外包信息系统脆弱性评价模型研究

针对外包信息系统脆弱性评价问题,从技术脆弱性和管理脆弱性两个方面提出了信息系统脆弱评价指标体系。在此基础上,给出外包信息系统脆弱性评价流程,构建基于技术脆弱性和管理脆弱性的二维评价矩阵模型。最后通过一个制造企业的电子商务外包案例说明该评价模型的科学性和有效性。     

Developing an information systems strategy

The pervasiveness of information technology and the development of information economies has been heralded as an ‘information’ revolution. Few organizations can avoid the implications of this revolution and, with the falling cost of hardware and the increased scope of applications, the number of firms needing a strategy for information systems has increased by an order of magnitude. An awareness of the benefits of planning, the dangers of technology which can trap the unwary, and the general characteristics of the DP development cycle, should all convince management of the need for a strategy for information systems. However, while information systems literature has many references to information systems strategy, definitions are elusive. This article describes a basic planning model for developing an information systems strategy. The model is specifically structured to ensure that the necessary strategic issues have been examined, before information systems management are asked to draw up detailed tactical and operational plans.     

Risk and Systems Theory

The last few decades have seen increasingly widespread use of risk assessment and management techniques as aids in making complex decisions. However, despite the progress that has been made in risk science, there still remain numerous examples of risk-based decisions and conclusions that have caused great controversy. In particular, there is a great deal of debate surrounding risk assessment: the role of values and ethics and other extra-scientific factors, the efficacy of quantitative versus qualitative analysis, and the role of uncertainty and incomplete information. Many of the epistemological and methodological issues confronting risk assessment have been explored in general systems theory, where techniques exist to manage such issues. However, the use of systems theory and systems analysis tools is still not widespread in risk management. This article builds on the Alachlor risk assessment case study of Brunk, Haworth, and Lee to present a systems-based view of the risk assessment process. The details of the case study are reviewed and the authors' original conclusions regarding the effects of extra-scientific factors on risk assessment are discussed. Concepts from systems theory are introduced to provide a mechanism with which to illustrate these extra-scientific effects The role of a systems study within a risk assessment is explained, resulting in an improved view of the problem formulation process The consequences regarding the definition of risk and its role in decision making are then explored.     

Are Individual Differences Germane to the Acceptance of New Information Technologies?

Persuading users to adopt new information technologies persists as an important problem confronting those responsible for implementing new information systems. In order to better understand and manage the process of new technology adoption, several theoretical models have been proposed, of which the technology acceptance model (TAM) has gained considerable support. Beliefs and attitudes represent significant constructs in TAM. A parallel research stream suggests that individual difference factors are important in information technology acceptance but does not explicate the process by which acceptance is influenced. The objective of this paper is to clarify this process by proposing a theoretical model wherein the relationship between individual differences and IT acceptance is hypothesized to be mediated by the constructs of the technology acceptance model. In essence then, these factors are viewed as influencing an individual's beliefs about an information technology innovation; this relationship is further supported by drawing upon extensive research in learning. The theoretical model was tested in an empirical study of 230 users of an information technology innovation. Results confirm the basic structure of the model, including the mediating role of beliefs. Results also identify several individual difference variables that have significant effects on TAM's beliefs. Theoretical contributions and practical implications that follow are discussed.     

Supplier quality assessment to identify depth technical knowledge of component reliability

As a result of global competition, international companies that manufacture photocopiers, printers or car navigation systems have to purchase low-cost electronic components such as semiconductors and hard disk drives by outsourcing production. However, it is often difficult for these companies to evaluate the quality of their suppliers through interviews and technical documentations. This article proposes new measures for supplier assessment and a systematic approach to select suppliers that have in-depth knowledge of component reliability and technology. The measures for selection not only include the physical quality of components but also information disclosures provided by suppliers, which consist of failure analysis, reliability data and details of the design-manufacturing process. The proposed measures are applied to real data of photocopier manufacturing enterprises. Experiments conducted show that a systematic assessment will enable selecting appropriate suppliers with a lower failure rate.     

