Building Security in during Information Systems Development

There are many facets of managing security in information systems. Although there are prior studies that focus on how to build secure code from an architectural standpoint, an often overlooked aspect of security is the relationship between the systems development policies and procedures and the security of the systems developed. We focus on this relationship and draw from a general software quality model to provide a foundation for testing this relationship. This study discusses ideas that follow from prior research and develops a survey instrument for exploring the relationship between policies and procedures during systems development life cycle and the security quality of the system developed

Conceptualization and Measurement of the Capability Maturity Model (CMM): An Examination of Past Practices and Suggestions for Future Applications

The Capability Maturity Model (CMM) has obtained world-wide status as a premier process improvement framework. This influence has not gone unnoticed by the academic community who has utilized the CMM as a key construct representing a firm’s IT project management and development capabilities. However, an examination of the current state of research reveals no consensus on how to best operationalize CMM-based process capability; therefore, this study seeks to start a dialog in the academic community about how CMM-based process capability should be conceptualized and measured. While the results do suggest that CMM-based process capability is multidimensional, and that a process structure rather than a level structure may be the most appropriate; the main intent of this research is to call attention to the need for greater rigor in the measurement and conceptualization of CMM-based process capability in the academic literature. The hope is this research represents a first step in developing a fully refined and validated CMM-based process capability measure

Modelos de análisis de impacto aplicados a la gestión de riesgos en proyectos de desarrollo de software: una revisión sistemática de la literatura

El análisis de impacto aplicado a un proyecto de desarrollo de software permite determinar entre otros los factores o atributos que se ven afectados de manera positiva o negativa. Los valores de estos atributos como: tiempo, presupuesto y cronograma, entre otros, varían en el tiempo y deben ser controlados por el responsable del proyecto, sin embargo éstos no siempre se apoyan en la gestión de 1s de manera adecuada. El objetivo de este trabajo es identificar modelos de análisis de impacto aplicables para la gestión de riesgos en proyectos de desarrollo de software. Para este estudio se realizó una revisión sistemática de la literatura en bases de datos reconocidas. Se encontraron 1654 estudios primarios de análisis de impacto aplicados a proyectos de desarrollo de software y 17 artículos definiendo 21 modelos de análisis de impacto y 1 artículo de un marco comparativo entre algunos modelos existentes. A partir del análisis realizado de los estudios primarios se puede concluir que existen modelos de análisis de impacto que se han aplicado a proyectos de desarrollo de software en distintas fases y distintos aspectos. Sin embargo, ninguno de ellos aplicado a la gestión de riesgos en proyectos de desarrollo de software.Trabajo de investigació

An Integrative Model of Managing Software Security during Information Systems Development

This study investigates the critical relationship between organizational system development policies, procedures and processes and the resulting security quality of the systems developed. We draw from a general software quality model to provide a theoretical foundation for testing this relationship. We used paper-based survey as well as online surveys to collect data from software developers and project managers. Our results revealed a significant relationship between management support and security policies and development process control. We also found significant relationships between development-process control and security quality, attitude and security quality, and the interaction between value congruence and commitment to provide security skills development. Counter-intuitively, we did not find a significant relationship between either security policy and security quality or the interaction between security policy and its legitimacy as perceived by systems development personnel. The managerial implications of the study include the need to foster a climate of security skills development through training for system development personnel and also simultaneously find strategies to more closely align their values to the security goals of the organization. Additionally, providing management support to formulate guidelines for development process control can improve the security quality of the systems developed

Knowledge Transfer and Quality Practices in the Implementation of a Sourcing Capability Model

This study adopts a knowledge transfer framework to examine the implementation and assimilation of a process improvement program for outsourcing service providers. Our theoretical model identifies the factors affecting knowledge transfer during both the initial implementation stage and the subsequent stage of full assimilation of improved outsourcing processes into organizational practice. We evaluate our theoretical model using detailed archival data collected on the implementation of an outsourcing capability model in the offshore delivery center of a large service provider. Findings indicate that knowledge transfer characteristics affect the time to implement the improved processes in the delivery center, but do not significantly relate to the likelihood of full assimilation. We also find an unexpected curvilinear relationship between implementation time and assimilation success such that processes with very low or very high implementation times are more likely to be fully assimilated

Analysis of Resource-Sharing Decisions in Dyadic Collaborative Knowledge Creation: A Game-Theoretic Approach

