Friday, 11 April 2008

Rewarding IT staff in a changing environment

In any discussion of reward management it is essential to first define what we are rewarding and why. IT is a changing environment where the traditional “independent loner” is slowly being supplanted by the team player. Reward systems need to take this into account and treat staff on a differentiated basis.
Management’s role is to accomplish production through others. For this reason, management is more comfortable when employees are directed, and committed to achieving the organisation’s objectives. It is therefore essential that management create the most effective method of developing their IT employees.


Introduction
Lane (2004) has stated that “once an organisation has selected its employees… it will attempt to find some means to measure and appraise their performance”. He further postulates that “in the absence or presence of a formal appraisal system, informal appraisal of work and behaviour takes place continually”.

In any discussion of reward management it is essential to first define the terms. As such this paper will first look at performance management and the effect of behaviour on performance from a theoretical viewpoint.

Next, we look at reward management as it pertains to information technology staff. This is explored by contrasting performance management techniques and fairness across the organisation, team and the individual. Alternative methods of reward are investigated as a more effective and productive alternative to the typical performance appraisal scheme.

Defining Performance Management
“Performance appraisals are that occasion when, once a year, you are reminded who owns you” (Peter Block, quoted by Lee 1996, p 44). For many, this quote sums up the view that performance management is not a tool to help them. Rather, it is often seen as an irrational grasp by management to maintain power.

“The essence of the concept of rationality is the relationship between means and ends. In all decision situations, certain ends will be desirable,” Carter & Jackson (2000, p 98).
Stone (2002) and Kramer, McGraw and Schuler (1997) disregard any detailed discussion of performance management in their attempts to differentiate between performance appraisal and performance management practices. It would seem that they take this approach in order to integrate performance management equally with the concept of performance appraisal in the structure introduced into U.S. organisations around 1914 (Lee 1996, p 43).

Williams (2002, p 10), on the other hand, defines performance management as a systems-based approach to managing employee performance within the organisation, integrating organisational and employee performance and controls. Williams’s performance management system starts with input such as a high-level managerial statement (such as corporate policy or a performance plan), followed by a control mechanism for formulating and overseeing performance objectives, and finally a series of controls used to evaluate and remunerate outputs with respect to products and/or services in a fair and effective manner.

Problems with the denotation of performance management
Lane (2004) has postulated that the precise nature of performance management remains ‘indistinct’. He further argues that this can explain why “many textbook writers use the term performance appraisal and performance management interchangeably, as if these concepts were one and the same thing”. It is clear that an effort is made by various authors [Williams (2002); Stone (2002); and Kramer, McGraw and Schuler (1997)] to differentiate performance appraisal and performance management. However, an abundance of vagueness over the character of performance management has led to a discussion of performance appraisal rather than performance management (Lane, 2004).

Primary focus of Performance management
Williams (2002, p 134) has argued that, “even at its most basic performance management isn’t about a single intervention”. Yet, “teamwork and multi-skilling, one main interpretation of performance management continues to dominate practice” (Lane, 2004). This spotlighting of the “individual” has occurred against the move to empowerment. Performance management should be an evolutionary addition to the development of the traditional appraisal practice.
Kramer, McGraw and Schuler (1997, 3rd edition) argue that organisations are yet to develop performance management systems that recognise team performance management. They further hypothesise that performance management systems fail to effectively address participation, continuous improvement or even a concern for employee well-being.

Nankervis & Leece (1997, p 80) conclude that performance management systems meet the needs of management but not the needs and welfare of those most directly affected by performance management. When performance management focuses primarily on the individual, it often fails to address a continuous process of improvement and organisational performance.

It is obvious that a clear and concise definition of performance management is lacking and disagreement exists on its meaning.

Performance management starts when the employee commences
Orientation is a commonly used method of introducing a new employee to the organisation. For orientation programs to be effective, new employees must receive specific information about the following three areas (Lane, 2004):

  1. Company standards, expectations, norms, traditions, policies
  2. Social behaviour, work climate, getting to know colleagues and supervisors
  3. Technical aspects of the job
Lane (2004) notes that orientation occurs at two levels, “the company (conducted by HR representative), and departmental (conducted by direct supervisor)”. It is further noted that a successful orientation program includes a process of follow-up and evaluation.
Competence development in employees is a primary goal of performance management (Williams, 2002). To be effective it requires an effective training program which includes assessment, implementation and evaluation.

Performance appraisal interviews, a fundamental component of performance management for many organisations, rely on methodical portrayals of the job-relevant strengths and weaknesses of individuals in the group in order to improve the professional performance of the employees and to disseminate information to management for use in future decision making (Thompson & McHugh, 1995). It is further argued that any dysfunctional aspects of managing employee performance may be solved by a study of organisational behaviour. Continuous feedback could be used as one alternative method of addressing personality conflicts and employee performance monitoring.

Thompson & McHugh (1995) argue in their study that “organizations, their employees and systems, are rational and reasonable” and, as such, that performance management works through the above stages to improve organisational behaviour by reducing the dysfunctional aspects of the interactions between the groups while simultaneously “reinforc(ing) the positions, rewards and activities of dominant groups in organisations (managers)”.

A behavioural view of performance
Walker (1992, p 259) details an interlinking framework of strategic contexts/expectations, performance objectives, work, coaching (or mentoring) and training designed as a control process. It is claimed that personal performance, abilities and knowledge mixed with equitable rewards, motivation (or reinforcement) coupled to performance feedback will lead to improved performance and higher levels of motivation.

This view formulates a strategy to reward positive behaviour and discipline negative behaviour in order to modify employee output. These rewards (such as promotions, increases in pay and training opportunities) and punishments (demotion, negative feedback or dismissal) are used by the organisation’s management to shape its workforce. This progression is intended to strategically advance the organisation by improving its competitiveness.

What does this mean for ICT professionals?
As “competency based approaches to management development are most likely to be useful in large, mechanistic bureaucratic organisations which have clearly delineated roles and functions that are well documented” (Toohey, 1995, p125), information technology professionals may face difficulties in adjusting to this style of control.

“Faster and more flexible ways to respond to management development needs may be what is required in the present turbulent management environment” (Toohey, 1995, p 126) of IT, where change is a daily aspect of the job. IT roles are often fairly autonomous in nature, requiring a large degree of independence. Bureaucratic systems of control generally leave IT professionals feeling they are being watched too closely. Also, unless supervisors are given a structure to work from, their observations may reflect their own biases rather than the objective performance of employees (Lane, 2004), as they are not trained in behavioural assessment skills.

Lansbury (1995) argues that in performance appraisal there are conflicting strains and prospects for both employers and employees. The ideal approach to performance management is thus an intangible goal. Lansbury further remarks that, “a well designed system, based on objective performance criteria negotiated between management and employees, and providing for two-way feedback and communication, may achieve worthwhile outcomes” (Lansbury, 1995, p. 141).

The aim of a performance appraisal is to (Stone, 2002):
  1. improve employees’ work performance by helping them to realise and use their full potential in carrying out their firm’s missions;
  2. provide information to employees and managers for use in making work-related decisions.
Specifically, appraisals may be seen to provide legal and formal organisational justification for employment decisions to promote outstanding performers while also removing the marginal and low performers (Williams, 2002). They also function as a method to train, transfer and discipline others while justifying merit increases or the lack of them. Finally, they are also the foundation of a legal method to reduce the size of the workforce.

Toohey (1995) advocates that appraisal results be correlated with test results from management studies in order to evaluate the hypothesis that test scores predict job performance. Appraisals also present feedback to employees, allowing them to use the results to further their own personal and career development goals. This may also present both the employee and management with opportunities to develop and instigate training programs.
Toohey (1995) also notes that the appropriate specifications of performance levels developed from appraisals can help detect “organisational problems by identifying training needs and the knowledge, abilities, skills, and other characteristics to consider in hiring”. Appraisals are the commencement of the process, rather than the end result as they provide a basis for distinguishing amongst successful and unproductive employees.

Reward Management, an incentive based approach
Brache & Rummler (1995) have stated that there are three levels of performance:
  1. The organisational level
  2. The business unit /team level
  3. The individual level
Myers and McCaulley (1985) modelled the key characteristics of Information Technology staff using the Myers-Briggs Type Indicator (MBTI). Both analysts and programmers are found to frequently have INTJ (Introverted, Intuitive, Thinking and Judging) personality profiles. Numerous researchers [Lamberth, Rappaport, & Rappaport, (1978); Myers, (1980); Myers & McCaulley, (1985); Vogt & Holder, (1988); Weade & Gritzmacher, (1987); Zeisset, (1989)] agree that this personality type [as defined by psychological type theory (Myers & Briggs, 1975)] is generally individualistic and independent.

Although INTJ personality types represent just 2% of the population (Myers & Briggs, 1975) they compose upwards of 10% of Information Technology staff. Other dominant personality types within Information Technology are ENTJ[1], ISTJ[2], and ESTJ[3]. ISTJ and ESTJ personality types feature strongly in many male dominated professions as they represent a large part of the total male population (Myers & McCaulley, 1985).

For this reason, IT has generally been seen as a haven for “geeks”: the individualistic, non-social and fiercely independent. However, researchers such as Sheard & Carbone (2004) have shown that there is a change in the personality profiles of IT workers as more females enter the field[4]. Further, it is also demonstrated that the move towards a more team-orientated working environment is changing the fundamental nature of IT.

Does Performance Management improve productivity?
In the past the answer to the question of whether “Performance Management improves productivity” would be no. The move towards a more team-focused and formal environment, however, is shown by Sheard & Carbone (2004) to promote a more collegial environment conducive to productivity improvements.

In this manner, as IT becomes more of a mainstream function within businesses, we may see the composition of the personality types of those in the field change. These changes are allowing a progression to occur where the organisational level is supplanting the business unit or team level, which has in many cases already replaced the more traditional individualistic attitudes that have defined IT staff. For the time being, however, the independent IT staff member is still an influence within the workforce.

Fairness
Expectancy theory (Vroom, 1964) explains that employees will be motivated if they can perceive the link between their behaviour and meeting performance goals, and that, as a consequence, they will receive rewards that they value. The independent and individualistic nature of many IT staff aligns them with this style of motivation.

Likewise, Equity Theory (Adams, 1965), which encompasses the notion of fairness with respect to an organisation’s reward schemes, shows some of the motivational issues with IT staff, as they often feel the rewards they receive are inequitable when they compare themselves with others. This view comes from a combination of their need to achieve with a generalised critical insight into the work of others (Myers & McCaulley, 1985).

Reinforcement theory (Thorndike, 1911), however, with its origins in the behavioural school of psychology, reinforces or suppresses behaviours using the consequences of reward and punishment without considering the individual. This system will by nature fail to work in the independent environment of many existing IT departments. The change in IT staff composition noted above may result in future changes to the fundamental nature of the IT department.

Williams (2002, pp 191–196) elaborates on the concept of fairness and equity concerning performance management decisions. He states that all performance evaluation systems must be transparent so that employees accept the processes and procedures used in the evaluation of their performance.

Schuler & Jackson (1999, p 271) note that problems will arise with many performance appraisal systems due to perceptions of fairness, and have noted that there is dubious support for appraisal ever having been shown to work. Equally, Mabey et al (1998, p 136) describe appraisal as a highly political process, with the parties involved pursuing their own power stratagems.

Individual Performance
Individual Performance is characteristically the focal point of a performance management system and is also the focus of many IT staff (Myers & McCaulley, 1985). Traditionally this involves staff being held responsible for the key result areas and outputs of their job description (Lane, 2004) where “Job descriptions are criticized as being inflexible, static, rigid definitions of responsibilities, and are probably inappropriate for turbulent work environments”.
Job descriptions of this style often ignore multi-skilling for teamwork and have led to an individualistic haven for IT staff seeking an independent view of the organisation.

IT staff often seek a clear notion of individual accountability (Myers & McCaulley, 1985). This allows them to enter into a performance agreement or performance contract which records the work to be done, results to be attained and the attributes (skills, knowledge and expertise), and the competencies required to achieve these results (Armstrong 1994, p 46) in a manner that answers the question asked by many INTJ personality types: How will I know I have achieved what I set out to do?

Performance agreements which concentrate on how to improve those things which are under the IT staffer’s control need to aim at delivering an improved product or service which is seen as being of value by the key stakeholders (Lane, 2004) in order to be effective within the organisation.

Team Performance
Sheard & Carbone (2004) noted the evolution of IT environments towards a composition of staff members with less independent and individualistic needs[5]. As the trend towards the normalisation of IT progresses into the mainstream, a more socially focused and team orientated model will develop. This model will ideally start with the team and move to eventually encompass the organisation as a whole.

Unfortunately, it is at the business unit level that individual performance appraisal systems often ignore the increasing use of teams in organisations (Lane 2004). Performance appraisal methods generally focus on individual endeavours rather than measuring and rewarding team performance.

Teams may examine their own functions, from their boundaries, leadership and range of skills to the methods they will utilise in managing their own fortunes and exertions. The team model requires continuous improvement in work progression in order to address its business unit plan.

The organisation as a whole
The organisational level may be seen as the natural progression of the move from an individualistic IT structure to a more team-focused one. From the stakeholder’s perspective, the organisational view makes sense as it concentrates on core strategic processes. However, employees will require adequate resources to achieve the organisational goals.
Most strategic plans struggle to make an impact on employee behaviour, probably because executive managers formulated the plan in isolation, during a residential strategic planning weekend.

Edwin Locke (1990) has been significant in demonstrating the impact of goals on work performance. He discovered that difficult challenging goals lead to higher performance than do easy goals, provided that the job holder accepts and is committed to the goals. Additionally, it is noted that specific goals lead to higher performance than do vague, general ‘do your best’ goals or no goals at all.

Applied to the organisation, goals need to be team orientated, challenging and specific. Most importantly they also need to be aligned with the requirements of both the business stakeholders and the employee. This is a difficult task that often falls back on an individual performance appraisal system without delivering the benefits it promises. In this it may be seen as a failure of the strategy used to promote these goals.

Strategy and Vision
Lane (2004) notes that strategic plans generally consist of:
  1. Vision (where we want to be)
  2. Mission (our purpose or reason for existence)
  3. Values (the principles that guide our behaviour, give us a sense of direction, which also helps us decide what is important and provide us with an ethical and moral foundation).
Key Result Areas (KRAs) of the organisation are used with performance indicators, strategies and tactics to measure individuals’ performance against the goals of the organisation. These objectives, KRAs and performance measures/indicators also contribute to departmental aims and objectives in achieving their strategic plan.

Mintzberg (1994) believes that strategic planning should more correctly be called strategic programming, as it is an analysis, articulation and elaboration of that which already exists. Mintzberg (p 52) points out that “in seeking to measure productivity we are basically concerned with the question of how well (how efficiently) available inputs are converted into outputs”.
Mintzberg disapproves of this type of strategic planning process and accuses it of being inflexible and analytical. Fitz-enz (1997), however, opposes this view and argues that there is insufficient analysis in the process, which rewards activity rather than analysis. Fitz-enz is appalled by management’s obsession with action over analysis.

Reviewing and Supporting Performance
O’Neill (1994, p 11) notes that “pay and benefit costs are the single largest operating expense for most service companies, and typically, the second or third highest expense category in manufacturing”. From this we see that “pay for performance” is designed to “promote a unitarist rather than a pluralist approach to employment” in rewarding the efforts of the individual over those of a collective bargaining base.

Stone (2002, p 450) defines merit pay as “any salary increase awarded to an employee based on their individual performance”, and this is supported by Williams (2002, p 194). As the nature of IT work is traditionally creative and individualistic, the nature of the work performed must be taken into account when developing a performance structure.

Pay by Merit
Merit pay is common in executive and management pay structures and is an approach to remuneration where the intention is to “develop a productive, efficient, effective organisation that enhances employee motivation and performance” (Hoevemeyer, 1989, p 64). Merit pay is becoming more common in IT as employees are being offered bonuses for successful completion of business projects.

Ivancevich (1995, p 309) asserts that pay by merit schemes do not reward accomplishment, as “employees fail to make the connection between pay and performance, other employees perceive the secrecy of the reward as inequity”. IT in particular, with a largely independent employee base, often suffers as these types of arrangement may:
  1. be seen as unfair;
  2. encourage employees to be risk averse; and
  3. increase distrust between staff and management.
It should also be noted that Brown & Walsh (1994, p 450) suggest that it is a flawed conjecture by management that pay is adequately appreciated as recompense and thus acts as a motivator for all employees.

Two-Factor Theory (Herzberg, 1959) classifies pay as a hygiene factor: it does not motivate the employee, but its absence can prevent motivators such as recognition, responsibility and advancement from taking effect.

There’s more than Money or Pay
Strategic human resources management is required to accurately determine an effective reward program. It involves the “measurement of productivity, performance appraisal, training, performance-related pay, profit-sharing and share ownership schemes, and job redesign, with a management philosophy that espouses teamwork, consultation, communications and information sharing” (Bamber, 1992, p 92).
During the late 1980s, in an attempt to contest the perceived divisions and to motivate staff, new remuneration arrangements were developed:
  • Performance based pay
  • Competency based pay
  • Broadbanding (moving a large number of employment grades with narrow salary bands into a structure with few broad grades using wide salary bands, [Stone, 2002, p 836])
  • Team based pay
  • Employee share/option or recognition schemes (O’Neill, 2003, p 196)
  • Value added packaging (including laptops and training plans)
In rewarding IT staff, alternatives to pay should be considered. Value added packaging is commonly used in rewarding IT staff.

Training in lieu of pay
“Training personnel to acquire knowledge, skills, and attitudes are an essential role for instructional systems design, and so is training that translates knowledge, skills and attitudes into effective performance” (Davies, 1994, p 111). Ghoshal & Bartlett (1995, p 89) attach the same importance to training systems as Davies.

Jackson (1995) criticises the competency movement for specifying performance goals in clear, precise, detailed and measurable terms. Training for IT workers should not just be seen as a means of improving performance. Training can be both reward and ambition to the Information Technology employee where training and associated development are a reward for a job well done.

The INTJ personality which still flourishes in the IT environment (Myers & McCaulley, 1985) can see this as a means to increasing their personal competency and thus find satisfaction. The values of “ensuring a job is done well” and innovation that they hold dear are supported by a program of training.

Conclusion
O’Neill (2003, p 196) comments: “if there is one global trend in the broad terms of employee rewards, it is in the growth of the idea of ‘Total Rewards.’ In effect this approach is aimed at providing a tailored and integrated approach encompassing direct remuneration, financial security and benefits, individual development, work environment and corporate image. Other labels used to capture the essence of this approach include ‘Employer of Choice.’”

In managing Information Technology staff it is essential to not forget that they are often individualistic and creative. As such any scheme to reward them has to take this into account. IT staff are sensitive to inequality and inequity. To best utilise their skills in an effective manner, IT staff need to be nurtured and developed using an approach that both rewards their efforts and encourages risk and creativity.

Acknowledgements
I would like to thank Dr. Richard Sappey of Charles Sturt University for his help.

Bibliography
1. Ainsworth, M. and Smith, N. 1993 “Making it happen: managing performance at work”. Sydney: Prentice Hall
2. Armstrong, M 1994 “Performance Management”. London: Kogan Page
3. Artley, Will; Ellison, DJ; Kennedy, Bill, 2001 “The Performance-Based Management Handbook, Volume 1 - Establishing and Maintaining a Performance-Based Management Program”, [The Performance-Based Management Special Interest Group (PBM SIG) is a U.S. Department of Energy (DOE)], September 2001
4. Banerjee, Debasish; Jones, Thomas W. and Cronan, Timothy Paul, 1996 “The association of demographic variables and ethical behaviour of information system personnel”, Industrial Management & Data Systems 96/3 [1996] 3–10 MCB University Press
5. Brache, A.P. and Rummler, G.A 1995 “Improving Performance”, 2nd edition, San Francisco: Jossey Bass
6. Carter, P. & Jackson, N. 2000 “Rethinking organisational behaviour.” UK: Financial Times and Prentice Hall
7. Cohen, W. M., and Levinthal, D.A. 1990, “Absorptive Capacity: A New perspective on Learning and Innovations,” Administrative Science Quarterly, 35:128-152.
8. Costello, S.J. 1994 “Effective performance management”. New York: Irwin
9. Davies, I.K. 1994, “Process re-design for enhanced human performance”. Performance Improvement Quarterly, 7 (3): 103-113
10. Dhillon, Gurpreet (ed), 2001, “Information Security Management: Global Challenges in the New Millennium” Idea Group Publishing, ISBN:1878289780
11. Dowling, P.J., Welsh, D.E. and Schuler, R.S. 1999 “International Human Resource Management: managing people in a multinational context”. 3rd edition. Cincinnati, OH: South Western
12. Ghoshal, S. & Bartlett, C.A. 1995 “Changing the role of top management: beyond structure to processes”. Harvard Business Review, January-February: 86-96
13. Harris, L. 1999 “Performance pay and performing for pay”. In J. Leopold, L, Harris, and T.Watson, “Strategic Human Resourcing: principles, perspectives, and practices”. UK: Financial Times Pitman publishing.
14. Herzberg, F., Mausner, B., Snyderman, B. 1959, “The motivation to work. 2nd edition”. New York: John Wiley and Sons
15. Hoevemeyer, V.A. 1989, “Performance based compensation: miracle or warfare?” Personnel Journal. 68(7) July p.64
16. Jackson, N. 1992; Chapter 7 “Training Needs: An Objective Science?”
17. Kirkpatrick, S. A., Locke, E. A. & Latham, G. P. 1991 “Using goal setting to improve performance”. King of Prussia, PA: Organisational Design & Development.
18. Kramer, R., McGraw, Paul Schuler, R. 1997 “Human Resource Management in Australia”. 3rd edition South Melbourne: Longman.
19. Lamberth, J., Rappaport, H., & Rappaport, M. 1978. “Personality: An introduction”. New York: Alfred A. Knopf.
20. Lane, David, 2004, “Foundations of HRM, Performance and Compensation Management”, Course Notes, University of SA
21. Lansbury, R.D. 1995, “Writing on Performance Appraisal: The Elusive Quest”. Melbourne: Pitman. Chapter 5, pages 123-141.
22. Lawler, E.E. 1995, “Organisational effectiveness: New realities and challenges”. San Francisco: Jossey Bass
23. Lee, C. 1996 “Performance appraisal: can we ‘manage’ away the curse?” Training: 44, 46-48, 50, 53, 55, 57, 59.
24. Locke, E. & Latham G. 1990 “A Theory of Goal Setting and Task Performance” Englewood Cliffs, NJ, Prentice Hall, USA
25. Locke, E. & Latham, G. 2002 “Building a practically useful theory of goal setting and task motivation: A 35-year odyssey.” American Psychologist, 57, 705-717.
26. Locke, E. A. & Latham, G. P. 1990(a) “Work motivation and satisfaction: Light at the end of the tunnel” Psychological Science, 1, 240-246.
27. Mabey, C.; Salaman, G.; Storey, J. 1998 “Human resource management: A strategic introduction”. (2nd Edition) Oxford: Blackwell.
28. McCaulley, M. H. 1980. “Introduction to the MBTI for researchers”. Gainesville, FL: Center for Application of Psychological Type.
29. Mead, Richard, 1998, ‘International Management, Cross-Cultural Dimensions‘, 2nd Edn, Blackwell Publishing, UK
30. Mintzberg, H. 1994 “The rise and fall of strategic planning”. New York: Free Press.
31. Myers, I. B. 1980. “Gifts differing”. Palo Alto, CA: Consulting Psychological Press.
32. Myers, I. B., & McCaulley, M. H. 1985. “Manual: A guide to the development and use of the Myers-Briggs Type Indicator” (2nd ed.). Palo Alto, CA: Consulting Psychological Press.
33. Myers, I. B., & Briggs, K. 1975. The Myers-Briggs type indicator (Form G). Palo Alto, CA: Consulting Psychologists Press
34. Nankervis, A and Leece, P. 1997; “Performance Appraisal: Two Steps Forward, One Step Back?” Asia Pacific Journal of Human Resources, 35(2), 80-92.
35. Nkamuhebwa, Willy; 2004 “Does a Training function help an organisation to meet its objectives? Assessment of the effectiveness and relevancy of training in the growth and Development of Community-Based Organisations in Uganda”. St Clements University, Doctor of Philosophy Research Dissertations, Matriculation Number: 2595
36. O’Brien, James A., 1999, ‘Management Information Systems, Managing Information Technology in the Internetworked Enterprise‘, 4th Edn, Irwin McGraw-Hill Ltd, US
37. O’Bryan, Bernard Burch and Pick, Roger Alan, 1995 “Keeping information systems staff (happy)”, Emerald - The International Journal of Career Management, Volume 7 · Number 2 · 1995 · 17–20
38. O’Dea, Angela & Flin, Rhona; 2003, “The role of managerial leadership in determining workplace safety outcomes” University of Aberdeen, Department of Psychology; Crown copyright 2003
39. O’Neill, G. & Kramar, R.1995 “Australian Human Resources Management”. Melbourne: Pitman. Chapter 5 pages 123-141.
40. Parker, S.K., Wall, T.D. 1996, “Job design and modern manufacturing”. In P. Warr (ed). Psychology at Work. 4th edition. Harmondsworth: Penguin
41. Rummler, G.A. and Brache, A.P. 1995 “Improving performance”. 2nd edition, San Francisco: Jossey Bass
42. Schuler, R.S. and Jackson, S.E. 1999, “Strategic Human Resource Management: A Reader”. London: Blackwell Publishers.
43. Sheard, Judy & Carbone, Angela, 2004 “From Informal to Formal: Creating the Australasian Computing Education Community”, Australian Computer Society, Inc. This paper appeared at the 6th Australasian Computing Education Conference (ACE2004), Dunedin. Conferences in Research and Practice in Information Technology, Vol. 30.
44. Steers, R.M. and Porter, L.W. 1991, “Reward Systems in organisations”. In R.M. Steers and L.W. Porter (ed). Motivation and Work Behaviour. 5th Edition. New York: McGraw Hill
45. Stone, Raymond .J. 2002 “Human Resource management”. 4th Edition Singapore: Wiley
46. Taylor, F.W. 1947 “Scientific management”. New York: Harper and Row
47. Toohey, S. 1995 “Competency based Management Education: What does it have to offer?” Asia Pacific Journal of Human Resources. 33, (2) 118-126.
48. Ulrich, D.1998, “Delivering Results: A New Mandate for Human Resource Professionals”, Boston:Harvard Business School Press
49. Vogt, G., & Holder, B. H. 1988. “Myers-Briggs type indicator personality characteristics of business teacher education majors”. NABTE Review, 15, 39-41.
50. Walters, M. (ed) 1995 “Introduction. The Performance management handbook”. London: Institute of Personnel and Development.
51. Warr, P. 1996, “Employee well being”. In P. Warr (ed). “Psychology at Work”. 4th edition, Harmondsworth: Penguin
52. Weade, R., & Gritzmacher, J. 1987. “Personality characteristics and curriculum design preferences of vocational home economics educators”. Journal of Vocational Education Research, 12(2), 1-18.
53. Williams, R.S. 2002, “Managing Employee Performance: Design and Implementation in Organisation”, 2nd, Thomson Learning.
54. Witana, Julie; Project Manager, MCI, 1997 “Developing Professional Management Skills; CPD MODULE 8, Reviewing Your Organisation”, The National Forum for Management Education and Development 1997.
55. Wood, R. E., & Locke, E.A. 1990 “Goal setting and strategy effects on complex tasks. B. Staw & L. Cummings (Eds.) Research in organisational behavior, Vol. 12, Greenwich, CT.: JAI Press.
56. Vroom, V.H. 1964, “Work and Motivation”. New York: John Wiley & Sons.
57. Zeisset, C. 1989. “Many ways to cut a pie”. Bulletin of Psychological Type, 12(1), 7, 22.

Web Sites
1. Hay/McBer 2000. "Research into teacher effectiveness: A model of teacher effectiveness. Report by Hay McBer to the Department for Education and Employment". Report prepared by Hay/McBer for the government of the United Kingdom. http://www.dfee.gov.uk/teachingreforms/mcber/
2. Team Technology 2005. "IT Management personality types". http://www.teamtechnology.co.uk/tt/t-articl/it-management.htm

[1] ENTJ, MBTI – Extroverted, Intuitive, Thinking and Judging
[2] ISTJ, MBTI – Introverted, Sensing, Thinking and Judging
[3] ESTJ, MBTI – Extroverted, Sensing, Thinking and Judging
[4] The percentage of IT workers of each personality type is likely to vary with the size of the IT department and the role. It is postulated that more INTJ-type IT workers would be found in smaller organisations where IT is a "one man band".
[5] It is likely that the composition of personality types in IT also varies across "generational divisions". Little quantitative data on this subject was found to be available in this study. Research into the personality compositions of early entrants, "Generation X" and "Gen Y" IT workers would be warranted.

Thursday, 10 April 2008

Data Protection

In December 2000, the Privacy Amendment (Private Sector) Act 2000[1] modified the Privacy Act[2] in Australia, extending it to many private sector organisations. The Australian legislation was updated to reflect the EU Directive[3] and is based on the Organisation for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The National Privacy Principles[4] (the NPPs) in the Privacy Act detail the methods that the private sector should use to "collect, use, keep secure and disclose personal information".[5]

These principles give individuals a statutory right to discover the extent of the information an organisation holds about them, and a further right to have incorrect information corrected. An ISP or ICH in Australia would be covered by the amended Privacy Act. The State and Territory privacy legislation also needs to be considered.[6] Likewise, an ISP or ICP in the UK would be covered under the principles laid out in European Union Directive 95/46/EC.
An ISP or ICH that hosts sites for other parties could be held liable if it fails to maintain a reasonable level of system security and a breach of that security leads to a compromise of an individual's private data.

Criminally, the UK has no legislation specifically focused on the dishonest acquisition of pure information[7]. The law holds that information is not property capable of being stolen, as was decided in Oxford v Moss[8], where a university student broke into the Examination Committee's premises, studied and made a copy of the exam paper and departed, leaving the original exam paper behind. The student's actions were held not to be theft[9].
Where improperly obtained credit card numbers are published on a website, facilitating fraudulent purchases using those card numbers, liability may exist if the intermediary operator knows or ought to have known of this activity. It is possible that the ISP or ICP could also be a secondary participant in the crime[10]. There is also the possibility of a charge of conspiracy, if the necessary agreement between the intermediary and subscriber could be demonstrated (for example, through a contract not to conduct standard checks).
Criminal liability may also arise where the subscriber of an ICP publishes passwords allowing unauthorised entry into a computer system. The intermediary may be liable for an offence under the Computer Misuse Act[11] that is committed using those passwords. The precise nature of any liability will depend on the facts of the case. If the intermediary had advertised to a category of persons who are expected to attack a computer system using the passwords made available on the web server, this could amount to incitement to commit an offence under the Computer Misuse Act[12]. To establish incitement, it must be demonstrated that the defendant knew or believed that the person incited had the required mens rea to commit the offence. As the mens rea for an offence under Section 1 of the Computer Misuse Act is simply that the defendant intends to gain access to a computer system and knows that such access is unauthorised, this should be a simple fact to establish.

Alternatively the intermediary could be charged with aiding, abetting, counselling or procuring commission of an offence. In all cases, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. There must be a causal link for procurement, aiding requires support but not consensus nor causation, while abetting and counselling necessitate consensus but not causation.

[1] This Act came into effect from 21 December 2001.
[2] Australia has an informational privacy regime at the federal level based on the Privacy Act 1988 which initially applied mainly to Commonwealth and ACT Government public sector agencies.
[3] European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[4] The National Privacy Principles are extracted from the compilation of Act No. 119 of 1988 as amended by Act No. 155 of 2000, prepared on 10 January 2001.
[5] The Australian Office of the Privacy Commissioner has released “INFORMATION SHEET 2 -2001 Preparing for 21 December 2001” which is available from http://www.privacy.gov.au/publications/IS2_01.doc
[6] See further, The Office of the Federal Privacy Commissioner, Privacy in Australia
[7] There have been a number of cases in the United States involving the publication of stolen proprietary information. For example, in United States v. Riggs and Neidorf, 741 F. Supp. 556 (N.D. Ill. 1990), the defendants had between them hacked into a Bell Telephone Company computer, obtained highly confidential information about that company's emergency telephone number system, and published it in a magazine. They were prosecuted under the 1986 Computer Fraud and Abuse Act, and also under federal statutes dealing with wire fraud and interstate transfer of stolen property.
[8] (1978) 68 Cr. App. R. 183
[9] In the UK, placing stolen Government confidential information on a bulletin board is likely to fall foul of the Official Secrets Act. However, catching the culprit is the main problem; the UK Government has been unable to prevent Sinn Fein putting information about police and army facilities and security on its Web page based in Texas.
[10] US cases involve Defense Department information (United States v. Morrison, 859 F.2d 151 (4th Cir. 1988)), law enforcement records (United States v. Girard (2nd Cir. 1979)), banking information (United States v. Cherif, 943 F.2d 692 (7th Cir. 1991)) and stock market information (Carpenter v. United States, 484 U.S. 19 (1987)). Besides these federal statutes, which only apply where there has been a transfer across State lines, a number of States have laws which make the theft of confidential information a crime.
[11] Computer Misuse Act (1990) UK
[12] In a case involving police radar detectors, it was held that advertising an article for sale, representing its virtue to be that it may be used to do an act which is an offence, is an incitement to commit that offence-even if the advertisement is accompanied by a warning that the act is an offence.

Wednesday, 9 April 2008

What is the PCI Anyway?

The Payment Card Industry Data Security Standard, or PCI DSS, lists 12 requirements that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The PCI Data Security Standard combines components of MasterCard's Site Data Protection (SDP) compliance program and Visa's Cardholder Information Security Program (CISP).
The standard requires that merchants:

  1. Install and maintain a working network firewall to protect credit card data from other networks, including the Internet.
  2. Keep security patches up to date on all systems involved with credit card data.
  3. Encrypt stored credit card data.
  4. Encrypt data sent across networks using acceptable methods.
  5. Use and regularly update anti-virus software.
  6. Restrict access to data by business "need to know."
  7. Assign a unique User ID to each person with computer access to data to provide accountability.
  8. Do not use vendor-supplied defaults for system accounts and passwords and other security parameters.
  9. Monitor and log access to data by unique User ID.
  10. Test security systems and processes.
  11. Implement and maintain a security policy and processes. This includes assigning responsibility within the organisation.
  12. Restrict physical access to cardholder information.

The PCI program applies not only to online merchants, but also to mail-order and telephone-order (MOTO) merchants, third-party processing agents, other "card-not-present" channels, and anyone who stores cardholder data on an electronic system.

Most small merchants will need to conduct an external vulnerability assessment to be compliant.

Why comply with these standards?
VISA argues that the program will provide merchants with a competitive edge. They point to consumer studies which show that customers would prefer to deal with merchants they feel safe with.

For the smaller merchants, this is basically a risk issue. These retailers need to weigh the cost of implementing control systems against the cost of doing business and, in particular, the cost of not complying.

How does this affect my business?
Many POS systems used by retailers store credit card information for up to a month for backup or settlement reasons. Under the PCI requirements, this stored information needs to be encrypted, and the keys used to encrypt it need to be protected separately from the data.
Retailers will need to review what data they capture and forward when they scan a credit card in store. Merchants who store card data for automated processing later will need to carefully review those systems and the controls around them.
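The first step of that review is finding out where card numbers actually sit. Below is an added example (not code from the original post or from the card schemes): a small cardholder-data discovery script in Python that can be run over POS backup or settlement exports to locate unencrypted PANs before deciding what to encrypt or purge. Candidate digit runs are filtered with the Luhn check so that transaction IDs and order numbers are not reported, and found PANs are reported masked (first six and last four digits only). The sample records are constructed for this example using the publicly known scheme test card numbers. The script goes slightly beyond the paragraph above in also flagging raw track 2 data, which the standard forbids storing at all after authorisation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# A candidate PAN is a run of 13-19 digits, optionally grouped with spaces or
# dashes, that is not part of a longer digit run (the lookarounds enforce that).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")

# Track 2 as written by a magstripe reader: ;PAN=YYMM<service code+discretionary>?
# Storing this after authorisation is prohibited outright, so it is a separate,
# more serious finding than a stored PAN.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")

# Constructed sample of a POS settlement/backup export (not real data).
# Lines 1-3 contain the well-known Visa, MasterCard and Amex test numbers;
# line 4 contains a 16-digit order number and an already-masked PAN.
SAMPLE_POS_BACKUP = """\
2008-04-09 09:12:31 TXN 20080409091231 AUTH OK AMT 45.90 PAN 4111111111111111 EXP 1512
2008-04-09 09:15:02 TXN 20080409091502 AUTH OK AMT 12.00 PAN 5500 0000 0000 0004 EXP 0910
2008-04-09 09:20:47 TXN 20080409092047 DECLINED AMT 99.00 RAW ;378282246310005=09101011000012345678?
2008-04-09 09:25:10 TXN 20080409092510 AUTH OK AMT 8.50 ORDER 1234567890123456 PAN 411111******1111 EXP 1512
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs in a string, with separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    line_no: int
    kind: str       # "track2" (sensitive authentication data) or "pan"
    masked: str     # never report the full number


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text records for stored track 2 data and clear-text PANs."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK2.finditer(line):
            findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        # Remove any track 2 matches so the PAN inside is not reported twice.
        rest = TRACK2.sub(" ", line)
        for pan in find_pans(rest):
            findings.append(Finding(n, "pan", mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_POS_BACKUP.splitlines()):
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
```

Run against the sample, the script reports lines 1 and 2 as clear-text PANs and line 3 as stored track 2 data; the order number on line 4 fails the Luhn check and the already-masked PAN is not a digit run, so that line is clean. The Luhn filter removes most false positives but not all (any digit run can pass by chance), so findings still need a human look; pointing the same function at file contents instead of `SAMPLE_POS_BACKUP` is the only change needed for a real export.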

For most small retailers, a quarterly external vulnerability assessment is a basic requirement. With the level of threats on the Internet these days, this can only be a good thing.
How can they make me comply?

The card companies are primarily pushing PCI through the acquirers, such as the banks. As the principal underwriters of the merchants, the banks and other acquirers are responsible for the fines and do not want to carry that liability. Many acquirers are therefore making PCI compliance part of their merchant agreements.

Tuesday, 8 April 2008

Electronic Conveyancing

The Law of Property (Miscellaneous Provisions) Act 1989[1] requires that contracts concerning real property be in writing and signed by the parties or their authorised agents. The Land Registration Act 2002[2] [LRA] (which replaced the Land Registration Act 1925) introduced changes allowing the introduction of electronic conveyancing. It created a framework designed to allow interests in registered land to be created electronically. Part 8 of the Act expressly deals with electronic conveyancing.

Section 91(1) provides that the section applies to a document in electronic form only if:
(a )the document effects a disposition falling within s 91(2); and
(b) the conditions in s 91(3) are met.
A disposition will fall within s 91(2) if it is:
(a) a disposition of a registered estate or charge, or
(b) a disposition of an interest which is the subject of a notice in the register, or
(c) a disposition which triggers the requirement of registration.
The conditions in s 91(3) are as follows:
(a) the document makes provision for the time and date when it takes effect,
(b) the document has the electronic signature of each person by whom it purports to be authenticated,
(c) each electronic signature is certified, and
(d) such other conditions as rules may provide are met.


In addition, s 91(10) expressly links the LRA to the Electronic Communications Act 2000 (the ECA):
"In this section, references to an electronic signature and to the certification of such a signature are to be read in accordance with section 7(2) and (3) of the Electronic Communications Act 2000 (c. 7)."

It was clear that the ECA by itself did not adequately cover the provisions needed to ensure that contracts for the purchase and conveyancing of land could be completed electronically. As a result, s 91(4) of the Land Registration Act had to provide that a document satisfying the above requirements is to be regarded as "in writing and signed by each individual, and sealed by each corporation, whose electronic signature it has", and the section further deems such a document to satisfy the formal requirements of a deed.

The parties to the deed need to ensure that the electronic document states the time and date on which it takes effect and is signed with the electronic signature of each party. Further, each electronic signature must be certified as the Land Registration Act requires. Where these conditions are met, the LRA effectively deems the electronic document to be in writing. The explanatory notes to the Land Registration Act state: "the section does not disapply the formal statutory or common law requirements relating to deeds and documents but deems compliance with them. When the section applies, the electronic document is therefore to be treated as being in writing, having been executed by each individual or corporation who has attached an electronic signature to it, and, where appropriate, as a deed"[3].

Logically, it follows from the provisions needed to implement the LRA that the ECA alone was not able to remove the uncertainty around electronic conveyancing satisfactorily. Again, this shows that although the ECA is a necessary step forward, it in itself was not capable of removing all uncertainty in electronic contracting.

[1] Law of Property (Miscellaneous Provisions) Act 1989 (c. 34)
[2] Statutory Instrument 2003 No. 2431, The Land Registration Act 2002 (Transitional Provisions) (No 2) Order 2003
[3] [LRA 91]

Monday, 7 April 2008

An interview

I have an interview with SANS online.

http://www.sans.edu/resources/securitylab/craig_wright_hero.php

I am happy with it.

An Introduction to Information Security

Data held on IT systems is valuable and critical to any organisation. We all rely on information systems to store and process information, so it is essential that we maintain information security.

The purpose of information security is to preserve:

  • Confidentiality - Data is only accessed by those with the right to view the data.
  • Integrity - Data can be relied upon to be accurate and processed correctly.
  • Availability - Data can be accessed when needed.

Sunday, 6 April 2008

Going Batty

The family came over this weekend. So here is my mother and her beau.
We had earlier found that things were a little batty.

This little guy found its way into the house.