A Systems‐Based Risk Assessment Framework for Intentional Electromagnetic Interference (IEMI) on Critical Infrastructures

Modern infrastructures are becoming increasingly dependent on electronic systems, leaving them more vulnerable to electrical surges or electromagnetic interference. Electromagnetic disturbances appear in nature, e.g., lightning and solar wind; however, they may also be generated by man‐made technology to maliciously damage or disturb electronic equipment. This article presents a systematic risk assessment framework for identifying possible, consequential, and plausible intentional electromagnetic interference (IEMI) attacks on an arbitrary distribution network infrastructure. In the absence of available data on IEMI occurrences, we find that a systems‐based risk assessment is more useful than a probabilistic approach. We therefore modify the often applied definition of risk, i.e., a set of triplets containing scenario, probability, and consequence, to a set of quadruplets: scenario, resource requirements, plausibility, and consequence. Probability is “replaced” by resource requirements and plausibility, where the former is the minimum amount and type of equipment necessary to successfully carry out an attack scenario and the latter is a subjective assessment of the extent of the existence of attackers who possess the motivation, knowledge, and resources necessary to carry out the scenario. We apply the concept of intrusion areas and classify electromagnetic source technology according to key attributes. Worst‐case scenarios are identified for different quantities of attacker resources. The most plausible and consequential of these are deemed the most important scenarios and should provide useful decision support in a countermeasures effort. Finally, an example of the proposed risk assessment framework, based on notional data, is provided on a hypothetical water distribution network.     

Coverage, technology assessment, and the courts

Coverage decisions by third-party payers are relying more and more heavily on the conclusions of technology assessment programs about the safety and effectiveness of technologies applied in specific clinical situations. Assessment programs vary markedly in the sophistication and rigor of their methodology. Payers differ as to how such assessment information is integrated into their decision-making processes. Finally, coverage decisions about a specific technology can vary widely across the country.     

Some Limitations of Qualitative Risk Rating Systems

Qualitative systems for rating animal antimicrobial risks using ordered categorical labels such as “high,”“medium,” and “low” can potentially simplify risk assessment input requirements used to inform risk management decisions. But do they improve decisions? This article compares the results of qualitative and quantitative risk assessment systems and establishes some theoretical limitations on the extent to which they are compatible. In general, qualitative risk rating systems satisfying conditions found in real‐world rating systems and guidance documents and proposed as reasonable make two types of errors: (1) Reversed rankings, i.e., assigning higher qualitative risk ratings to situations that have lower quantitative risks; and (2) Uninformative ratings, e.g., frequently assigning the most severe qualitative risk label (such as “high”) to situations with arbitrarily small quantitative risks and assigning the same ratings to risks that differ by many orders of magnitude. Therefore, despite their appealing consensus‐building properties, flexibility, and appearance of thoughtful process in input requirements, qualitative rating systems as currently proposed often do not provide sufficient information to discriminate accurately between quantitatively small and quantitatively large risks. The value of information (VOI) that they provide for improving risk management decisions can be zero if most risks are small but a few are large, since qualitative ratings may then be unable to confidently distinguish the large risks from the small. These limitations suggest that it is important to continue to develop and apply practical quantitative risk assessment methods, since qualitative ones are often unreliable.     

Integrating information systems into business strategies

The role of information systems (IS) in business is changing rapidly. The information revolution, driven by dramatic improvements in cost and performance of the technology is radically altering the business environment of many firms— restructuring whole industries, re-aligning the balance of power and leverage of industry component firms and enabling competitive strategies to be implemented or sustained more effectively. This transformation of role requires strategies for information systems to become an integral part of business strategy formulation. Traditional approaches to the management of IS activities are inappropriate for the determination of business strategies for systems. However, the techniques of corporate strategic analysis and formulation can be used to determine how IS should be managed to gain maximum business benefit.     

