develop manuals and training programs to avoid waste and mistakes. Company policies should specify criteria for new resource purchases and user-developed processing tools to help guard against waste and mistakes.

Q1. What can organizations do to prevent computer related waste and mistakes?

Q2: Identify four specific actions that can be taken to reduce crimes on the Internet.


Web Exercise:

Have each member of your team access 5 different web sites and summarize his or her findings in terms of the existence of data privacy policy statements – did the site have such a policy, was it easy to find, was it complete and easy to understand?

C. Computer crime is a serious and rapidly growing area of concern requiring management attention.

Some criminals use computers to execute their crimes. The most commonly used approaches include social engineering and dumpster diving .Social engineering is the practice of talking an individual out of a critical computer password. For dumpster diving, the attacker simply go through the garbage -dumpster diving- for important piece of information that can help crack the computers or persuade someone at the company to give them more access.

Other crimes target computer systems, including illegal access to computer systems by criminal hackers, alteration and destruction of data and programs by viruses, and simple theft of commuter resources. A virus is a program that attach itself to other programs. A worm functions as an independent program, replicating its own program files until it destroys other systems and programs or interrupts the operation of computer systems and networks. A logic bomb is designed to "explode" or execute at a specified time and date. Because of increased computer use greater emphasis is placed on the prevention and detection of computer crime. Software piracy and Internet piracy may represent the most common computer crime. Computer scams have cost individuals and companies thousands of dollars. Computer crime is also an international issue.

Preventing computer crime is done by provincial and federal agencies, corporations, and individuals. Security measures, such as using passwords, identification numbers, biometrics, and data encryption, help to guard against illegal access, especially when supported by effective control procedures. Virus scanning software identifies and removes damaging computer programs. Law enforcement agencies armed with new legal tools enacted by Congress now actively pursue computer criminals.

<Figure 13.1 applications of biometrics>


<Figure 13.2 An example of anti viruses software>


Federal law serves as nationwide moral guideline for privacy rights and activities by private organizations. Some provinces supplement federal protections and limit activities within their jurisdictions by private organizations. A business should develop a clear and thorough policy about privacy rights for customers, including database access. The policy should also address the rights of employees, including electronic monitoring systems and e-mail. Fairness in information use for privacy rights emphasize knowledge, control, notice, and consent for people profiled in databases. Individuals should have knowledge of the data that is stored about them and have the ability to correct errors in corporate database systems. If information on individuals is to be used for other purposes, these individuals should be asked to give their consent beforehand. Each individual has the right to know and the ability to decide.

Common Hacking Tactics

Denial of Service

His is becoming a common networking prank. By hammering a website’s equipment with too many requests for information, an attacker can effectively clog the system, slowing performance or even crashing the site. This method of overloading computers is sometimes used to cover up an attack.


Widespread probes of the Internet to determine types of computers, services, and connections. That way the bad guys can take advantage of weaknesses in a particular make of computer or software program.


Programs that covertly search individual packets of data as they pass through the Internet, capturing passwords or the entire content.


Faking an E-mail address or web page to trick user into passing along critical vulnerability like passwords or credit card numbers.

Trojan Horse

A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software.

Back Doors

In case the original entry point has been detected, having a few hidden way back make reentry easy and difficult to detect.

Malicious Applets

Tiny programs, sometimes written in the popular Java computer language, that misuse your computer’s resources, modify files on the hard disk, send fake E-mail, or steal password.

War Dialing

Program that automatically dial thousands of telephone number in search of a way in through a modern connection.

Buffer Overflow

A technique for crashing or gaining control of a computer by sending too much data to the buffer in a computer’s memory.

Password Crackers

Software that can guess passwords.

Social Engineering

A tactic used to gain access to computer system by talking unsuspecting company employees out of valuable information such as passwords.

Dumpster Diving

Sifting through a computer’s garbage to find information to help break into their computers. Sometimes the information is used to make a stab at social engineering more credible.

Q3: How might the computer be the object of crime?

Q4: What are the major problems caused by criminal hackers?

Q5: What is the difference between a worm and a virus?

Q6: What is software piracy, and why is it so common?


Theme: How to prevent viruses? (See the handout for more information.)

Web Exercise:
1. Visit the Web site of McAfee, Symantec, or some other provider of computer security software. Develop a "top ten" list of the current viruses that are rated as having the highest risk assessment. Create a simple chart in spreadsheet that identifies the symptoms or impact of each of these viruses.

2. Several computer-related organizations, including AITP, ACM, IEEE, and CPSR, provide codes of ethics for IT professionals. Locate the Web pages for any two of these associations. Choose one of the codes and modify it to meet the needs of the general computer user. For more details on how to create a code of ethics for your organization

D. Jobs, equipment, and working conditions must be designed to avoid negative health effects.

Computers have changed the makeup of the workforce and even eliminated some jobs, but they have also expanded and enriched employment opportunities in many ways. Some critics blame computer systems for emissions of ozone and electromagnetic radiation.

Computers and related devices affect employees' emotional and physical health, especially by causing repetitive stress injury (RSI). The study of designing and positioning computer equipment, called ergonomics, has suggested a number of approaches to reducing these health problems. For more information on ergonomics, click this.

Work safely at your computer

Q7: What is ergonomics? How can it be applied to office workers?