TEC 401 Session Three

Joseph Lewis Aguirre

Human Factors In Technology

Post on 19-Dec-2015

Objectives - WS3

Organizational and Social Impact of Technology

• Examine the “new social contract.”

• Identify ethical information policies within the organization.

• Describe the application of technology to HR functions.

Technology and HR Functions

Technology is increasingly being used for knowledge management in order to provide just-in-time information and skills to the workforce.

•Electronic publishing (e.g., company newsletters).

•Television and video (e.g., corporate advertisements to families and friends).

•Audio teleconferencing

•Interactive multimedia (e.g., computer-based training for employee skills upgrade).

•Simulation and virtual reality

•Authoring aids (e.g., policy and procedures templates, online surveys, keyword searches for resume generation).

•Electronic performance support systems (e.g., employee evaluation input, sales quota productivity).

New Social Contract (NSC)

NSC (ethical organization information policies): A social contract for the Information Age deals with key social tensions peculiar to the use of information:

•Ownership of intellectual output.

•Privacy of personal information and internal organizational communications.

•Accuracy and quality of information.

•Access to information.

•Flow and content of information.

•Obligations of organizations created by the use of information.  

Automobile monitoring

Progressive Corp. is offering 25% discounts to drivers who allow it to install a monitoring device in their cars and keep a digital driving diary of their moves.

Tracing Nanoparticles

Nanotechnology: manipulation, precision placement, measurement and modeling or manufacture of sub-100 nanometer scale matter.

Common Truth

Everything we say and do represents a choice, &

How we decide determines the shape of our lives.

- Josephson Institute of Ethics

Choices (diagram): a 2x2 grid of Good/Bad against Self/Others, with quadrants Prudence (good, self), Benevolence (good, others), Vice (bad, self) and Crime (bad, others).

Choices (diagram): a second grid with columns Legal (quadrants A, B) and Illegal (quadrants C, D); the row holding A and C is labelled Ethical.

Security Vs Privacy

Biggest Problem isn’t about privacy… it is sloppy security

- Lee Gomes, Wall Street Journal

Risk Exposure by Industry

Chart: degree of exposure to risk, by industry.

REGULATORY

• The Regulatory Landscape

• The Security Landscape

• Information Security

• Resources

Regulatory Overview

“Traditional” Higher Education regulations for Information Security

• Privacy of Student Records = FERPA

• Registration of Foreign Students = SEVIS

• Privacy of Medical Records = HIPAA

Regulatory Landscape

“Non Traditional” Higher Education regulations for Information Security

• Student / Faculty Lending = GLB / FTC

• Homeland Security = Patriot Act

• Accounting Scandals = Sarbanes Oxley

• Internet/Service Provider = COPPA, DMCA

• State/Local Privacy Initiatives = Local regulations

• Private privacy rules = Visa, ACH

Regulatory Landscape (Cont)

HIPAA Compliance

HIPAA - Health Insurance Portability and Accountability Act of 1996

Under HIPAA, organizations from large integrated delivery networks to individual physician offices must put in place physical and technical data security measures to ensure against illegal access to communications networks, databases and applications.

The criminal and civil penalties for non-compliance are severe, and present healthcare firms and their executives with significant liability issues.

FERPA

20 U.S.C. § 1232g; 34 CFR Part 99 is a Federal law that protects the privacy of student education records.

Applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Family Educational Rights and Privacy Act

• Higher education institutions as “lenders”
 – Student loans
 – Faculty / real estate loans
 – Short term cash loans (?)

• Protection of non-public “customer information”
 – Paper or electronic form
 – Prevent unauthorized use or access
 – Includes you, affiliates, and third party vendors

GLB and FTC Enforcement

• Privacy requirements of GLB/FTC met by complying with FERPA

• Comprehensive written information security program requirement must still be met
 – Risk assessment
 – Design and implement information safeguards
 – Prevent unauthorized use or access

GLB and FTC Enforcement

• Internal control of “customer information”
 – Good internal controls

• Third party control:
 – Due diligence before selection
 – Data protection, information security audit clauses in contracts
 – Periodic outside verification of third party systems, protections

GLB and FTC Enforcement

• Enhanced “Know Your Customer” regulations placed on financial institutions

• Account opening / entity identification procedures for new accounts

• No common practices yet developed
 – Some banks are very intrusive, wanting personal identification of corporate officers
 – Some banks are very liberal

• Where are your corporate documents?

PATRIOT ACT

TITLE I--ENHANCING DOMESTIC SECURITY AGAINST TERRORISM

TITLE II--ENHANCED SURVEILLANCE PROCEDURES

Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.

Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.

Sec. 204. Clarification of intelligence exceptions from limitations on interception and disclosure of wire, oral, and electronic communications.

Sec. 208. Designation of judges.

Sec. 209. Seizure of voice-mail messages pursuant to warrants.

Sec. 217. Interception of computer trespasser communications.


USA Patriot Act

TITLE VI--PROVIDING FOR VICTIMS OF TERRORISM, PUBLIC SAFETY OFFICERS, AND THEIR FAMILIES

Subtitle A--Aid to Families of Public Safety Officers

Subtitle B--Amendments to the Victims of Crime Act of 1984

TITLE VII--INCREASED INFORMATION SHARING FOR CRITICAL INFRASTRUCTURE PROTECTION

TITLE VIII--STRENGTHENING THE CRIMINAL LAWS AGAINST TERRORISM

TITLE IX--IMPROVED INTELLIGENCE

TITLE X--MISCELLANEOUS

SEC. 2. CONSTRUCTION; SEVERABILITY.


USA Patriot Act (Cont)

Keep America Safe and Free

Certain ACLU Allegations re. Patriot Act:

• The FBI can investigate United States persons based in part on their exercise of First Amendment rights, and it can investigate non-United States persons based solely on their exercise of First Amendment rights.

• Section 215 might also be used to obtain material that implicates privacy interests other than those protected by the First Amendment. For example, the FBI could use Section 215 to obtain medical records.

ACLU

Sarbanes Oxley Act (SOX)

Corporate Certification of Financial Statements
 • Correct
 • Complete
 • Effective underlying controls

Requires organizations governed by the SEC to establish and maintain an audit committee responsible for the appointment, compensation and oversight of any employed registered public accounting firm.

Does not apply directly to information security or non-publicly held entities (but...). Sets minimum standards for accountability and integrity of accounting systems/records.

ISO 17799

ISO/IEC 17799 Part 1: Is a guide containing advice and recommendations to ensure the security of a company’s information according to ten fields of application.

BS7799 Part 2: Information security management -- specifications with guidance for use provides recommendations for establishing an effective Information Security Management System (ISMS). At audit time, this document serves as the assessment guide for certification.

ISO 17799

The goal is to “provide a common base for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”

• Online collection of personal information from children under 13

• Requires privacy policy, consent from parent, and protection of data

COPPA (Children's Online Privacy Protection Act)

• Protection of intellectual property and property rights
 – Identification of covered information
 – Steps to prevent abuse of covered information

• Posting of appropriate notices on institutional/department web sites

Digital Millennium Copyright Act (DMCA)

• If electronic information includes social security number and/or banking information

• AND electronic systems suffer a security breach

• Consumer customers who are residents of California must be notified of the security breach

California Privacy Legislation (SB 1386)

• How are we “doing business with residents of California”?

• Does it apply to businesses outside California?
 – Will not know for a decade or more
 – Behave as if it does

• Model for Federal legislation applicable to all states

California Privacy Legislation (SB 1386)

• Colorado legislature passed law prohibiting use of SSN or credit card numbers as identification for check payments
 – Revision of cashiering procedures
 – More difficulty researching returned checks / payments

• Indicative of trend across all states

Prohibition of use of SSN

• Visa, Mastercard, Discover, American Express, Diners, JCB

• Visa has most specific information security rules
 – Other card associations follow Visa’s lead

• Probable penalties assessed for noncompliance
 – Eventually Visa will get to given sector for compliance monitoring
 – Most likely to occur after you receive serious publicity for a breach

Credit Card Association

• Specific security requirements for Internet-, telephone-initiated transactions
 – WEB, TEL Standard Entry Class codes

• Web site security requirements
 – 128 bit Secure Sockets Layer
 – Specific transaction authorization
 – “Commercially reasonable” security standards

Automated Clearing House (ACH) Rules

• Treasury Institute for Higher Education – http://www.treasuryinstitute.org/default.asp

• Association for Financial Professionals – http://www.afponline.org/

Assessing Security of Sensitive Systems - More Info

• Protecting your own system – http://www.afponline.org/Information_Center/Publications/AFP_Exchange/tinuccisup/tinuccisup.html

• Gramm-Leach-Bliley / FTC
 – http://www.ftc.gov/os/2002/05/67fr36585.pdf (Final Rule)
 – http://www.nacubo.org/business_operations/safeguarding_compliance/index.html
 – http://www.ftc.gov/privacy/glbact/index.html

Assessing Security of Sensitive Systems - Resources

• USA PATRIOT Act Analysis – http://www.afponline.org/ohc/082003/219_article_13/219_article_13.html

• Sarbanes Oxley
 – http://www.afponline.org/FRACpublic/sox/sox.html
 – http://www.treasurystrategies.com/resources/articles/HowILearnedSarbanes.pdf

Assessing Security of Sensitive Systems - Resources

• COPPA
 – http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm
 – http://www.ftc.gov/bcp/conline/edcams/coppa/index.html

• DMCA
 – http://www.educause.edu/ir/library/html/cem9913.html
 – http://www.educause.edu/issues/issue.asp?issue=dmca
 – http://www.copyright.gov/legislation/dmca.pdf

Assessing Security of Sensitive Systems - Resources

• California Privacy Bill SB 1386 – http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

• Colorado Prohibition on SSN for identification – http://www.state.co.us/gov_dir/leg_dir/olls/sl2003a/sl_180.htm

Assessing Security of Sensitive Systems - Resources

• Visa Cardholder Information Security Program (CISP) – http://www.usa.visa.com/business/merchants/cisp_index.html

• MasterCard Electronic Commerce Best Practices
 – http://www.mastercardmerchant.com/preventing_fraud/website_security.html
 – http://www.mastercardmerchant.com/docs/best_practices.pdf

Assessing Security of Sensitive Systems - Resources

• ACH WEB transaction requirements – ACH Rules, Operating Guidelines, Section IV, Chapter VI (Special Topics, Internet-Initiated Entries)

• SANS SCORE Project homepage – http://www.sans.org/score/
 – Assessing the security of third party vendors (ASP checklist) http://www.sans.org/score/asp_checklist.php
 – (BS 7799 / ISO 17799 checklist) http://www.sans.org/score/checklists/ISO_17799_checklist.pdf

Assessing Security of Sensitive Systems - Resources

ETHICS


ETHICS – NOT!

• Religion;
• Political stance;
• Fad;
• Laws;
• Absolutes;
• Something that can only be understood by extremely intelligent people.

ETHICS IS:

• What we believe, why we believe it, and how we act out those beliefs;

• Personal & public display of personal attitudes and beliefs;

• Fluid through different situations;

• An aid in decision making; and

• According to Aristotle:
 a) A standard of behavior; &
 b) An area of study exploring the nature of morality.

Act with integrity
 – Protect the privacy and confidentiality of information
 – Do not misrepresent or withhold information
 – Do not misuse resources
 – Do not exploit weakness of systems
 – Set high standards
 – Advance the health and welfare of general public

Standard of Conduct

Ethics Decision Tree for CPAs

CPA’s Taxes and Code of Ethics

• If It is Necessary, it is Ethical - ends-justify-the-means reasoning.

• The False Necessity Trap - As Nietzsche put it, "Necessity is an interpretation, not a fact."

• If It’s Legal and Permissible, It’s Proper - Ethical people often choose to do less than the maximally allowable, and more than the minimally acceptable.

• It’s Just Part of the Job - Fundamentally decent people feel justified doing things at work that they know to be wrong in other contexts.

• It’s All for a Good Cause - A seductive rationale that loosens interpretations of deception, concealment, conflicts of interest, favoritism and violations of established rules and procedures.

ETHICS - OBSTACLES


• I Was Just Doing It for You - "Little white lies" or withholding important information in personal or professional relationships, such as performance reviews.

• I’m Just Fighting Fire With Fire - This is the false assumption that promise-breaking, lying and other kinds of misconduct are justified if they are routinely engaged in by those with whom you are dealing.

• It Doesn’t Hurt Anyone - Used to excuse misconduct,

ETHICS - OBSTACLES

• Everyone’s Doing It - This is a false, "safety in numbers" rationale fed by the tendency to uncritically treat cultural, organizational or occupational behaviors as if they were ethical norms, just because they are norms.

• It’s OK If I Don’t Gain Personally - This justifies improper conduct done for others or for institutional purposes on the false assumption that personal gain is the only test of impropriety.

• I’ve Got It Coming - People who feel they are overworked or underpaid rationalize that minor "perks"

• I Can Still Be Objective - By definition, if you’ve lost your objectivity, you can’t see that you’ve lost your objectivity!

ETHICS - OBSTACLES

– Proportionality: good must outweigh harm
– Informed Consent: understand and accept risk
– Justice: fair distribution
– Minimized Risk: avoid unnecessary risk

Ethical Considerations - Principles

1. Trustworthiness.

2. Respect.

3. Responsibility.

4. Fairness.

5. Caring.

6. Citizenship.

Ethical Considerations – 6 Pillars of Character

Ethics Decisions - Requirements

Making ethical decisions requires the ability to make distinctions between competing choices.

It requires training, in the home and beyond.

Ethics Decisions - Conclusion

No one can simply read about ethics and become ethical.

People have to make many decisions under economic, professional and social pressure.

Rationalization and laziness are constant temptations.

But making ethical decisions is worth it, if you want a better life and a better world.

Keep in mind that whether for good or ill, change is always just a decision away.

Security, Ethics and Society

• Employment - Computer monitoring

• Working Conditions - Upgrade

• Individuality - Loss of individuality

• Health - Ergonomics

Ethical Challenges


Security

The BCS Code of Practice says:

“A system is at risk from the moment that the project which develops it is first conceived. This risk remains until at least after the system is finally discontinued, perhaps indefinitely. Threats to security range from incompetence, accident and carelessness to deliberate theft, fraud, espionage or malicious attack.”

Security and Risks

Security (diagram): security traded against convenience.

Diagram: the scope, cost and quality triangle, with convenience set against security.

The $10,000 Fence for the $1.00 Horse

Leaks

02-25-05 - BoF, 1.2 Million federal government charge cards affected. Computer back up tapes were lost.

03-09-05 - LexisNexis, 310 consumers affected. Unauthorized use of customer logins and passwords.

05-23-05 - MCI, 16,500 current and former employees. Laptop stolen from MCI financial analyst.

06-17-05 - CardSystems Solutions, 40 million credit card holders affected. Person broke into the computer network of CardSystems.

06-20-05 - USC, 270,000 consumers affected. Hackers broke into applications database.

CyberMines

Targeted Attacks - mass mailings of worms and viruses, using keyloggers and security flaws in web browsers - solution: get unplugged.

Botnets - robot networks made up of home and business PCs taken over by hackers. ISPs monkey

Net crash - arcane protocol; exploit the border gateway protocol to advertise their routes so they can carry their network.

Critical infrastructure attacks - cyberattacks that penetrate supervisory control and data acquisition - compliance with rigorous cybersecurity standards.

CyberMines (Cont)

Phraud - Internet-related fraud accounted for 53% of all consumer fraud complaints to the FTC in 2004. In phishing, guard personal information. Evil twins: do not use unsecured access points. Pharming: how to find Nemo.

Hijacking - Covert control of computer resources. Use firewalls and secure browsers.

Wireless Attacks - smartphones, PDAs, etc.

Cyber Enemy

Bot Network Operators - hackers

Organized Crime Groups

Corporate Spies

Foreign Intelligence Services

Hackers

Insiders

Phishers - trading on sensitive data

Spyware/Malware authors

Terrorists

Who is the enemy

In-house security breaches account for some 70-90% of all security breaches. (Hurwitz Group)

57% - Worst breaches occurred when their own users accessed unauthorized information.

The next problem happened when user accounts remained active after users left the company. (Digital Research)

Only 21% are concerned with external security threats.

Cost of Computer Crime

Chart: Cost of Computer Crimes, in millions of US dollars, 1997-2001 (series: IP Theft, Fraud). Source: Computer Security Institute.

Insurance Council of Australia estimates $3 trillion/year

Action Taken After Breach

Chart: share of respondents (0-100%) by action taken: Patches, Did not report, Reported to law enforcement, Reported to legal counsel. Source: Computer Security Institute.


Worm Evolution

1988 - Robert Morris, first worm

2001 - Code Red, exploited IIS to infect 359,000 hosts to launch a Denial Of Service attack on the White House site… random propagation caused it to clog and contain

2001 - Code Red authors learned and launched Nimda

2003 - Sapphire - exploited vulnerability in MS SQL Server

2004 - Welchia.C - compiled list of addresses - variant SoBig.F

2005 - BotNets - Worm writers partner with spammers for profit.


Security Vs Privacy

Mail: 25-30%; Web Traffic: 50-60%

• Hackers, crackers, and thieves, oh my! Viruses, worms, and trojans, oh my!

• Identity theft running rampant (electronic AND in person)
 – Internal/external fraud on the rise
 – Third party vendors selling private information

• Wireless networks broadcasting data

• The insecure nature of academic networks

Security Landscape

• Definition of “sensitive data”

• Analysis of where sensitive data is used

• Assessment of the security of systems with sensitive data

• Securing systems with sensitive data

• Developing an information security culture

Sensitive Data

• “Personal information”
 – Name, address, contact information, gender, age
 – Social Security Number
 – Banking information, including financial institution, account number, credit/debit card number
 – Health / medical data

Sensitive Data

• Corporate information
 – Operational procedures
 – Contingency procedures
 – Bank account and investment information

• Other information that might be used to conduct fraud or impersonation
 – Often depends on context
 – Look at as a whole, not specific pieces individually
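The SB 1386 notification rule stated earlier (social security number and/or banking information, a breach, California residents) applied to this definition of personal information, as an added example that is not part of the course slides; the record fields, the Luhn check on card numbers and the sample rows are this example's own assumptions:

```python
"""Classify records for the 'personal information' elements the deck lists and
decide whether the California SB 1386 notification rule is triggered.
Added illustration, not material from the course slides; field names and the
sample records are constructed for this example."""
import re
from dataclasses import dataclass, field

# The two data elements the SB 1386 slide names: a Social Security Number
# (area 000/666/9xx, group 00 and serial 0000 are never issued) and
# banking / card information.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check so a random run of digits is not flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Record:
    name: str
    state: str                    # two-letter state of residence
    ssn: str = ""
    account_number: str = ""      # bank account number
    card_number: str = ""         # credit/debit card number
    medical: str = ""             # health / medical data


@dataclass
class Finding:
    elements: set = field(default_factory=set)   # sensitive elements present
    sb1386: bool = False                        # notification required?


def classify(rec: Record) -> Finding:
    """Return which of the deck's 'personal information' elements are present."""
    f = Finding()
    if rec.ssn and SSN_RE.match(rec.ssn):
        f.elements.add("ssn")
    if rec.account_number.strip():
        f.elements.add("banking")
    digits = re.sub(r"\D", "", rec.card_number)
    if CARD_RE.match(digits) and luhn_ok(digits):
        f.elements.add("banking")
    if rec.medical.strip():
        f.elements.add("medical")
    return f


def sb1386_triggered(rec: Record, breached: bool) -> Finding:
    """SB 1386 as the slide states it: SSN and/or banking information, a breach
    of the electronic system, and a consumer who is a California resident.
    Medical data alone is a HIPAA concern, not an SB 1386 trigger."""
    f = classify(rec)
    f.sb1386 = (breached and rec.state.upper() == "CA"
                and bool(f.elements & {"ssn", "banking"}))
    return f


def notification_list(records, breached=True):
    """Names of the residents who must be notified after a breach."""
    return [r.name for r in records if sb1386_triggered(r, breached).sb1386]


# Constructed sample records (not real people or real numbers).
SAMPLE = [
    Record("A. Lee", "CA", ssn="123-45-6789"),
    Record("B. Ortiz", "CA", card_number="4111 1111 1111 1111"),
    Record("C. Nguyen", "CA", medical="allergy list"),          # medical only
    Record("D. Patel", "NV", ssn="456-78-9012"),               # not a CA resident
    Record("E. Kim", "CA", card_number="1234 5678 9012 3456"),  # fails Luhn
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.name, sorted(classify(r).elements))
    print("notify:", notification_list(SAMPLE))
```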

Sensitive Data

• Student systems
• Cashiering / Bursar / POS systems
• Application, registration, recruitment systems
• Accounts Receivable / Payable
• Human Resources / Payroll
• Medical / clinical systems
• Departmental databases
 – Treasury workstation
 – Conference registrations (if keep credit card numbers)
• Research databases

Sensitive Data Found in:

• Nontechnical assessments:
 – Physical security assessment
 – Location of sensitive records
 – Logical access to data (Who has access? Do they really need access?)
 – Disaster backup procedures
 – Contingency procedures
 – Privacy statement / policies

Assessing Security of Sensitive Systems

• Third party vendor assessment

• Boilerplate language for
 – Protection of data
 – System security
 – Secure file exchange
 – Financial penalties for noncompliance

• Use of subcontractors ONLY with your permission

Assessing Security of Sensitive Systems - Contractual Services Agreement

• Do our procedures require sensitive data?
 – SSN on deposited checks
 – Credit card number on conference registration server
 – SSN as student ID

• Can we replace the data with nonsensitive data?

• Can we change the procedure entirely?
 – ACH payments instead of checks

Assessing Security of Sensitive Systems - Operational Security

• Does the organization have a master privacy policy?

• Does each departmental web site either have its own privacy policy or link to the master?

• Does the policy comply with local law? (California, other states)

• Is data access limited to “need to know”?
 – Access control lists for everything

Assessing Security of Sensitive Systems - Privacy Policies

• Visa Cardholder Information Security Program Compliance Questionnaire
 – 77 point technical security checklist

• SANS SCORE Project checklists

• Form alliance with internal auditors (EDP auditors)

• Hire outside expertise for assessment

Assessing Security of Sensitive Systems - Technical Assessment

• Implement technical security measures
 – Firewalls, intrusion detection and response, appropriate architecture
 – Visa CISP checklist measures (SSL, data encryption, etc.)
 – Access control policies (least possible access to data) implemented and enforced
 – Enforce good passwords

• Hire professional security programming expertise (require department to do so)
 – Particularly if cards accepted over web sites

Assessing Security of Sensitive Systems - Securing

• Centralized student systems behind mega-firewall

• Firewalls within firewalls

• Data inquiries run on server, only results passed to client
 – Remote access to student data severely limited

• Web servers never retain credit card information

• Look at processes and procedures (sanitize reports, etc.)

Assessing Security of Sensitive Systems - Centralized Security

• Buy-in from the highest levels
 – Lots of scary stories
 – Regulatory requirements
 – Financial liability
 – Adverse publicity

• Basic security education for all users AND students

• Partnership with internal auditors

• Partnership with campus computer departments

Assessing Security of Sensitive Systems - Culture Development

Financial

Typical Vulnerability             Breach
Unvalidated Parameters            Hijack accounts; steal data; commit fraud
Command Injection Flaws           Database dumps all account information
Buffer Overflows                  Crash the servers; damage app, other mayhem
Cross Site Scripting              Steal account and customer information
Broken Accounts/Session Mgmt      Hijack accounts; steal data; commit fraud
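The first two rows of the table in code: an account lookup that splices an unvalidated parameter into SQL, beside the bound-parameter and input-validated versions. This is an added example, not code from the slides; the accounts schema and its rows are constructed.

```python
"""'Unvalidated Parameters' and 'Command Injection Flaws' from the table above:
a vulnerable account lookup next to its hardened form. Added illustration with
a constructed in-memory database, not material from the course slides."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory accounts table with constructed sample rows (not real cards)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, card_number TEXT, balance REAL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "4111111111111111", 120.50),
        ("bob", "5500000000000004", 98.00),
        ("carol", "340000000000009", 4300.25),
    ])
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """The flaw in the table: the request parameter becomes part of the SQL
    text, so whatever it contains is interpreted as part of the WHERE clause."""
    sql = f"SELECT username, card_number, balance FROM accounts WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the input is handed to the driver as data and can never
    change the shape of the query."""
    return db.execute(
        "SELECT username, card_number, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


def is_valid_username(username: str) -> bool:
    """Positive validation of the parameter: only a plain account name is
    accepted, which is the fix for the 'Unvalidated Parameters' row."""
    return 0 < len(username) <= 32 and username.isalnum()


def lookup_validated(db: sqlite3.Connection, username: str) -> list:
    """Validation on top of binding: reject anything that is not a plain name."""
    if not is_valid_username(username):
        raise ValueError("invalid username parameter")
    return lookup_safe(db, username)


# A tautology in the parameter: concatenated into the query, the WHERE clause
# is always true and every row comes back, which is the 'database dumps all
# account information' breach the table describes. Bound, it matches nothing.
TAUTOLOGY = "x' OR '1'='1"


def rows_returned(username: str) -> tuple:
    """(vulnerable, bound) row counts for one parameter value, for comparison."""
    db = make_db()
    return len(lookup_vulnerable(db, username)), len(lookup_safe(db, username))


if __name__ == "__main__":
    print("normal parameter   (vulnerable, bound):", rows_returned("bob"))       # (1, 1)
    print("tautology parameter (vulnerable, bound):", rows_returned(TAUTOLOGY))  # (3, 0)
    print("validated accepts 'bob':", is_valid_username("bob"),
          "| accepts tautology:", is_valid_username(TAUTOLOGY))
```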

Information Security Action Plan

1. Keep it simple

2. Security requirements

3. Assessing threats

4. Establish Security framework

5. Plan for disaster

6. Develop clear security policy

7. Use the right security tools

8. Staff training

9. Monitor

Application Protection

Improved QA

Scanning/Vulnerability Assessment

Host Based

•Intrusion Detection (IDS)

•Intrusion Prevention (IPS)

Application Firewall

Application Protection - QA

Advantage:
 – Right the first time
 – No runtime performance penalty
 – Built into application development cost

Disadvantage:
 – Time consuming
 – Protects from known vulnerabilities
 – Lack of specialized security expertise

Scanning and Vulnerability Assessment

Advantage:
 – Identifies vulnerabilities
 – Complements lack of security expertise

Vendors: SPI Dynamics, Sanctum, Kavedo

Disadvantage:
 – Secure as last scan
 – A challenge fixing vulnerabilities discovered

Host Based Scanning

Advantage:
 – Plugs security holes once discovered
 – Helps with network level

Vendors: Cisco, NETA, Sana

Disadvantage:
 – May not address OS, platform dependencies and other vulnerabilities

Security

Chart: risk of breach rises from Minimal (static content) to Severe (eCommerce); protection moves from QA to Real Time Protection for E-COMMERCE.

Application Protection

Advantage:
 – Stops hacks before they get to the application
 – Continuous protection

Vendors: Teros, Netcontinuum, Magnifier/F5

Disadvantage:
 – Upfront investment
 – Increased network complexity

Secure Application Gateway

Web Application Security Market

DECISION ENVIRONMENT

Diagram: Values, Goals, Structure, Climate and Environment, with the elements Marketplace, Other Teams, Culture, Competition, Pressures, Clarity, Commitment, Reward System, Reporting Relationships, Feedback System, Behavior Norm, Decision Making, Enthusiasm, Stress, Trust, Involvement, Flexibility, Collaboration, Mission, Philosophy and Accountability.

Fund Transfers

Two pie charts, Origin and Destination, by region (Europe, US & Canada, Asia Pacific, South America, Africa/Middle East); the percentages cannot be attributed to regions from the extracted text.

HUMAN RESOURCES

HR Perception

Focus on retaining high quality workers: 40%

Fair performance evaluations: 41%

Rate job training favorably: 58%

Opportunities for advancement: most

What is required to move up? Do not know

Company shows genuine interest in employee well being: most

Source: Hay Group, 2005 survey

HR Perception

In a Knowledge economy, finding and nurturing talent is one of the most vital corporate functions. And that is just what HR does so badly.

--Keith H. Hammonds, FAST Company’s deputy editor

You are only effective if you add value. That means you are not measured by what you do, but what you deliver.

--David Ulrich, University of Michigan

HR - Walking the Talk

“The underlying principle was invariably restricted to the improvements of bottom line performance”

Study of relationship between what companies said about their human assets and how they actually behaved.

--Strategic Human Resources Management (1999)

--Keith H. Hammonds, FAST Company’s deputy editor

HR Perception

HR People aren’t the sharpest tacks in the box

HR pursues efficiency in lieu of value

HR is not working for you

The corner office does not get the HR

--Keith H. Hammonds, FAST Company’s deputy editor


HR Examples

A talented young marketing executive accepts a job offer with Time Warner out of a business school. She interviews for openings in several departments - then she is told by HR that only one is interested in her.

FACT: She learns later that they all had been interested in her. She had been railroaded into the job, under the supervision of a widely reviled manager.

--Keith H. Hammonds, Why We Hate HR, August 2005 FAST CO.