多重不确定环境下基于证据理论的NIS安全风险评估模型

以证据理论为基础,构造一种能够适应多重不确定环境的网络信息系统安全风险评估模型。在模型中建立安全风险评估指标体系并对指标权重进行量化;重新定义基本概率赋值函数,以适应安全风险评估过程中证据的不确定性描述;实现证据一致性检验并确定调整方法,从而进一步降低评估过程中专家经验的不确定性;最后,通过实证分析验证该模型的正确性和有效性。     

Target Levels—Tools for Prevention

Although occupational exposure limits are sought to establish health-based standards, they do not always give a sufficient basis for planning an indoor air climate that is good and comfortable for the occupants in industrial work rooms. This paper considers methodologies by which the desired level, i.e., target level, of air quality in industrial settings can be defined, taking into account feasibility issues. Risk assessment based on health criteria is compared with risk-assessment based on "Best Available Technology" (BAT). Because health-based risk estimates at low concentration regions are rather inaccurate, the technology-based approach is emphasized. The technological approach is based on information on the prevailing concentrations in industrial work environments and the benchmark air quality attained with the best achievable technology. The prevailing contaminant concentrations are obtained from a contaminant exposure databank, and the benchmark air quality by field measurements in industrial work rooms equipped with advanced ventilation and production technology. As an example, the target level assessment has been applied to formaldehyde, total inorganic dust and hexavalent chromium, which are common contaminants in work room air.     

Where does informatics fit in health care organizations?

Why is medical informatics important to health care leaders? As an emerging science, informatics focuses on applying computing and communication technology to decision making for clinicians and managers. It enhances the understanding of how information and communication systems can impact the work health care managers must accomplish. As the cost of technology for digital information management continues to decline, organizations and individuals will look for ways to offset the human costs of managing and conveying information. The way of the paper medical record is being replaced by the less expensive and more efficient digital information systems. Leaders of health care organizations need to look for every opportunity to deploy networks and computers to reduce the labor costs of data collection, storage, retrieval, and analysis.     

A model of the adoption of radio frequency identification technology: The case of logistics service firms

Globalization and advances in information technology represent both realities and opportunities for enterprises in the 21st century. This paper aims to broaden understanding of service innovation as a critical organizational capability through which the adoption of information technology influences firm performance. This study examines how the adoption of radio frequency identification (RFID) technology influences the operational performance of logistics service firms. We develop the RFID adoption model based on the interorganizational information systems (IOS) view of the firm that integrates the various strands of research into the framework. The study draws from the related information technology and interorganizational information systems literatures to explore organizational factors associated with the adoption of RFID. A model of the associations between information technology and interorganizational information systems use, social support, power structure, organizational readiness, procedural flexibility, and top management support is developed, and hypotheses are advanced about the relationships among these constructs. An empirical survey was conducted among 500 logistics service firms in Taiwan. A total of 131 valid observations were analyzed using the partial least squares technique. Results showed that RFID adoption has positive effects on business practices, which in turn improves operational performance. We address the value of certain interactive firm behaviors in RFID adoption and identify related constructs of RFID adoption in terms of their efficiency and value for logistics service firms. These results have implications for both education and practice.     

Information technology in banking

This paper argues that since the use of information is a fundamental part of all forms of activities, both corporate and private, throughout society the introduction of a new technology for using information inevitably has widespread effects. These effects are particularly far reaching in those service industries, such as banking, the very heart and essence of whose business is the handling of information.A review of the developments so far in the use of the new information technology in payment systems brings out the essential nature of its effects and shows the all-pervasive influence of the form and capability of the technology itself. It tries to illustrate where the benefits are derived and the nature of illusory gains and undesirable effects. An attempt is then made to derive an historical perspective.To try to anticipate future events, current trends in the technology and in the ways in which its use might change, are identified. The change in the technical means by which financial and other information-based services are delivered is seen to be salient feature of these developments and the important influence upon institutional relationships is discussed under the heading of the politics of the technology. Parallels in the introduction of other new technologies are drawn by way of illustration.The final part of the paper tries to develop a broader perspective and sketches out a longer scenario of the development of information technology indicating the major influence which this is likely to exert upon the development of society throughout the world.     

企业核心能力形成过程中信息系统技术的应用

利用基于资源的竞争优势理论分析信息系统技术可能给企业核心能力带来的影响 ,首先分析了企业核心能力的形成过程 ,然后分别分析了核心能力形成过程中各阶段信息系统技术可能的应用领域     

The role of social and intellectual capital in achieving competitive advantage through enterprise resource planning (ERP) systems