Knowledge is an asset that can give an organization competitive edge. However, knowledge creation is an expensive activity. One of the reasons organizations form knowledge creation collaborations is to share resources that are needed to create knowledge. This dissertation models the dyadic collaborations as games between the partners and arrives at resource-sharing schemes for them. Specifically, the collaborations are modeled as two games- Stackelberg Leader-Follower game and Partnership game. The types of collaborations are distinguished based on the nature of the marginal return functions with respect to knowledge creation investments for each of the collaborating organizations. Three essays are presented and discussed. In Essay 1, collaborations between organizations characterized by decreasing marginal returns with respect to investments are modeled as a partnership game. In Essay 2, collaborations between organizations characterized by increasing marginal returns with respect to investments are modeled as a Stackelberg Leader-Follower game. In Essay 3, collaborations where the leader organization is characterized by decreasing marginal returns with respect to investment and the follower organization is characterized by increasing marginal returns with respect to investments are studied. The solutions for the game in terms of the participation rate, knowledge creation investments, and the system gain are presented for each essay. The results are analyzed and the observations are stated as propositions. The propositions provide guidelines for collaborating organizations to arrive at a resource-sharing scheme. Additionally, the results suggest conditions under which the potential partners collaborate specifically with respect to the participation rate and the system gain. The results of Essays 2 and 3 provide conditions for participation rate. The results of Essay 3 provide the conditions of expected system gain under which the follower organization will collaborate with a potential leader organization. The results have implications for several stages of the alliance management process such as partner selection, gauging the behavior of potential and current partners, and renegotiation of alliance terms

A model for sustainable operational excellence through knowledge management practices and continuous improvement principles

Integrating Knowledge Management maturity with associated Continuous Improvement efforts in order to remain competitive, is absent in most Operational Excellence initiatives. Furthermore, the intertwined relationship of Continuous Improvement and work development becomes a crucial focus area for organisations that wish to establish a continuously evolving management system consisting of core values, methodologies and tools with the aim of creating more satisfied customers with less resources. The old industrial paradigm that focused on labour, capital, materials, and energy viewed technology and knowledge as external influences on production. This framework is now being challenged and a new trend is emerging. This trend seeks to transform the old industrial system to that of a knowledge-based which one can lead to innovation and hence economic advantage. Continuous Improvement as a concept has roots in many other fields, including social-technical system design, human relations progress and the discussion surrounding ‘lean manufacturing’. This study will focus on Continuous Improvement as a noun, referring to on the outcome of the process of a stream of emergent innovations. The primary objective of the study is to create a model that will present an organisation with a three-layer knowledge reference process grid, which will align and depict the surrounding business knowledge functions, knowledge-enabling processes and knowledge-manipulating processes aiming for enabling Operational Excellence. This study promotes the theory that the cognitive domain layer, functional domain layer and resources layer of an organisation can be increasingly stimulated by focusing effort through Continuous Improvement routines towards the associated inter-organisational knowledge processes sustaining Operational Excellence. The proposed model is structured to review, compare, evaluate and integrate existing Knowledge Management practices of ii an organisation within the context of clear definitions for important concepts of Knowledge Management. Additionally the model provides an assessment instrument for evaluating the organisation’s Knowledge Management maturity level. The study concerns itself with two concepts towards business value creation which will lead to increased Operational Excellence. Firstly, the maturity of Knowledge Management processes, and secondly the level of the organisation wide process of focused and continuous incremental improvement namely, Continuous Improvement. A case study with PriceWaterhouseCoopers was concluded and an on-line Internet survey was used with a stratified sample from knowledge workers to test the factors from both a Knowledge Management and Continuous Improvement perspective. These factors were verified by means of a hypotheses network, describing in a structured and descriptive way, the importance of Knowledge Management and Continuous Improvement collectively on sustainable Operational Excellence as an integral development of Operational Excellence. With respect to Knowledge Management practices, the hypothesis network proposed at least three domains, which of knowledge generation, knowledge mobilisation and knowledge application as important input to the proposed process grid of knowledge development and associated layer elements. From a Continuous Improvement principles perspective it is apparent that elements from Continuous Improvement routines and Continuous Improvement characteristics are associated with the organisation Continuous Improvement ability. These findings are also a result of the deliberate design of processes, tools, structures and environments with the intent to increase, renew, share or improve the use of knowledge represented in any of the three elements for structural, human and social of intellectual capital. The proposed model combines the framework of the Boyd cycle as it is conceptualized as self-assessment activities, for it becomes possible to use them as basis of a self-assessment with sense making navigational properties across iii the proposed knowledge process grid for the model. The model will facilitate the concept of a three-layer knowledge reference process grid, which represents the main components of the knowledge processes within the cognitive domain layer, functional layer and resources layer of an organisation. The proposed model will deliver a single value that co-exists with the Knowledge Management maturity level and Continuous Improvement readiness index rating attained. Logical relationships to dynamic, evolving and flexible enabling Knowledge Management practices for each layer of the proposed three-layer knowledge reference process grid will be integrated as output of the proposed model. The research has limitations as Knowledge Management practices were measured using a subjective norm scale. It is suggested that a more comprehensive measure of Knowledge Management maturity processes may be needed to represent this construct. The complexity of the proposed model and the number of associated variables included in the results need further confirmation using possible multiple samples and additional measures of Knowledge Management maturity and Continuous Improvement readiness elements. The benefit of the proposed model as a practical Operational Excellence tool is to overcome the perceived gap of implementing Knowledge Management practices and Continuous Improvement principles collectively to deliver and sustain Operational Excellence