Monday, August 11, 2008
Government policy in the UK has, over recent years, strongly encouraged the growth of small companies.
As a result, there are many possible sources of funding or finance.
However, they can all be grouped under three headings: grants, loans and sale of equity.
Financial Structure of an Organization
A grant is a sum of money given to the company; while the company is obliged to demonstrate that it has been used for the purposes for which it was intended, it is not intended that the grant should ever be paid back to the organization which gave it.
Surprisingly, grants are only available from government (local or national) and European Commission sources or, very occasionally, from charities.
Very often, grants are limited to a certain proportion of the money spent on a particular development and are conditional upon the remainder being raised from other sources.
A loan is a sum of money lent to the company; interest is payable on it, at a rate that may be fixed or variable, and the loan is usually for a fixed period.
The company is liable to pay back the loan; if the company goes into liquidation (bankruptcy), the lender is entitled to recover the loan from the sale of the assets of the company.
In most cases security is required for the loan; that is, the loan is secured against assets owned by the company in much the same way that a mortgage is secured against a house.
Equity capital is money paid to the company in exchange for a share in the ownership of the company.
Shareholders are at a much greater risk of getting a poor return on their capital or even losing it completely than are lenders but, in compensation for this, they stand to make a greater profit than lenders if all goes well.
Read the example on page 64 of the textbook.
Human Resource Issues
Recruitment and Selection
It is Concern policy to ensure all aspects of the recruitment and selection process (i.e. job analysis, advertising, documentation, interviews, interview evaluation, medical examinations, job offers) promote equality, fairness and transparency at all times.
Concern aims to recruit staff who satisfy as far as possible the requirements of the job, as outlined in the staff requisition form.
The main criteria for employment are the candidate’s ability to fulfill the role, relevant work experience, education and/or qualifications, other related skills and motivation as applicable to working with Concern.
It is Concern policy to fill vacancies from within the organization whenever possible; however, Concern reserves the right to recruit externally to the organization.
In exceptional circumstances, Concern also reserves the right to ‘head-hunt’ potential candidates if it is unable to recruit a suitably qualified candidate following the advertisement of the position.
Staff training and development
Concern Worldwide is fully committed to ensuring that all members of staff have the relevant knowledge, skills and expertise to perform their work to consistently high standards; and to achieve their full potential compatible with Concern’s policy.
Training and development of staff members is fundamental to ensure the effective provision and quality of its work within the communities where we work.
The organization is committed to allocating a percentage of its salary budget per annum to invest in training and development.
Job Evaluation
Job evaluation is an effective way of determining the relative value of each position within an organization. By rank-ordering jobs using a point system, you can then accurately assign salaries in a defensible manner.
The usual end result of job evaluation is a hierarchy of jobs or groups of jobs in the organization. The hierarchy is usually based on job content, or value, or a combination of both. Job content refers to the skills required and the degree of responsibility assumed. The value of a job refers to its relative contribution to the organization's goals or to its external market rate. Focusing on job content improves employees' understanding of their job content and of what is valued in their work.
While not automatically determining the pay of a job, job evaluation provides a basis for establishing equitable pay differentials between jobs. In other words, it can help integrate pay with a job's relative contributions to the organization.
Job evaluation gives you a structured and consistent base from which to build your pay scale and/or a system of performance review and merit increases. If staff know where their jobs rank and where their salaries rank, you have a great base from which to allocate raises where you see fit. This is an excellent way to establish a workable, agreed-upon pay structure.
Performance Appraisal
What is performance appraisal?
A process of systematically evaluating performance and providing feedback upon which performance adjustments can be made.
Performance appraisal should be based on job analysis, job description, and job specifications.
Performance appraisal methods.
Comparative methods seek to identify a person’s relative standing among those people being rated.
Absolute methods specify precise measurement standards.
Comparative methods of performance appraisal.
Rank ordering: consists of rank ordering individuals from best to worst on each performance dimension. Relatively simple to use, but can be burdensome when evaluating a large number of people.
Comparison of pairs: each person is directly compared with every other person being rated, and the final performance ranking reflects the frequency of endorsement across all pairs. Can be very tedious when many people must be compared.
Fixed proportions per category: uses a small number of performance categories, and the rater assigns a specific proportion of employees to each category. Can be problematic if most of the employees perform similarly.
Absolute methods of performance appraisal.
Graphic rating scales.
Critical incident diary.
Behaviorally anchored rating scales.
Management by objectives (MBO).
Graphic rating scales.
List of dimensions related to high performance, and the rater assigns an individual score on each dimension.
Easy and efficient to use.
Critical incident diary.
Record of incidents of each subordinate’s behavior that led to unusual success or failure in a given performance aspect.
Behaviorally anchored rating scales (BARS).
Developed through the careful collection of observable job behaviors that describe both superior and inferior performance.
A rating scale is developed that anchors specific critical behaviors, each of which reflects a different degree of performance effectiveness.
Management by objectives (MBO).
Subordinates work with their supervisor to establish specific task-related objectives.
MBO is the most individualized appraisal method.
MBO works well with counseling, provided the goals focus on important activities.
It is Concern policy to ensure that remuneration (salary) packages are internally equitable within the jurisdiction in which the appointment is being made, and externally competitive with like organizations.
Remuneration packages will be applied consistently throughout the organization and will be fair and adequate.
Salaries are reviewed on an annual basis in light of cost of living increases.
Concern salary scales will be reviewed on an ongoing basis to ensure competitiveness with like organizations.
Any proposed salary changes in light of cost of living in each country of operation should have the approval of the Regional Director, in consultation with the Human Resources Director, prior to any changes being implemented.
When salary reviews take place, staff will be informed of what the review is based on, who is responsible for conducting it, and who will make the final decision on whether any increase will be awarded.
Procedures and review mechanisms for assessing/reviewing remuneration packages will be drawn up and made known to staff.
Dismissal and Grievances
Dismissal is a serious matter and a course of action that is not entered into lightly. The principles of natural justice must be followed in all cases of disciplinary action.
Disciplinary procedures should not commence without prior reference to the relevant Human Resource Directorate and relevant line manager. Advice will then be given on the procedures to be followed.
However, immediate dismissal may occur in certain circumstances, i.e. in cases of gross misconduct or gross incompetence.
Gross misconduct/incompetence is any action which is serious enough to be interpreted as a fundamental breach (violation) of the Contract of Employment.
Dismissal may be with or without notice depending on the circumstances.
The following are examples of gross misconduct/incompetence:
Use of violence.
Being at work under the influence of alcohol or drugs.
Misuse of Concern’s systems, including the viewing or transmission of pornographic, offensive or harassing material.
Concern recognizes that there is no real substitute for a good day-to-day manager/employee relationship for resolving work-related problems.
Nevertheless, if this relationship fails to resolve a grievance informally, there is a formal process called the Grievance Procedure, where employees have a right to bring any grievances (complaint, criticism) to the attention of management and expect a response within working days.
Formal grievance procedures, which comply with local employment legislation and Concern best practice standards, are outlined in each country Human Resource Procedures Manual.
All staff should have access to and be aware of the grievance procedures from commencement of employment.
Contracts of employment
National Staff are staff employed by Concern in each country of operation.
The terms and conditions of employment for national staff are based on local legislation and should also comply with Concern’s best practice standards.
While contracts of employment may vary from country to country in order to comply with the national legislation under which they are governed
Full name and address of both the relevant Concern office and the employee
The place of work
The date of joining
Any terms or conditions relating to hours of work, paid leave, pension schemes and retirement plans, etc.
Employees are also required to comply with Concern policies and procedures as outlined in the relevant documentation, i.e. the Human Resource Policy Document, the Human Resource Procedures Manual and the Health and Safety Statement.
Types of Contracts
Fixed Term/Temporary Contracts
Discrimination means treating some people less favorably than others on the grounds of personal traits, like race, color or nationality.
Discrimination and The Law
The law in Europe, the USA, and other countries
What does this mean for IT professionals?
Much of the legislation concerns the workplace. People in managerial and supervisory positions (i.e. most professionals, sooner or later) must be fully aware of the legal obligations.
Some of the legislation has implications for how information systems are built.
Anti-discriminatory laws related to Disability
1995: The Disability Discrimination Act
2001: Special Educational Needs and
What does the law say?
It is illegal to treat disabled employees or applicants less favorably because of their disability without substantial justification.
Employers are required to make reasonable adjustments to accommodate a disabled employee or applicant.
It is illegal for businesses and organizations providing goods and services to treat disabled people less favorably.
Discrimination on the grounds of sex, race, religion
1975: Sex Discrimination Act
1976: Race Relations Act
Direct discrimination occurs where a person is treated less favorably than another person is, has been, or would be treated, on any of the said six grounds.
Indirect discrimination occurs where a provision (whether in the nature of a requirement, practice or otherwise) which relates to the employment of a person is not explicitly discriminatory but nevertheless impacts negatively on a
It is unlawful to discriminate on the grounds of sex, race or religion.
Discrimination is not allowed in employment, education, advertising or when providing housing, goods, services and facilities.
The terms professional code of conduct and code of ethics are both used.
The code of ethics is seen as being more aspirational and less regulatory than a professional code of conduct.
Both a professional code of conduct and a code of ethics are distinct from a code of practice, which is concerned with good practice in doing the job.
Ethical code of conduct
It is not possible to develop a detailed set of rules, policies or procedures that cover all circumstances. The best guidelines are individual integrity, common sense and compliance with law.
The code of ethics provides a basic guide to assist our management, employees and others acting on our behalf in understanding their responsibilities.
Code applies to each of our directors, officers, employees and other representatives.
Legal and ethical behavior by individuals is one of our most valuable assets. We are responsible for safeguarding this important asset.
Company should have a policy of strict compliance with all laws, whether federal, state, local or foreign. The highest standards of moral and ethical behavior are essential to maintaining a good reputation. We do not tolerate unethical or dishonest conduct.
Professional codes of conduct are particularly valuable in addressing conduct which can be seen as an abuse of professional status.
For example, doctors can be struck off, that is, deprived of their registration, for entering into sexual relationships with their patients or for drug taking.
Professional codes of conduct are, by their very nature, collectivist and rule-based. Nevertheless, rule-based ethical systems always seem too rigid and restricted to handle complicated situations on their own and they are incapable of handling situations in which rules conflict or several different actions are possible but all in some way violate the rules.
Codes of Conduct of Professional Bodies
Australian Computer Society (ACS) Code of Ethics and Professional Conduct.
British Computer Society (BCS) Code of Conduct.
Institute of Electrical and Electronics Engineers (IEEE) Code of Ethics.
British Computer Society (BCS)
The BCS vision and mission statements
Vision Statement (Long-term aim of BCS)
Our vision is to see the IT profession recognized as being a profession of the highest integrity and competence.
Mission Statement (Core purpose of BCS)
BCS will lead the development and implementation of standards for the IT profession through innovative and valued products and services and by being the respected voice informing and influencing individuals, organizations and society as a whole.
BCS will lead the change in the standing of the IT profession by creating an understanding of what is required to implement successful IT projects and programmes, and to advise, inform and persuade industry and government on what is required to produce successful IT enabled projects.
Focus on serving the profession
Providing superior quality service that meets the individual needs
Developing and delivering valued products and services that make a difference to people worldwide
Recognition and Concern for People
Respecting the individual
Advocating fair treatment
Rewarding exceptional performance
Showing commitment to personal and professional growth
Maintain High Ethical Standards
Treating customers and suppliers with integrity, fairness and respect
Avoiding even the appearance of conflict of interest
Providing leadership in industry, government and trade and regulatory associations
Innovative and Results-oriented
Dedicating ourselves to maximising the value of the organization for stakeholders
ACS Code of Conduct
The Australian Computer Society (ACS) is the recognized association for Information & Communications Technology (ICT) professionals, attracting a large and active membership from all levels of the ICT industry.
The society was founded in 1966.
ACS members work in all areas of business and industry, government and academia, and are qualified and experienced ICT professionals.
Mission and Objective
To advance professional excellence in information technology.
To promote the development of Australian information and communications technology resources.
To advance professional excellence in information and communications technology.
To further the study, science and application of information and communications technology.
To promote, develop and monitor competence in the practice of information and communications technology by persons and organizations.
To define and promote the maintenance of standards of knowledge of information and communications technology for members.
To promote the formulation of effective policies on information and communications technology.
To extend the knowledge and understanding of information and communications technology in the community.
To maintain and promote the observance of a code of ethics for members of the Society.
IEEE Code of Conduct
We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the world, and in accepting a personal obligation to our profession, its members and the communities we serve, do hereby commit ourselves to the highest ethical and professional conduct and agree:
1. to accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the environment;
2. to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;
3. to be honest and realistic in stating claims or estimates based on available data;
4. to reject bribery in all its forms;
5. to improve the understanding of technology, its appropriate application, and potential consequences;
6. to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;
7. to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;
8. to treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin;
9. to avoid injuring others, their property, reputation, or employment by false or malicious action;
10. to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.
Public interest and Social implications
Health and safety issues
Health and safety at work usually only hits the headlines when there is a major disaster. Unfortunately, in recent years there has been an unprecedented number of these.
We can still recall the horror of the Zeebrugge ferry disaster, the Paddington rail crash, etc. Although all of these involved the activities of people at work, one circumstance that made them particularly newsworthy was that, with the exception of Piper Alpha, the majority of people who suffered as a consequence of the incidents were members of the public.
The number of fatal accidents at work has fallen sharply since the beginning of the 1970s, but around 200 employees each year still die as a result of accidents at work, and a significant number of members of the public lose their lives as a result of work activities.
There is nothing like an accident for motivating people to adopt safe working practices. The problem lies in changing attitudes before disasters occur and in creating a safe working environment, or at least one that is as safe as possible.
The best way of achieving this is by building in safety from the start in plant design, factory layout, training and so on, but so often this is compromised by other considerations which may seem to be more important in the short-term, such as pressure of time or financial concerns.
This has obvious implications for the design of the control software that is now everywhere. In many high-risk areas, such as the oil, chemical and nuclear industries, the safety systems themselves are often computer controlled; the software must be of the highest integrity and must handle safely all foreseeable eventualities.
Similar considerations apply to other applications such as “fly-by-wire” aircraft where proper control is wholly dependent on the correct and safe operation of the aircraft’s computer systems.
To summarize, the main recommendations of the Robens Committee on Safety and Health at Work (1972) were:
Safety and health objectives should be clearly defined at all levels within firms.
Workers should be more involved in safety and health at their workplace.
There should be a legal duty on employers to consult their employees on safety and health matters necessary at their workplace.
A National Authority for safety and health should be established.
Existing statutory (legal) provisions should be replaced by provisions under a new enabling Act.
Voluntary codes of practice should be introduced.
The scope of the legislation should be extended to include all employees (with minor exceptions) and the self-employed.
The existing safety and health inspectorates should be amalgamated (merged).
New administrative sanctions should be adopted.
Local authority work should be coordinated with that of the new authority.
The interests of the public should be taken into account in the new legislation.
The Employment Medical Advisory Service should function as part of the new authority.
The Health and Safety at Work etc. Act 1974
Section 2(1): 'It shall be the duty of every employer to ensure, so far as is reasonably possible, the health, safety and welfare at work of all his employees'.
Section 3 of the Act requires both employers and the self-employed to ensure that persons not in their employment (i.e. the general public) are not thereby exposed to risks to their health and safety.
Section 4 of the Act places a similar duty on persons in control of premises.
Section 7 places duties on employees. These duties are to take reasonable care for the health and safety of themselves and of others who might be affected, and also to co-operate with the employer in complying with the relevant statutory provisions (legal terms).
Section 8 contains a global requirement that no person, whether employee or not, adult or child, should deliberately interfere with anything provided to ensure health and safety.
1990: Environmental Protection Act
Environmental law is a body of law, which is a system of complex and interlocking statutes, common law, treaties, conventions, regulations and policies which seek to protect the natural environment which may be affected, impacted or endangered by human activities. Some environmental laws regulate the quantity and nature of impacts of human activities: for example, setting allowable levels of pollution. Other environmental laws are preventive in nature and seek to assess the possible impacts before the human activities can occur.
In this Act,
“adverse effect” means one or more of,
(a) impairment of the quality of the natural environment for any use that can be made of it,
(b) injury or damage to property or to plant or animal life,
(c) harm or material discomfort to any person,
(d) an adverse effect on the health of any person,
(e) impairment of the safety of any person,
(f) rendering any property or plant or animal life unfit for human use,
(g) loss of enjoyment of normal use of property, and
(h) interference with the normal conduct of business; (“consequence préjudiciable”)
For further detail, read the Act itself, which is available on the internet.
What is a Profession
A profession is an occupation that requires extensive training and the study and mastery of specialized knowledge, and usually has a professional association, ethical code and process of certification or licensing.
Examples are: librarianship, accounting, law, teaching, architecture, medicine, finance, the military and engineering.
What are Professional Ethics?
Professional ethics are a code of conduct that governs how members of a profession deal with each other and with third parties.
The Need for a Professional Code of Ethics
A Professional Code of Ethics serves several functions:
Symbolizes (represents) the professionalism of the group.
Defines and promotes a standard for external relations with clients and employers.
Protects the group’s interests.
Codifies members’ rights.
Expresses ideals to aspire to.
Characteristics and Responsibilities of a Professional
Engineers are expected to possess a given level of knowledge and skills in an engineering specialty that exceed those of the general public.
Engineers must have a sense of responsibility and service to society, employers and clients.
Engineers are expected to follow established codes of ethics for their profession and to guard their professional integrity and ideals and those of their profession.
Honesty & Integrity
I must not knowingly mislead a client or potential client as to the suitability of a product or service.
I must not misrepresent my skills or knowledge.
I must give opinions which are as far as possible unbiased (neutral, fair) and objective.
I must give realistic estimates for projects under my control.
I must qualify professional opinions which I know are based on limited knowledge or experience.
I must give credit for work done by others where credit is due.
Do not breach (violate) public trust in the profession or the specific trust of your clients and employers.
Observance of the utmost honesty and integrity must underlie all your professional decisions and actions. Circumstances will undoubtedly arise during the course of your professional career where it may appear to be beneficial for you to deceive your client in some way. The resultant short-term gain from this type of behavior is not acceptable professional practice, nor is it worth eroding the confidence and trust that is built up over the longer term.
I must increase my awareness of issues affecting the information technology profession and its relationship with the community.
I must encourage my colleagues, employees and students to continue their own professional development.
Maintain and develop their professional competence (capability).
Participate in and contribute to continuing education and their own and colleagues' professional and scientific growth.
Keep themselves up to date with relevant knowledge, skills, research methods, and techniques, through the reading of relevant literature, peer consultations, and continuing education activities, in order that their service or research activities and conclusions shall benefit and not harm others.
Perform their teaching duties on the basis of careful preparation, so that their instruction shall be current and scholarly.
THE RULES FOR PROFESSIONAL CONDUCT
All members shall discharge their professional duties with integrity and shall not undertake work that they are not competent to do.
All members shall have full regard for the public interest, particularly in relation to matters of health and safety, and in relation to the well-being of future generations.
All members shall show due regard for the environment and for the sustainable management of natural resources.
All members shall update and broaden their professional knowledge and skills on a continuing basis and shall give all reasonable assistance to further the education, training and continuing professional development of other members and prospective members of the profession.
All members shall notify the Institute if convicted of a criminal offence or upon becoming bankrupt or disqualified as a Company Director.
Contribute towards advancement of human welfare
Public interest & Public awareness
Members shall in their professional practice safeguard public health and safety and have regard to protection of the environment.
Members shall have due regard to the legitimate rights of third parties.
Members shall ensure that within their chosen fields they have knowledge and understanding of relevant legislation, regulations and standards, and that they comply with such requirements.
Members shall in their professional practice have regard to basic human rights and shall avoid any actions that adversely affect such rights.
You shall reject any offer of bribery or inducement.
Hacking, unauthorized access
Types of Computer Crime
Introduction of Viruses
Fraud and types of Computer Fraud
What Is Hacking?
The act of forfeiting individual freedom of action or professional integrity in exchange for wages or other assured reward
At first, “hacker” was a positive term for a person with a mastery of computers who could push programs beyond what they were designed to do
Reasons For Hacking
Theft of services: The first reason is theft of service, if a system offers some type of service and a hacker has a use for it, they will hack the system. Examples of such systems are on-line information networks (CompuServe, AOL etc)
Take valuable files: The second reason a hacker may hack into a system is to take valuable files, e.g. credit card numbers, or information on the operation of telecommunication systems.
Vengeance and hate: Another reason for hacking is vengeance and hatred, e.g. the case of the hacker who pillaged US files to sell secrets to Saddam.
Thrill and excitement: The fourth reason hackers break into systems is for the thrill and excitement of being somewhere you are not authorized to be.
Knowledge and experiment: The final reason why hackers do what they do is just for knowledge and experiment. Hackers learn a great deal every time they break into a new type of system.
Talking the Talk
Hackers have their own lingo and style of writing
Hacker lingo is so pervasive that there’s even The New Hacker’s Dictionary, recently published in its third edition.
Attacks on the Increase
A study released this spring by the Computer Security Institute and the FBI's International Crime Squad found that nearly two-thirds of more than 500 organizations reported a computer security breach (violation) within the past year, up from 48 percent a year ago and 22 percent the year before that.
Many hacker attacks go unreported because companies want to avoid negative publicity
Other companies stung by hackers feel compelled to tell what happened
What’s Being Done?
While the internet has revolutionized business and communication almost overnight, laws regulating its use and misuse haven't developed as swiftly.
But in the last few years Congress and the courts have started responding to the threat posed by computer crime.
There are laws in the federal statutes that have been applied to hacker cases. These laws aren't designed specifically to counter computer crime, but have been applied to certain cases when existing law has proved inadequate in scope.
How to Be Vigilant
Get a copy of your credit report
Shred all your information that you hold offline.
Confidential information should be encrypted
Another thing you should do is make sure that you don't give confidential information by cell phone, or by a remote phone, or on the internet unless it's encrypted
And finally, you should put up firewalls so someone can't come in and steal your information from your computer
Eavesdropping on a computer;
Listening to a specific port, snooping the IP etc
Making unauthorized use of computers for personal benefit;
use of company computer for private work
Unauthorized alteration or destruction of information stored on a computer;
Intentionally or recklessly destroys or damages property belonging to another without lawful excuse.
Section 3 of the Computer Misuse Act 1990 (as originally enacted):
1) A person is guilty of an offence if:
a) he does any act which causes an unauthorised modification of the contents of any computer; and
b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(The Police and Justice Act 2006 replaced this section with a wider offence of unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer.)
Denying access to an authorized user;
The unauthorized removal of information stored on a computer.
U.S. Computer Fraud and Abuse Act
Unauthorized access to a computer containing data protected for the national defense or foreign relations concerns
Unauthorized access to a computer containing certain banking or financial information
Unauthorized access, use, modification, destruction, or disclosure of a computer or information in a computer operated on behalf of the U.S. government
Accessing without permission a “protected computer,” which the courts now interpret to include any computer connected to the Internet
Transmitting code that causes damage to a computer system or network
Trafficking in computer passwords
The vast, interconnected information systems of today are relatively open territory for crime, where the modern computer criminal seems to remain one step ahead of law enforcement.
Crimes are committed by people that have:
Knowledge to gain access to a computer system
Knowledge to manipulate the system to produce the desired result
Generally, the computer is used :
As a tool to commit crime
As the object of Crime
Computers as Tools to Commit Crime
Credit card fraud, by illegally gaining access to bank accounts (or credit cards)
Making illegal financial transactions like fraudulent payments
Counterfeiting money, bank checks, stock and bond certificates using high-quality printers
Computers as Objects of Crime
Illegal access and use of the organization's computer based information systems by a criminal hacker
Data alteration and destruction many times caused by a virus (application or system virus), a worm, a logic bomb or a Trojan horse
Data and information theft by those that illegally access the system (usually insiders)
Software piracy by illegally duplicating software (patrolled by the Software Publishers Association)
Computer-related scams or cheats especially over the Internet
International computer crime especially crime related to obtaining computer hardware, related technology and trade secrets
Table 1.0: Common Methods Used to Commit Computer Crimes
What is computer crime?
Any crime in which computer-related technology is encountered.
The commission of illegal acts through the use of a computer or against a computer system.
Types of Computer Crime
Unauthorized access to, or hacking of, a company's business documents and reports, for whatever reason
Unauthorized access to, or hacking of, a company's financial or accounting records and reports, for whatever reason
Unauthorized access to, or hacking of, a company's important records, data or computers purely in order to destroy them
Unauthorized access to, or hacking of, a company's important records, data or computers out of dislike or revenge
Unauthorized access to, or hacking of, a company's important records, data or computers for fun
Computer Virus and its types
Virus: a program that attaches itself to other programs
Worm: an independent program that replicates its own program files until it interrupts the operation of networks and computer systems
Malware: software that is harmful or destructive, such as viruses and worms
Trojan horse: a program that appears to be useful but actually masks a destructive program
Logic bomb: malicious code planted in an application or system program and designed to "explode" (execute its payload) at a specified date and time, or when some other trigger condition is met
Variant: a modified version of a virus that is produced by the virus’s author or another person who amends the original virus code
What is Fraud?
Five Conditions of Fraud
False representation - a false statement or disclosure
Material fact - the fact must be substantial in inducing someone to act
Intent to deceive must exist
The misrepresentation must have resulted in justifiable reliance upon the information, which caused someone to act
The misrepresentation must have caused injury or loss
2002 Study of Fraud
Why Fraud Occurs
Employee fraud
Committed by non-management personnel
Usually consists of an employee taking cash or other assets for personal gain by circumventing the company's system of internal controls
Management fraud
Perpetrated at levels of management above the one to which the internal control structure relates.
It frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than it actually is.
If it involves misappropriation of assets, it is frequently shrouded in a maze of complex business transactions.
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
A. fraudulent statements
B. corruption
C. asset misappropriation
A. Fraudulent Statements
Misstating the financial statements to make the company appear better off than it is
Usually occurs as management fraud
May be tied to focus on short-term financial measures for success
May also be related to management bonus packages being tied to financial statements
B. Corruption
bribery
conflicts of interest
C. Asset Misappropriation
Most common type of fraud and often occurs as employee fraud.
making charges to expense accounts to cover theft of asset (especially cash)
lapping: applying a later customer's payment to an earlier customer's account to cover the theft of the earlier payment, then the next customer's payment to cover that one, so the shortage is rolled forward
transaction fraud: deleting, altering, or adding false transactions to steal assets
Theft, misuse, or misappropriation of assets by altering computer data
Theft, misuse, or misappropriation of assets by altering software programming
Theft or illegal use of computer data/information
Theft, corruption, illegal copying or destruction of software or hardware
Theft, misuse, or misappropriation of computer hardware
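A worked illustration of the lapping scheme listed above, added here as an example (Python; it is not from the original notes or from any textbook). The open invoices, the bank deposit detail and the clerk's postings are constructed sample data, and the customer names, check numbers and amounts are assumptions made for the example. The control it demonstrates is the one an auditor actually uses: compare who the bank says paid (by check number) with the account the clerk credited, then look for customers whose check has cleared but whose balance is still open.

```python
"""Lapping: a clerk steals customer A's payment and hides the gap by posting
customer B's later payment to A's account, then C's payment to B's, and so
on, rolling the shortage forward. The control that exposes it is an
independent comparison of the bank's deposit detail (who actually paid, by
check number) with the accounts-receivable postings the clerk made.

Every record below is constructed sample data, not a real ledger."""

# Open invoices before any cash arrived: customer -> amount owed
RECEIVABLES = {"A": 500, "B": 500, "C": 750, "D": 400}

# Bank deposit detail, obtained from the bank and outside the clerk's control.
# Customer A's $500 check (no. 101) never reached the bank: the clerk cashed it.
BANK_DEPOSITS = [
    {"check_no": 202, "payer": "B", "amount": 500},
    {"check_no": 303, "payer": "C", "amount": 750},
    {"check_no": 404, "payer": "D", "amount": 400},
]

# The clerk's accounts-receivable postings. B's check covers A's missing
# payment, C's check covers B (with the rest to C), D's check covers C.
AR_POSTINGS = [
    {"check_no": 202, "account": "A", "amount": 500},
    {"check_no": 303, "account": "B", "amount": 500},
    {"check_no": 303, "account": "C", "amount": 250},
    {"check_no": 404, "account": "C", "amount": 400},
]


def detect_lapping(receivables, deposits, postings):
    """Return (misapplied, unexplained_open).

    misapplied:       postings that credit an account other than the payer's,
                      or that reference a check the bank never received.
    unexplained_open: customers whose checks cover their invoices but whose
                      balance is still open; their total equals the cash
                      stolen so far.
    """
    payer_of = {d["check_no"]: d["payer"] for d in deposits}
    balance = dict(receivables)
    misapplied = []
    for p in postings:
        payer = payer_of.get(p["check_no"])  # None if the bank never saw it
        if payer != p["account"]:
            misapplied.append({**p, "payer": payer})
        balance[p["account"]] = balance.get(p["account"], 0) - p["amount"]

    banked = {}
    for d in deposits:
        banked[d["payer"]] = banked.get(d["payer"], 0) + d["amount"]
    unexplained_open = {
        c: balance[c]
        for c in banked
        if banked[c] >= receivables.get(c, 0) and balance.get(c, 0) > 0
    }
    return misapplied, unexplained_open


if __name__ == "__main__":
    bad, open_balances = detect_lapping(RECEIVABLES, BANK_DEPOSITS, AR_POSTINGS)
    for p in bad:
        print(f"check {p['check_no']} from {p['payer']} was credited to {p['account']} ({p['amount']})")
    print("paid but still open:", open_balances, "total stolen:", sum(open_balances.values()))
```

On the sample data every one of the clerk's cross-postings is flagged, and the open balances of C and D add up to exactly the $500 that never reached the bank. The same function returns nothing when the postings match the deposits, which is why the comparison has to be done by someone who does not control the postings.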
Data Collection Fraud
The data collection phase is the most vulnerable part of the system, because it is very easy to change data as it is being entered. Also called input fraud: unauthorized alteration of data before it is entered, either directly or by giving incorrect information to an innocent dupe.
Also, GIGO (garbage in, garbage out) reminds us that if the input data is inaccurate, processing will result in inaccurate output.
Data Processing Fraud
also called processing fraud
altering programs to allow illegal access to and/or manipulation of data files
writing or altering a program to divert money (e.g. salami slicing: shaving the rounding fraction off every transaction and accumulating the slices in an account the perpetrator controls)
destroying programs with a virus
misuse of company computer resources, such as using the computer for personal business
Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing an organization's data
Oftentimes conducted by a disgruntled employee or ex-employee
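A worked illustration of the salami-slicing scheme mentioned above, added here as an example (Python; it is not from the original notes or from any textbook). It shows a correct interest-posting routine, the rigged version that truncates every customer's interest and pools the shavings into an insider's account, and two controls run against both. The account balances, the 0.5% monthly rate and the choice of account 1009 as the insider's are all constructed for the example.

```python
"""Salami slicing: instead of rounding each customer's interest, the rigged
program truncates it and pools the shaved fractions into an account the
perpetrator controls. The grand total still balances, so a batch control
total passes; recomputing every account's posting independently is what
exposes it. All balances below are constructed sample data."""

from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.005")  # 0.5 % monthly interest, assumed for the example

# Constructed sample accounts: account number -> balance. 1009 is the insider's.
ACCOUNTS = {
    "1001": Decimal("1234.56"),
    "1002": Decimal("98765.43"),
    "1003": Decimal("250.00"),
    "1004": Decimal("4321.99"),
    "1005": Decimal("77.77"),
    "1009": Decimal("10.00"),
}


def post_interest_honest(accounts, rate):
    """Correct routine: round each account's interest half-up to the cent."""
    return {a: (b * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for a, b in accounts.items()}


def post_interest_salami(accounts, rate, thief):
    """Rigged routine, kept here only to generate test data: truncate each
    account's interest and credit the accumulated shavings to `thief`."""
    postings, shavings = {}, Decimal("0")
    for a, b in accounts.items():
        exact = b * rate
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        shavings += exact - paid
        postings[a] = paid
    postings[thief] += shavings.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def control_total_ok(accounts, rate, postings):
    """The usual batch control: total posted vs. total interest, allowing one
    cent of rounding slack per account. Salami slicing passes this check
    because the shavings are re-posted inside the same batch."""
    exact_total = sum(b * rate for b in accounts.values())
    slack = CENT * len(accounts)
    return abs(sum(postings.values()) - exact_total) <= slack


def recompute_per_account(accounts, rate, postings):
    """Detective control: recompute every account's interest independently and
    return the accounts whose posting differs from the correctly rounded figure."""
    expected = post_interest_honest(accounts, rate)
    return sorted(a for a in postings if postings[a] != expected[a])


if __name__ == "__main__":
    for label, run in (("honest", post_interest_honest(ACCOUNTS, RATE)),
                       ("rigged", post_interest_salami(ACCOUNTS, RATE, "1009"))):
        print(label, "total", sum(run.values()),
              "control total ok:", control_total_ok(ACCOUNTS, RATE, run),
              "per-account exceptions:", recompute_per_account(ACCOUNTS, RATE, run))
```

Both runs pass the control total (the two totals differ by less than a cent), which is the whole reason the scheme survives routine batch balancing. Only the per-account recomputation lists the shaved accounts and, more tellingly, account 1009, which received far more interest than its own balance could earn. Keep the recomputation code and the production posting code in separate hands; if the same programmer writes both, he can rig both.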
Information Generation Fraud
Stealing, misdirecting, or misusing computer output
Also called output fraud
destroying, hiding or altering computer output (e.g. printed reports)
searching through the trash cans in the computer center for discarded output (the output should be shredded, but frequently is not)
Types of Cyber crime:
Unauthorized access by insiders (such as employees)
System penetration by outsiders (such as hackers)
Theft of proprietary information (whether a simple user ID and password or a trade secret worth millions of dollars)
Financial fraud using computers
Sabotage of data or networks
Disruption of network traffic (e.g., denial of service attacks)
Creation and distribution of computer viruses
Hardware theft (e.g., laptop theft).
Terrorists that target critical infrastructures, such as the PSTN, and the air traffic control system.
CSI/FBI Computer Crime and Security Survey Results Revealed:
Organizations are under cyberattack from both inside and outside their electronic perimeters.
A wide range of cyberattacks has been detected.
Cyberattacks can result in serious financial losses.
Defending successfully against such attacks requires more than just the use of information security technologies.
Types of Cyberattacks, by percentage of respondents reporting each (source: CSI/FBI survey)
Financial fraud: 11%
Sabotage of data/networks: 17%
Theft of proprietary information: 20%
System penetration from the outside: 25%
Denial of service: 27%
Unauthorized access by insiders: 71%
Employee abuse of Internet privileges: 79%
Top Cyber Crimes that Attack Business
Industrial Espionage and Hackers
Wi-Fi Hijacking
“Spam accounts for 9 out of every 10 emails in the United States.”
MessageLabs, Inc., an email management and security company based in New York.
“We do not object to the use of this slang term to describe UCE (unsolicited commercial email), although we do object to the use of the word “spam” as a trademark and the use of our product image in association with that term”
CAN-SPAM Act of 2003
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Signed into law by President Bush on Dec 16, 2003
Took effect Jan 1, 2004
Unsolicited commercial email must:
Include Opt-Out instructions
No false headers
www.spamlaws.com –lists all the latest in federal, state, and international laws
Spam is Hostile
You pay for Spam, not Spammers
Email costs are paid by email recipients
Spam can be dangerous
Never click on the opt-out link!
It may take you to a hostile web site where a mouse-over downloads an .exe
Tells spammers they found a working address
They won’t take you off the list anyway
What should you do?
Filter it out whenever possible
Keep filters up to date
If you get it, just delete the email
Viruses and Worms
Virus: software that piggybacks on other software and runs when you run something else
A macro in an Excel or Word document
Transmitted through sharing programs on bulletin boards
Passing around floppy disks
An .exe or .com file attached to your email
Worm: software that uses computer networks to find security holes to get into your computer, usually in Microsoft operating systems, but a worm for the Mac was recently written
Hackers are Everywhere
Industrial Espionage (spying)
Deleting data for fun
A lot of bored 16 year olds late at night
Turning computers into zombies
To commit crimes
Take down networks
Harass someone
Ethical/white hat hackers exist too
Help break into networks to prevent crimes
Wireless Fidelity (Wi-Fi)
Using antennas to create “hot spots”
Hotspots – Internet Access (sometimes free)
Newport Harbor - All the boats in Harbor have internet access
San Francisco Giants Stadium – Surf the web while catching a game
Wi-Fi Hijacking
60-70% of wireless networks are wide open (no encryption at all)
Why are the Wi-Fi networks unprotected?
Most people say “Our data is boring”
But… criminals look for wireless networks to commit their crimes
And… the authorities will come knocking on your door…..
Protect your Computers!
Use anti-virus software and firewalls - keep them up to date
Keep your operating system up to date with critical security updates and patches
Don't open emails or attachments from unknown sources
Use hard-to-guess passwords. Don't use words found in a dictionary, even with a digit or a year appended; password-cracking tools try exactly those variations first
Back up your computer data on disks or CDs often
Don't share access to your computers with strangers
If you have a Wi-Fi network, protect it with a password (use WPA2 with a long passphrase; WEP can be broken in minutes)
Disconnect from the Internet when not in use
Reevaluate your security on a regular basis
Make sure your employees and family members know this info too!
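To show what "password cracking tools exist" means in practice, here is an added example (Python; not from the original notes or from any product) of a dictionary attack against stored password hashes. The wordlist, the two user passwords and the mangling rules are constructed for the example, and the PBKDF2 iteration count is deliberately set low so that the demonstration runs in well under a second; real deployments use 100,000 iterations or more.

```python
"""Why dictionary words make bad passwords: an attacker who obtains the stored
hashes never has to reverse them. A cracking tool hashes each word of a
wordlist, plus cheap variations (capitalisation, appended digits or a year),
and compares. Salting and a slow hash raise the cost per guess but cannot
rescue a password that is on the list. The wordlist and user passwords are
constructed for this example; ITERATIONS is lowered for speed."""

import hashlib
import hmac
import os

ITERATIONS = 1_000  # PBKDF2 work factor, deliberately low for the demo

# Constructed wordlist; real tools ship lists of millions of leaked passwords.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "football",
            "welcome", "monkey", "qwerty", "baseball", "master"]


def store_password(password, salt=None):
    """Hash a password for storage: per-user random salt + PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def mangle(word):
    """The cheapest rules every cracking tool applies: case and suffix changes.
    Yields 15 candidates per lowercase word, in a fixed order."""
    bases = []
    for b in (word, word.capitalize(), word.upper()):
        if b not in bases:
            bases.append(b)
    for b in bases:
        yield b
        for suffix in ("1", "123", "!", "2008"):
            yield b + suffix


def dictionary_attack(salt, digest, wordlist=WORDLIST):
    """Try every mangled wordlist entry against one stored hash.
    Returns (recovered_password or None, number_of_guesses made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if verify_password(candidate, salt, digest):
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Two constructed users: a mangled dictionary word and a random passphrase.
    for user, pw in (("alice", "Sunshine1"), ("bob", "plover-quartz-9Lq")):
        salt, digest = store_password(pw)
        found, guesses = dictionary_attack(salt, digest)
        outcome = f"cracked: {found}" if found else "not cracked"
        print(f"{user}: {outcome} after {guesses} guesses")
```

"Sunshine1" falls on the 37th guess even though it is salted, hashed with a slow function and not literally in the list; the random passphrase survives the whole list. The lesson is that the defence against a wordlist attack is the choice of password, not the storage format, although the storage format still decides how many guesses per second the attacker gets.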
More and more systems are software controlled
Software engineering is concerned with theories, methods and tools for professional software development
Software costs often dominate system costs. The costs of software on a PC are often greater than the hardware cost
Software costs more to maintain than it does to develop. For systems with a long life, maintenance costs may be several times development costs
Software engineering is concerned with cost-effective software development
What is software?
Computer programs and associated documentation (plus configuration data and user training)
Software products may be developed for a particular customer or developed for a general market
Generic (shrink-wrapped) - developed to be sold to a range of different customers
Bespoke (custom) - developed for a single customer according to their specification
What are the attributes of good software?
The software should deliver the required functionality and performance to the user and should be maintainable, dependable and usable
Maintainability: software must evolve to meet changing needs
Dependability: software must be trustworthy
Efficiency: software should not make wasteful use of system resources
Usability: software must be usable by the users for which it was designed
...attributes of good software
(these two are not always required)
Robustness: software should fail only under extreme conditions
Portability: it should be possible to move the software from one environment to another
The software crisis
Advances in hardware technologies made it possible to build powerful computers
This allowed building of more complex and powerful software
Existing software development methodologies were not capable of handling such large projects.
Hence projects had many problems:
Requirements not met
What is software engineering?
Software engineering is an engineering discipline which is concerned with all aspects of software production (Sommerville, 2001)
Software engineers should adopt a systematic and organised approach to their work and use appropriate tools and techniques depending on the problem to be solved, the development constraints and the resources available
What is the difference between software engineering and system engineering?
System engineering is concerned with all aspects of computer-based systems development including hardware, software and process engineering. Software engineering is part of this process
System engineers are involved in system specification, architectural design, integration and deployment
Why does a software engineer need to understand system engineering aspects?
Many software systems are part of a larger system
System engineering decisions have direct impacts on software
Many systems now have lots of software parts
What is a software process?
A set of activities and associated results whose goal is the development or evolution of a software product
Generic (general) activities in all software processes are:
Specification - what the system should do and its development constraints
Development - production of the software system
Validation - checking that the software is what the customer wants
Evolution - changing the software in response to changing demands
What are software engineering methods?
Structured approaches to software development which include system models, notations, rules, design advice and process guidance
Descriptions of graphical models which should be produced
Constraints applied to system models
Advice on good design practice
What activities to follow
What is CASE ?(Computer-Aided Software Engineering)
Software systems which are intended to provide automated support for software process activities. CASE systems are often used for method support
Tools to support the early process activities of requirements and design
Tools to support later activities such as programming, debugging and testing
What are the costs of software engineering?
Roughly 60% of costs are development costs, 40% are testing costs. For custom software, evolution costs often exceed development costs
Costs vary depending on
the type of system being developed and
the requirements of system attributes such as performance and system reliability
Distribution of costs depends on the development model that is used
What are the key challenges facing software engineering?
Coping with legacy systems, coping with increasing diversity and coping with demands for reduced delivery times
Old, valuable systems must be maintained and updated
Systems are distributed and include a mix of hardware and software
There is increasing pressure for faster delivery of software
Professional and ethical responsibility
Software engineering involves wider responsibilities than simply the application of technical skills.
Software engineers must behave in an honest and ethically responsible way if they are to be respected as professionals.
Issues of professional responsibility
Confidentiality
Engineers should normally respect the confidentiality of their employers or clients irrespective of whether or not a formal confidentiality agreement has been signed.
Competence
Engineers should not misrepresent their level of competence. They should not knowingly accept work which is outside their competence.
Intellectual property rights
Engineers should be aware of local laws governing the use of intellectual property such as patents, copyright, etc. They should be careful to ensure that the intellectual property of employers and clients is protected.
Computer misuse
Software engineers should not use their technical skills to misuse other people's computers. Computer misuse ranges from relatively trivial (game playing on an employer's machine, say) to extremely serious (dissemination of viruses).
Ethical dilemmas
Disagreement in principle with the policies of senior management
Your employer acts in an unethical way and releases a safety-critical system without finishing the testing of the system
Participation in the development of military weapons systems or nuclear systems
Effective software project management focuses on the four P’s:
People, Product, Process and Project
- The manager who forgets that software engineering work is an intensely human endeavor will never have success in project management.
- The manager who fails to encourage comprehensive customer communication early in the evolution of a project risks building an elegant solution for the wrong problem.
- The manager who pays little attention to the process risks inserting competent technical methods and tools into a vacuum.
- The manager who embarks without a solid project plan jeopardizes the success of the product.
· People: the most important element of a successful project
· Product: the software to be built
· Process: the set of framework activities and software engineering tasks to get the job done
· Project: all the work required to make the product a reality
People factor is so important that the Software Engineering Institute (SEI) has developed a People Management Capability Maturity Model (PM-CMM) to enhance the willingness or readiness of software organizations to undertake or take on increasingly complex software applications by helping to attract, grow, motivate, deploy and retain the talent needed to improve their software development capability.
The people management maturity model defines the following areas for software people:
Recruiting, selection, training, performance management, career development, compensation, organization and work design, and team/culture development.
Before a project can be planned:
· Product objectives and scope should be established
· Alternative solutions should be considered
· Technical and management constraints (limitations) should be identified
Without these it is not possible to produce reasonable estimates of cost, an effective assessment of risk, a realistic breakdown of project tasks or a manageable project schedule.
A software process provides the framework within which a comprehensive plan for software development can be established
- Task sets – task, milestones, work products, and quality assurance points
- Umbrella activities – software quality assurance, software configuration management, and measurement
Reasons for managing a software project
- To manage complexity
- To avoid failure
To develop a common sense approach for planning, monitoring, and controlling the project
- The Players
- Team Leaders
- The Software Team
- Coordination and Communication Issues
· Senior Managers: defines business issues that often have significant influence on the project
· Project (technical) managers: plan, motivate, organize and control the practitioners
· Practitioners: deliver the technical skills that are necessary to engineer a product or application
· Customers: specify the requirements for the software to be engineered
· End-Users: interact with the software once it is released for production use
Project management is a people-intensive activity and for this reason, competent practitioners often make poor team leaders.
· MOI model for leadership:
o Motivation: ability to encourage technical people to produce to their best ability
o Organization: ability to mold existing processes (or invent new ones) that will enable the initial concept to be translated into a final product
o Ideas or innovation: ability to encourage people to create and feel creative even when they must work within the bounds established for a particular software product or application.
The following options are available for applying human resources to a project that will require n people working for k years:
· n individuals are assigned to m different functional tasks. Coordination is the responsibility of a software manager who has six other projects to be concerned with.
· n individuals are assigned to m different functional tasks so that informal teams are established. An ad hoc team leader may be appointed; coordination is the responsibility of a software manager.
· n individuals are organized into t teams; each team is assigned one or more functional tasks; each team has a specific structure that is defined for all teams working on a project.
Mantei suggests three generic (broad) team organizations:
· Democratic decentralized (DD): no permanent leader; task coordinators are appointed for short durations and then replaced by others. Decisions on problems and approach are made by group consensus.
· Controlled decentralized (CD): the team has a defined leader who coordinates specific tasks and secondary leaders who have responsibility for subtasks. Problem solving remains a group activity, but implementation of solutions is partitioned among subgroups by the team leader.
· Controlled Centralized (CC): Top-level problem solving and internal team coordination are managed by a team leader.
Mantei describes seven project factors that should be considered when planning the structure of software engineering teams.
· The difficulty of the problem to be solved
· The size of the resultant program(s) in lines of code or function points
· The time that the team will stay together (team lifetime)
· The degree to which the problem can be modularized
· The required quality and reliability of the system to be built
· The rigidity of the delivery date
· The degree of sociability (communication) required for the project
Coordination and Communication Issues
There are many reasons that software projects get into trouble
Scalability: The scale (extent, range) of many development efforts is large, leading to complexity, confusion and significant (important) difficulties in coordinating team members
Uncertainty: uncertainty is common, resulting in a continuing stream of changes that ratchets the project team.
Interoperability: Interoperability has become a key characteristic of many systems. New software must communicate with existing software and conform to predefined constraint imposed by system or product.
Kraul and Streeter examine a collection of project coordination techniques that are categorized in the following manner.
Formal, impersonal approaches
Include software engineering documents including project milestones, schedules and project control tools, change requests and related documentation, error tracking reports etc.
Formal, interpersonal procedures
Focus on quality assurance activities applied to software engineering work products. These include status review meeting and design and code inspections.
Informal, interpersonal procedures
Include group meetings for information distribution and problem solving
Electronic communication
Encompasses electronic mail, electronic bulletin boards and video conferencing systems.
Interpersonal networking
Includes informal discussions with team members and those outside the project who may have experience or insight that can assist team members.
The Airlie Council (a team of software engineering experts chartered by the U.S. Department of Defense to develop guidelines for best practices in software project management and software engineering) recommends the following practices, each with the questions a project manager should be able to answer:
Formal risk management
· What are the top or main risks for the project?
· For each of the risks what is the chance that risk will become a problem and
· What is the impact if it does?
Empirical cost and schedule estimation
· What is the current estimated size of the application software (excluding system software) that will be delivered into operation, and what is the estimated development cost?
· How was that estimate derived, and can it be checked?
Metric-based project management
· Do you have a metrics program in place to give an early indication of evolving problems? If so, what is the current requirements volatility?
Earned value tracking
· Do you report monthly earned value metrics? If so, are these metrics computed from an activity network of tasks for the entire effort up to the next delivery?
Defect tracking against quality targets
· Do you track and periodically report the number of defects found by inspection (formal technical review) and execution test from the start of program and the number of defects currently closed and open?
People-aware program management
· What is the average staff turnover for the past three months for each of the developers involved in the development of software for this system?