Unit 6

This document provides an overview of information systems economics and security. It discusses the growing need for information in organizations and how information systems help meet those needs. Data is raw facts while information adds context and meaning to help decision making. Knowledge arises from understanding a set of information. The value of information depends on its characteristics, like accuracy, completeness and timeliness. Information systems must be designed and managed to protect computer resources from threats while ensuring authorized access.
UNIT 6: INFORMATION SYSTEMS ECONOMICS AND SECURITY


Structure
6.1 Introduction: Growing Need of Information
6.2 Objectives
6.3 Data, Information and Knowledge
6.4 Value and Cost of Information
6.5 Ethics in Information Society and Right to Information
6.6 Protecting Computer Resources and Disaster Recovery
6.7 Information Systems: Success and Failure
6.8 Summary
6.9 Unit End Exercises
6.10 References and Suggested Further Readings.

6.1 INTRODUCTION: GROWING NEED OF INFORMATION
Maintaining records for later use has been in practice since
ancient times. Initially, people were required to keep records of their
possessions so that the governing body could collect tax from them. Governments and
traders kept records to plan their activities better. With industrialization,
it became necessary for industry owners and managers to keep records
of inventory and accounts. Management needed more information for
internal decisions. Investors, on the other hand, needed information about
the organization, its soundness, and health. In spite of the technological
developments, there is an ever-increasing demand for more and more
information.
Information and Information Technology have become a strategic
necessity. The business environment has become much more competitive.
It has become mandatory for organizations to make full use
of information with the help of technology to survive. In an organization,
information and technology exist in the form of an information system.
Whenever an external or internal demand is anticipated or felt by the
organization, the information system (IS) helps the organization to plan critical
response activities. Individuals are supported by IS to fulfill their roles.
Organizations use IS to track consumer behavior. With the availability
of technology, even in the form of hand-held smart devices, it has become
possible to disseminate information at any time, provided the organization has
an IS in place. The organization may take proactive measures rather than
firefighting measures based on the information provided.
Typical scenario in an organization is closer to what is shown below in
Figure 6.1

[Figure 6.1: An organization as a hierarchical unit and hierarchical communication channels. Levels shown from top to bottom: Level I, Level II, Level III, Level IV.]

At Level I is the owner, i.e. the chief of the organization or top-level management;
Level II has middle management; Level III is lower-level management; and
at Level IV are the workers.
As organizations grew in size, the volume of data generated within them
also increased, and IS became a necessity for rational decision-making,
providing information at all levels by extracting it from the pile of
data.

6.2 OBJECTIVES
After reading this unit, you should be able to:
● Define data, information, knowledge and relationship between them;
● Explain the concepts like cost and value of information;
● Illustrate the main reasons for success and failure of an MIS;
● Describe ethical issues involved in information society and right to
information; and
● Explain the need and mechanism to protect and safeguard computer
resources from unauthorized access, computer viruses, and
cybercrimes.

6.3 DATA – INFORMATION - KNOWLEDGE


Data is the raw material with which we start and information is the finished
product. For example, look at the following lines:
1234    5000.00
2345    7000.00
3456    4500.00
2571    8000.00
The above lines just contain data, as there is no meaning associated with them. Let us now
put the data in the proper context as follows:
Account Number    Money Withdrawn on a day
1234              Rs. 5000.00
2345              Rs. 7000.00
3456              Rs. 4500.00
2571              Rs. 8000.00
Total             Rs. 24500.00
The data is now usable and we can process it to extract information such
as: the amount withdrawn from account number 1234 is Rs. 5000.00. We
can consolidate the data and extract the information that Rs. 24500.00 was
withdrawn on the day.
Information has been defined as:
Data that have been put into a meaningful and useful context and
communicated to a recipient who uses it to make decisions. It reduces
uncertainty, reveals additional alternatives or helps eliminate irrelevant or
poor ones.
Returning to our example, the bank manager may decide the amount
of required cash based on the information of total money withdrawn.
The information makes a person more knowledgeable. Knowledge is an
awareness and understanding of a set of information that helps decision-
making. Knowledge makes a person wise. The sequence is the following –
Data is processed to get Information; Information makes a person
Knowledgeable; Knowledge so created adds to the Wisdom (abbreviated as
DIKW). This is the relationship between DIKW.
The information should have certain characteristics to be valuable to
its recipient. These characteristics vary from being accurate to secure.
If information is not accurate, the decision maker may not rely on the
information. The situation becomes worse if the recipient of the information
is not aware of its inaccuracy. The decision maker may use inaccurate
information assuming it to be accurate. The following is a comprehensive
list of desired characteristics:
1. Accurate: The information should be accurate and error free. The
information may be inaccurate due to incorrect data that has been
used to generate information. The data may be inaccurate due to
human error. This is commonly referred to as garbage-in-garbage-out
(GIGO).
2. Complete: The information must be complete. The information
should not have been filtered in a way that presents a biased picture to the
recipient. Let us say salespersons of an organization are reporting sales
information to the sales manager. The sales they make for the month
of July are exceptionally low. They delete this information from their
report, whereas the sales manager might be interested in July sales
just as much as in other months’ sales. He might even be aware of the
reasons for the low sales and might be planning to boost sales in July.
The incomplete information may be useless for him.
3. Economical: We all understand that information has an associated
cost and it is expected to be beneficial for the recipient. The benefit
must be much greater than the cost.
4. Flexibility: Let us understand flexibility through an example. In a
bank, the bank manager would like to know the total amount withdrawn
and deposited through transactions, loans given and recovered by the
bank. A client would like to check the total money he withdraws from
his account and his present balance. The information that the bank
possesses should be flexible enough to present different views of data
to different people.
5. Reliable and verifiable: Information is said to be reliable if one
can depend on it. Both data and information should be reliable. In
case there is any doubt or the user wants to be absolutely sure, he
might like to verify it.
6. Relevant: This characteristic is self-explanatory. No one would like
to have irrelevant data or information.
7. Simple: The information must be presented in a proper format to make
it simple for the user. Too much information may result in information
overload. The user may not be able to extract important information.
8. Timely: The information may lose its value if it is not received in a
timely manner. Imagine reading yesterday’s newspaper today.
9. Accessible and secure: The information should be easily accessible
to authorized persons. At the same time, the information should be
secure from unauthorized users.
To summarize, information is the result or product of processing data as
depicted below.

Data → Processor → Information

Data life cycle:


We can think of data having their own life cycle namely, data generation, data
manipulation, transmission of data (and communication of information),
storing/retrieving, archiving/purging and reproduction of data.
The generation of data could take place internally and/or externally. This
data has to be captured by recording data from an event or occurrence in
some form such as sales slips, personnel forms, purchase orders etc.
Stored data would have to be retrieved by searching out and gaining access
to specific data elements from the medium where it is stored.
Retrieved data may be converted or reproduced to a different form or
presentation format by way of documents, reports etc.
Data are also constantly transported to the user in processed form. It is
transferred to storage from the source, then processed and passed on to the
user, who again returns it to storage after working on it, which becomes
available for further retrieval.
The randomly accumulated data has to be sorted and classified to reveal
appropriate information. For example, sales data can be classified product-
wise, territory-wise, salesperson-wise etc. Such a classification will give the
sales data more meaning.
Processing of data might entail quite a bit of manipulation and calculations
involving addition, subtraction, multiplication, division etc. based on
certain formulae. Computations might have to be performed for deriving
employee’s pay, customer’s bill, financial ratios, hospital bills, insurance
claim etc. Management science/operational research models might be used
for determining optimal product mix, aggregate planning, and economic
order quantity determination.
Data stored must be utilized on some occasion by someone at some point
of time; otherwise there is no point in storing it. When data is finally put in
a usable form it can be retrieved and turned into information at the appropriate
time for decision-making.
It is important to destroy data following its evaluation for use in future.
Destruction/purging of data records may be accomplished on a purely routine
basis following one time use or may occur in review of old records. This
is done by following the organization’s policy. Destruction is the terminal
stage or the end of the data life cycle. The data life cycle is portrayed in
Figure 6.2:

[Figure 6.2: Data Life Cycle. Stages shown: Generate, Store, Retrieve, Sort, Manipulate, Synthesize, Utilize, Evaluate for future use, Destroy.]

Broken lines in above Figure indicate that unusable data should be destroyed/
purged.

6.4 VALUE AND COST OF INFORMATION


The value of information is measured in terms of benefits to the organization.
The benefits may be tangible that can be easily quantified. For example, 5%
increase in sales is a tangible benefit, which corresponds to, say, Rs. 50,000.
If the cost of the information that led to this additional profit is Rs. 20,000
then the value of the information is Rs. 30,000. Sometimes, the benefits may
be intangible and cannot be easily quantified. For instance, the information
may help consumers to connect to a company better. The employees may
feel respected in an organization if more information is shared with them. In
both the cases, the attrition rate will decrease and the corresponding benefit
cannot be directly measured in terms of financial benefit to the organization.
For using information to its advantage, organization develops an information
system. However before developing the system, a cost/benefit analysis
is done to figure out the net benefit of the system. There are many methods
to assess the value of an information system. The most common are explained
below.
1. Cost-benefit analysis:
IT projects require investments in advance, before their outcomes are obtained.
Many times it becomes difficult for organizations to take decisions on
such investments. Over the years, however, the advantages of
information, and hence the need for the IS, have become clear. Nowadays
IT projects are less risky provided all resources, including the human
resource, are well planned and put in place.
The cost-benefit analysis method is comprehensive and explicit in
showing the investment and the gain out of it; hence it is covered in
detail.
Identification of IT Costs
Earlier, IT cost used to be hard to estimate because of excessive
overhead. With the advancements in IT and the availability of human
resources in a much easier way than earlier, the task has
become uncomplicated. There are options available for investments
in IT. Third-party resources, also available through the internet in the form
of Cloud services, have helped organizations in setting up IT
infrastructure in a simple way. One may go for establishment in phases
based on its preparedness for taking up the load and usability.
Table 6.1 below gives the costs involved for an organization which
decides to establish its own IT infrastructure, i.e. without hiring.
(a) Direct Cost
Table 6.1: Cost involved in IT

Environmental operating cost          Various items detail
Hardware cost                         Servers; Computers and Printers; Backup devices; Network and security equipment
Software cost                         Operating system; RDBMS; Networking and security software
Installation and configuration costs  Network wiring and configuration; Security software configuration; In-house customizing time; Re-engineering business process
Overheads                             Electricity, UPS, air-conditioning, printing paper, printer toner/cartridges, disks and backup devices
Training cost                         Cost for preparing the workforce by training and re-training
Maintenance cost                      Yearly service contract for hardware; Software upgrades, and maintenance fee

(b) Indirect Human Costs
Indirect human cost is more significant than direct cost and it
is very elusive in nature. Following is the taxonomy of indirect
human costs:
● Management Time
● Management effort and dedication
● Employee Training, re-training and human resource
development
● Management Resources
● Personnel Issues
● Cost of ownership
● Employee Time
● Employee Motivation
(c) Indirect Organizational Costs
● Losses in productivity
● Organizational Productivity
● Strains on Organizational Resources
● Opportunity Cost and Risk
● Business Process Reengineering and integration of
services
● Covert Resistance
Identification of Benefits
The following are the potential benefits of an IT system:
● Reduced Head Count
● Reduced manufacturing cost
● Reduced inventory cost
● Reduced down time
● Better quality control
● Additional new customers
● Increased sales from existing customers
● Better image of the Organization
● Higher employee morale
● Reduced attrition rate
● The ability to recruit better employees
● Eliminate data duplicacy
This approach of doing cost-benefit analysis is known as Total Cost of
Ownership (TCO). The model attempts to include all costs, including
direct and indirect costs of owning the information system. One can
include non-business uses of a computer system as a cost factor. This
model is versatile and gives you complete freedom to include any
relevant cost or benefits. It has been used to assess the net benefits
of owning a computer system. TCO, in many cases, has revealed
weaknesses of an information system in terms of under-utilization or
mismanagement of IS.

Activity A
Pick an information system that you have used and do a cost-benefit
analysis. Make an educated guess for cost and benefit figures.
2. Return on Investment (ROI)
Another measure of IS value is return on investment (ROI). This
method tries to quantify additional profits that are generated as a
percentage of the investment in information system technology. For
example, if a manufacturing firm invested 5 Crore rupees in IS and
the additional benefit due to increased sales is 50 Lakh rupees, then the
return on investment is
$$\frac{50{,}000}{5{,}00{,}000} = \frac{1}{10}$$
In percentage it will be $\frac{1}{10} \times 100 = 10\%$. In other words, the return on
investment is 10%. The company might perform this analysis before
installing the information system with the objective of determining the
utility of the system. The same analysis may be performed after the
installation to check the delivered benefits of the IS against expected
benefits.
3. Earning Growth
Another measure of IS value is the increase in earnings growth. Let us
say an organization experienced 7% sales growth in year 2015. After
installing IS, the sales growth became 15%. Assuming that no other
factors affected sales, the 8% increase in sales is due to IS.
4. Market Share
Similar to earning growth one can also evaluate value of IS in
terms of increased market share. Organisational growth depends on
information and IS plays the role of backbone for the organization in
taking decisions.
5. Customer Awareness and Satisfaction
Customer satisfaction is one of the most valued intangible benefits
of an information system. At present, when almost all organizations
offer online services, IS helps customers track the status
of their orders. A customer may check the stock status before placing
an order. There are leading companies that conduct surveys on behalf
of their client companies to determine the satisfaction level of their
customers.

6.5 ETHICS IN INFORMATION SOCIETY AND RIGHT TO INFORMATION
While using IS, everyone is supposed to follow ethics and refrain from
committing crimes by unauthorized use, as unethical use could be devastating
for the organization. To control such unauthorized use, countries have
predefined rules that must be followed. India, being a leader in the IT
industry, has an IT Act which came up in the year 2000. It is widely known as
the IT Act 2000. Further amendments have been made for better control. Use of
social media using digital technology has also seen a tremendous increase
in the recent past. The following shows the number of social media users
in India alone, in early 2021 –
WhatsApp users - 53 Crores (530 Millions)
YouTube users - 44.8 Crores (448 Millions)
Facebook users - 41 Crores (410 Millions)
Instagram users - 21 Crores (210 Millions)
Twitter users - 1.75 Crores (17.5 Millions)
With the increase in use of IT, whenever felt necessary the Government
of India issues guidelines through modifications in the IT Act. In February
2021, by modifying the IT Rules 2000 and 2011, Intermediary Guidelines
and Digital Media Ethics Code were notified. As per the Act, if any person,
without permission of the owner or any other person who is in charge of a
computer, computer system or computer network -
● accesses or secures access to such computer, computer system or
computer network;
● downloads, copies or extracts any data, computer data base or
information from such computer, computer system or computer
network including information or data held or stored in any removable
storage medium;
● introduces or causes to be introduced any computer contaminant or
computer virus into any computer, computer system or computer
network;
● damages or causes to be damaged any computer, computer system or
computer network, data, computer data base or any other programs
residing in such computer, computer system or computer network;
● disrupts or causes disruption of any computer, computer system or
computer network;
● denies or causes the denial of access to any person authorized to access
any computer, computer system or computer network by any means;
● provides any assistance to any person to facilitate access to a
computer, computer system or computer network in contravention of
the provisions of this Act, rules or regulations made there under;
● charges the services availed of by a person to the account of another
person by tampering with or manipulating any computer, computer
system, or computer network;
then the person shall be liable to pay damages by way of compensation
to the person so affected.
With the code of conduct as above, if a person accesses some data without
proper authorization then the person is held responsible and could be
punished. The information system and their impact must be audited and
users must be aware of the risks involved.
Privacy is an important social issue involved in information society. Privacy
deals with the collection and use or misuse of data. Today, there is not
even a single organization not using IT. Customer data is constantly being
collected and stored. This data is often distributed, sold or used without our
knowledge. The health sector and retail shops, for instance, have data on
their clients and customers. The fundamental question is “who owns this data
and information?” We know for sure that we would not like to share our
medical records with others, definitely not with an insurance company or our
employers.
With the Right to Information Act, which came up in 2005, the Government
of India has empowered citizens by giving them the right to be informed about the
activities of the Government, as an informed citizen is better equipped to keep
the necessary vigil on governance. This Act, known as the RTI Act, has further
amendments for better ease and control. This Act is very useful because of
digitization nationwide. The Internet, with the continuous developments in IT
and digitization, has made information flow very high. Doing business online
using IT, i.e. ecommerce, generates lots of data. The IT Act has made ecommerce
more adaptive and useful. Privacy of IT consumers and of the electronic documents
created requires a comprehensive mechanism to check and control.

6.6 PROTECTING COMPUTER RESOURCES AND DISASTER RECOVERY
Crimes involving illegal system access and use of computer services,
networks and smart devices over the internet have increased. Hackers make use
of their knowledge to gain access to others’ systems. An intruder may alter
the data or destroy the data or may even take full control of the systems,
making them unusable and useless, just by writing a small program. To
control such intrusions and malpractices, organizations use various
methods. For personal identification, biometrics like fingerprint, iris
and retina scan, and face recognition are popular, apart from the legacy system
of user-id and password. One Time Password (OTP) is also used, based on
the nature of the user’s business. For example, a bank may use OTP for each
transaction by its customers. The OTP is sent to the registered mobile of the
user. Unless both the transaction password and the OTP are correctly entered,
the banking system will not allow the user to move further. Depending on the nature
of computer crime that an organization anticipates, it may adopt controls.
A proper access mechanism should be in place with good security devices
like firewall, intrusion detection and protection system etc. in terms of both
hardware and software security solutions. To summarize, suggestive control
guidelines are given below –
a) Install strong user authentication and encryption capabilities on your
firewall.
b) Upgrade your software with the help of patches, which are developed
by vendors whenever a security gap is found in the software.
c) Every employee in the organization should be given unique log-in
credentials i.e. user-id and password. All such credentials should be
changed regularly by the individual. The system should prompt users to
change the password periodically, say, after every 90 days.
e) Separate zones should be created and maintained for different
categories of users. For example, an academic institution should have
separate access zones for its employees, students, and general public.
Dedicated servers for applications that communicate with the outside
world may be deployed.
f) Audit trail must be used to track access log. A document once created
cannot be changed without leaving an audit trail. Integrated software
solutions like ERP packages, for instance, maintain audit trail. In case
of a crime, the audit trail is of immense help.
g) Install good antivirus software on all systems. Mobilize users to
periodically scan the systems they are using. Email attachments should
be scanned before opening and downloading files from suspicious
websites must be avoided.
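One way to build the audit trail of guideline (f) so that a changed or removed record is detectable, given here as an added example that is not part of the original unit: every entry is sealed with a keyed hash (HMAC-SHA-256) over the previous entry's seal and its own content. The record fields, the sample events and the key are constructed for illustration, and the chaining scheme is an assumption, not something the unit prescribes.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for "no previous entry" at the start of the chain
SAMPLE_KEY = b"constructed-demo-key"  # constructed; a real key is kept off the logged system


def _seal(key, prev_seal, record):
    """HMAC over the previous seal plus this record, which chains the entries."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    message = (prev_seal + "|" + payload).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def append_entry(trail, key, user, action, document, timestamp):
    """Add one access or change record, sealed against the entry before it."""
    record = {"user": user, "action": action,
              "document": document, "time": timestamp}
    prev_seal = trail[-1]["seal"] if trail else GENESIS
    trail.append({"record": record, "seal": _seal(key, prev_seal, record)})
    return trail


def first_broken_entry(trail, key, expected_last_seal=None):
    """Return the index where verification first fails, or -1 if the trail is intact.

    expected_last_seal is the newest seal as noted somewhere the log's editors
    cannot reach; passing it also catches entries cut off the end of the
    trail, which is reported as index len(trail).
    """
    prev_seal = GENESIS
    for index, entry in enumerate(trail):
        expected = _seal(key, prev_seal, entry["record"])
        if not hmac.compare_digest(expected, entry["seal"]):
            return index
        prev_seal = entry["seal"]
    if expected_last_seal is not None and not hmac.compare_digest(
            prev_seal, expected_last_seal):
        return len(trail)
    return -1


def build_sample_trail():
    """Constructed sample: three events on one document."""
    trail = []
    append_entry(trail, SAMPLE_KEY, "clerk01", "create",
                 "invoice-1001", "2021-03-01T10:00:00")
    append_entry(trail, SAMPLE_KEY, "clerk01", "update",
                 "invoice-1001", "2021-03-01T10:05:00")
    append_entry(trail, SAMPLE_KEY, "manager02", "approve",
                 "invoice-1001", "2021-03-01T11:30:00")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", first_broken_entry(trail, SAMPLE_KEY))
    trail[1]["record"]["user"] = "manager02"  # someone rewrites who made the update
    print("after edit, first broken entry:", first_broken_entry(trail, SAMPLE_KEY))
```

The seal only helps if the people who can edit the log cannot also read the key, so the key and the latest seal are held on a separate system.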
Information system performs key functions for an organization. If for some
reason, the system becomes non-functional for some time, the consequences
may be unacceptable. Organizations usually have a set of emergency
procedures for critical functions. In the best scenario, the end user will not be
able to discover the failure of the regular system. Threats to the system could
be power failure, data corruption, storage failure, network failure, or nature’s
threats in the form of a fire, flood or earthquake. In addition, labour unrest
or human errors may also render the system unusable.
One of the first steps of disaster planning is to identify threats. After identifying
the threats, appropriate disaster recovery plans for computer resources
should be implemented.
Hardware backup
In case of a natural disaster or due to technology failure, the hardware may
become unusable. There are companies and firms that provide disaster
recovery services. A company may provide a backup system that could be
used in case the primary system fails. Some companies also provide data
storage services. This could be used to keep a copy of data. With cloud
facilities over the internet, a backup system has become very easy to maintain.
Software Backup
Software programs are precious assets of an organization that must be
protected. A human error may delete a software package or a hardware
failure may make it inaccessible. A simple strategy is to make copies of
software and keep them safely. In addition, one may like to keep another
copy off-site in a safe environment.
Regular periodic backup should be adopted in practice. If the data is too
large, incremental backups can be taken or selected data may be backed up
at regular intervals.
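The incremental backup mentioned above, sketched as an added example that is not part of the original unit: a manifest of SHA-256 digests from the previous backup decides which files have changed and need copying, and which have been removed since. The directory layout, the manifest file name and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed name for the per-backup manifest


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each file's path (relative to source_dir) to its content digest."""
    source = Path(source_dir)
    return {
        path.relative_to(source).as_posix(): file_digest(path)
        for path in sorted(source.rglob("*")) if path.is_file()
    }


def incremental_backup(source_dir, backup_dir, previous_manifest):
    """Copy only new or changed files; an empty previous manifest gives a full backup.

    Returns (current_manifest, changed_files, deleted_files).
    """
    source, target = Path(source_dir), Path(backup_dir)
    target.mkdir(parents=True, exist_ok=True)
    current = build_manifest(source)
    changed = sorted(name for name, digest in current.items()
                     if previous_manifest.get(name) != digest)
    deleted = sorted(set(previous_manifest) - set(current))
    for name in changed:
        destination = target / name
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / name, destination)
    # The manifest travels with the backup so a restore knows the full file set.
    (target / MANIFEST_NAME).write_text(
        json.dumps({"files": current, "deleted": deleted}, indent=2))
    return current, changed, deleted


def demo():
    """Constructed data: one full backup, then one incremental after edits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "data"
        (source / "reports").mkdir(parents=True)
        (source / "ledger.csv").write_text("1234,5000.00\n")
        (source / "reports" / "july.txt").write_text("sales: low\n")
        (source / "old.txt").write_text("to be purged\n")
        manifest, first, _ = incremental_backup(source, root / "backup-full", {})

        (source / "ledger.csv").write_text("1234,5000.00\n2345,7000.00\n")
        (source / "new.txt").write_text("added later\n")
        (source / "old.txt").unlink()
        _, second, deleted = incremental_backup(
            source, root / "backup-incr-1", manifest)
        copied = sorted(p.name for p in (root / "backup-incr-1").rglob("*")
                        if p.is_file())
        return first, second, deleted, copied


if __name__ == "__main__":
    for label, value in zip(("full", "incremental", "deleted", "copied"), demo()):
        print(label, value)
```

A restore replays the full backup and then each incremental in order, removing the files each manifest lists as deleted.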
The smart strategy is to be in pro-active mode rather than reactive mode. It
may be less expensive to plan ahead to avoid possible down time than suffer
losses.
Virus Protection
Computer viruses – sometimes known as malware – come in many different
forms. Till 2020, there were an incredible 350,000 new pieces of malware,
each one being a single piece of intrusive software. Viruses can find their way
onto just about any device – from computers and smart phones to the network of
an organization. A virus reproduces itself, usually without your permission
or knowledge. In general terms, they have an infection phase where they
reproduce widely and an attack phase where they do whatever damage they
are programmed to do (if any). Another way of looking at viruses is to
consider them to be programs written to create copies of themselves. These
programs attach these copies onto host programs (infecting these programs).
When one of these hosts is executed, the virus code (which was attached
to the host) executes, and links copies of itself to even more hosts. Many
viruses do unpleasant things such as deleting files or changing random data
on your disk, simulating typos or merely slowing your system down. Some
viruses infect other programs each time they are executed; other viruses
infect only upon a certain trigger. This trigger could be anything; a day or
time, an external event on your system etc. Viruses often delay revealing
their presence by launching their attack only after they have had ample
opportunity to spread. This means the attack could be delayed for days,
weeks, months, or even years after the initial infection. However, viruses
are only one way your data can be damaged. You must be prepared for all
threats; many of which are more likely to strike than viruses such as storage
failure due to hardware problem. All software and data reside in storage.
There are many other threats to your software and data that are much more
likely to harm you than viruses. There are a large number of virus types. The
most common computer viruses are categorized as below –
Macro Virus - This type of virus is normally found in Microsoft Word
and Excel files. This virus increases the size of files when it infects them
attaching its own generated codes. Once a macro virus infects a file, it can
easily spread to other computers when that file is shared, for example via
email or copied through other storage media.
Boot Sector Virus – This is the oldest virus affecting the startup or ‘boot’
process. Back in the 90s, these viruses were spread through floppy disks.
Nowadays, they attach themselves to emails or USB sticks. If your computer
catches one of these, you’ll need to carry out a full system reformat.
Trojan Horses - Used by cyber-criminals, Trojan horses are disguised as
normal programs, tempting you to install them on your computer. Once
installed, the viruses gain access to your computer’s files and capture your
private data – think passwords and online banking information. This can
then be used by hackers to make online purchases with your bank account
or expose your private information.
Overwrite Virus - These viruses typically take over a file and wipe the
original code without you even knowing it. Once deleted, the original files
cannot be recovered and the data is lost. They often spread through emails
via attachments or through file downloads on the internet.
Browser Hijacker – This virus hijacks your internet searches and redirects
you to pages you didn’t even want to visit. While not as harmful as other
types of viruses – they trick you rather than steal from you – browser
hijackers are still an annoying problem since they significantly slow your
system when surfing the internet.
Web Scripting Virus - Web scripting viruses are very clever little bugs
that blend into the background of popular websites – usually social media
platforms. They disguise themselves as normal links, tempting you to click
on them. Once you click, they steal your information. They can send spam to
your system and damage your data, and can spread faster than most viruses.
Polymorphic Virus - A polymorphic virus modifies whenever it replicates.
This makes it hard for most anti-virus programs to keep up. Once it’s found
its way onto your computer – usually through an email attachment or a
download from a suspicious website – it has free reign to delete your files,
steal your data, and generally sabotage your system.
Resident Virus – This is the most common type of virus. It finds its way into
your computer’s memory, completely uninvited, and resides there. Resident
viruses can come from email attachments, infected downloads or shared files.
Multipartite Virus - They usually spread through .exe files, so programs
like Word and Excel. These viruses eat up your virtual memory. You start
getting messages like ‘your computer has low virtual memory’, resulting in a
sudden slowing down of your computer.
Spacefiller Virus – This is also known as a ‘cavity virus’. These viruses find
the empty spaces in a program code and add their own code. This way, they
don’t alter the size of files but corrupt the program itself. They are, however,
very rarely found.
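The spacefiller description above has a practical consequence for defenders: a check that only compares file sizes will not notice a change that keeps the length the same, whereas a content hash will. The following is an added illustration, not part of the original unit; the file names and byte strings are constructed sample data and the function names are hypothetical.

```python
import hashlib

def make_baseline(files):
    """Record (size, SHA-256) for each file; `files` maps name -> bytes."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def audit(files, baseline):
    """Return name -> finding, comparing current contents with the baseline."""
    findings = {}
    for name, (size, digest) in baseline.items():
        data = files.get(name)
        if data is None:
            findings[name] = "missing"
        elif len(data) != size:
            findings[name] = "size changed"
        elif hashlib.sha256(data).hexdigest() != digest:
            # Same length, different bytes: invisible to a size-only check.
            findings[name] = "content changed, size unchanged"
        else:
            findings[name] = "ok"
    return findings

def size_only_audit(files, baseline):
    """The weak check: flags a file only when its length differs."""
    return {name: ("size changed" if len(files[name]) != size else "ok")
            for name, (size, _) in baseline.items() if name in files}

# Constructed sample data: a "program" with a run of unused padding bytes.
PADDING = b"\x00" * 32
CLEAN = {
    "report.exe": b"HEADER" + PADDING + b"PROGRAM-CODE",
    "notes.exe": b"HEADER" + b"OTHER-CODE",
}
BASELINE = make_baseline(CLEAN)

# Constructed change: the padding is overwritten in place (length preserved),
# while the second file simply grows, as when code is appended to a file.
CURRENT = {
    "report.exe": b"HEADER" + b"X" * 32 + b"PROGRAM-CODE",
    "notes.exe": CLEAN["notes.exe"] + b"EXTRA",
}

if __name__ == "__main__":
    print("size only:", size_only_audit(CURRENT, BASELINE))
    print("size+hash:", audit(CURRENT, BASELINE))
```

The baseline itself has to be stored where an infected machine cannot rewrite it, otherwise the comparison proves nothing.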
Cyber Crime and Cyber Security
With the internet now reaching a huge share of the population globally, cyber
crime has emerged as a big threat to individuals and organizations. Cyber
crime is a criminal activity that either targets or uses a computer, a computer
network or a networked device. Such activities are carried out by individuals
or organizations. Types of cyber crime may involve fraud with an individual’s
emails, phishing and sending spam mails, stealing and using personal or
corporate data, cyber-extortion and ransomware attacks, cyber-spying to access
government or company data, etc. Cybercriminals use viruses and malware
to commit such crimes, including the Denial-of-Service (DoS) attack. If
such a situation prevails, the entire business comes to a halt, as credentials are
lost and the system comes under the control of the cybercriminals.
Cyber security is the application of technologies, processes and controls to
protect systems, networks, programs, devices and data from cyber attacks.
It is to be noted that while information security deals with protecting the
integrity and privacy of data, both in storage and in transit, cyber security is
required as a secret weapon against cyber criminals, with the aim of reducing
the risk of cyber attacks and protecting against the unauthorized exploitation
of systems, networks and other such resources. Since it applies to everyone
working online through the internet, governments have made it mandatory for
the organizations in their countries to have sufficient control mechanisms
deployed. In India, the Companies Rules 2014 framed under the Companies
Act 2013 require companies to ensure that electronic records and security
systems are secure from unauthorized access and tampering. Similarly, the
Reserve Bank of India (RBI) provides guidelines for banks to secure banking
businesses. All the banks are supposed to mandatorily follow the ISO/IEC
27001 and ISO/IEC 27002 standards for ensuring adequate protection of
critical functions and processes. Similarly, SEBI requires stock exchanges,
depositories and clearing corporations to follow standards such as ISO/IEC
27001, ISO/IEC 27002 and COBIT 5. Cybercrime Cells are also available
for individuals and organizations to lodge complaints at governmental level.
There are many organizations which provide cyber security as a service.
They provide complete solutions to mitigate and resolve issues related to
cybercrimes.
CERT-In
In accordance with the IT Rules, the Computer Emergency Response Team
of India (CERT-In) came into existence in 2004 in the Ministry of Electronics
and Information Technology (MEIT), Government of India. It has been
operational since January 2004. CERT-In is the nodal agency responsible for
the collection, analysis, and dissemination of information on cyber incidents
and for taking emergency measures to contain such incidents. It responds to
computer security incidents as and when they occur. CERT-In has been
designated to serve as the national agency to perform the following functions
in the area of cyber security:
● Collection, analysis and dissemination of information on cyber
incidents,
● Forecast and alerts of cyber security incidents,
● Emergency measures for handling cyber security incidents,
● Coordination of cyber incident response activities,
● Issue guidelines, advisories, vulnerability notes and whitepapers
relating to information security practices, procedures, prevention,
response and reporting of cyber incidents,
● Such other functions relating to cyber security as may be prescribed.
(Source https://www.cert-in.org.in, https://www.lexology.com)

6.7 INFORMATION SYSTEM: SUCCESS AND FAILURE
An Information System is developed to assist management in problem-
specific decision-making. An IS development and deployment project may
succeed or it may fail. A project is a success if it is completed within time
and budget and delivers everything that was decided at the beginning. It must
meet the needs of its users and organization. Over a period of time, the
following main success and failure factors have been identified. These days,
integrated software modules are available which need to be customized to
put the software in place. The software, so customized, may be installed
either on in-house servers or on cloud servers. With cloud servers and
storage, the organization does not need to have servers and storage on its
premises. Access to the IS is through the internet, hence only a
computer/laptop/smart device is required to use the IS. There are many
factors that contribute to the success of a project. They are detailed below.

1. The project scope should be stable and well understood. If the scope
of the project changes during the development or customization of the
software, the project is likely to suffer in terms of quality, schedule
and budget overrun.
2. An MIS project that aims at re-engineering the business processes of
an organization faces a major challenge. Such projects are high-risk but
at the same time have high potential for major benefits.
3. The technology development platform and development language
exposure are other critical factors. Sometimes, the technology may
be new and the team may have difficulty using the technology. The
platform and language newness may also create trouble for the team.
4. Support from the management is vital for the success of the project.
If management loses interest in the project, the budget may be cut, key
people may be moved to another project or the moral support required
by the team may become non-existent.
5. The objective of the MIS must be in tune with the objective of the
organization. For instance, suppose the objective of an organization is
to cut costs. An MIS that aims to handle financial transactions of the
company is not in tune with the company’s objective.
6. The system should be user friendly and the response time should be
reasonable so that the user feels good working on the system. The user
should never be overpowered by the system.
7. MIS should be developed with a clear objective that must be
documented before the development commences. The objective must
be identified with the help of all stakeholders. The system analyst must
interview concerned people to establish their needs. Inputs should be
consolidated and presentation should be made in front of stakeholders
and the development team. This should go till the user requirements
are fully covered and understood i.e. till the objective becomes clear.
8. An important aspect of an MIS is data. The data policy, such as what data
will be included, who will provide the data, who will validate the
data, who will integrate the data and how the data will be retired, should be
clearly stated. These seemingly trivial issues can turn a success into a
failure.
9. A quality control plan must be in place to ensure quality of specification
and quality of conformance. If required, a third party may be engaged
for this purpose.
10. The concerned people should be adequately trained on the new
system. This skill development process should go on periodically
to overcome gaps due to shifting of human resources or because of
changes made in IS.
11. The system should be properly and explicitly documented so that
attrition does not affect the project or MIS adversely.

6.8 SUMMARY
In this unit, you have been introduced to the basic concepts of data, information,
and knowledge. You have also learnt about the growing need for information in
society, ethical issues and the right to information. The life cycle of data was
introduced. Information has a cost and a value associated with it, which
was discussed in some detail. An Information System should be protected
and secured, hence the concepts of unauthorized access, cybercrime and cyber
security were discussed. Steps for disaster recovery, the threats posed by
viruses, and ways to mitigate and resolve security issues were discussed. An
information system depends on many factors for its success. We also discussed
the main reasons for success and failure of an MIS.

6.9 UNIT END EXERCISES


1. Define data and information. What is the difference between the two?
2. What are the main characteristics of information? Why do we require
it in organizations?
4. What are various ways of assessing the value of information? Explain
each method briefly.
5. Write a detailed note on data life cycle.
6. What are the main reasons for success and failure of an information
system?
7. Does an organization have a right to collect and share information
without the permission of the person concerned? What are the ethical
issues involved in an information society?
8. Why should every organization have a disaster recovery plan to
protect itself?
9. Write a brief note on virus threat and a protection strategy.
10. Write a brief note on cyber security and cyber crimes.

6.10 REFERENCES AND SUGGESTED FURTHER READINGS
Bishop, Matt (2002), Computer Security: Art and Science, Addison-Wesley
Pub Co; 1st edition.
Davis, G.B., 2000, MIS Conceptual Foundations, Structure and
Development, McGraw Hill: New York.
Jawadekar, W.S., 5th Edition, Management Information System, Tata
McGraw Hill Education – Europe.
Kanter, J., Management Oriented MIS, Prentice Hall Inc: Englewood-Cliffs.
Pfleeger, Charles P. & Pfleeger, Shari L. (2002), Security in Computing, third
edition, Prentice Hall PTR.
Zani, W.S., “A Blue Print for MIS”, Harvard Business Review.
https://www.kaspersky.co.in site accessed on June 9, 2021
https://www.cert-in.org.in site accessed on June 9, 2021
https://www.meity.gov.in/content/icert site accessed on June 10, 2021
https://www.lexology.com site accessed on June 10, 2021
http://www.cknow.com/vtutor/vtintro.htm site accessed on June 10, 2021
