Saturday, 15 December 2007

HRM, it’s not just hiring for compliance

The greatest threat to an organisation’s security comes from inside its own walls. Staff, ex-staff and consultants are the greatest risk faced by any organisation. Most of the risk is a direct result of inadequate HRM processes and awareness. The rise in IT governance legislation and other requirements has driven organisations to monitor and implement controls over the Human Resources operations.

Not only does this process make them more effective when implemented appropriately, it is helping make the organisation more secure.

Security is a cost now that leads to savings later. Although the effective management of Human Resources may be an expenditure now, it leads to reduced risk and long-term savings.

The drive for compliance
Compliance has become a prime business concern across most sectors[1]. Changes to reporting and regulatory regimes such as Sarbanes Oxley, BASEL II, FISMA, and the changes to the privacy legislation have changed the face of business in general and information technology’s role in governance.

Grembergen (2004) in the chapter, “Governing Information Technology through COBIT” asserts that “the four main focus areas for IT Governance are driven by stakeholder value. Two are outcomes: value delivery and risk mitigation. Two are drivers: strategic alignment and performance measurement.”

Protiviti (2003) assert that entry level considerations for compliance with Sarbanes Oxley legislation hinge on the effective management of human resources. Control frameworks to achieve statutory compliance all require HR control implementation and monitoring.
These changes to compliance requirements have driven a growth in IT recruitment not experienced since before the dot-com crash of 2001. This has even led to the Sarbanes Oxley act being dubbed the zero unemployment for auditors act (Apani 2002).

With these changes and the rapid growth in staff complements, it is essential to remember that the skill set of IT staff is a key determinant in measuring how effective they are likely to be in implementing and maintaining an organisation’s business requirements. In addition, training may also function as a set of golden handcuffs (Treen 2001) to IT Staff helping retain them in times of mobility.

Hawkins et al describe and interpret several central existing suppositions, models and practices in the IT Governance domain. Further, they support a goal of increasing the comprehension and knowledge of IT Governance. In particular they detail the role of Human Resources management from both an IT and overall perspective as it applies to IT Governance.

Organisational security awareness is determined to be essential to achieving compliance. It is also important to remember that IT governance applies to all staff and not just those involved in IT.

Minimising the IT Governance breach has become essential (Coe 2003). It has become increasingly difficult for many organisations to separate overall tactical operations from the supporting IT plan that enables the business mission to be met.

COSO and COBIT define effective IT Governance[2] as including:

  • Protection of shareholder/stakeholder value,
  • Quantification and comprehension of IT risks,
  • Organising IT ventures, opportunity, return and risk,
  • Aligning IT with the goals of the organisation while accepting IT as a critical input to and component of the strategic plan,
  • Maintaining current operations and plans for the future
COSO[3] asks organisations whether their IT function subscribes to a philosophy of continuous learning. COSO further details that organisations provide “necessary training and skill development to its members” in order to be compliant. As COSO is the foundation for many of the Sarbanes Oxley baselines, most large US organisations and their international subsidiaries have had to come to terms with HRM and training issues which they have thus far been able to sweep under the carpet.

Personnel requirements are a key requirement in many sections of COBIT[4]. Of particular importance is the section “PO7 - Manage Human Resources”. The ISACA has defined the control of managing human resources as:

The control over the IT process of managing human resources that satisfies the business requirement to acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes is enabled by sound, fair and transparent personnel management practices to recruit, line, vet, compensate, train, appraise, promote and dismiss.

The control framework, PO7 requires that an organisation implements processes to monitor and maintain:
  • Recruitment and promotion
  • Training and qualification requirements
  • Awareness building
  • Cross-training and job rotation
  • Hiring, vetting and dismissal procedures
  • Objective and measurable performance evaluation
  • Responsiveness to technical and market changes
  • Proper balance of internal and external resources
  • Succession plan for key positions
Other than the baseline of meeting statutory requirements, organisations should look to the benefits they can obtain from these controls (ISACA). Adequate staffing of the IT section within an organisation has been shown to provide effective and efficient operations throughout the business. Other paybacks include improved motivation, retention and development of individuals and teams within the organisation (NSF Project #9708399).

It has been further demonstrated that employee inclusiveness; increased personnel contribution; and improved resilience and information security within operations all return beneficial results within an organisation far exceeding the compliance requirements (Romeo 2002 and O’Bryan et al 1995). Many organisations have provided testimonial support to benefits delivered to the management of the organisation including cost savings and superior effectiveness of operations (Mead 1998).

BS 7799.2:2002 or AS/NZS 7799.2:2003[5] has been adopted as a model for many organisations within both the commercial and government sectors. The NSW state government has mandated compliance with this framework for all state owned bodies.
Human resource management is a key control within the ISMS framework. In particular, section 5.2.2 (below) deals almost exclusively with the control over Human Resource Management:

Section 5.2.2 Training, awareness and competency
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:

a) determining the necessary competencies for personnel performing work affecting the ISMS;
b) providing competent training and, if necessary, employing competent personnel to satisfy these needs;
c) evaluating the effectiveness of the training provided and actions taken;
d) maintaining records of education, training, skills, experience and qualifications.

The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

Organisations seeking certification or compliance against ISO 17799 need to have integrated the Human Resources and security functions in order to maintain an effective training and awareness system. Further, they need to evaluate training in order to implement a system of continuous learning within the organisation.

In order to mandate the implementation of ISO 17799, the NSW Government OIT[6] has developed a set of standards and guidelines for any NSW government agency to use in developing an ISO 17799 compliant strategy.

From the perspective of the Human Resources professional, the key sections which need to be addressed in the guidelines are:
  1. Segregation of duties,
  2. Recruitment, and
  3. The monitoring of personnel.
Many of these controls are essential requirements for either COSO or COBIT. It is thus possible to conclude that Human Resource management is an essential function in achieving IT Governance. Banerjee et al. further assert that HR management is not only a stage in IT Governance, but is essential to ensuring continued ethical behaviour from staff.
Christopher (2003) demonstrates that a lack of training can lead to employees making “one of the worst mistakes” and “giving out sensitive data”. He highlights the point that training and education are essential components which may be used to effectively empower staff to make correct decisions.

He further states that most breaches of corporate security are caused as a result of “weakness in human firewalls”. This underlines the need for awareness training for staff, as technology will fail where staff are not fully educated in stopping attacks against the organisation’s information infrastructure.

It is emphasised that training and technology need to be used together to ensure strategic security in corporations is successfully deployed. To achieve this effectively, horizontal teams need to be formed from IT, HR and department heads to develop effective security management strategies[7]. “Policy setting is a give and take between business and security”[8].
The key issue at stake is that management needs to educate and communicate both the corporate policy itself, and the need for its being, across the organisation (O’Brien 1999). Management must place channels for feedback within the organisation (Mitnick and Simon 2002) to ensure that the message of security is being communicated.

Turnbull (2004) argues that organisations face new challenges and that they need to plan for these to be successful. Best practice is achieved through a process of knowledge and empowerment across all staff. New domestic and global HR privacy demands are driving many of these changes adding yet another layer to the compliance framework.

Defining the roles, HR needs to work with Info Sec
Kovacich presents a total systems approach to all the topics needed for the “infosec professional”. He asserts that defining the position of the information systems security officer (ISSO) is just a beginning.

Compliance is just the foundation for HR security controls; there are numerous reasons to ensure that Human Resources have defined the roles within IT and in particular Security (Dhillon 2001).

One concern influencing HR practice recently has resulted from a widespread shortage of security, audit and compliance skills (McCarthey 2001). The compliance drive detailed in the previous paragraphs has led to a debate amongst many professionals (not just those from HR) over the practice of hiring criminal hackers.

The claim that hackers are the proverbial “fox in the henhouse” (Savage 2004) strongly supports the claim that criminal hackers should not be hired into the security industry. Since these people are able to utilise their skills productively within the information industry without being involved in security, and since there are others in the industry who are trustworthy, the conclusion follows strongly that past convictions should exclude one from employment within the security industry.

“Trust has to be evaluated on a case by case basis” has been touted as a reason for hiring hackers on a case by case basis. Mitnick, the president of an information security firm and past convicted “hacker”, uses this, stating that his clients are happy with his services. He has said that he should be judged by his actions (Savage 2004).

Mitnick’s actions speak for themselves, as he committed several felony offences while on parole for earlier offences (Associated Press 2004). The example may have been extreme, hiring criminals and handing them the keys, but the practice is not uncommon, which further emphasises the need for high-quality practice and compliance within an organisation’s HR function (Wood 1997).

Good hiring policy, detailed background checks and controls should all be designed to increase the chances of hiring the correct person for the role and ensuring that they remain satisfied and effective (Wood 1993). This creates a series of processes that help reduce risk and improve efficiency within an organisation.

Awareness – where does this take us
Dhillon (2001) stated that “education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment”.

Further, “a mismatch between the needs and goals of the organization could potentially be detrimental to the health of an organization and to the information systems in place…. organizational processes such as communications, decision making, change and power are culturally ingrained and failure to comprehend these could lead to problems in the security of information systems”.

Mitnick and Simon state that there are three key steps that should be instilled within employees’ thought processes:
  • Step One: Verification of Identity
  • Step Two: Verification of Employment Status
  • Step Three: Verification of Need to Know
They further state that deceptive tactics are generally used to access or obtain private company information by masquerading as a trusted party. For this reason it is essential to verify the legitimacy of employees, contractors, vendors, or business partners.

It is further stated by Mitnick and Simon that effective information security is maintained only if an employee receiving a request to perform an action or provide sensitive information must positively identify the caller and verify his authority prior to granting a request.

For this reason, a well-rounded awareness program must cover as many of the following key areas as possible[9]:
  • Security policies related to systems passwords (these include computer and voice mail).
  • The procedure for disclosing sensitive information or materials.
  • Email usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses.
  • Physical security requirements such as wearing a badge.
  • The responsibility to challenge people on the premises who aren't wearing a badge.
  • Best security practices of voice mail usage.
  • How to determine the classification of information, and the proper safeguards for protecting sensitive information.
  • Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.
Additionally, the awareness program relies on the following tasks to be successful:
  • The development and distribution of an IT security policy that reflects business needs tempered by known risks;
  • Informing users of their IT security responsibilities, as documented in the organisation’s security policy and procedures; and
  • Establishing processes for monitoring and reviewing the program.
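As an added illustration of Mitnick and Simon’s three verification steps above (identity, employment status, need to know), the following Python is example code written for this post, not something from the original article or from Mitnick and Simon. The directory of staff, the data classifications and the request records are all constructed sample data; a real deployment would query the HR system of record for the first two checks and the data owner’s access list for the third.

```python
"""Added example (not from the original post): a request-handling check that
applies the three verification steps before a sensitive request is honoured.
Directory, classifications and requests are constructed sample data."""
from dataclasses import dataclass, field

# Constructed HR directory: current status and what each person may see.
DIRECTORY = {
    "e1001": {"name": "A. Lee",  "status": "active",     "need_to_know": {"payroll", "hr"}},
    "e1002": {"name": "B. Kaur", "status": "active",     "need_to_know": {"sales"}},
    "e1003": {"name": "C. Diaz", "status": "terminated", "need_to_know": {"payroll", "hr"}},
}

# Constructed classification: the topic each record type belongs to.
CLASSIFICATION = {
    "salary_report": "payroll",
    "regional_sales": "sales",
    "staff_addresses": "hr",
}


@dataclass
class Request:
    claimed_id: str          # the employee number the caller claims
    proof_of_identity: bool  # callback / badge / token check passed
    resource: str            # the item being requested


@dataclass
class Decision:
    granted: bool
    reason: str
    log: list = field(default_factory=list)


def verify_request(req: Request, directory=DIRECTORY,
                   classification=CLASSIFICATION) -> Decision:
    """Apply the three steps in order; the first failing step denies."""
    log = []
    # Step one: verification of identity. A bare claim ("this is A. Lee
    # from payroll") is not enough; the check must be something the caller
    # cannot simply assert.
    if not req.proof_of_identity:
        return Decision(False, "identity not verified", log)
    log.append("identity verified")

    # Step two: verification of employment status. Ex-staff still know the
    # internal names and procedures, so the check is against the current
    # directory, not against how plausible the caller sounds.
    person = directory.get(req.claimed_id)
    if person is None or person["status"] != "active":
        return Decision(False, "not a current employee", log)
    log.append("employment status verified")

    # Step three: verification of need to know. Being a genuine, current
    # employee does not by itself authorise every classification.
    topic = classification.get(req.resource)
    if topic is None:
        return Decision(False, "unclassified resource; refer to data owner", log)
    if topic not in person["need_to_know"]:
        return Decision(False, f"no need to know for '{topic}'", log)
    log.append("need to know verified")
    return Decision(True, "all three checks passed", log)


if __name__ == "__main__":
    for r in (Request("e1001", True, "salary_report"),
              Request("e1003", True, "salary_report"),
              Request("e1002", True, "salary_report"),
              Request("e1001", False, "salary_report")):
        d = verify_request(r)
        print(r.claimed_id, r.resource, "->", d.granted, d.reason)
```

The order of the checks matters: a terminated employee who still knows the payroll team by name passes no further than step two, and a current employee from sales is stopped at step three even though both earlier checks succeed.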
The NIST manual states that effective IT security awareness and training programs explain the appropriate conventions of conduct for the use of the organisation’s IT systems and information.

HRM is crucial, as changing people’s attitudes and behaviour in terms of IT security can be a challenging task (NIST 800-50). New controls often appear to conflict with the way staff have done their job for years. An awareness and training program is crucial in that it is the vehicle for disseminating the information that employees, including managers, need in order to do their job.
Coe (2003) has stated that “recurring evaluation and maintenance of employee awareness, specialized training and management awareness are all required components of a successful security program”. An effective information security program needs to properly account for the strengths and limitations of employees to successfully secure an organisation’s data.

“Keeping your network safe, HR must protect sensitive data from internal and external security threats” (Romeo, 2002).

Peter Hind (2004) has asked the question of, “why the IT department has responsibility for IT security?” General training is essential and should be amortised as a cost over the entire organisation.

Human Resources Management is an often overlooked but essential component of information security within an organisation. Information security personnel and Human Resources need to work together to ensure the overall effectiveness of controls. Technology is no longer the panacea it has been touted to be.

The increase in threats coupled with the growing need to ensure compliance make HR’s involvement with security all the more crucial to an organisation’s continued success. With the greatest threat to an organisation’s security inside its own walls, the majority of information security risk is a direct result of inadequate HRM processes and awareness.

Human Resources operations and controls over information security increase an organisation’s effectiveness when implemented appropriately.

[1] IT Governance Institute
[2] COBIT Version 3.2
[3] COSO, Committee of Sponsoring Organisations of the Treadway Commission
[4] COBIT, is maintained by the ISACA
[5] Information security management (ISMS) Part 2: Specification for information security management systems (Australian Standards Institute)
[6] OIT, Office of Information and Communications Technology, NSW Department of Commerce
[7] NIST 800-50, “Building an Information Technology Security Awareness and Training Program”
[8] Christopher (2003), The Human Firewall.
[9] Modified from the controls listed in NIST Special Publication 800-50

1. Australian Standards Institute, AS/NZS 7799.2:2003,BS 7799.2:2002, “Information security management systems; Part 2: Specification for information security management systems” [BS title: Information security management systems, Part 2: Specification with guidance for use]
2. Apani Networks 2002 “Sarbanes-Oxley Act and its impact on IT Security”, 2004 CNET Networks
3. Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996 “The association of demographic variables and ethical behaviour of information system personnel”, Industrial Management & Data Systems 96/3 [1996] 3–10 MCB University Press
4. Coe, Kathleen, Aug 2003, “Closing the Security Gap, Data Protection initiatives should include employee training”, “HR Magazine – Vol 48 No8”
5. Dhillon, Gurpreet (ed), 2001, “Information Security Management: Global Challenges in the New Millennium” Idea Group Publishing, ISBN:1878289780
6. Grembergen, Wim Van (ed), 2004, “Strategies for Information Technology Governance” Idea Group Publishing, ISBN:1591402840
7. Hawkins, Steve; Yen, David C. and Chou, David C. 2000 “Awareness and challenges of Internet security”, Information Management & Computer Security 8/3 [2000] 131-143 MCB University Press
8. Hind, Peter; 2004 “Give it Away, Take my security please… (At the Coal Face)”, CIO Magazine, IDG Communications NSW Australia, May 2004, ISSN 1328-4045
9. Kovacich, Gerald L. “The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program, Second Edition”, ISBN:0750676566, Butterworth Heinemann © 2003
10. Information Systems Audit and Control Association, ISACA, “COBIT”, IL 60008 USA,
11. IT Governance Institute, “IT CONTROL OBJECTIVES FOR SARBANES-OXLEY” Rolling Meadows, IL 60008 USA, ISBN: 1-893209-67-9
12. Mead, Richard, 1998, ‘International Management, Cross-Cultural Dimensions‘, 2nd Edn, Blackwell Publishing, UK
13. Mitchell, Ruth C. and Marcella, Rita, and Baxter, Graeme, 1999 “Corporate information security management” New Library World Volume 100. Number 1150. 1999. pp. 213-227, MCB University Press
14. Mitnick, Kevin D. and Simon, William L. 2002, “The Art of Deception: Controlling the Human Element of Security” John Wiley & Sons, USA, ISBN:0471237124
15. National Science Foundation, 1999, “NSF Research Needs Workshop: Building Systems Integration for Performance and Environmental Quality Final Report 99”, NSF Project #9708399, “Results from Oct. 97 Workshop and Research Community” Center of Building Performance and Diagnostics, Carnegie Mellon University
16. NSW Government (OIT)
Information Security Guideline for NSW Government
· Part 1 Information Security Risk Management
· Part 3 Information Security Baseline Controls
17. O’Brien, James A., 1999, ‘Management Information Systems, Managing Information Technology in the Internetworked Enterprise‘, 4th Edn, Irwin McGraw-Hill Ltd, US
18. O’Bryan, Bernard Burch and Pick, Roger Alan, 1995 ‘Keeping information systems staff (happy)’, Emerald - The International Journal of Career Management, Volume 7 · Number 2 · 1995 · 17–20
19. Protiviti (Independent Risk Consulting), Guide to the Sarbanes-Oxley Act IT Risks and Controls (FAQ) Dec 2003
Publications from the National Institute of Standards and Technology (NIST)
20. NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program”
21. NIST Special Publication 800-35, “Guide to Information Technology Security Services“
22. NIST Special Publication 800-36, “Guide to Selecting Information Technology Security Products”
23. Romeo , Jim, Dec 2002, “Keeping your network safe, HR must protect sensitive data from internal and external security threats”, “HR Magazine – Vol 47 No12”
24. Treen, Doug, 2001, “The HR Challenge for the high-tech start-up”, JANUARY/FEBRUARY 2001, IVEY BUSINESS JOURNAL, The University of Western Ontario Press
25. Turnbull, Ian, “Privacy in the Canadian Workplace — Best Practices”, Paper from HR Privacy 2004: Managing the New Challenges, Society for Human Resource Management/ HR Technology
26. Wood, Charles Cresson, 1997 “Securely handling staff terminations”, Information Management & Computer Security, Vol. 5 No. 3, 1997, pp. 21-22, MCB University Press Limited, 0968-5227
27. Wood, Charles Cresson, 1993 “Background checks for employees in computer-related positions of trust (A further contribution on security system checks for employees)”, Information Management & Computer Security, Vol. 3 No. 5, 1995, pp. 21-22, MCB University Press Limited, 0968-5227

Web Sites
1. Christopher, Abby, CIO Magazine, “The human firewall”, 28/10/2003
2. “Computer Security Awareness – Quiz from the Fermi National Accelerator Laboratory”,
3. Countering financial crime risks in information security [Financial Crime Sector Report]
4. Hay/McBer (2000). “Research into teacher effectiveness: A model of teacher effectiveness report by Hay McBer to the Department for Education and Employment”. Report prepared by Hay/McBer for the government of the United Kingdom,
5. McCarthey, John, CIO Magazine, Nov. 15, 2001 “RISK MANAGEMENT, Plan for People, Not Just Systems”
6. McLelland, Ross (2004), “Emotional intelligence in the Australian context”, Pacific Consulting,
7. Savage, Marcia, Hiring Hackers, A Heated Debate, 16th Apr 2003, CRN, viewed 06th Mar 2004, <>.
8. The Associated Press. “Famous hacker Kevin Mitnick gets hacked”, 11th Feb 2003, CNN, viewed 22nd Mar 2004 <>
9. The House of Representatives (H.R. 5005)Homeland Security Act of 2002, November 19, 2002, viewed 6th March 2005 <>

Friday, 14 December 2007

Principles of Database, Datawarehouse and Repository Development

As the main repository of an organisation’s historical data, the data warehouse is evolving into the memory of a corporation[1]. Through storage of a wide variety of data sources in an integrated format, the data warehouse is becoming both the storeroom of past events, and the central predictive engine.

The data warehouse contains the unrefined substance that when fed through a decision support system can provide management with up-to-date analytics and corporate predictors. The data analyst can use this technology to perform complex queries and analysis of information without adversely impacting operational systems.

Through both the rise in computational speed and power and the growth of data storage, data warehouses have pressed other technologies into greater levels of development[2]. Technologies such as data mining have grown symbiotically with data warehouses due to the benefits that they can provide. To understand data warehousing it is necessary to have knowledge of both data warehouse technologies and the associated analytical analysis methods used to access, report and present on the data.

The data warehouse architecture illustrates the entire organisational process from a variety of points of view[3]. These include the data, processes and infrastructure of the organisation and can mirror the structure, function and interrelationships of each constituent element of the organisation.

Data warehousing and Data analysis
The infrastructure or technology viewpoint reflects the choice of hardware and software products as they are implemented by the distinct components which make up the overall system. The data perspective characteristically epitomizes the source and target data formation and can assist the members of the organisation to comprehend the data assets and functional relationships which make up the organisation’s operations. The process viewpoint is principally focused on the communication of the progression of data from the originating source database, through the procedure to load the data into the data warehouse, and finally to the analysis and extraction of data from the warehouse.

To be able to explore the effect of the rise of data warehouses on business and society, one first needs to characterise what the concept encompasses. William H. Inmon[4], known as one of the fathers of data warehousing, has stated that data warehouses are required to be subject oriented. In this, the data and thus the database is organised in a manner such that all data relations relating to the same event or object are associated correspondingly, in a manner that is concurrently time variant, non-volatile and integrated.

Whereas operational systems are necessarily optimised for ease of use and the rapidity of response, the data warehouse is optimised for reporting and analysis. Online transaction processing (OLTP), crucial to the operational system, is of less importance to the data warehouse. Rather, online analytical processing (OLAP) and the necessity to access unusual data patterns result in models that are often heavily denormalised or dimension based, although this is not always required to achieve acceptable query response times[5].

Time variant means that changes to the objects and tables within the database are tracked and evidenced. This process allows for the statistical analysis of the data over time to produce reports on time variant trends. Heteroscedastic (including ARIMA, GARCH and ARCH) time series analysis of data is one of the newer avenues of research.

A data warehouse requires that once data is committed to the database, it is stored as read only. In this it is used for future reporting and any point in time data becomes an individual snapshot of the database over time. This process allows both for historical analysis and also future predictions.
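To make the two properties in the last paragraphs concrete, the following Python is an added example written for this post (not code from the original article or from Inmon): a minimal append-only store in which a customer dimension is versioned by effective date and facts are never updated, so that a report can be run either against the state of the world on each sale date or against the state on a chosen reporting date. The customers, regions and sales are constructed sample data.

```python
"""Added example (not from the original post): an append-only, time-variant
store. Nothing is ever updated or deleted; a change to a customer's region is
a new version row, so any past state can be reconstructed. Sample data is
constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CustomerVersion:
    customer_id: str
    region: str
    effective: date   # the date from which this version applies


@dataclass(frozen=True)
class Sale:
    customer_id: str
    sale_date: date
    amount: float


class Warehouse:
    """Facts and dimension versions are only ever appended (non-volatile)."""

    def __init__(self) -> None:
        self.versions: List[CustomerVersion] = []
        self.sales: List[Sale] = []

    def record_customer(self, customer_id: str, region: str, effective: date) -> bool:
        # History is appended in date order; a later version must not predate
        # one already recorded for the same customer.
        if any(v.customer_id == customer_id and v.effective > effective
               for v in self.versions):
            raise ValueError("history must be appended in date order")
        latest = self.customer_as_of(customer_id, effective)
        if latest is not None and latest.region == region:
            return False  # unchanged: nothing new to record
        self.versions.append(CustomerVersion(customer_id, region, effective))
        return True

    def record_sale(self, sale: Sale) -> None:
        self.sales.append(sale)

    def customer_as_of(self, customer_id: str, as_of: date) -> Optional[CustomerVersion]:
        # Time variant: the version in force on a date is the latest one whose
        # effective date is not after that date.
        candidates = [v for v in self.versions
                      if v.customer_id == customer_id and v.effective <= as_of]
        return max(candidates, key=lambda v: v.effective, default=None)

    def sales_by_region(self, as_of: Optional[date] = None,
                        historical: bool = True) -> Dict[str, float]:
        """Total sales per region. With historical=True each sale is credited
        to the region the customer was in on the sale date; with
        historical=False every sale is credited to the region in force at
        `as_of`, the way a restated report would present it."""
        if not historical and as_of is None:
            raise ValueError("as_of is required for a restated report")
        totals: Dict[str, float] = defaultdict(float)
        for s in self.sales:
            ref = s.sale_date if historical else as_of
            v = self.customer_as_of(s.customer_id, ref)
            totals[v.region if v else "unknown"] += s.amount
        return dict(totals)


def build_sample() -> Warehouse:
    """Constructed history: c1 starts in the north and moves south mid-year."""
    w = Warehouse()
    w.record_customer("c1", "north", date(2007, 1, 1))
    w.record_customer("c2", "east", date(2007, 1, 1))
    w.record_customer("c1", "south", date(2007, 7, 1))
    w.record_sale(Sale("c1", date(2007, 3, 15), 100.0))
    w.record_sale(Sale("c2", date(2007, 5, 1), 30.0))
    w.record_sale(Sale("c1", date(2007, 9, 1), 50.0))
    return w


if __name__ == "__main__":
    w = build_sample()
    print("as at each sale date:", w.sales_by_region())
    print("restated to year end:", w.sales_by_region(date(2007, 12, 31), historical=False))
```

The same three sales give two different regional breakdowns depending on which point in time the dimension is read at; an operational system that overwrote the customer’s region would only ever be able to produce the second.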

To be effective, a data warehouse needs to contain data from as many, if not all, of an organisation’s operational applications and individual databases[6]. Further, to be of any effective use, the data in the warehouse must be held in a consistent manner. A failure either to constrain data consistently or to provide an adequate sample of the organisation’s data leads to the GIGO issue[7]. That is, garbage in, garbage out.

Research into data warehousing has expanded into what has been termed the Corporate Information Factory (or "CIF"). A CIF[8] is an organisational data structure which encompasses ERP, eCommerce, customer relationship management (CRM) and many other formerly separate reporting structures. In some cases, a CIF has been known to encompass data marts, exploration warehouses, ODS, both nearline and secondary storage, and project warehouses.

However, the volumes of data, the expense and the lack of enterprise support leave CIF implementations as an idea for the future. There are still a number of difficulties associated with data warehousing which make their implementation less widespread than may be expected in the future. Of particular concern, the process of extracting, cleaning and processing data is both time-consuming and difficult. The failure to implement and adhere to corporate-wide naming standards amongst many organisations has only exacerbated this problem.

Widespread incompatibility between many database products has slowed down the broadening of data warehousing across organisations. Technologies such as OLAP have aided in the development of Cross-application data warehouses[9], but issues of table structure, normalisation and the type of data stored within individual databases remains an issue.
Another issue that has hampered the implementation of data warehousing is security. In a world that is increasingly reliant on the Internet and the Web, security could develop into a serious issue. With links into the data warehouse from the Internet, an organisation’s key informational assets are at risk from both discovery and compromise.

There are a number of clear advantages to the adoption of data warehouse technologies[10]. It is easy to see that organisations which adopt these new technologies successfully will gain a clear competitive advantage. These technologies enhance end user access to data and reports in a manner that allows for greater creativity and more informed evaluations.

The ability to create trend reports and use statistical methods to accurately forecast probabilistic events based on the past occurrences and experience provides for more focused corporate activity[11]. For instance, marketing information from a particular sales push can be compared across different regions to evaluate the impact of differing advertising initiatives.
Data warehousing technology can also significantly increase the effectiveness of several commercial business applications. In particular, customer relationship management (CRM) benefits greatly from this technology. The ability to both gain an overall view and to be able to drill down to specific areas and individuals provides a significant advantage to many organisations. CRM has been one of the principal applications to make early use of data warehousing.

Data Mining
Data mining is a relatively new development. The use of statistical methods to routinely investigate large volumes of data for patterns, using techniques including classification, decision trees[12], association rule mining, and clustering, has resulted in a new field of computational mathematics[13]. Data mining is a complex subject in itself, has associations with numerous core disciplines including computer science, and draws on influential computational techniques from statistics, information retrieval, machine learning and pattern recognition[14].

To many people, the key issue introduced through the use of data mining is not commercial or technological in nature. It is a social issue. The protection of individual privacy is a concern that has increased exponentially with the rise in data mining. Data mining increases the possibility of an individual’s privacy being violated in some manner.

The processes used to analyse ordinary commercial transactions may be used to compile significant quantities of information about individuals from their purchasing behaviour and lifestyle preferences[15]. In particular, where data is compiled across multiple organisations, the need to protect the privacy of individuals’ identities is compounded.

There are five primary stages to data mining. Initially it is essential that the data is loaded into the data warehouse system. This phase includes the extraction of data from the source databases and any necessary transformations required to reformat the data or cleanse the data such that it is maintained consistently.

The next phase involves storing and managing the data. In this, the data needs to be normalised and formatted such that it fulfils the requirements necessary to maintain a multidimensional database system. This data must be accessible to the organisation’s business analysts. The process of providing access to the data is the third phase of data mining. No data warehouse project may be considered successful if the business is unable to access the data.

The final two phases of data mining call for analysis and presentation. Using methods such as OLAP, ROLAP and MOLAP[16] to access the data, the business analyst will load the required information from the database into specialised application software[17]. These products are then able to present the data contained in the data warehouse in a more usable format, such as a graph or table.

The Types of Analysis
The data maintained in a data warehouse is of little use if it cannot be accessed and analysed. As a consequence, a number of analysis techniques have developed. Although not exclusive, the following provides a brief summary of the analysis techniques available for use against data warehouses.

Decision tree methodology has been around for a long time as a probabilistic tool. This technique uses tree shaped structures to represent a variety of decisions and possible outcomes. This process generates rules for the classification of data sets. There are a number of specific decision tree methods including Classification and Regression Trees (CART) and Chi Square Automatic Interaction Detection (CHAID) which have been derived from probability theory[18]. These methods provide a set of rules which may be applied to the data set in order to predict or forecast a given outcome from the data.

The CART methodology segments a dataset by creating 2-way splits[19], whereas the CHAID method segments using chi square tests to create multi-directional splits. CART methodologies are more common than CHAID methods as they typically require less data preparation. However, CHAID methods can provide a greater level of statistical precision[20].

Another method is the nearest neighbour method. This technique classifies each record in the dataset using a combination of the classes of the “k”[21] records which are most similar to it in a historical dataset. This technique is also known as the k-nearest neighbour technique[22].

Rule induction is common in organisations with a strong programming or logic background or focus. This technique uses a variety of predetermined statistical tests to derive “if-then-else” rules from the data[23]. Analysis programs such as those provided by SAS and the open source product “R” make extensive use of this method.
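As an added example (not code from the original post, nor from SAS or R), the following Python builds CART-style two-way splits by Gini impurity over a constructed customer-history dataset, flattens the tree into the if-then rules that rule induction produces, and classifies the same records with k-nearest neighbour. The feature names, records and thresholds are all hypothetical.

```python
"""CART 2-way splits, if-then rule extraction and k-nearest neighbour.

Added example; the data is constructed.  Each record is
((monthly_spend, visits_per_month, years_as_customer), class).
"""
from collections import Counter
import math

# Constructed historical dataset with hypothetical feature names.
HISTORY = [
    ((120.0, 4, 1), "renewed"),
    ((300.0, 9, 5), "renewed"),
    ((45.0, 1, 0), "lapsed"),
    ((210.0, 6, 3), "renewed"),
    ((60.0, 2, 1), "lapsed"),
    ((90.0, 3, 2), "lapsed"),
    ((400.0, 12, 7), "renewed"),
    ((30.0, 1, 1), "lapsed"),
    ((150.0, 5, 2), "renewed"),
    ((75.0, 2, 4), "lapsed"),
    ((130.0, 1, 0), "lapsed"),
    ((80.0, 3, 6), "renewed"),
]
FEATURES = ("monthly_spend", "visits_per_month", "years_as_customer")


def gini(labels):
    """Gini impurity of a list of class labels (0.0 means a pure node)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(records):
    """Find the CART 2-way split (feature, threshold) with the lowest weighted Gini."""
    parent = gini([label for _, label in records])
    best = None
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in records})
        # Candidate thresholds are midpoints between adjacent observed values.
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [label for x, label in records if x[f] <= t]
            right = [label for x, label in records if x[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(records)
            if best is None or score < best[0]:
                best = (score, f, t)
    if best is None or best[0] >= parent:
        return None  # no split improves on the parent node
    return best[1], best[2]


def build_tree(records, depth=0, max_depth=3):
    """Recursively grow a binary tree; leaves hold the majority class."""
    labels = [label for _, label in records]
    majority = Counter(labels).most_common(1)[0][0]
    if gini(labels) == 0.0 or depth >= max_depth:
        return {"leaf": majority}
    split = best_split(records)
    if split is None:
        return {"leaf": majority}
    f, t = split
    left = [r for r in records if r[0][f] <= t]
    right = [r for r in records if r[0][f] > t]
    return {"feature": f, "threshold": t,
            "left": build_tree(left, depth + 1, max_depth),
            "right": build_tree(right, depth + 1, max_depth)}


def tree_rules(node, conditions=()):
    """Flatten the tree into if-then rules, one per root-to-leaf path."""
    if "leaf" in node:
        return [f"if {' and '.join(conditions) or 'always'} then {node['leaf']}"]
    name, t = FEATURES[node["feature"]], node["threshold"]
    return (tree_rules(node["left"], conditions + (f"{name} <= {t:g}",))
            + tree_rules(node["right"], conditions + (f"{name} > {t:g}",)))


def tree_predict(node, x):
    """Walk the tree from the root until a leaf is reached."""
    while "leaf" not in node:
        node = node["left"] if x[node["feature"]] <= node["threshold"] else node["right"]
    return node["leaf"]


def euclidean(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def knn_predict(x, k=3, history=HISTORY):
    """Majority class among the k historical records nearest to x.

    Features are deliberately left unscaled here, so monthly_spend
    dominates the distance; real analyses normalise features first.
    """
    nearest = sorted(history, key=lambda r: euclidean(r[0], x))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


if __name__ == "__main__":
    tree = build_tree(HISTORY)
    for rule in tree_rules(tree):
        print(rule)
    for new in ((180.0, 5, 2), (85.0, 3, 3)):
        print(new, "tree:", tree_predict(tree, new), "knn:", knn_predict(new))
```

The two classifiers disagree on the borderline record (85.0, 3, 3), which is the usual reason analysts compare more than one method before acting on a prediction.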

A further common method is “data visualisation”. This involves the generation of graphs and reports which allow the analyst to visually interpret complex associations in multidimensional data. Graphics tools are used to illustrate relationships between the data in a manner that provides more straightforward reporting than many of the other methods.

With the advances in both computational power and the development of new mathematical techniques, a couple of advanced analysis methodologies have developed, including artificial neural networks and genetic algorithms. Artificial neural networks use non-linear predictive models which “learn” using training algorithms to provide intricate statistical reports on the data. These techniques are so named as they resemble biological neural networks in their structure.

Genetic algorithms, which use optimisation techniques and algorithmic evolution, are also developing. These processes use a combination of “genetic combination”, mutation and probabilistic methods to simulate natural selection. These methods commonly integrate stochastic techniques, such as Monte Carlo simulations, to provide estimates and forecasts from the data contained in the data warehouse[24].

Due to the exponential growth in the volume of data and the continuing development of new techniques for data analysis, organisations are continuing to change the methods they use to both store and analyse data. Data warehouse architectures, which are now primarily used to express the overall configuration of a Business Intelligence system, have integrated decision support systems (DSS) and management information systems (MIS) into their fold, giving businesses access to more information and predictive capability than ever before.
This rapid increase in data presents many problems for organisations, but at the same time provides opportunities for those who know how to use these new technologies and techniques. Those businesses and organisations which most effectively make use of this new technology are likely to gain significant competitive advantages. As a result, the implementation of data warehousing techniques and technologies is only likely to continue.

Coupled with the advances in analytical technologies such as neural network analysis and genetic algorithms, organisations now have greater access to the data than ever before. This increasing level of access has become the new organisational paradigm.


  1. Agresti, A. (1990), “Categorical Data Analysis”, New York: John Wiley & Sons.
  2. Amado, Carlos Armando (Miami, FL, US) (1997) “Method and apparatus for applying if-then-else rules to data sets in a relational data base and generating from the results of application of said rules a database of diagnostics linked to said data sets to aid executive analysis of financial data” US Patent Office – Application No. 400355 - G06F 015/18
  3. Berson, A & Smith, A (1997) “Data Warehousing, Data Mining and OLAP” McGraw Hill USA
  4. Beynon-Davis, P., 2004. Database systems, 3rd edn, Palgrave McMillan.
  5. Codd, E & Codd, S (1993) “Providing OLAP to User-Analysts: An IT Mandate”, Comshare
  6. Collett, D. (1991), “Modelling Binary Data”, London: Chapman & Hall.
  7. Date, C.J., 2004. An introduction to database systems, 8th edn, Addison Wesley.
  8. Fair Isaac (2003) “A Discussion of Data Analysis, Prediction and Decision Techniques”
  9. Fair Isaac White Paper, May 2003; http://
  10. Frank M. (1994) “A Drill Down Analysis of Multi-dimensional Databases”, DBMS, July.
  11. Hoffer, J., Prescott, M., McFadden, F., 2007. Modern database management, 8th edn, Prentice Hall.
  12. Inmon, W. H. (1995) “What is a Data Warehouse” Prism Solutions Inc,
  13. Inmon, W. H. (1996) “What is a Data Mart”, Informatiques Magazine. Avril
  14. Inmon, W.H.(1996-2) “User Reaction to the Data Warehouse.” DMR (December 1996).
  15. Inmon, W. H. (2003) “Building the Data Warehouse” Wiley Computer Publishing, USA
  16. Keith, Steven; Kaser, Owen & Lemire, Daniel (2005) “Analyzing Large Collections of Electronic Text Using OLAP”, UNBSJ CSAS, TR-05-001, 2005.
  17. Kimball, Ralph & Ross, Margy (2002) “The Data Warehouse Toolkit: The Complete Guide to Dimensional Modeling” 2nd Ed. Wiley Computer Publishing, USA
  18. Kimball R. (1997) “A Dimensional Modelling Manifesto” DBMS Online,
  19. Kroenke, D., (2003) “Database processing: Fundamentals, design and implementation”, 10th edn, Prentice Hall.
  20. Lehn, R., Lambert, V. & Nachouki, M.-P. (1997) "Data warehousing tool's architecture: from multidimensional analysis to data mining," dexa, p. 636, 8th International Workshop on Database and Expert Systems Applications (DEXA '97).
  21. Ma, Yao (1998) “Data Warehousing, OLAP and Data Mining; An Integrated Strategy for use at FAA”, M.Eng Thesis, MIT 2nd edn, McGraw-Hill.
  22. Hegland, M (2001) “Data mining techniques” Acta Numerica (2001), Volume 10: Pp 313-355 Cambridge University Press
  23. Mento, B & Rapple, B (2003) “Data Mining and Data Warehousing” Association of Research Libraries, US
  24. Nguyen, Tho Manh & Tjoa, A Min (2006) “Zero-Latency Data Warehousing (ZLDWH): the State-of-the-art and experimental implementation approaches” Institute of Software Technology and Interactive Systems, Vienna University of Technology, Favoritenstraße 9-11/188-3 (2. Stock), 1040 Vienna, Austria
  25. Pokorny J. (1998) “Conceptual Modelling in OLAP”, Proceeding of ECIS’98, Aix-en-Provence, Pp 273-288.
  26. Pratt, P. & Adamski, J., (2005). “The concepts of database management”, 5th edn, ITP.
  27. Pulleyblank, W. R. (2002) “Mathematical sciences in the nineties” Systems Journal, IBM Journal of Research and Development, “Mathematical Sciences at 40” IBM, Vol. 47, No. 1, 2003
  28. Service, R & Maddux, H, (1999) “Building competitive advantage through IS: the organizational Information Quotient”, Journal of Information Science 25(1) Pp 51-65.
  29. Sullivan, D. (2001) “Document Warehousing and Text Mining: Techniques for Improving Business Operations”, Marketing, and Sales, USA
  30. Thalhammer, T; Schrefl, M. & Mohania, M (2001) “Active Data Warehouses: Complementing OLAP with Analysis Rules”, Data & Knowledge Engineering, Elsevier Science Ltd., Vol. 39(3), Pp. 241–269.
  31. Vassiliadis, P; Quix, C; Vassiliou, Y & Jarke, M (2001) “DATA WAREHOUSE PROCESS MANAGEMENT” Informatik, De
  32. Whitehouse, Peter R. (2006) “Case Studies in Database Design and Implementation” UQ Australia

[1] Ma, 1998
[2] Vassiliadis et al; 2001
[3] Inmon, 1996-2
[4] Inmon, 1995 (The founder of Prism Solutions in 1991)
[5] Pokorny, 1998
[6] Nguyen & Tjoa, 2006
[7] Inmon, 1996
[8] Inmon, 2003
[9] Service & Maddux; 1999
[10] Inmon, 1995
[11] Lehn, 1997
[12] Tree Modeling Methods, P81 in Fair Isaac, 2003
[13] Pulleyblank, 2002; Hegland 2001
[14] Lehn et al, 1997
[15] Kroenke, 2003; Mento, 2003; Keith et al 2005.
[16] Lehn et al 1997
[17] There are a number of specialist statistical packages designed to provide data mining services. Vendors such as SAS and SPSS, as well as open source products such as R, provide this type of application software product.
[18] Berson & Smith, 1997
[19] Thalhammer, 2001
[20] Thalhammer, 2001
[21] Where “k” is an arbitrary number of records chosen by the analyst.
[22] Agresti 1990
[23] Fair Isaac, 2003; Collett, 1991 & Amado 1997
[24] Hegland, 2001

Thursday, 13 December 2007

Rewarding IT staff in a changing environment

Lane (2004) has stated that “once an organisation has selected its employees… it will attempt to find some means to measure and appraise their performance”. He further postulates that “in the absence or presence of a formal appraisal system, informal appraisal of work and behaviour takes place continually”.

In any discussion of reward management it is essential to first define the terms. As such this paper will first look at performance management and the effect of behaviour on performance from a theoretical viewpoint.

Next, we look at reward management as it pertains to information technology staff. This is explored by contrasting performance management techniques and fairness across the organisation, team and the individual. Alternative methods to reward are investigated as a more effective and productive alternative to the typical performance appraisal scheme.
Management’s role is to accomplish production through others. For this reason, management is more comfortable when employees are directed and committed to achieving the organisation’s objectives. In this it is essential that management creates the most effective method of developing their employees.

Defining Performance Management
“Performance appraisals are that occasion when, once a year, you are reminded who owns you” (Peter Block quoted by Lee 1996, p 44). For many, this quote sums up the view that performance management is not a tool to help them. Rather it is often seen as an irrational grasp by management to maintain power.

“The essence of the concept of rationality is the relationship between means and ends. In all decision situations, certain ends will be desirable,” Carter & Jackson (2000, p 98).

Stone (2002) and Kramer, McGraw and Schuler (1997) disregard any detailed discussion of performance management in their attempts to differentiate between performance appraisal and performance management practices. It would seem that they take this approach in order to treat performance management and the concept of performance appraisal as equivalent within the structure introduced into U.S. organisations around 1914 (Lee 1996, p 43).

Williams (2002, p 10) on the other hand defines performance management as a system based approach to managing employee performance within the organisation, as a means of integrating organisational and employee performance and controls. Williams’s performance management system starts with input such as a high end managerial statement (such as corporate policy or a performance plan), a control mechanism for formulating and overseeing performance objectives, and finally a series of controls used to evaluate and remunerate outputs with respect to products and/or services in a fair and effective manner.

Problems with the denotation of performance management
Lane (2004) has postulated that the precise nature of performance management remains ‘indistinct’. He further argues that this can explain why “many textbook writers use the term performance appraisal and performance management interchangeably, as if these concepts were one and the same thing”. It is clear that an effort is made by various authors [Williams (2002); Stone (2002); and Kramer, McGraw and Schuler (1997)] to differentiate performance appraisal and performance management. However, an abundance of vagueness over the character of performance management has led to a discussion of performance appraisal rather than performance management (Lane, 2004).

Primary focus of Performance management
Williams (2002, p 134) has argued that, “even at its most basic performance management isn’t about a single intervention”. Yet, “teamwork and multi-skilling, one main interpretation of performance management continues to dominate practice” (Lane, 2004). This spotlighting of the “individual” has occurred against the move to empowerment. Performance management should be an evolutionary addition to the development of the traditional appraisal practice.

Kramer, McGraw and Schuler (1997, 3rd edition) argue that organisations are yet to develop performance management systems that recognise team performance management in organisations. They further hypothesise that performance management systems fail to effectively address participation, continuous improvement or even a concern for employee well-being.

Nankervis & Leece (1997, p 80) conclude that performance management systems meet the needs of management but not the needs and welfare of those most directly affected by performance management. When performance management focuses primarily on the individual, it often fails to address a continuous process of improvement and organisational performance.

It is obvious that a clear and concise definition of performance management is lacking and disagreement exists on its meaning.

Performance management starts when the employee commences
Orientation is a commonly used method of introducing a new employee to the organisation. For orientation programs to be effective, new employees must receive specific information about the following three areas (Lane, 2004):

  1. Company standards, expectations, norms, traditions, policies
  2. Social behaviour, work climate, getting to know colleagues and supervisors
  3. Technical aspects of the job
Lane (2004) notes that orientation occurs at two levels, “the company (conducted by HR representative), and departmental (conducted by direct supervisor)”. It is further noted that a successful orientation program includes a process of follow-up and evaluation.

Competence development in employees is a primary goal of performance management (Williams, 2002). To be effective it requires an effective training program which includes assessment, implementation and evaluation.

Performance appraisal interviews, a fundamental component of performance management for many organisations, rely on methodical portrayals of the job-relevant strengths and weaknesses of individuals in the group in order to improve the professional performance of the employees and to disseminate information to management for use in future decision making (Thompson & McHugh, 1995). It is further argued that any dysfunctional aspects of managing employee performance may be solved by a study of organisational behaviour. Continuous feedback could be used as one alternative method of addressing personality conflicts and employee performance monitoring.

Thompson & McHugh, (1995) in their study argue that “organizations, their employees and systems, are rational and reasonable” and as such that performance management works through the above stages to improve organisational behaviour by reducing the dysfunctional aspects of the interactions between the groups while simultaneously “reinforc(ing) the positions, rewards and activities of dominant groups in organisations (managers)”.

A behavioural view of performance
Walker (1992, p 259) details an interlinking framework of strategic contexts/expectations, performance objectives, work, coaching (or mentoring) and training designed as a control process. It is claimed that personal performance, abilities and knowledge mixed with equitable rewards, motivation (or reinforcement) coupled to performance feedback will lead to improved performance and higher levels of motivation.

This view formulates a strategy to reward positive behaviour and discipline negative behaviour in order to modify employee output. These rewards (such as promotions, increases in pay and training opportunities) and punishments (demotion, negative feedback or dismissal) are used by the organisation’s management to shape its workforce. This progression is intended to strategically advance the organisation by improving its competitiveness.

What does this mean for ITC Professionals
As “competency based approaches to management development are most likely to be useful in large, mechanistic bureaucratic organisations which have clearly delineated roles and functions that are well documented” (Toohey, 1995, p125), information technology professionals may face difficulties in adjusting to this style of control.

“Faster and more flexible ways to respond to management development needs may be what is required in the present turbulent management environment” (Toohey, 1995, p126) of IT, where change is a daily aspect of the job. IT roles are often fairly autonomous in nature, requiring a large degree of independence. Bureaucratic systems of control generally leave IT professionals feeling they are being watched too closely. Also, unless supervisors are given a structure to work from, their observations may reflect their own biases rather than the objective performance of employees (Lane, 2004), as they are not trained in behavioural assessment skills.

Lansbury (1995) argues that in performance appraisal there are conflicting strains and prospects for both employers and employees. The ideal approach to performance management is thus an intangible goal. Lansbury further remarks that, “a well designed system, based on objective performance criteria negotiated between management and employees, and providing for two-way feedback and communication, may achieve worthwhile outcomes” (Lansbury, 1995, p. 141).

The aim of a performance appraisal is to (Stone, 2002):

  1. Improve employees’ work performance by helping them to realise and use their full potential in carrying out their firm’s missions;
  2. Provide information to employees and managers for use in making work-related decisions.

Specifically, appraisals may be seen to provide legal and formal organisational justification for employment decisions to promote outstanding performers and to remove marginal and low performers (Williams, 2002). They are also functional as a method to train, transfer and discipline others while justifying merit increases or the absence of increases. Finally, they are also the foundation of a legal method to reduce the size of the workforce.

Toohey (1995) advocates that appraisal results are correlated with test results from management studies in order to evaluate the hypothesis that test scores predict job performance. Appraisals also present feedback to employees, allowing them to use the results to further their own personal and career development goals. This may also present both the employee and management with opportunities to develop and instigate training programs.
Toohey (1995) also notes that the appropriate specifications of performance levels developed from appraisals can help detect “organisational problems by identifying training needs and the knowledge, abilities, skills, and other characteristics to consider in hiring”. Appraisals are the commencement of the process, rather than the end result as they provide a basis for distinguishing amongst successful and unproductive employees.

Reward Management, an incentive based approach
Brache & Rummler (1995) have stated that there are three levels of performance:

  1. The organisational level
  2. The business unit /team level
  3. The individual level
Myers and McCaulley (1985) modelled the key determinants of Information Technology staff using the Myers-Briggs Type Indicator (MBTI). Both analysts and programmers are defined to frequently have INTJ (Introverted, Intuitive, Thinking and Judging) personality profiles. Numerous researchers [Lamberth, Rappaport, & Rappaport, (1978); Myers, (1980); Myers & McCaulley, (1985); Vogt & Holder, (1988); Weade & Gritzmacher, (1987); Zeisset, (1989)] agree that this personality type [as is defined by Psychological type theory (Myers & Briggs, 1975)] is generally individualistic and independent.

Although INTJ personality types represent just 2% of the population (Myers & Briggs, 1975) they compose upwards of 10% of Information Technology staff. Other dominant personality types within Information Technology are ENTJ[1], ISTJ[2], and ESTJ[3]. ISTJ and ESTJ personality types feature strongly in many male dominated professions as they represent a large part of the total male population (Myers & McCaulley, 1985).

For this reason, IT has generally been seen as a haven for “geeks”, individualistic, non-social and the fiercely independent. However, researchers such as Sheard & Carbone (2004) have shown that there is a change in the personality profiles of IT workers as more females enter the field [4]. Further it is also demonstrated that the move towards a more team orientated working environment is also changing the fundamental nature of IT.

Does Performance Management improve productivity?
In the past the answer to the question of whether “Performance Management improves productivity” would be no. The move towards a more team focused and formal environment however is shown by Sheard & Carbone (2004) to promote a more collegial environment conducive of productivity improvements.

In this manner, as IT becomes more of a mainstream function within businesses, we may see the composition of the personality types of those in the field change. These changes are allowing a progression to occur where the organisational level is supplanting the business unit or team level, which has in many cases already replaced the more traditional individualistic attitudes which have defined IT staff. For the time being, however, the independent IT staff member is still an influence within the workforce.

Expectancy theory (Vroom, 1964) explains that employees will be motivated if they can perceive the link between their behaviour in meeting performance goals and the rewards they value that follow as a consequence. The independent and individualistic nature of many IT staff aligns them with this style of motivation.

Likewise, Equity Theory (Adams, 1965), which encompasses the notion of fairness with respect to an organisation’s reward schemes, shows some of the motivational issues with IT staff, as they often feel the rewards they receive are inequitable when they compare themselves with others. This view comes from a combination of their need to achieve and a generalised critical insight into the work of others (Myers & McCaulley, 1985).

Reinforcement theory (Thorndike, 1911), however, with its origins in the behavioural school of psychology, reinforces or suppresses behaviours using the consequences of reward and punishment without considering the individual. This system will by nature fail to work in the independent environment of many existing IT departments. The changes in IT staff composition noted above may result in future changes to the fundamental nature of the IT department.

Williams (2002, p 191 – 196) elaborates on the concept of fairness and equity concerning performance management decisions. He states that all performance evaluation systems must be transparent so that employees accept the processes and procedures used in the evaluation of their performance.

Schuler & Jackson (1999, p 271) note that problems will arise with many performance appraisal systems due to perceptions of fairness, and have noted that there is dubious support for appraisal ever being shown to work. Equally, Mabey et al (1998, p 136) describe appraisal as a highly political process, with the parties involved pursuing their own power stratagems.

Individual Performance
Individual Performance is characteristically the focal point of a performance management system and is also the focus of many IT staff (Myers & McCaulley, 1985). Traditionally this involves staff being held responsible for the key result areas and outputs of their job description (Lane, 2004) where “Job descriptions are criticized as being inflexible, static, rigid definitions of responsibilities, and are probably inappropriate for turbulent work environments”.
Job descriptions of this style often ignore multi-skilling for teamwork and have led to an individualistic haven for IT staff seeking an independent view of the organisation.

IT staff often seek a clear notion of individual accountability (Myers & McCaulley, 1985). This allows them to enter into a performance agreement or performance contract which records the work to be done, results to be attained and the attributes (skills, knowledge and expertise), and the competencies required to achieve these results (Armstrong 1994, p 46) in a manner that answers the question asked by many INTJ personality types: How will I know I have achieved what I set out to do?

Performance agreements which concentrate on how to improve those things under the IT staffer’s control need to aim at delivering an improved product or service which is seen as being of value by the key stakeholders (Lane, 2004) in order to be effective within the organisation.

Team Performance
Sheard & Carbone (2004) noted the evolution of IT environments towards a composition of staff members with less independent and individualistic needs[5]. As the trend towards the normalisation of IT progresses into the mainstream, a more socially focused and team orientated model will develop. This model will ideally start with the team and move to eventually encompass the organisation as a whole.

Unfortunately, it is at business unit level that individual performance appraisal systems often ignore the increasing use of teams in organisations (Lane 2004). Performance appraisal methods generally focus on individual endeavours rather than measuring and rewarding team performance.

Teams may examine their own functions, from their boundaries, leadership and range of skills to the methods they will use to manage their own fortunes and efforts. The team model requires continuous improvement in work progression in order to address its business unit plan.

The organisation as a whole
The organisational level may be seen as the natural progression of the move from an individualistic IT structure to a more team focused one. From the stakeholder’s perspective, the organisational view makes sense as it concentrates on core strategic processes. However, employees will require adequate resources to achieve the organisational goals.
Most strategic plans struggle to make an impact on employee behaviour, probably because executive managers formulated the plan on their own during a residential strategic planning weekend.

Edwin Locke (1990) has been significant in demonstrating the impact of goals on work performance. He discovered that difficult challenging goals lead to higher performance than do easy goals, provided that the job holder accepts and is committed to the goals. Additionally, it is noted that specific goals lead to higher performance than do vague, general ‘do your best’ goals or no goals at all.

Applied to the organisation, goals need to be team orientated, challenging and specific. Most importantly they also need to be aligned with the requirements of both the business stakeholders and the employee. This is a difficult task that often falls back on an individual performance appraisal system without delivering the benefits it promises. In this it may be seen as a failure of the strategy used to promote these goals.

Strategy and Vision
Lane (2004) notes that strategic plans generally consist of:
  1. Vision (where we want to be)
  2. Mission (our purpose or reason for existence)
  3. Values (the principles that guide our behaviour, give us a sense of direction, which also helps us decide what is important and provide us with an ethical and moral foundation).

Key Result Areas (KRAs) of the organisation are used with performance indicators, strategies and tactics to measure individuals’ performance against the goals of the organisation. These objectives, KRAs and performance measures/indicators also contribute to departmental aims and objectives in achieving their strategic plan.

Mintzberg (1994) believes that strategic planning should be more correctly called strategic programming as it is an analysis, articulation, and elaboration of that which already exists. Mintzberg (p 52) points out that “in seeking to measure productivity we are basically concerned with the question of how well (how efficiently) available inputs are converted into outputs”.
Mintzberg disapproves of this type of strategic planning process and accuses it of being inflexible and analytical. Fitz-enz (1997), however, opposes this view and argues that this process rewards activity rather than analysis, and that the analysis in it is insufficient. Fitz-enz is appalled by management’s obsession with action over analysis.

Reviewing and Supporting Performance
O’Neill (1994, p 11) notes that “pay and benefit costs are the single largest operating expense for most service companies, and typically, the second or third highest expense category in manufacturing”. From this we see that “pay for performance” is designed to “promote a unitarist rather than a pluralist approach to employment” in rewarding the efforts of the individual over that of a collective bargaining base.

Stone (2002, p 450) defines merit pay as “any salary increase awarded to an employee based on their individual performance”, and this is supported by Williams (2002, p 194). As the nature of IT work is traditionally creative and individualistic, the nature of the work performed must be taken into account when developing a performance structure.

Pay by Merit
Merit pay is common in executive and management pay structures and is an approach to remuneration where the intention is to “develop a productive, efficient, effective organisation that enhances employee motivation and performance” (Hoevemeyer, 1989, p 64). Merit pay is becoming more common in IT as employees are being offered bonuses for successful completion of business projects.

Ivancevich (1995, p 309) asserts that pay by merit schemes do not reward accomplishment, as “employees fail to make the connection between pay and performance, other employees perceive the secrecy of the reward as inequity”. IT in particular, with a largely independent employee base, often suffers as these types of arrangement may:

  1. seen as unfair;
  2. promote employees to be risk adverse, and
  3. increase distrust between staff and management.

It should also be noted that Brown & Walsh (1994, p 450) suggest that it is a flawed conjecture by management that pay is adequately appreciated as recompense and thus acts as a motivator for all employees.

Two-Factor Theory (Herzberg, 1959) classifies pay as a hygiene factor: it does not motivate the employee, but its absence can prevent motivators such as recognition, responsibility and advancement from taking effect.

There’s more than Money or Pay
Strategic human resources management is required to accurately determine an effective reward program. It involves the “measurement of productivity, performance appraisal, training, performance-related pay, profit-sharing and share ownership schemes, and job redesign, with a management philosophy that espouses teamwork, consultation, communications and information sharing” (Bamber, 1992, page 92).

During the late 1980s, in an attempt to contest the perceived divisions and to motivate staff, new remuneration arrangements were developed:

  • Performance based pay
  • Competency based pay
  • Broadbanding (moving a large number of employment grades with narrow salary bands into a structure with few broad grades using wide salary bands, [Stone, 2002, p 836])
  • Team based pay
  • Employee share/option or recognition schemes (O’Neill, 2003, p 196)
  • Value added packaging (including laptops and training plans)

In rewarding IT staff, alternatives to pay should be considered. Value added packaging is commonly used in rewarding IT staff.

Training in lieu of pay
“Training personnel to acquire knowledge, skills, and attitudes are an essential role for instructional systems design, and so is training that translates knowledge, skills and attitudes into effective performance.” (Davies, 1994, p 111). Ghoshal & Bartlett (1995:89) deliver the same importance to training systems as Davies.

Jackson (1995) criticises the competency movement for specifying performance goals in clear, precise, detailed and measurable terms. Training for IT workers should not just be seen as a means of improving performance. Training can be both reward and ambition to the Information Technology employee where training and associated development are a reward for a job well done.

The INTJ personality which still flourishes in the IT environment (Myers & McCaulley, 1985) can see this as a means to increasing their personal competency and thus find satisfaction. The values of “ensuring a job is done well” and innovation that they hold dear are supported by a program of training.

O’Neill (2003, p 196) comments: “if there is one global trend in the broad terms of employee rewards, it is in the growth of the idea of ‘Total Rewards.’ In effect this approach is aimed at providing a tailored and integrated approach encompassing direct remuneration, financial security and benefits, individual development, work environment and corporate image. Other labels used to capture the essence of this approach include ‘Employer of Choice.’”
In managing Information Technology staff it is essential to not forget that they are often individualistic and creative. As such any scheme to reward them has to take this into account. IT staff are sensitive to inequality and inequity. To best utilise their skills in an effective manner, IT staff need to be nurtured and developed using an approach that both rewards their efforts and encourages risk and creativity.

[1] ENTJ, MBTI – Extroverted, Intuitive, Thinking and Judging
[2] ISTJ, MBTI – Introverted, Sensing, Thinking and Judging
[3] ESTJ, MBTI – Extroverted, Sensing, Thinking and Judging
[4] The percentage of IT workers of each personality type would be likely to vary based on the size of the IT department and the role. It is postulated that more INTJ type IT workers would be found in smaller organisations where IT is a “one man band”.
[5] It is likely that the composition of personality types in IT would also vary based on “generational divisions”. Little quantitative data on this subject was found to be available in this study. Research into the personality compositions of early entrants, “Generation X” and “Gen Y” IT workers would be warranted.

1. Ainsworth, M. and Smith, N. 1993. “Making it happen: managing performance at work”. Sydney: Prentice Hall.
2. Armstrong, M. 1994. “Performance Management”. London: Kogan Page.
3. Artley, W., Ellison, D.J. and Kennedy, B. 2001. “The Performance-Based Management Handbook, Volume 1: Establishing and Maintaining a Performance-Based Management Program”. Performance-Based Management Special Interest Group (PBM SIG), U.S. Department of Energy (DOE), September 2001.
4. Banerjee, D., Jones, T.W. and Cronan, T.P. 1996. “The association of demographic variables and ethical behaviour of information system personnel”. Industrial Management & Data Systems, 96(3): 3–10. MCB University Press.
5. Brache, A.P. and Rummler, G.A. 1995. “Improving Performance”. 2nd edition. San Francisco: Jossey Bass.
6. Carter, P. and Jackson, N. 2000. “Rethinking organisational behaviour”. UK: Financial Times and Prentice Hall.
7. Cohen, W.M. and Levinthal, D.A. 1990. “Absorptive Capacity: A New Perspective on Learning and Innovations”. Administrative Science Quarterly, 35: 128–152.
8. Costello, S.J. 1994. “Effective performance management”. New York: Irwin.
9. Davies, I.K. 1994. “Process re-design for enhanced human performance”. Performance Improvement Quarterly, 7(3): 103–113.
10. Dhillon, G. (ed.) 2001. “Information Security Management: Global Challenges in the New Millennium”. Idea Group Publishing. ISBN 1878289780.
11. Dowling, P.J., Welsh, D.E. and Schuler, R.S. 1999. “International Human Resource Management: managing people in a multinational context”. 3rd edition. Cincinnati, OH: South Western.
12. Ghoshal, S. and Bartlett, C.A. 1995. “Changing the role of top management: beyond structure to processes”. Harvard Business Review, January–February: 86–96.
13. Harris, L. 1999. “Performance pay and performing for pay”. In J. Leopold, L. Harris and T. Watson (eds), “Strategic Human Resourcing: principles, perspectives, and practices”. UK: Financial Times Pitman Publishing.
14. Herzberg, F., Mausner, B. and Snyderman, B. 1959. “The motivation to work”. 2nd edition. New York: John Wiley and Sons.
15. Hoevemeyer, V.A. 1989. “Performance based compensation: miracle or warfare?” Personnel Journal, 68(7), July: p. 64.
16. Jackson, N. 1992. Chapter 7, “Training Needs: An Objective Science?”
17. Kirkpatrick, S.A., Locke, E.A. and Latham, G.P. 1991. “Using goal setting to improve performance”. King of Prussia, PA: Organisational Design & Development.
18. Kramer, R., McGraw, P. and Schuler, R. 1997. “Human Resource Management in Australia”. 3rd edition. South Melbourne: Longman.
19. Lamberth, J., Rappaport, H. and Rappaport, M. 1978. “Personality: An introduction”. New York: Alfred A. Knopf.
20. Lane, D. 2004. “Foundations of HRM, Performance and Compensation Management”. Course Notes, University of SA.
21. Lansbury, R.D. 1995. “Writing on Performance Appraisal: The Elusive Quest”. Melbourne: Pitman. Chapter 5, pages 123–141.
22. Lawler, E.E. 1995. “Organisational effectiveness: New realities and challenges”. San Francisco: Jossey Bass.
23. Lee, C. 1996. “Performance appraisal: can we ‘manage’ away the curse?” Training: 44, 46–48, 50, 53, 55, 57, 59.
24. Locke, E. and Latham, G. 1990. “A Theory of Goal Setting and Task Performance”. Englewood Cliffs, NJ: Prentice Hall.
25. Locke, E. and Latham, G. 2002. “Building a practically useful theory of goal setting and task motivation: A 35-year odyssey”. American Psychologist, 57: 705–717.
26. Locke, E.A. and Latham, G.P. 1990(a). “Work motivation and satisfaction: Light at the end of the tunnel”. Psychological Science, 1: 240–246.
27. Mabey, C., Salaman, G. and Storey, J. 1998. “Human resource management: A strategic introduction”. 2nd edition. Oxford: Blackwell.
28. McCaulley, M.H. 1980. “Introduction to the MBTI for researchers”. Gainesville, FL: Center for Application of Psychological Type.
29. Mead, R. 1998. “International Management, Cross-Cultural Dimensions”. 2nd edition. UK: Blackwell Publishing.
30. Mintzberg, H. 1994. “The rise and fall of strategic planning”. New York: Free Press.
31. Myers, I.B. 1980. “Gifts differing”. Palo Alto, CA: Consulting Psychological Press.
32. Myers, I.B. and McCaulley, M.H. 1985. “Manual: A guide to the development and use of the Myers-Briggs Type Indicator”. 2nd edition. Palo Alto, CA: Consulting Psychological Press.
33. Myers, I.B. and Briggs, K. 1975. “The Myers-Briggs type indicator (Form G)”. Palo Alto, CA: Consulting Psychologists Press.
34. Nankervis, A. and Leece, P. 1997. “Performance Appraisal: Two Steps Forward, One Step Back?” Asia Pacific Journal of Human Resources, 35(2): 80–92.
35. Nkamuhebwa, W. 2004. “Does a Training function help an organisation to meet its objectives? Assessment of the effectiveness and relevancy of training in the growth and Development of Community-Based Organisations in Uganda”. Doctor of Philosophy Research Dissertation, St Clements University. Matriculation Number: 2595.
36. O’Brien, J.A. 1999. “Management Information Systems, Managing Information Technology in the Internetworked Enterprise”. 4th edition. US: Irwin McGraw-Hill.
37. O’Bryan, B.B. and Pick, R.A. 1995. “Keeping information systems staff (happy)”. The International Journal of Career Management, 7(2): 17–20. Emerald.
38. O’Dea, A. and Flin, R. 2003. “The role of managerial leadership in determining workplace safety outcomes”. University of Aberdeen, Department of Psychology. Crown copyright 2003.
39. O’Neill, G. and Kramar, R. 1995. “Australian Human Resources Management”. Melbourne: Pitman. Chapter 5, pages 123–141.
40. Parker, S.K. and Wall, T.D. 1996. “Job design and modern manufacturing”. In P. Warr (ed.), “Psychology at Work”. 4th edition. Harmondsworth: Penguin.
41. Rummler, G.A. and Brache, A.P. 1995. “Improving performance”. 2nd edition. San Francisco: Jossey Bass.
42. Schuler, R.S. and Jackson, S.E. 1999. “Strategic Human Resource Management: A Reader”. London: Blackwell Publishers.
43. Sheard, J. and Carbone, A. 2004. “From Informal to Formal: Creating the Australasian Computing Education Community”. In Proceedings of the 6th Australasian Computing Education Conference (ACE2004), Dunedin. Conferences in Research and Practice in Information Technology, Vol. 30. Australian Computer Society, Inc.
44. Steers, R.M. and Porter, L.W. 1991. “Reward Systems in organisations”. In R.M. Steers and L.W. Porter (eds), “Motivation and Work Behaviour”. 5th edition. New York: McGraw Hill.
45. Stone, R.J. 2002. “Human Resource Management”. 4th edition. Singapore: Wiley.
46. Taylor, F.W. 1947. “Scientific management”. New York: Harper and Row.
47. Toohey, S. 1995. “Competency based Management Education: What does it have to offer?” Asia Pacific Journal of Human Resources, 33(2): 118–126.
48. Ulrich, D. 1998. “Delivering Results: A New Mandate for Human Resource Professionals”. Boston: Harvard Business School Press.
49. Vogt, G. and Holder, B.H. 1988. “Myers-Briggs type indicator personality characteristics of business teacher education majors”. NABTE Review, 15: 39–41.
50. Walters, M. (ed.) 1995. “Introduction”. In “The Performance Management Handbook”. London: Institute of Personnel and Development.
51. Warr, P. 1996. “Employee well being”. In P. Warr (ed.), “Psychology at Work”. 4th edition. Harmondsworth: Penguin.
52. Weade, R. and Gritzmacher, J. 1987. “Personality characteristics and curriculum design preferences of vocational home economics educators”. Journal of Vocational Education Research, 12(2): 1–18.
53. Williams, R.S. 2002. “Managing Employee Performance: Design and Implementation in Organisation”. 2nd edition. Thomson Learning.
54. Witana, J. (Project Manager, MCI) 1997. “Developing Professional Management Skills; CPD Module 8, Reviewing Your Organisation”. The National Forum for Management Education and Development, 1997.
55. Wood, R.E. and Locke, E.A. 1990. “Goal setting and strategy effects on complex tasks”. In B. Staw and L. Cummings (eds), “Research in Organisational Behavior”, Vol. 12. Greenwich, CT: JAI Press.
56. Vroom, V.H. 1964. “Work and Motivation”. New York: John Wiley & Sons.
57. Zeisset, C. 1989. “Many ways to cut a pie”. Bulletin of Psychological Type, 12(1): 7, 22.

Web Sites
1. Hay/McBer 2000. “Research into teacher effectiveness: A model of teacher effectiveness report by Hay McBer to the Department for Education and Employment”. Report prepared by Hay/McBer for the government of the United Kingdom.
2. Team Technology 2005. “IT Management personality types”.

Wednesday, 12 December 2007

Corporate Social Responsibility (CSR)

Is this just a buzz word or phrase being heard at the moment in the corporate community, or does it seem likely that it will become entrenched in our business world and in the day to day life we lead in that world? It must also be stressed that this concept is not an Australian one alone but a global concern, being addressed both by the global community and individually by the separate countries.

The whole idea of corporate social responsibility is a difficult one to pinpoint and more difficult to establish and maintain in Australian companies. This leads to a great many questions and some answers that may not be appreciated by those who encourage CSR.

What must be understood when dealing with every corporation is its genetic make-up, for lack of a more descriptive term. Lord Reid* in Tesco Supermarkets Ltd v Nattrass [1972] AC 153 House of Lords made it very clear when he stated:

… a corporation cannot possess knowledge or intention on its own, rather the directing mind and will of the corporation is to be found in the minds of its most senior personnel.

To discuss this with a modicum of fairness let us look at the following two concepts before moving onto the critical issues.

What is corporate governance?
As indicated by Woodward et al*, it is a term used to describe the methods a firm will utilise in dealing with the conflicts which occur in the management of a company. These conflicts can occur between directors, managers and employees, along with other disruptions to the way the business is operated on a day to day basis. An important way of looking at this is that the methods used are considered the internal rules of the business.

What is corporate social responsibility?
Corporate social responsibility is a concept whereby companies integrate social and environmental concerns in their business operations and in their interaction with their stakeholders on a voluntary basis.*

It is looked at as the company overseeing the day to day smooth running of the business, which would include the financial, cultural and environmental aspects of keeping the business running as smoothly as is possible. This would include, as referred to in Anderson and Landau*, ‘triple bottom line reporting’, which refers to achieving and maintaining the goals of financial gains, environmentally sound effects and social philanthropy; ‘sustainability reporting’, which encompasses the public reporting of their financial, environmental and social accomplishments; and finally their corporate community involvement (CCI), which pinpoints their involvement and interactions within the communities in which they exist. However, it must be emphasised that the concept of CSR has no standardised definition.

As we grow as a country and our smaller companies start to become more internationalised, we can understand how governments influence corporate behaviour through their “…legislative and regulatory initiatives”*. It is through this that we also note the various studies which have been carried out in the Australian business community and the weaknesses they have suffered, not the least of which was the limited number of companies canvassed by the groups. For example, in 2001 Cronin and Zappala* conducted a survey of 100 companies. Of these, 70% claimed to have corporate involvement in their communities or CSR policies. The result of 70% seems pretty impressive until you realise this is only 70 companies. It is the same for many of the studies carried out, and as a result there are considerable weaknesses in those outcomes. This emphasises that very little is actually known about the different corporate approaches to CSR in Australia. There is also little known about how Australian companies are responding to the need for change and the need to develop their own CSR.

It is also necessary to mention that thus far in Australia the regulation of CSR has been through what is termed ‘soft law’ initiatives*. So the question remains: must we change the Corporations Act in order to achieve the results the governments of Australia and other countries want? Having asked this question again, it is becoming evident from the studies that, as stated by Anderson and Landau*:

…the Australian approach to CSR is largely characterised by tentative and short term initiatives of a philanthropic nature.

The studies have also shown that, despite a few exceptions, most Australian companies still have not incorporated the principles of CSR into their businesses. As such, maybe it is time to change the Corporations Act and change the soft touch approach to this problem. But to what extent can legislation force companies to integrate CSR into their corporate structure, especially when the smaller company directors, and even the larger company directors, feel they are meeting the expectations of their stakeholders and that they are doing the right thing for their companies?

When a Honeynet is not so Sweet.

Or the law of going too far.

“HoneyPots are a passive means of drawing or redirecting attacks onto safe systems. These systems have several advantages including the capture of hackers’ methods, tools, or worm code for later analysis and possible prosecution. Since HoneyPots are completely passive and there should be no legitimate connections to them, any connection is highly suspect. This reduces the number of false positives to near zero.”

Andrew Ingle, “The new breed of cracker, verse the next generation of defences,” April 22, 2004, © SANS Institute 2004.

This works well until the administrator decides to go that little bit further and diverts from passive HoneyPots to hacking back, or active counter hacking.

This is when the real legal issues start. With a HoneyPot you may already face civil liability if an attacker is able to launch attacks from it; if you attack back, it is a felony.
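The two detection points in the post are worth making concrete: because nothing legitimate should ever talk to a honeypot, any inbound connection is an alert in its own right, and because a honeypot is supposed to be passive, any connection it initiates means the decoy has been turned into a launch point (the civil liability case above). The following is an added example, not code from the post or from any honeypot product; the firewall log format, the honeypot segment 192.0.2.0/24 and the sample log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed network layout for this example (both ranges are documentation/private
# space chosen here as placeholders, not a real deployment).
HONEYPOT_NET = ip_network("192.0.2.0/24")   # decoy segment: no legitimate traffic expected
INTERNAL_NET = ip_network("10.0.0.0/8")     # production hosts

# Constructed syslog-style firewall line format used by the sample below.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fw: (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    severity: str
    reason: str
    src: str
    dst: str
    dport: int


def parse(line: str) -> Optional[dict]:
    """Return the fields of one firewall line, or None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event: dict) -> Optional[Alert]:
    """Apply the two honeypot rules to one parsed event."""
    src, dst = ip_address(event["src"]), ip_address(event["dst"])
    dport = int(event["dport"])
    if src in HONEYPOT_NET:
        # A passive decoy never initiates traffic. Outbound from it means the
        # honeypot is compromised and being used to attack others: contain it.
        return Alert(event["ts"], "critical",
                     "honeypot initiated outbound connection", str(src), str(dst), dport)
    if dst in HONEYPOT_NET:
        # No legitimate client has any reason to reach the decoy, so every
        # inbound attempt is reportable whether the firewall accepted or dropped it.
        return Alert(event["ts"], "high", "connection to honeypot", str(src), str(dst), dport)
    # Traffic between ordinary hosts needs real analysis; this rule set says nothing about it.
    return None


def run(lines: List[str]) -> List[Alert]:
    """Parse a batch of firewall lines and return the alerts the honeypot rules raise."""
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # unparseable line: skip rather than guess
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per severity, handy for a daily report."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed sample log: one ordinary internal connection, two probes of the decoy
# (one accepted, one dropped), one outbound connection FROM the decoy, one junk line.
SAMPLE_LOG = [
    "2007-12-12 03:14:07 fw: ACCEPT src=10.0.5.20 dst=10.0.1.2 proto=tcp dport=443",
    "2007-12-12 03:14:09 fw: ACCEPT src=198.51.100.77 dst=192.0.2.10 proto=tcp dport=22",
    "2007-12-12 03:14:11 fw: DROP src=198.51.100.77 dst=192.0.2.10 proto=tcp dport=445",
    "2007-12-12 03:15:30 fw: ACCEPT src=192.0.2.10 dst=10.0.1.2 proto=tcp dport=445",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.ts} {alert.reason}: "
              f"{alert.src} -> {alert.dst}:{alert.dport}")
    print(summarise(run(SAMPLE_LOG)))
```

The ordinary 10.0.5.20 to 10.0.1.2 connection produces nothing, which is the point of the quoted claim about false positives: the honeypot rules only fire on traffic that has no business existing. The critical alert on the last line is the one an operator should act on immediately by isolating the decoy, because it is exactly the situation in which the honeypot owner, rather than the intruder, is the party facing liability.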

Most security practitioners have ached to retaliate rather than just applying another patch and doing little more than watching. I admit that I have felt this way myself.
Further, software such as Enforcer and Simbiot has been developed with the capability to present this facility. The argument is along the lines “that a static defence is insufficient to defeat a determined and knowledgeable attacker, and the strike back features offer a deterrence or threat elimination capability that is otherwise absent”.

The issue is that you are ultimately responsible for what you configure. These software vendors may at worst face civil penalties, or even be held jointly responsible in some possible cases, but they are not criminally liable. They cannot express intent. So when you decide that you will set a host to attack back, just remember how many hospitals have insecure networks. Remember how many have been targets of zombies and worms. Remember that attacking these could be an attack that endangers human life.

Or you may spend a long time in prison.

Tuesday, 11 December 2007

Why more training?

When going into court, the more papers, accreditations and books etc the better. This helps with Forensics, but it also helps in general. Many in Information Technology get their stock standard collection of 4-5 certifications and if we are lucky maybe a single degree.

I would argue this is not enough.

Continual training should (I would hope) also have you learn something. There are far too many forensic practitioners and security people who have not come out of the 90’s. Too many who pull a plug first and then look for the answers (can we say hard drive encryption). Too many who do not question.

Get enough behind you and it will become difficult not to learn and develop. In fact, the act of maintaining one’s certifications can become an exercise in development in itself. In my case, I have a certification exam every 11 days. I admit that these are not all directly digital forensics or information security related, but they all aid in some manner. In having 20 something SANS certifications I have constant training on these alone. The GCIH helps with incident handling; this also crosses over to first response in forensic work (so an overlap exists).

However, I completed a UCP500-600 bridging course last year. This has nothing to do directly with information security. The Uniform Customs and Practices for Documentary Credits is a Trade and Banking issue. It still adds value as I can understand the needs of another group.

GCFW covers firewalls. This seems not to have too much of an impact for most people in the forensic field, but then we forget that traffic passes through these. Email on a server can be spoofed. By understanding the architecture, one can do more than a simple search on a single drive to uncover an email. I have been in court while an “expert” has told the judge that “time on the firewalls drifts like pc’s” and that “NTP only updates time daily leaving the time on the firewall to vary by over an hour”. Well, first, NTP will not sync if it is out this far, and next, this was pure ignorance.

At our best, we provide circumstantial evidence. This is all a drive analysis is. Direct evidence is catching a person in the act (ie physically watching them type and maybe videotaping it). The more we know, the less the stuff-ups that will abound. The fewer cases of FUD that we will believe and the closer we can all come to being professional.

The more you know and understand the better. Yes, getting people certified is difficult. I offer 20% training time (i.e. a day per week on average) and getting staff to take this becomes difficult. Getting them to then do the exam or write a paper, more so. So stick it in a KPI.

Monday, 10 December 2007

What is perception?

As humans, we do not directly experience our exterior environment. Rather, we filter and examine signals that we model into an impression representing the external environment, and form internal representations from these prompts. Due to the involuntary nature of this process, we require psychological reminders from parables and perceptual illusions.

A raison d'être that differentiates our interior representations from the exterior environment derives from human sensory limitations. Physiologically, humanity has evolved to respond effectively to its internal models. In cases of ambiguity, numerous internal models may present themselves. In these cases, the human active perceptual system can switch between these models in a manner that overrides conscious control. In selected instances, our interior representations or models do not reflect the external reality, resulting in a perceived visual illusion.

Homo Sapiens often forgets the fact that we are not in direct contact with our external environment and witnesses errors in perceptive reality as truth.

The early philosopher Plato or the “wide, broad-browed” (or Aristocles as he was truly named) asked us to imagine a young child who had been captured by an enemy tribe and kept in a dimly lit cave throughout his early life; in the cave, there were only flat, grey surfaces and shadows undulating across these surfaces.

  1. When his home tribe defeated the enemy and released the now adult man from the cave, what do you think his perceptual experiences were?
  2. Did he look around the world and see it as we do, or did he “freak out” from all of the perceptual experiences that were missing in the cave?

Through the restrictions of our sensory systems, we are all representative of the man in the cave, in that we are tuned to only a part of the external world. Our awareness is tuned to only a fragment of the electromagnetic frequency spectrum, referred to egocentrically as light. We do not see the entirety of the spectrum, missing the infrared, ultraviolet, radio waves, microwaves, and so on. Humanity is similarly limited in hearing, in that we respond to and detect only sound waves in the 200-Hz to 20,000-Hz range. Olfactory senses are little better in humans. We detect a few chemicals from the atmosphere and egocentrically state that the others are odourless.

Three schools of deliberation have postulated methods by which we systematise cues from our exterior environment to shape our interior models. The Gestalt school suggests integrated principles. These include the principles of proximity, similarity, closure and good figure that allow us to delineate substance out of the components.

The perceptual constancy school suggests we discover early in our being that selected features of physical substance are invariant. These include size, shape, brightness and colour, which we assume to be invariable and check against our interior models.

Dale Purves postulates that an evolutionary effect has created unambiguous integrated perceptual elements, derived through the quantitative statistical properties of the environment, that are perfected through learning.

Some of the substantiation representative of the notion that perception is innate includes an infant’s preference “for stripes, avoidance of cliffs by animal and human babies, and single-cell recordings of visual cells”. An indication that perception is learned derives from how people rapidly adjust to inverting lenses and how the blind have difficulty with sight recovery. It would seem that humanity has integrated perceptual hardware and programs that are required to be adjusted through practice.

Perceptual constancies: A school of perception proposing that early in life, we learn that certain properties of objects are invariant, such as size, shape, brightness, and colour.

Perceptual illusions: Situations in which our internal perceptual model of the external world is not in correspondence with reality, causing us to make mistakes in what we perceive.


  1. Coren, S., L. M. Ward, and J. T. Enns. Sensation and Perception, 6th ed. Fort Worth, TX: Harcourt Brace, 2004. A comprehensive textbook giving coverage to most topics in modern perception
  2. Dale Purves and R. Beau Lotto, Why We See What We Do: An Empirical Theory of Vision.
  3. Purves-Lab, Laboratory of Dale Purves, M.D., Center for Cognitive Neuroscience, Duke University,
  4. Visual Cognition Laboratory, University of Illinois, djs_lab/demos.html.

Sunday, 9 December 2007

Work on weekends. Bah

Well nothing today (or is there with this?)

A tender and the last instant together...