Enterprise resource planning (ERP) software merges a firm's data, information flows and business processes into a single package. Vendors argue that ERP provides an extremely useful strategic resource to enhance competitiveness and make it possible for a firm to leverage its other resources more effectively and efficiently. In addition, they allege that ERP encourages a system-wide perspective that is a basis for collaboration and a systems orientation. However, an examination of ERP systems using criteria established in research on resource-based views of the firm and chaos/complexity theory indicates that these claims are overstated. Observation suggests that even if ERP is necessary to coordinate complicated, multifaceted operations, it is far from sufficient to promote a strong competitive position over the long term. Moreover, ERP systems fit best within mechanistic, clockwork organizations dominated by routine, highly programmed technologies and operations, yet it is the non-routine learning and change processes found in complex, self-organizing systems that enable firms to create distinctive competitive advantages from ERP outputs. ERP makes possible deep changes in relationships, culture, and behaviors that can be crucial sources of advantage in the knowledge economy, but the structures and cultures most able to achieve this level of change are a poor fit with ERP requirements. To reconcile this paradox, we propose a dual-core, loosely coupled organization that views ERP as an enabling technology to build and augment social and intellectual capital, rather than as an information technology (IT) solution for organizational inefficiencies. Propositions for using ERP as a foundation for social and intellectual capital formation are introduced. Implications for research and practice are discussed.     

A Field Study of RFID Deployment and Return Expectations

Radio Frequency Identification (RFID) technology promises to transform supply chain management. Building on previous research in information systems and supply chain management, this paper proposes a theoretical framework for RFID adoption and benefits, and tests the framework using data on u. s. firms. Our analysis suggests that there is a positive association between information technology (IT) application deployment and RFID adoption. We find that RFID implementation spending and partner mandate are associated with an expectation of early return on RFID investment, and a perceived lack of industry‐wide standards is associated with an expectation of delayed return on RFID investment. These results suggest that firms with broad IT application deployment and a critical mass of RFID implementation spending are more likely to report early returns from RFID deployments. This paper extends previous research to understand the relationship between organization characteristics and adoption and expected benefits of the emerging RFID technology.     

The digital transformation of health care

The arrival of the Internet offers the opportunity to fundamentally reinvent medicine and health care delivery. The "e-health" era is nothing less than the digital transformation of the practice of medicine, as well as the business side of the health industry. Health care is only now arriving in the "Information Economy." The Internet is the next frontier of health care. Health care consumers are flooding into cyberspace, and an Internet-based industry of health information providers is springing up to serve them. Internet technology may rank with antibiotics, genetics, and computers as among the most important changes for medical care delivery. Utilizing e-health strategies will expand exponentially in the next five years, as America's health care executives shift to applying IS/IT (information systems/information technology) to the fundamental business and clinical processes of the health care enterprise. Internet-savvy physician executives will provide a bridge between medicine and management in the adoption of e-health technology.     

EIS—A guide for executives

Although the use of executive information systems (EIS) is increasing, many senior executives have such mixed feelings about them that there is an ‘EIS paradox’. Information managers and software suppliers believe this is because senior executives are intimidated by information technology, but this does not hold up to scrunity. The EIS paradox occurs because of failure to explain coherently how EIS fit with other aspects of the organizational database and what EIS can and cannot do for a senior executive and his or her organization. This article is designed to close the ‘information gap’ about EIS specifically for senior executives. The change in terminology from ‘data processing’ to ‘information technology’ is symptomatic of a change in the way in which computers are used. Rather than being the mere province of the data professional, information technology as exemplified by EIS can be applied to tasks where judgement and selectivity are required. The crucial point about EIS is, however, that computing can complement and increase managerial qualities of imagination and intelligence but not replace them.     

How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts

Traditional probabilistic risk assessment (PRA), of the type originally developed for engineered systems, is still proposed for terrorism risk analysis. We show that such PRA applications are unjustified in general. The capacity of terrorists to seek and use information and to actively research different attack options before deciding what to do raises unique features of terrorism risk assessment that are not adequately addressed by conventional PRA for natural and engineered systems—in part because decisions based on such PRA estimates do not adequately hedge against the different probabilities that attackers may eventually act upon. These probabilities may differ from the defender's (even if the defender's experts are thoroughly trained, well calibrated, unbiased probability assessors) because they may be conditioned on different information. We illustrate the fundamental differences between PRA and terrorism risk analysis, and suggest use of robust decision analysis for risk management when attackers may know more about some attack options than we do.