TEACHING CASE
Targeting Target with a 100 million dollar data breach
Federico Pigni¹ • Marcin Bartosiak² • Gabriele Piccoli³ • Blake Ives⁴
Published online: 16 November 2017
© Association for Information Technology Trust 2017
Abstract
In January 2014, the CEO of the renowned U.S. discount retailer Target wrote an open letter to its customers apologizing for the massive data breach the company experienced during the 2013 holiday season. Attackers were able to steal credit card data of 40 million customers and more were probably at risk. Share prices, profits, but above all reputation were all now at stake. How did it happen? What was really stolen? What happened to the data? How could Target win consumer confidence back? While the company managed the consequences of the attack, and operations were slowly back to normal, in the aftermath the data breach cost hundreds of millions of dollars. Customers, banks, and all the major payment card companies took legal action against Target. Some of these litigations remained unsettled 3 years later. The importance of the breach lies in its far broader consequences, rippling through the U.S. Congress, and raising consumer and industry awareness of cyber security. The case provides substantial data and information, allowing students to step into the shoes of Target executives as they seek answers to the above questions.
Keywords: Teaching case · Cyber security · Hacking · Data breach · Target · Information systems
Introduction
On January 13th and 14th, 2014, Greg Steinhafel, Chairman, President, and CEO of Target, published an open letter to customers (Steinhafel 2014) in The New York Times, The Wall Street Journal, USA Today, and The Washington Post, as well as in local papers of the firm’s 50 largest markets. In the letter, he apologized for the massive data breach his company experienced during the 2013 holiday season.
Target learned in mid-December that criminals
forced their way into our systems, gaining access to
guest credit and debit card information. As a part of
the ongoing forensic investigation, it was determined
last week that certain guest information, including
names, mailing addresses, phone numbers or email
addresses, was also taken.
I know this breach has had a real impact on you,
creating a great deal of confusion and frustration. I
share those feelings. You expect more from us and
deserve better. We want to earn back your trust and
confidence and ensure that we deliver the Target
experience you know and love.
The breach, announced to the public 6 days before
Christmas, included credit card data from 40 million
customers. It was later discovered that data for another
70 million customers were also at risk.
Federico Pigni
1 Grenoble Ecole de Management, 12, rue Pierre Sémard,
38000 Grenoble, France
2 Department of Economics and Management, University of
Pavia, Pavia, Italy
3 E.J. Ourso College of Business, Lo.
Business Ethics: The impact of technology (Rakesh Mehta)
The document summarizes the key events of the 2013 data breach at Target stores that exposed payment card and personal information of over 40 million customers. It details how the breach occurred from November to December 2013, was disclosed by Target on December 19th, and the ongoing investigations, lawsuits, costs, executive changes and settlements in the following years as a result of the massive data breach.
Target suffered a major cyber attack in late 2013 that compromised over 40 million payment card numbers and 70 million customer records. Hackers gained access to Target's systems by phishing an outside vendor of Target's and using those credentials to install malware on Target's point-of-sale systems. This attack resulted in significant financial and reputational damages for Target due to lost sales, lawsuits, and remediation costs. It highlighted the need for companies to properly secure and monitor their networks and outside vendors.
Interested in learning more about cyber security training.docx (vrickens)
The Home Depot data breach compromised over 56 million payment cards after malware was installed on over 7,500 POS terminals. Similar to the Target breach, stolen third-party credentials were used to access Home Depot's network and install RAM scraping malware on POS systems. Home Depot could have prevented the breach by implementing point-to-point encryption, properly configuring antivirus software, upgrading outdated operating systems, and segregating the payment network.
By David F. Larcker, Peter C. Reiss, and Brian Tayan
Stanford Closer Look Series, November 16, 2017
The board of directors is expected to ensure that management has identified and developed processes to mitigate risks facing the organization, including risks arising from data theft and the loss of information. Unfortunately, recent experience suggests that companies are not doing a sufficient job of securing this data. In this Closer Look, we examine the types of cyberattacks that occur and how companies respond to them.
We ask:
• What steps can the board take to prevent, monitor, and mitigate data theft?
• What data, metrics, and information should board members review to satisfy themselves that management has taken proper steps to minimize cyber risks?
• What qualifications should a board member have in order to constructively contribute to boardroom discussions on cybersecurity?
• How difficult is it to find board candidates with these skills?
Case in Point Inaction Caused Costly Hacking At Large Retailer.docx (cowinhelen)
Case in Point
Inaction Caused Costly Hacking At Large Retailer
November/December 2008
By Jon J. Lambiras, J.D., CFE, CPA
Hackers penetrated a large retailer's central database and stole at least 45 million credit card and debit card numbers along with 456,000 customers' personal information. Fraudulent charges approaching $100 million appeared around the world. The worst part? The company essentially rolled out the red carpet to the hackers by not installing industry-standard safeguards.
This article is excerpted and adapted from "Computer Fraud Casebook: The Bytes that Byte," edited by Joseph T. Wells, CFE, CPA, to be published in January, 2009 by John T. Wiley & Sons Inc.
According to nationwide news reports, hackers pointed a telescope-shaped antenna toward a U.S. retail store. A laptop computer helped decode data streaming through the air among handheld inventory management devices, cash registers, and store computers. From there, the hackers found their way into the company's central database at its headquarters more than 1,000 miles away. The hackers' entry point was an outdated wireless network connected to a computer system plagued with a host of data security shortfalls.
What followed was one of the biggest data-security breaches in history. At least 45 million credit card and debit card numbers were stolen, along with approximately 456,000 customers' driver's license, state, or military identification (personal ID) numbers with accompanying names and addresses. Many of the personal ID numbers were the same as the customers' Social Security numbers.
The hackers sold much of the stolen data on Web sites used to traffic stolen information. One cardholder's account experienced unauthorized transactions at a large discount store and at online vendors. Another account had $45,000 in fraudulent charges for gift cards. Fraudulent charges approaching $100 million surfaced throughout the United States and as far away as Mexico, Italy, Sweden, Thailand, China, Japan, and Australia.
At the heart of the data breach is RackCo, a major U.S. retailer. (All names have been changed in this article.) Parent company to a chain of several stores, there are collectively more than 2,000 retail locations throughout the United States. The business boasts $17 billion in annual sales worldwide.
At first blush, RackCo appears to be a helpless victim of a highly specialized gang of data thieves. But a closer look shows that, because of numerous violations of core data security standards, the company essentially invited the hackers in. As a result, the fraudsters methodically stole data from RackCo's computer system within a year and a half.
(I'm an attorney involved in litigation against RackCo. In light of my role in the litigation, this case study is limited, by necessity, to publicly available information. The data breach was high-profile, so there's much information in major national media. I don't attest to the accuracy of the information fro.
A Contextual Framework For Combating Identity Theft (Martha Brown)
Identity theft is a growing problem, with reported cases in the US rising 33% from 2002 to 2003. The framework proposes that there are four main stakeholders in combating identity theft: identity owners, identity issuers, identity checkers, and identity protectors. Each stakeholder plays a distinct role through prevention, detection, and legal prosecution activities, and they must collaborate for effective identity management. The framework provides a way to understand identity theft risks, develop solutions, and evaluate prevention and detection methods from multiple perspectives.
Identity theft remains a pernicious threat to consumers. While the federal government and private sector have done much to address this issue, it is important that legislators and regulators remain vigilant to protect consumers from this ever-evolving fraud.
Each year businesses around the globe are devastated by hackers stealing confidential information. These massive data breaches have resulted in billions of dollars in lost revenue over the past decade. Learn more about the real Cost of Hacking.
Part of the Rosetta series of communications studies, this article uses real-world case studies of fraud to look at how organizations have managed issues and crises. The article provides tools to help organizations more effectively manage these sorts of situations.
A summarized version of the 60 page Rule broken down by Kirk J. Nahra, a partner with Wiley Rein & Fielding LLP in Washington, D.C. He specializes in privacy and information security litigation and counseling for companies facing compliance obligations in these areas. He is the Chair of the firm’s Privacy Practice. He serves on the Board of Directors of the International Association of Privacy Professionals, and edits IAPP’s monthly newsletter, Privacy Officers Advisor. He is a Certified Information Privacy Professional, and is the Chair of the ABA Health Law Section’s Interest Group on eHealth, Privacy & Security.
Your Employees at Risk: The New, Dangerous Realities of Identity Theft (Elizabeth Dimit)
This document discusses the growing threat of identity theft and how employers can help protect employees. It notes that over 90% of passwords are hackable and criminals are increasingly organized in stealing and selling personal data online. Identity theft comes in many forms and can have serious financial and legal consequences for victims. As such, many employers are offering identity protection services as a benefit to help insulate employees from stress and costs associated with identity theft. The document recommends employers match the type of identity protection offered to the specific risks employees face, such as credit monitoring for financial data or healthcare monitoring for medical information. It then describes the features of one identity protection service called MyIDCare that provides comprehensive monitoring, concierge support services, and assistance recovering from
Cybercriminals will leverage various techniques in 2020 to steal consumers' personal and financial information, according to Experian's annual data breach industry forecast. These include using text messages ("smishing") disguised as fundraising initiatives to target online communities, hacking into unsecured public Wi-Fi networks using drones, and creating fake videos and audio ("deepfakes") to disrupt large enterprises and governments. Experian predicts identity theft will rise as cybercriminals exploit the growing use of mobile payments at venues like concerts and sporting events. Organizations must strengthen defenses against these evolving cyberthreats through employee training, security precautions, and rapid response planning.
This white paper discusses challenges that financial institutions face in managing enterprisewide fraud. It notes that fraud is increasing in volume and sophistication, targeting the fastest growing channels like online and mobile that are most vulnerable. Traditionally, fraud has been managed within business unit silos rather than taking an enterprisewide view. This allows fraudsters, who view the institution holistically, to exploit inconsistencies. The paper recommends analyzing patterns and perpetrators across the entire enterprise to better prevent, detect, and investigate fraud.
Technical development is what most people think of when they think of attackers. This aspect of hacking requires computer-savvy actors performing development activities that include research to find zero-day vulnerabilities, development of exploits for these vulnerabilities, and tools to automate the different pieces of a hack (bot-nets, data exfiltration, etc.).
The Business of Hacking - Business innovation meets the business of hacking (at MicroFocus Italy ❖✔)
Introduction
Attackers are sophisticated. They are organized. We hear these statements a lot but what
do they mean to us? What does it mean to our businesses? When we dig deeper into the
“business of hacking,” we see that the attackers have become almost corporate in their behavior.
Their business looks a lot like ours. Cyber criminals look to maximize their profits and minimize
risk. They have to compete on quality, customer service, price, reputation, and innovation. The
suppliers specialize in their market offerings. They have software development lifecycles and
are rapidly moving to Software as a Service (SaaS) offerings. Our businesses overlap in so many
ways that we should start to look at these attackers as competitors.
This paper will explore the business of hacking: the different ways people make money by
hacking, the motivations, the organization. It will break down the businesses’ profitability and
risk levels, and provide an overall SWOT analysis. From this, opportunities for disruption will be
discussed and a competitive approach for disrupting the business of hacking will be laid out.
The information in this paper draws on data and observations from HPE Security teams, open
source intelligence, and other industry reports as noted.
Whether building in enterprise security or applying security intelligence and advanced analytics,
we can use our understanding of the business of hacking and the threats to our specific
businesses to ensure that we are investing in the most effective security strategy.
Securing information in the New Digital Economy - Oracle Verizon WP (Philippe Boivineau)
Situation: A lucrative information black market has created a data breach epidemic. The perimeter security that most IT organizations depend on has become largely ineffective.
Why it matters: IT organizations devote almost 70% of security resources to perimeter security controls, but while the threats are external, the vulnerabilities exploited are mostly internal.
Call to Action: Securing the new digital economy means thinking security inside out and focusing more on data and internal controls.
The document summarizes a data breach at Target Corporation in which customer payment card data was stolen. It discusses how the network was compromised through malware installed on point-of-sale registers, and that credentials from an HVAC vendor were used to access Target's system. The breach could have been prevented through better compliance with security standards and use of EMV chip technology, which is more widely used internationally than in the US.
Data mining involves extracting and analyzing large amounts of data to find patterns. While it provides benefits to companies, some view it as an invasion of privacy. There is little regulation in the US on data mining. The government has broad powers to collect data under laws like the Patriot Act. Data breaches have compromised over 800 million records, revealing sensitive personal information. Retailers use data mining to target customers, while gamers mine data to learn about new game content. More regulation may be needed to protect personal privacy as data mining becomes more widespread.
Data breaches reached record levels in 2014, with over 5,000 incidents compromising an estimated 675 million records. Healthcare organizations experienced the most breaches at 42.5% of the total. Major breaches impacted Sony, J.P. Morgan, Home Depot, and eBay, compromising millions of customer records. The costs of data breaches for US companies averaged $201 per compromised record, with total costs increasing 15% on average. Looking ahead, healthcare breaches and threats to corporate intellectual property and trade secrets are expected to remain significant risks.
As more and more data is received by companies every second, it is vital for them to protect their customers at the highest level. Even the biggest tech giants, Google and Facebook, did not avoid failure.
But there is another field that receives tremendous amounts of very private information: hotels.
Let's discover how Marriott has overcome one of the biggest data 'leakages' in history.
Or hasn't it?
Cybercrime, Digital Investigation and Public Private Partnership by Francesca... (Tech and Law Center)
The document discusses cybercrime and digital investigation. It begins with defining cybercrime and listing its common forms. It then discusses the underground economy of cybercrime, describing how criminal networks operate similarly to legitimate businesses. Several specific cybercrimes are examined in depth, including malware, data theft, identity theft, phishing, and botnets. The document also profiles some case studies of major cybercriminal groups and hacking incidents to illustrate how crimes are committed. It aims to outline the scope and techniques of cybercrime threats.
The document discusses current trends in online payment fraud, including how fraudsters use increasingly sophisticated methods like malware, phishing, and stolen credit card numbers. It provides statistics on the scale of the online "shadow economy" and common fraud detection tools. The document recommends merchants strengthen protections by knowing their enemies' methods in order to help reduce fraud losses.
This document provides an overview of digital crimes and cybersecurity issues on a global scale. It discusses the large economic costs of digital crimes to nations and organizations, provides several case studies of significant cyber attacks and data breaches, and outlines types of digital crimes committed against governments, organizations, property, society, and individuals. The case studies illustrate how digital criminals have used viruses, spoofing, hacking, data theft, and other techniques to inflict major impacts. Overall, the document examines the changing nature of crimes in the digital age and some of the most serious cybersecurity incidents occurring worldwide.
Major data breaches in 2018 were often caused by vulnerabilities in third-party systems. Common third parties that led to breaches included cloud services, payment processors, JavaScript libraries, online tools, small suppliers, and transcription services. One breach exposed over 500 million Marriott guest records due to a pre-acquisition breach at Starwood, highlighting cyber risk in mergers and acquisitions.
In 2017, there were over 1,765 data breach incidents compromising over 2.6 billion records. The largest breaches stemmed from poor security practices and accidental data exposures, rather than external hacking attacks. Notable breaches included the Equifax breach of 147 million Americans' personal data due to unpatched vulnerabilities, and accidental exposures of personal data by Deep Root Analytics, River City Media, and Alteryx due to misconfigured cloud storage settings. Looking ahead, new regulations like the EU's GDPR have the potential to increase transparency around data breaches.
IBM X-Force Threat Intelligence Report 2016 (thinkASG)
Download the latest IBM X-Force Threat Intelligence Report
High-value breaches stole headlines as lackluster security fundamentals left organizations open to attack in 2015.
* The globalization of security incidents is shifting to targets like health-related PII and sensitive personal data
* The growing sophistication and organization of cybercrime rings are helping expand their reach
* New attack techniques like mobile overlay malware are evolving, while classics like DDoS and POS malware remain effective
Assignment 1 Dealing with Diversity in America from Reconstructi.docxdeanmtaylor1545
Assignment 1: Dealing with Diversity in America from Reconstruction through the 1920s
For History 105: Dr. Stansbury’s classes (6 pages here)
Due Week 3 and worth 120 points. The formal deadline is Monday at 9am Eastern time, Jan. 21. But, due to the King holiday, no late penalty will be imposed if submitted by the end of Jan. 22.
[NOTE ON ECREE: The university is adopting a tool, called ecree for doing writing assignments in many classes. We will be using the ecree program for doing our papers in this class. More instructions on this tool will be posted. You are welcome to type your paper in MS-Word as traditionally done—and then to upload that file to ecree to revise and finish it up. Or, as we suggest, you may type your paper directly into ecree. When using ecree, you should use CHROME as your browser. As posted: “Please note that ecree works best in Firefox and Chrome. Please do not use Internet Explorer or mobile devices when using ecree.”]
BACKGROUND FOR THE PAPER: After the Civil War, the United States had to recover from war, handle western expansion, and grapple with very new economic forms. However, its greatest issues would revolve around the legacies of slavery and increasing diversity in the decades after the Civil War. In the South, former slaves now had freedom and new opportunities but, despite the Reconstruction period, faced old prejudices and rapidly forming new barriers. Immigrants from Europe and Asia came in large numbers but then faced political and social restrictions. Women continued to seek rights. Yet, on the whole, America became increasingly diverse by the 1920s. Consider developments, policies, and laws in that period from 1865 to the 1920s. Examine the statement below and drawing from provided sources, present a paper with specific examples and arguments to demonstrate the validity of your position.
Topic and Thesis Statement—in which you can take a pro or con position:
· Political policies and movements in the period from 1865 to the 1920s generally promoted diversity and “the melting pot” despite the strong prejudices of a few. (or you can take the position that they did not). Use specific examples of policies or movements from different decades to support your position.
Please understand that Plagiarism will not be tolerated and will result in a zero grade.
Submission Requirements
Font: Times New Roman, size 12, double-space
Citation Style: APA
References: Please use citations and references where appropriate
No Plagiarism
Chapter 1: What Is an
Information System?
Learning Objectives
Upon successful completion of this chapter, you will be
able to:
• define what an information system is by identifying
its major components;
• describe the basic history of information systems;
and
• describe the basic argument behind the article
“Does IT Matter?” by Nicholas Carr.
Introduction
Welcome to the world of information systems, a world that seems to
change almost daily. Over the past few decades information systems
have progressed to being virtually everywhere, even to the point
where you may not realize its existence in many of your daily
activities. Stop and consider how you interface with various
components in information systems every day through different
Chapter 1: What Is an Information
System? | 9
electronic devices. Smartphones, laptop, and personal computers
connect us constantly to a variety of systems including messaging,
banking, online retailing, and academic resources, just to name a
few examples. Information systems are at the center of virtually
every organization, providing users with almost unlimited
resources.
Have you ever considered why businesses invest in technology?
Some purchase computer hardware and software because everyone
else has computers. Some even invest in the same hardware and
software as their business friends even though different technology
might be more appropriate for them. Finally, some businesses do
sufficient research before deciding what best fits their needs. As
you read through this book be sure to evaluate the contents of each
chapter based on how you might someday apply what you have
learned to strengthen the position of the business you work for, or
maybe even your own business. Wise decisions can result in stability
and growth for your future enterprise.
Information systems surround you almost every day. Wi-fi
networks on your university campus, database search services in
the learning resource center, and printers in computer labs are
good examples. Every time you go shopping you are interacting
with an information system that manages inventory and sales. Even
driving to school or work results in an interaction with the
transportation information system, impacting traffic lights,
cameras, etc. V.
ASSIGNMENT 1TASK FORCE COMMITTEE REPORTISSUE AND SOLUTI.docxdeanmtaylor1545
The document provides instructions for an assignment to analyze an organizational issue and propose solutions as the leader of a task force committee. Students are asked to: 1) Describe the selected organization and issue affecting productivity; 2) Analyze how the current corporate culture contributed to the issue; 3) Identify areas of weakness in the organization; 4) Propose modifications to practices and solutions to resolve the issue; and 5) Prepare a one-page executive summary of recommendations. The assignment aims to expose students to modern organizational challenges and develop solutions reflecting their learning.
Assignment 1Select one of these three philosophers (Rousseau, Lo.docxdeanmtaylor1545
This document contains instructions for 5 separate assignments related to ethics, diversity, and organizational culture. Assignment 1 asks students to analyze differences between ideas of philosophers like Rousseau, Locke and Hobbes and modern democracies. Assignment 2 involves responding to inappropriate workplace comments and discussing ethical and legal implications. Assignment 3 has students analyze alternatives and implications related to a case study on discrimination. Assignment 4 examines organizational culture and inclusion at Sherwood Manufacturing. Assignment 5 is researching diversity at different organizations and comparing their cultures.
Assignment 1Scenario 1You are developing a Windows auditing pl.docxdeanmtaylor1545
Assignment 1
Scenario 1
You are developing a Windows auditing plan and need to determine which log files to capture and review. You are considering log files that record access to sensitive resources. You know that auditing too many events for too many objects can cause computers to run more slowly and consume more disk space to store the audit log file entries.
Answer the following question(s): (2 References)
If computer performance and disk space were not a concern, what is another reason for not tracking audit information for all events?
Scenario 2
Assume you are a security professional. You are determining which of the following backup strategies will provide the best protection against data loss, whether from disk failure or natural disaster:
· Daily full server backups with hourly incremental backups
· Redundant array of independent disks (RAID) with periodic full backups
· Replicated databases and folders on high-availability alternate servers
Answer the following question(s): (2 References)
Which backup strategy would you adopt? Why?
Assignment 1 Submission Requirements
Format: Microsoft Word (or compatible)
Font: Arial, size 12, double-space
Citation Style: APA
Length: At least 350 words for each question
References: At least 2 credible scholarly references for each question
No plagiarism
Assignment 2: Security Audit Procedure Guide
Scenario
Always Fresh wants to ensure its computers comply with a standard security baseline and are regularly scanned for vulnerabilities. You choose to use the Microsoft Security Compliance Toolkit to assess the basic security for all of your Windows computers and use OpenVAS to perform vulnerability scans.
Tasks
Develop a procedure guide to ensure that a computer adheres to a standard security baseline and has no known vulnerabilities.
For each application, fill in details for the following general steps:
1. Acquire and install the application.
2. Scan computers.
3. Review scan results.
4. Identify issues you need to address.
5. Document the steps to address each issue.
Assignment 2 Submission Requirements
Format: Microsoft Word (or compatible)
Font: Arial, size 12, double-space
Citation Style: APA
Length: At least 3 pages
References: At least 4 credible scholarly references
No plagiarism
Assignment 3: System Restoration Procedure Guide
Scenario
One of the security improvements at Always Fresh is setting up a system recovery procedure for each type of computer. These procedures will guide administrators in recovering a failed computer to a condition as near to the point of failure as possible. The goal is to minimize both downtime and data loss.
You have already implemented the following backup strategies for workstation computers:
· All desktop workstations were originally installed from a single image for Always Fresh standard workstations. The base image is updated with all patches and new software installed on live workstations.
· Desktop workstation computers execute a cloud backup eve.
Assignment 1Research by finding an article or case study discus.docxdeanmtaylor1545
A
ssignment 1:
Research by finding an article or case study discussing ONE of the following laws or legal issues as it relates to computer forensics:
1) Electronic Communications Privacy Act (ECPA)
2) Cable Communications Privacy Act (CCOA)
3) Privacy Protection Act (PPA)
4) USA Patriot Act of 2001
5) Search and seizure requirements of the Fourth Amendment
6) Legal right to search the computer media
7) Legal right to remove the computer media from the scene
8) Availability of privileged material on the computer media for examination
Using at least 500 words - summarize the the article you have chosen. You will be graded on Content/Subject Knowledge, Critical Thinking Skills, Organization of Ideas, and Writing Conventions.
.
Assignment 1Positioning Statement and MottoUse the pro.docxdeanmtaylor1545
Assignment 1
Positioning Statement and Motto
Use the provided information, as well as your own research, to assess one (1) of the stated brands (Alfa Romeo Hewlett Packard, Subway, or Sony) by completing the questions below. At the end of the worksheet, be sure to develop a new positioning statement and motto for the brand you selected. Submit the completed template in the Week 4 assignment submission link.
Name:
Professor’s Name:
Course Title:
Date:
Company/Brand Selected (Alfa Romeo Hewlett Packard, Subway, or Sony):
1. Target Customers/Users
Who are the target customers for the company/brand? Make sure you tell why you selected each item that you did. (NOTE: DO NOT say “ANY, ALL, EVERYONE” you cannot target everyone, you must be specific)
Age Bracket: [Insert response]
Gender: [Insert response]
Income Bracket: [Insert response]
Education Level: [Insert response]
Lifestyle: [Insert response]
Psychographics (Interest, Hobbies, Past-times): [Insert response]
Values (What the customer values overall in life): [Insert response]
Other items you would segment up on: [Insert response]
How does the company currently reach its customers/users? What methods and media does the company use to currently reach the customers/users? What methods and media should the company use to currently reach the customers/users?
[Insert response]
What would grab the customers/users’ attention? Why do you think this will capture their attention?
[Insert response]
What do these target customers’ value from the business and its products? Why do you think they value these items?
[Insert response]
2. Competitors
Who are the brand’s competitors? Provide at least 3 competitors and tell why you selected each competitor.
Competitor 1: [Insert response]
Competitor 2: [Insert response]
Competitor 3: [Insert response]
What product category does the brand fit into? Why have you placed this brand into the product category that you did?
[Insert response]
What frame of reference (frame of mind) will customers use in making a choice to use/purchase this brand/service? What other brands/companies might customers compare this brand to (other than the top three identified above)?
[Insert response]
3. USP (Unique Selling Proposition) Creation
What is the brand’s uniqueness? Why do you think this is a key uniqueness for this business?
[Insert response]
What is the competitive advantage of the brand? How is it different from other competing brands? Why do you consider this a competitive advantage?
[Insert response]
What attributes or benefits does the brand have that dominate competitors? Why do you think they dominate?
[Insert response]
How is this brand/company better than its competitors? What is the brand’s USP (Unique Selling Proposition? Why have you decided upon this USP?
Unique Selling Proposition: [Insert response]
Defense of USP: [Insert response]
4. Positioning Statement & Motto
Develop a new positioning statement and motto for the brand you selected. Below is an.
ASSIGNMENT 1Hearing Versus ListeningDescribe how you le.docxdeanmtaylor1545
ASSIGNMENT 1:
Hearing Versus Listening
Describe how you learned how to listen! Please use between 300-500 words to make a complete description of this learned behavior. Did you learn to listen properly? Do you still listen the same way that you were taught as a child? Why or why not?
“Doctor Aunt”
by Eden, Janine and Jim.
CC-BY
.
A mother takes her four-year-old to the pediatrician reporting she’s worried about the girl’s hearing. The doctor runs through a battery of tests, checks in the girl’s ears to be sure everything looks good, and makes notes in the child’s folder. Then, she takes the mother by the arm. They move together to the far end of the room, behind the girl. The doctor whispers in a low voice to the concerned parent: “Everything looks fine. But, she’s been through a lot of tests today. You might want to take her for ice cream after this as a reward.” The daughter jerks her head around, a huge grin on her face, “Oh, please, Mommy! I love ice cream!” The doctor, speaking now at a regular volume, reports, “As I said, I don’t think there’s any problem with her hearing, but she may not always be choosing to listen.”
Hearing
is something most everyone does without even trying. It is a physiological response to sound waves moving through the air at up to 760 miles per hour. First, we receive the sound in our ears. The wave of sound causes our eardrums to vibrate, which engages our brain to begin processing. The sound is then transformed into nerve impulses so that we can perceive the sound in our brains. Our auditory cortex recognizes a sound has been heard and begins to process the sound by matching it to previously encountered sounds in a process known as
auditory association
.
[1]
Hearing has kept our species alive for centuries. When you are asleep but wake in a panic having heard a noise downstairs, an age-old self-preservation response is kicking in. You were asleep. You weren’t listening for the noise—unless perhaps you are a parent of a teenager out past curfew—but you hear it. Hearing is unintentional, whereas
listening
(by contrast) requires you to pay conscious attention. Our bodies hear, but we need to employ intentional effort to actually listen.
“Hearing Mechanics”
by Zina Deretsky. Public domain.
We regularly engage in several different types of listening. When we are tuning our attention to a song we like, or a poetry reading, or actors in a play, or sitcom antics on television, we are listening for pleasure, also known as
appreciative listening
. When we are listening to a friend or family member, building our relationship with another through offering support and showing empathy for her feelings in the situation she is discussing, we are engaged in
relational listening
. Therapists, counselors, and conflict mediators are trained in another level known as
empathetic or therapeutic listening
. When we are at a political event, attending a debate, or enduring a salesperson touting the benefits of vario.
assignment 1
Essay: Nuclear Proliferation
The proliferation of nuclear weapons is closely monitored by the international community. While the international community formally recognizes only five nuclear powers - the United States, Russia, China, France, and the United Kingdom - it is widely acknowledged that at least four others (India, Israel, North Korea, and Pakistan) currently possess nuclear weapons and one other (Iran) is attempting to develop nuclear weapons capabilities.
Describe the current international regime governing the development of nuclear weapons, including the major agreements and treaties controlling nuclear technology. Explain why the international community generally seeks to prevent the proliferation of nuclear weapons. (500-750 words)
assignment 2
World military spending is nearly $2 trillion every year. If you could redirect these funds, how would you use them? Would such uses be better or worse for the states involved? Do you think there is a realistic chance of redirecting military spending in the way you suggest? (150 words minimum)
assignment 3
Human Rights: A Hollow Promise to the World?
( one paragraph )
.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Diana Rendina
Librarians are leading the way in creating future-ready citizens – now we need to update our spaces to match. In this session, attendees will get inspiration for transforming their library spaces. You’ll learn how to survey students and patrons, create a focus group, and use design thinking to brainstorm ideas for your space. We’ll discuss budget friendly ways to change your space as well as how to find funding. No matter where you’re at, you’ll find ideas for reimagining your space in this session.
This presentation was provided by Steph Pollock of The American Psychological Association’s Journals Program, and Damita Snow, of The American Society of Civil Engineers (ASCE), for the initial session of NISO's 2024 Training Series "DEIA in the Scholarly Landscape." Session One: 'Setting Expectations: a DEIA Primer,' was held June 6, 2024.
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing like infection, hyperpigmentation of scar, contractures, and keloid formation.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...PECB
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.
Chapter wise All Notes of First year Basic Civil Engineering.pptxDenish Jangid
Chapter wise All Notes of First year Basic Civil Engineering
Syllabus
Chapter-1
Introduction to objective, scope and outcome the subject
Chapter 2
Introduction: Scope and Specialization of Civil Engineering, Role of civil Engineer in Society, Impact of infrastructural development on economy of country.
Chapter 3
Surveying: Object Principles & Types of Surveying; Site Plans, Plans & Maps; Scales & Unit of different Measurements.
Linear Measurements: Instruments used. Linear Measurement by Tape, Ranging out Survey Lines and overcoming Obstructions; Measurements on sloping ground; Tape corrections, conventional symbols. Angular Measurements: Instruments used; Introduction to Compass Surveying, Bearings and Longitude & Latitude of a Line, Introduction to total station.
Levelling: Instrument used Object of levelling, Methods of levelling in brief, and Contour maps.
Chapter 4
Buildings: Selection of site for Buildings, Layout of Building Plan, Types of buildings, Plinth area, carpet area, floor space index, Introduction to building byelaws, concept of sun light & ventilation. Components of Buildings & their functions, Basic concept of R.C.C., Introduction to types of foundation
Chapter 5
Transportation: Introduction to Transportation Engineering; Traffic and Road Safety: Types and Characteristics of Various Modes of Transportation; Various Road Traffic Signs, Causes of Accidents and Road Safety Measures.
Chapter 6
Environmental Engineering: Environmental Pollution, Environmental Acts and Regulations, Functional Concepts of Ecology, Basics of Species, Biodiversity, Ecosystem, Hydrological Cycle; Chemical Cycles: Carbon, Nitrogen & Phosphorus; Energy Flow in Ecosystems.
Water Pollution: Water Quality standards, Introduction to Treatment & Disposal of Waste Water. Reuse and Saving of Water, Rain Water Harvesting. Solid Waste Management: Classification of Solid Waste, Collection, Transportation and Disposal of Solid. Recycling of Solid Waste: Energy Recovery, Sanitary Landfill, On-Site Sanitation. Air & Noise Pollution: Primary and Secondary air pollutants, Harmful effects of Air Pollution, Control of Air Pollution. . Noise Pollution Harmful Effects of noise pollution, control of noise pollution, Global warming & Climate Change, Ozone depletion, Greenhouse effect
Text Books:
1. Palancharmy, Basic Civil Engineering, McGraw Hill publishers.
2. Satheesh Gopi, Basic Civil Engineering, Pearson Publishers.
3. Ketki Rangwala Dalal, Essentials of Civil Engineering, Charotar Publishing House.
4. BCP, Surveying volume 1
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
How to Manage Your Lost Opportunities in Odoo 17 CRMCeline George
Odoo 17 CRM allows us to track why we lose sales opportunities with "Lost Reasons." This helps analyze our sales process and identify areas for improvement. Here's how to configure lost reasons in Odoo 17 CRM
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
TEACHING CASETargeting Target with a 100 million dollar da.docx
TEACHING CASE
Targeting Target with a 100 million dollar data breach
Federico Pigni1 • Marcin Bartosiak2 • Gabriele Piccoli3 • Blake
Ives4
Published online: 16 November 2017
© Association for Information Technology Trust 2017
Abstract In January 2014, the CEO of the renowned U.S.
discount retailer Target wrote an open letter to its cus-
tomers apologizing for the massive data breach the com-
pany experienced during the 2013 holiday season.
Attackers were able to steal credit card data of 40 million
customers and more were probably at risk. Share prices,
profits, but above all reputation were all now at stake. How
did it happen? What was really stolen? What happened to
the data? How could Target win consumer confidence
back? While the company managed the consequences of
the attack, and operations were slowly back to normal, in
the aftermath the data breach cost hundreds of millions of
dollars. Customers, banks, and all the major payment card
companies took legal action against Target. Some of these
litigations remained unsettled 3 years later. The importance
of the breach lies in its far broader consequences, rippling
through the U.S. Congress, and raising consumer and
industry awareness on cyber security. The case provides
substantial data and information, allowing students to step
into the shoes of Target executives as they seek answers to
the above questions.
Keywords Teaching case · Cyber security · Hacking ·
Data breach · Target · Information systems
Introduction
On January 13th and 14th, 2014, Greg Steinhafel, Chair-
man, President, and CEO of Target, published an open
letter to customers (Steinhafel 2014) in The New York
Times, The Wall Street Journal, USA Today, and The
Washington Post, as well as in local papers of the firm’s 50
largest markets. In the letter, he apologized for the massive
data breach his company experienced during the 2013
holiday season.
Target learned in mid-December that criminals
forced their way into our systems, gaining access to
guest credit and debit card information. As a part of
the ongoing forensic investigation, it was determined
last week that certain guest information, including
names, mailing addresses, phone numbers or email
addresses, was also taken.
I know this breach has had a real impact on you,
creating a great deal of confusion and frustration. I
share those feelings. You expect more from us and
deserve better. We want to earn back your trust and
confidence and ensure that we deliver the Target
experience you know and love.
The breach, announced to the public 6 days before
Christmas, included credit card data from 40 million
customers. It was later discovered that data for another
70 million customers were also at risk.
Federico Pigni
1 Grenoble Ecole de Management, 12, rue Pierre Sémard,
38000 Grenoble, France
2 Department of Economics and Management, University of
Pavia, Pavia, Italy
3 E.J. Ourso College of Business, Louisiana State University,
Baton Rouge, LA, USA
4 C.T. Bauer School of Business, University of Houston,
Houston, TX, USA
J Info Technol Teach Cases (2018) 8:9–23
DOI 10.1057/s41266-017-0028-0
Target Inc.
Target’s chain of discount stores sold low-cost clothing,
items for the home, and—in some stores—groceries. Major
competitors in the U.S. included Walmart, Kmart, CostCo,
Kohl’s, J.C. Penney and, in Target’s still small but growing
online segment, Amazon. The first Target store, a low-cost
subsidiary of the department store chain Dayton Hudson,
opened in 1962; by December of 2014, Target’s 366,000
employees staffed a network of nearly 2000 stores located
in the U.S. (1801) and Canada (133). Target’s stores also
included larger SuperTarget stores, smaller CityTarget
stores, and still smaller Target Express stores. In 2014,
Target reported revenues of USD 73 billion.
Headquartered in Minneapolis, Target differentiated
itself from low-cost competitors by offering Target brands,
exclusive deals with other brands, quality and trendy
goods, as well as fashion items from well-known design-
ers—all at modest prices; Fortune magazine characterized
Target’s merchandising focus as “Cheap and Chic” (Wahba
2014).
The breach
Target announced the data breach (see Exhibit 1), one day
after an independent reporter and investigator of Internet
security, Brian Krebs, broke the story on his blog:
…Target is investigating a data breach potentially
involving millions of customer credit and debit card
records… According to sources at two different top
10 credit card issuers, the breach extends to nearly all
Target locations nationwide, and involves the theft of
data stored on the magnetic stripe of cards used at the
stores (Krebs 2013).
For several days prior to Krebs’s posting, banks had
witnessed an uptick in illegal card activity, with a
disproportionate number of those transactions traceable to
card numbers recently used by Target customers. The
banks notified the Federal Bureau of Investigation (FBI).
The U.S. Department of Justice (DOJ) alerted Target on the
evening of December 12th. The following day, DOJ and
U.S. Secret Service personnel met with Target executives.
By December 15th, outside experts, hired by Target, helped
to discover and remove malware in Target’s point-of-sale
(POS) terminals and on several of the company’s servers.
On December 16th, Target notified banks and payment
processors (e.g., Visa) that it had been breached.
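The banks' observation above, that fraud-reported cards traced back disproportionately to one retailer, is what card issuers call common-point-of-purchase analysis. The sketch below is an added example, not part of the original case: the card ids, merchant names and thresholds are constructed, and the hypergeometric test is one reasonable way to score the overlap, not the method the banks are reported to have used.

```python
"""Common-point-of-purchase (CPP) analysis over constructed sample data."""
from collections import Counter
from math import comb
from typing import NamedTuple

# Constructed sample: card id -> merchants where the card was recently used.
CARD_HISTORY = {
    "c01": ["RETAILER_A", "GROCER_B"],
    "c02": ["RETAILER_A", "FUEL_C"],
    "c03": ["RETAILER_A", "GROCER_B", "FUEL_C"],
    "c04": ["RETAILER_A", "ONLINE_D"],
    "c05": ["RETAILER_A"],
    "c06": ["GROCER_B", "FUEL_C"],
    "c07": ["GROCER_B", "ONLINE_D"],
    "c08": ["GROCER_B"],
    "c09": ["FUEL_C", "ONLINE_D"],
    "c10": ["GROCER_B", "FUEL_C"],
    "c11": ["ONLINE_D", "GROCER_B"],
    "c12": ["FUEL_C"],
}
# Constructed sample: cards whose holders or issuers reported fraud.
# "c99" has no history on file and must be ignored, not crash the analysis.
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c07", "c99"}


class Suspect(NamedTuple):
    merchant: str
    fraud_cards: int   # fraud-reported cards that were used at this merchant
    cards_seen: int    # all cards that were used at this merchant
    lift: float        # share among fraud cards / share among all cards
    p_value: float     # chance of an overlap at least this large by luck


def hypergeom_tail(total, at_merchant, n_fraud, k_min):
    """P(X >= k_min) when n_fraud cards are drawn at random from `total`
    cards, of which `at_merchant` were used at the merchant."""
    top = min(at_merchant, n_fraud)
    hits = sum(comb(at_merchant, k) * comb(total - at_merchant, n_fraud - k)
               for k in range(k_min, top + 1))
    return hits / comb(total, n_fraud)


def common_point_of_purchase(history, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how over-represented they are among fraud cards."""
    known_fraud = {c for c in fraud_cards if c in history}
    if not known_fraud:
        return []
    seen, seen_fraud = Counter(), Counter()
    for card, merchants in history.items():
        for merchant in set(merchants):          # count each card once
            seen[merchant] += 1
            if card in known_fraud:
                seen_fraud[merchant] += 1
    total, n_fraud = len(history), len(known_fraud)
    suspects = []
    for merchant, hits in seen_fraud.items():
        if hits < min_fraud_cards:               # too few cards to judge
            continue
        lift = (hits / n_fraud) / (seen[merchant] / total)
        p = hypergeom_tail(total, seen[merchant], n_fraud, hits)
        suspects.append(Suspect(merchant, hits, seen[merchant], lift, p))
    return sorted(suspects, key=lambda s: (s.p_value, -s.lift))


def flag(history, fraud_cards, alpha=0.05):
    """Merchants whose overlap with fraud cards is unlikely to be chance."""
    return [s.merchant for s in common_point_of_purchase(history, fraud_cards)
            if s.p_value < alpha]


if __name__ == "__main__":
    for s in common_point_of_purchase(CARD_HISTORY, FRAUD_CARDS):
        print(f"{s.merchant}: {s.fraud_cards}/{s.cards_seen} cards, "
              f"lift {s.lift:.2f}, p={s.p_value:.4f}")
```

A popular merchant appears on many fraud cards simply because it appears on many cards, which is why the ranking uses lift and a tail probability rather than the raw count.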
From November 27th onwards, debit and credit trans-
actions from Target’s U.S. stores’ point-of-sale checkout
terminals had been compromised and customer data stolen.
By December 15th, the hemorrhaging had slowed to a
trickle, and by the 18th was stopped. By then the data
contained on magnetic stripes of 40 million debit and
credit cards had been copied and, through a circuitous
route, transmitted to a server in Russia. Almost immedi-
ately, customer credit card data surfaced on the black
market at Internet “card shops.”
On December 27th, Target announced that encrypted
personal identification number (PIN) data from some cards
had also been scraped. Then, on January 10th, 2014, Target
reported that non-financial data from as many as 70 million
additional customers had also been stolen from Target
servers; included were names, addresses, phone numbers,
and email addresses. Because of duplicates between the
two sets of data, the total number of customers affected
was approximately 100 million.
Data breaches
The Identity Theft Resource Center (ITRC) defines a data
breach as (ITRC 2015, p. 2):
An incident in which an individual name plus a
Social Security number, driver’s license number,
medical record or financial record (credit/debit cards
included) is potentially put at risk because of
exposure.
Data breaches were classified in several ways. Breaches
could be criminal or accidental, carried out by insiders or
outsiders, computer-based or manual. The external, com-
puter-based, criminal variety often involved changes to, or
tapping into, the network, computer, or terminal hardware
(called skimming). For instance, fake ATM fronts or card
readers were surreptitiously attached to ATM machines; or,
for as little as USD 1000 an ATM could be acquired and set
up as a honey pot for capturing unencrypted data from
legitimate cards (Satanovsky 2011). An alternative
approach, called RAM or Memory Scraping (Zetter
2014), required the use of software tools, either malware
or legitimate software employed in an illegitimate manner
on customer facing devices including ATMs, POS, or even
consumers’ own computers or phones. Scraping, unlike
skimming, required no physical access; it could be carried
out from anywhere in the world, thus lowering the risk to
the perpetrator, while presenting still greater exposure to
the victims.
The Target data breach was but one of an increasingly
common phenomenon. One compilation (ITRC 2015)
identified 781 breaches in the U.S. that exposed 169 mil-
lion records in 2015, a significant increase from 498
reported breaches and 22 million records reported six years
earlier (Fig. 1). In ten years, the ITRC had identified over
6000 breaches exposing more than 850 million records, a
fourfold increase in a decade, affecting financial services,
business, education, government, and healthcare sectors.
As many breaches went unreported, these were conserva-
tive numbers.
U.S. firms reported having had more than a million
records exposed in the year following the Target breach;
among them were three retailers: Home Depot, Michael’s
Stores, and Neiman Marcus. In each case, the perpetrators
appeared to have employed tools, and taken advantage of
organizational lapses, in ways similar to Target’s breach.
Among other notable victims of data breaches in 2014
were AliExpress (owned by Alibaba.com), American
Express, Korean Credit Bureau, JPMorgan, The U.S. Postal
Service, the U.S. Internal Revenue Service, Rumbler.ru
and, perhaps most notoriously, SONY Pictures.
In 2016, data breaches were still increasing 15% year on
year, and the number of stolen records was growing at twice
that pace (31%), with an average of 3 million records
stolen per day. North America (see Fig. 2) was experi-
encing the largest number of data breaches, accounting for
almost 80% of the world total (Breach Level Index, 2016).
The United States led the world in data breaches with over
400 million compromised records (70% of the total).
Europe, the next highest, accounted for 10% of the total
breaches with close to 50 million stolen records. The Asia
and Pacific region was close behind in breaches (8%) but
far outstripped Europe with 110 million compromised
records (20%). U.S. security breach notification laws and
European directives and regulations (e.g., the General Data
Protection Regulation 2016/679) required organizations to
disclose and to inform promptly customers, authorities, and
other parties when personal data were stolen or compromised;
an obligation not all countries were under. These
regulations had the double objective of encouraging firms
to improve their practices and consequently reduce con-
sumers’ risk.
Healthcare, government, financial, retail, education, and
technology were the main target sectors for data breaches.
In the U.S., 2016 saw an increase in breaches to POS
systems at several hotel chains and retailers (see Fig. 3).
Senior management’s rising concern regarding computer
and network security was on display in the results of
the 2016 PwC Annual Global CEO Survey, where 61%
of the executives interviewed described cyber
threats and lack of data security as a threat to both national
and commercial interests (PwC 2016). Moreover, an even
higher proportion (78%) of them considered cyber security
technologies to be strategically important for their firms.
While security became a top priority in CEOs’ agendas
and a prominent topic in boardroom discussions, the data
showed that corporations were losing ground in responding
to the threat.
Payment systems and fraud
The U.S. Federal Reserve Bank reported (Federal Reserve
Board 2014, p. 41) in 2012 that credit cards made up 21%
of the total number of non-cash transactions in the US and
1.4% of the non-cash value; the corresponding numbers for
debit cards were 38% and 1% and for checks, 15% and
14.8%. For Automated Clearing House (ACH) transac-
tions, such as online bill-pay and wire transfers, commonly
used for large, non-retail transactions, the transaction and
value numbers were 18% and 83%. Cash, an essentially
anonymous payment system, was still the most common
payment method, constituting 40% of transactions in the
U.S. (Bennett et al. 2014, p. 3). An average consumer in the
month of October 2012 used cash for 23 of 59 payments
(Bennett et al. 2014, p. 2). Cash, however, was primarily
used for small dollar value purchases, constituting only
14% of purchases at retail, and averaging USD 21 per
transaction (Bennett et al. 2014, p. 3). At brick & mortar
stores such as Target, a high, and increasing, proportion of
purchases were made with credit or debit cards.
Fig. 1 Evolution of data breaches in the U.S. (ITRC 2016): number of
breaches per year, 2005 to 2015, by sector (Banking/Credit/Financial,
Health/Medical, Government/Military, Educational, Business)
Payment cards, particularly credit and non-pin protected
debit cards and prepaid cash cards, presented tempting, and
still relatively risk-free, opportunities for criminals. The
ability to tap into U.S. payment systems from other coun-
tries, particularly those with weak enforcement or no
extradition treaties with the U.S., further lowered the risk.
In 2012, the Federal Reserve reported over 31 million
fraudulent payment transactions with a value of over USD
6 billion; 26 million of these transactions, and over USD 4
billion of value, were from credit, signature-only debit, or
prepaid cash cards. Pin-protected debit cards were far more
secure, experiencing only 20% of the fraud rates of sig-
nature debit cards (Federal Reserve Board 2014).
The biggest vulnerability in card payment systems in the
U.S. was the card’s magnetic stripe. The data written on the
‘‘magstripe’’ included the primary account number, the
account holder’s name, the expiration date, a service code
indicating the types of charges that could be accepted, and
discretionary data, such as a PIN code. Once compromised,
either by scraping or skimming, these data could be used to
make online purchases or to legitimate counterfeit cards,
which could then be used in physical stores. While in-store
use might seem risky, it did not require a mailing address to
collect the ordered merchandise. Moreover, the stolen
merchandise, mostly electronics or gift cards, could often
be immediately resold.
Fig. 2 Data breaches by country, logarithmic scale (authors on Gemalto’s
data, October 2016, http://www.breachlevelindex.com/data-breach-database):
number of breaches per year, 2013 to 2016, for the United States, United
Kingdom, Canada, Australia, India, New Zealand, Japan, China, Israel and
South Africa
Fig. 3 Data breaches by industry (authors on Gemalto’s data, October
2016, http://www.breachlevelindex.com/data-breach-database): number of
breaches per year, 2013 to 2016, for Healthcare, Government, Financial,
Retail, Technology, Education, Hospitality and Other
‘‘Big Box’’ and discount retailers were particularly
vulnerable to payment card fraud and data breaches due to
the size of their customer population, their high daily
transaction volumes, the liquidity of some of their mer-
chandise, and their customers’ desire for fast and conve-
nient checkout. Moreover, huge past investments in point-
of-sale check-out devices, as well as the typical customer’s
comfort with mag-stripe credit and debit cards, had retar-
ded retailers’ transition to more secure technologies (Geuss
2015).
The complexity of the payment network added further
vulnerability. The observation of a judge in an earlier data
breach case described that complexity and, implicitly, its
consequent vulnerability:
‘‘Every day, merchants swipe millions of customers’
payment cards. In the seconds that pass between the
swipe and approval (or disapproval), the transaction
information goes from the point of sale, to an acquirer
bank, across the credit-card network, to the issuer
bank, and back. Acquirer banks contract with mer-
chants to process their transactions, while issuer
banks provide credit to consumers and issue payment
cards. The acquirer bank receives the transaction
information from the merchant and forwards it over
the network to the issuer bank for approval. If the
issuer bank approves the transaction, that bank sends
money to cover the transaction to the acquirer bank.
The acquirer bank then forwards payment to the
merchant.’’ (Rosenthal, 2011)
The judge described a four-party payment system: A
credit-card network, usually Visa or MasterCard, is a
network intermediary between the merchants’ bank (‘‘ac-
quirer’’), the merchant, and the customer’s bank (‘‘issuer’’).
The alternative, a three-party approach, links three participants:
the card-carrying customer, the merchant, and the
card issuer (e.g., American Express or Discover). In 2013,
82% of card payments went through the four-party system.
To further the complexity, many merchants relied on
outside payment processors for the link between their POS
devices and acquiring banks. Two of these, Global
Payments and Heartland Payments, had themselves been
major victims of hackers.
Anatomy of the Target breach
The first victim in the heist was not Target, but Fazio
Mechanical Services, a provider of refrigeration services to
Target. The means of attack was uncertain, but likely executed
via a bogus link or attachment as part of an email ‘‘phishing’’
broadcast to multiple Target third-party vendors—a list of
which was openly available on the Internet. To get inside the
supplier’s network, the attackers used a malware package
called Citadel (Olavsrud 2014) and then found and used
Fazio’s credentials to exploit its previously authorized access
to Target’s computer network. Fazio had access to several
Target systems, including contract management, project
management and electronic billing. On November 12th, 2013,
the attackers gained access to Target’s internal network,
probably by uploading an executable file disguised as a
legitimate document attachment through a Web application.
The name of the uploaded file was apparently chosen to be
similar to that of other files commonly seen on the system.
Once inside Target’s internal network, the attackers
sought out logins, passwords, and network diagrams.
Failing to find credit card credentials on Target servers,
they instead, apparently patiently and successfully, pene-
trated Target’s POS terminals. Harnessing a computer
account they had created on Target’s network, they
deployed malware to POS terminals that the investigators
named Kaptoxa (pronounced kar-toe-sha), available for
about USD 2000 on black market Web sites. The software
then scraped each unencrypted card as it was read.
Between November 15th and 28th, the attackers tested the
malware (footnote 1) on a few of Target’s POS devices. By November
30th, the hack was fully installed on almost all POS devices
and fully operational. That day, the attackers also installed
malware to transfer the stolen data to an internal server. This
data exfiltration malware (footnote 2), the file name of which was
disguised to look like a legitimate application, was updated
twice: on December 2nd, and again on December 4th. On
December 2nd, the perpetrators began to transfer data to
another Target server, one that was authorized for file
transfers through Target’s firewall. The data were moved
from that server to servers outside the U.S., eventually
ending up on a server in Russia. Data were moved during
business hours to hide the illicit activity within otherwise
busy network traffic.
1 While not definitively linked to the Target data breach, in August of
2014 the U.S. Secret Service identified malware called ‘‘backoff’’ that
was first detected in October of 2013 but not detectable by anti-virus
solutions until almost a year later. Backoff was estimated to have already
affected over 1000 U.S. businesses.
https://www.documentcloud.org/documents/1279345-secret-service-malware-announcement.html.
2 Data exfiltration is the transfer of stolen data from a compromised
system within the victim’s network back to the attacker while attempting
to remain undetected.
Stolen card numbers were almost immediately available
on Internet black markets. One market, Rescator, had been
described as ‘‘The Amazon.com of Stolen Credit Cards’’
(Lawrence 2014). Here batches of credit cards could be
purchased, sometimes for prices exceeding USD 100
(Fig. 4). Card data contained in the earliest batch released
on Rescator sold for between USD 26.60 and USD 44.80 in
the days before December 19th (Exhibit 3), when Target
went public on the data breach (Krebs 2014).
Failed security measures
Target’s attackers exploited numerous security weaknesses.
Target had publicly posted the names of its suppliers on the
Internet. One of them, Fazio Mechanical Services, had relied
on a free malware detection package, intended for use by
individuals, rather than for commercial use. The malicious
detection package, installed at Fazio, probably captured
login and password information during transactions. While
two-factor authentication was required by PCI (footnote 3) for payment
servers, it was not required, and from reports was rarely used,
for non-payment related, externally accessible applications
on Target’s external network. Instead, Target relied on a
scheme required by PCI policy: payment servers were seg-
regated from the rest of the network. Indeed, PCI had
recently given a clean audit of Target’s network segrega-
tion—a segregation that subsequently proved inadequate.
Two different security packages triggered alarms as the
data exfiltration malware was installed on November 30th,
and then again when it was updated. One of these pack-
ages, FireEye, installed at a cost of USD 1.6 million a few
months earlier, recommended to its Target minders in
Bangalore the deletion of the malware—a recommendation
reportedly passed on to, but ignored by, the personnel in
Target’s security operations center in Minneapolis (Riley
et al. 2014). Target also apparently did not maintain a
‘‘white list’’ of authorized processes, often used to ensure
that malware is not allowed to run on a device or server.
Neither did Target adequately monitor the creation of new
accounts, nor effectively block access to certain external
file servers (e.g., servers in Russia).
Fig. 4 Rescator’s efficient and user friendly web shopping interface
3 The Payment Card Industry Security Standards Council (PCI SSC)
was created in 2006 to develop security standards for the evolving
Payment Card Industry (PCI). The resulting Payment Card Industry
Data Security Standard (PCI DSS) is intended to ensure participating
companies that process, store, or transmit credit card information do
so in a secure manner.
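The monitoring gaps named in this section (no list of authorized processes on POS devices, unmonitored account creation, unrestricted transfers to external file servers) can be written as detection rules, with a fourth rule that follows data from the POS segment through internal staging servers to an outside address. This is an added example, not part of the original case or any Target system; the event format and all addresses, process names, account names and ticket ids are constructed assumptions.

```python
"""Constructed detection rules for the monitoring gaps described in the case."""
from ipaddress import ip_address, ip_network

# Assumed policy: every name, address and ticket id below is hypothetical.
POS_NET = ip_network("10.10.0.0/16")               # point-of-sale segment
INTERNAL_NET = ip_network("10.0.0.0/8")            # whole internal network
POS_PROCESS_ALLOWLIST = {"pos_client.exe", "av_agent.exe"}
EGRESS_ALLOWLIST = {ip_address("198.51.100.10")}   # approved external file server
APPROVED_TICKETS = {"CHG-1001"}                    # changes that permit new accounts

# Constructed sample events in time order (not real logs).
EVENTS = [
    {"t": "09:02", "kind": "process_start", "host": "10.10.0.21", "image": "pos_client.exe"},
    {"t": "09:15", "kind": "account_created", "host": "10.1.0.5",
     "account": "svc_report2", "ticket": None},
    {"t": "09:20", "kind": "account_created", "host": "10.1.0.5",
     "account": "jdoe", "ticket": "CHG-1001"},
    {"t": "10:01", "kind": "process_start", "host": "10.10.0.22", "image": "pos_c1ient.exe"},
    {"t": "10:05", "kind": "transfer", "src": "10.10.0.22", "dst": "10.20.0.5"},
    {"t": "11:30", "kind": "transfer", "src": "10.20.0.5", "dst": "10.30.0.9"},
    {"t": "11:45", "kind": "transfer", "src": "10.30.0.9", "dst": "198.51.100.10"},
    {"t": "13:10", "kind": "transfer", "src": "10.30.0.9", "dst": "203.0.113.77"},
    {"t": "14:00", "kind": "transfer", "src": "10.40.0.3", "dst": "203.0.113.80"},
]


def detect(events):
    """Return alerts as (rule, time, subject, detail) tuples, in event order."""
    alerts = []
    # Internal host -> POS addresses whose data may have reached it so far.
    tainted = {}
    for ev in events:
        kind = ev["kind"]
        if kind == "process_start":
            # Rule 1: only allowlisted images may run on POS devices.
            on_pos = ip_address(ev["host"]) in POS_NET
            if on_pos and ev["image"].lower() not in POS_PROCESS_ALLOWLIST:
                alerts.append(("unlisted_process", ev["t"], ev["host"], ev["image"]))
        elif kind == "account_created":
            # Rule 2: a new account needs an approved change ticket.
            if ev.get("ticket") not in APPROVED_TICKETS:
                alerts.append(("unapproved_account", ev["t"], ev["host"], ev["account"]))
        elif kind == "transfer":
            src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
            origins = set(tainted.get(src, ()))
            if src in POS_NET:
                origins.add(src)
            if dst in INTERNAL_NET:
                # Internal hop: remember which POS devices feed this server.
                if origins:
                    tainted.setdefault(dst, set()).update(origins)
            elif dst not in EGRESS_ALLOWLIST:
                # Rule 3: outbound transfer to a destination nobody approved.
                alerts.append(("unapproved_egress", ev["t"], ev["src"], ev["dst"]))
                if origins:
                    # Rule 4: the sending server was fed, directly or through
                    # other servers, by POS devices.
                    pos = tuple(sorted(str(o) for o in origins))
                    alerts.append(("pos_data_path_to_external", ev["t"], ev["dst"], pos))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The fourth rule fires on the 13:10 transfer even though that server never talks to a POS device directly, because the taint map carries the POS origin across both internal hops.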
Financial consequences
The breach proved to be immediately costly as reflected in
the CEO’s comments to analysts in a February 2014
earnings conference call.
Target’s fourth quarter financial results reflect better
than expected US segments performance through the
first three weeks of the holiday season, followed by
meaningfully softer results following our December
19 [data breach announcement] … fourth quarter
comparable sales decreased 2.5%, consistent with our
updated guidance in January. (Target 2014c, p. 3)
Target’s cumulative stock return had beaten both the S&P
500 and Target’s peer comparison group in February of 2013
but, by the following February, 2 months after the breach,
had fallen precipitously behind both groups. Earnings per
share had also fallen (Target 2014a, pp. 15–16). Profits in the
4th quarter of 2013 were off 47% from the previous year,
though the decline was partially attributed to poor perfor-
mance at Target’s Canadian stores.
Costs piled up. Eight months after the breach, the com-
pany reported USD 236 million in breach-related costs, of
which USD 90 million were covered by insurance (Target
2014e, p. 9). One big expense was the cost to provide Tar-
get’s customers with a year of credit screening services.
Those reported expenses, coupled with a drop in expected
earnings from 85 to 78 cents a share, stunned Wall Street;
Target’s stock price fell 4.4% the next day (Abrams 2014).
John Kindervag, a Vice President and principal analyst
at Forrester Research, predicted that the eventual costs of
the breach would be much higher:
I don’t see how they’re getting out of this for under a
billion, over time… One hundred fifty million in a
quarter seems almost like a bargain. (Abrams 2014)
Legal consequences
In its 2014 second quarter earnings conference call (Target 2014e,
p. 9), Target trumpeted ‘‘dramatically lower’’ breach-related
costs as compared to post-breach external estimates
that had been more in line with Kindervag’s billion dollar
estimate. But, 3 months later, in the risk assessment section
of Target’s November 2014 10-Q filing to the SEC (Target
2014b, p. 9), Target identified many, still unresolved
potential sources for further costs and legal uncertainties.
… more than 100 actions have been filed in courts in
many states, along with one action in Canada, and other
claims have been or may be asserted against us on behalf
of guests, payment card issuing banks, shareholders or
others seeking damages or other related relief allegedly
arising out of the Data Breach. State and federal agen-
cies, including State Attorneys General, the Federal
Trade Commission and the SEC, are investigating
events related to the Data Breach, including how it
occurred, its consequences and our responses…
Target customers’ numerous lawsuits were combined into a
single class action suit, to be adjudicated in a Federal District
Court in Minnesota. One of nearly 100 customer reports
included in the lawsuit described the damages and inconve-
niences suffered by one misfortunate Target customer:
[A Target customer] used her Savannah State Bank
Visa debit card to purchase goods at a Target store in
Georgia during the period of the Target data breach.
[The customer’s] personal information associated
with her debit card was compromised in and as a
result of the Target data breach. [The customer] was
harmed by having her financial and personal information
compromised. She incurred multiple unauthorized
charges totaling approximately $1900 in
December 2013. [The customer] also experienced a
loss of access to her funds, paid a replacement card
fee for which she remains unreimbursed, and incurred
late payment fees due to failed automatic payments.
She also paid for credit monitoring services as a
result of the Target data breach. (United States Dis-
trict Court: District of Minnesota 2014, p. 23)
Estimates of the eventual total cost of fraudulent charges to
customer cards ranged from USD 240 million to USD 2.2
billion (Weiss and Miller 2015). Among the numerous
damages enumerated by customers’ lawyers were: unau-
thorized charges to debit and credit card accounts; theft of
personal and financial information; costs of detecting and
protecting against identity theft and unauthorized use of
accounts; lack of access to account funds; costs associated
with that lack of access (e.g., late charges and fees, credit
rating harm); time and loss of productivity stemming from
the need to deal with the challenges faced.
The customers’ lawyers accused Target of:
… failing to take adequate and reasonable measures to
ensure its data systems were protected, failing to take
available steps to prevent and stop the breach from ever
happening, failing to disclose to its customers the
material facts that it did not have adequate computer
systems and security practices to safeguard customers’
financial account and personal data, and failing to
provide timely and adequate notice of the Target data
breach (United States District Court: District of Min-
nesota 2014, p. 4)
That same U.S. District Court in Minnesota would adjudicate
another set of class action lawsuits, this time brought by
banking institutions adversely impacted by their own
customers’ misfortune. Because of contracts with payment
networks like Visa, historically the banks had shouldered the
bulk of the losses for credit card breaches. This time they
hoped, because of the retailers’ alleged negligence, more of
the responsibility would be assigned to Target. Estimates of
the potential fines that might be levied on Target ranged from
USD 71 million to USD 1.1 billion, numbers that repre-
sented anywhere from 2 to 37% of Target’s net income for
2013 (Weiss and Miller 2015). The American Bankers
Association estimated that the data breach affected more
than 8% of debit cards and nearly 4% of credit cards
countrywide, with the average loss to banks of USD 331 per
debit card and USD 530 per credit card (ABA 2014).
Targeting Target with a 100 million dollar data
breach (B)
Everyone in this industry right now has to come
together to make sure we’re putting the right defense
plans in place.
[Brian Cornell, CEO Target Stores] (CBS News
2014)
In May 2014, Greg Steinhafel resigned as Target’s
Chairman, President and CEO, a resignation partially
attributed (Abrams 2014) to a massive, criminal data
breach suffered by Target during the 2013 holiday season.
The breach had exposed over 100 million customer
records; it depressed Target’s holiday shopping revenues,
increased administrative costs, and triggered legal liabili-
ties. Moreover, the breach was a clear threat to Target’s
brand and reputation. In parallel with Steinhafel’s May
resignation, Institutional Shareholder Services, an overseer
of corporate governance for institutional investors, recom-
mended that shareholders reject the re-election of seven
members of the board who served on Target’s audit and
corporate responsibility committee.
Following Steinhafel’s resignation, John Mulligan,
Target’s CFO took on the position of interim CEO. Three
months later, in mid-August of 2014, Brian Cornell was
named Chairman and CEO. A previous CEO of PepsiCo
Americas’ Foods Division, Cornell brought extensive retail
experience to Target; his impressive resume included CEO
at Sam’s Club, CEO at Michael’s Craft Stores, and CMO at
Safeway.
The breach foreshadowed a further shakeup in Target’s
management team. Prior to Steinhafel’s resignation, and
3 months after the breach, Target’s CIO resigned. The Vice
President of Assurance Risk and Compliance, in keeping
with his previously announced intention, also resigned.
Customer communication
From its initial announcement of the breach on the 19th
through January 15th, Target sent six emails to its ‘‘guests’’
and a seventh to the holders of Target’s proprietary
REDcard payment card. Included among these were
descriptions of what had happened, apologies, reassurances
that the problem was being well taken care of and that the
customer risk was small, advice about how the recipient
could protect themselves or what actions the customer
should take (e.g., ‘‘Be wary of emails that ask for money or
send you to suspicious websites.’’) or should not take (e.g.,
‘‘Never share information with anyone over the phone,
email or text, even if they claim to be someone you know
or do business with.’’), and explained how to take advan-
tage of the year of free credit monitoring Target was pro-
viding. The Company also quickly established, and
continued to update, several web resources. One web page
included links to the seven emails, related press
announcements, and to transcripts of CFO Mulligan’s
February 4th and March 26th testimony to Congressional
committees. A second web page included responses to 48
‘‘frequently asked questions.’’ The initial versions of these
web resources were prominently displayed and accessible
from Target’s home page as of the announcement on
December 19th.
Rebuilding the organization and consumer
confidence
In April of 2014, Target hired a new CIO, Bob DeRoddes,
who had served in a security advisory capacity to the U.S.
Department of Homeland Security, the U.S. Secretary of
Defense, the U.S. Department of Justice, and numerous
multi-national firms.
In the CIO announcement, Target also described its
intention to move Target’s ‘‘Red’’ branded credit and debit
cards to a ‘‘chip-and-pin enabled technology,’’ as well as
accelerating a plan to install new payment devices in close
to 1800 stores (see Exhibit 4). Further, it identified a
number of security enhancements already implemented
(Target 2014d). Among them were the following:
1. Enhancing monitoring and logging [including] addi-
tional rules, alerts, centralizing log feeds and enabling
additional logging capabilities.
2. Installation of application whitelisting point-of-sale
systems [including] deploying to all registers, point-of-sale
servers and development of whitelisting rules.
3. Implementation of enhanced segmentation [including]
development of point-of-sale management tools,
review and streamlining of network firewall rules and
development of a comprehensive firewall governance
process.
4. Reviewing and limiting vendor access [including]
decommissioning vendor access to the server impacted
in the breach and disabling select vendor access points
including FTP and telnet protocols.
5. Enhanced security of accounts coordinated reset of
445,000 Target team member and contractor pass-
words, broadening the use of two-factor authentication,
expansion of password vaults, disabled multiple ven-
dor accounts, reduced privileges for certain accounts,
and developing additional training related to password
rotation.
In June of 2014, Brad Maiorino was appointed to a newly
created position, that of Senior VP and Chief Information
Security Officer. Maiorino was previously with General
Motors and, prior to that, General Electric. In those roles,
his responsibilities focused on information security. He
would report to the CIO. Six months later, Target
announced the appointment of Jacqueline Hourigan Rice,
to fill the role of Senior VP and Chief Risk and Compliance
Officer. Hourigan Rice also came from GM where she had
spent 17 years, most recently as GM’s chief compliance
officer. According to the announcement, she would report
to CEO Cornell. Her responsibilities would include the
following: ‘‘centralized oversight of enterprise risk man-
agement, compliance, vendor management and corporate
security under her leadership’’ (Target 2014f).
A year later
In a televised interview in November of 2014, a year after
the breach and two days before ‘‘Black Friday’’ (footnote 4), the
semi-official start of the crucial holiday sales season, Cornell
reassured customers, shareholders, and business partners
that the Target leadership team was taking data security
very seriously:
We focus every day, every single day, not just during
the holidays, but 52 weeks a year, on data security.
Making sure we’ve the right team in place, to mon-
itor, detect, contain. (CBS News 2014)
Confidence building words, but even as he spoke, the
perpetrator(s) had not been apprehended, the stolen credit
card credentials were still for sale on Internet black
markets, and a growing number of breach-related lawsuits
still hung over Target.
Yet, the mood at Target seemed considerably more
upbeat than a year earlier. So too were Target’s financials.
The 2014 fiscal year closed with sales up 1.3% and with
digital channel sales growth exceeding 30 percent (Target
2015a) and by the first quarter of 2015, sales grew 2.3%
from the same period in the prior year (Target 2015b).
Target’s stock price, which had fallen to a low of USD
54.66 in February of 2014, had rebounded to over USD 75
in late January of 2015 (Exhibit 2). Target was confident
that the data breach would not impact their reputation in
the long term:
… we experienced weaker than expected sales
immediately following the announcement of the Data
Breach that occurred in the fourth quarter of 2013,
and while we now believe the incident will not have a
long-term impact to our relationship with our guests,
it is an example of an incident that affected our
reputation and negatively impacted our sales for a
period of time. (Target 2015a, p. 4)
The Target Web site, which had, until recently, promi-
nently displayed links to information on the data breach,
had returned to business as usual (Exhibit 5). By the end of
2015, the major lawsuits initiated by customers and credit
card issuers were finally being settled. In March, Target
agreed to pay USD 10 million to settle individual victims’
damages up to USD 10,000 (Reuters and Fortune, 2015). In
August, Visa issuers settled on up to $67 million in costs
related to the data breach (Whipp 2015). In December, an
agreement was reached with MasterCard issuers for USD
19.11 million, and banks and credit unions not covered in
the other actions for up to USD 20.25 million (Stempel and
Bose 2015).
While the situation was increasingly back to normal, the
company was still facing shareholder lawsuits, as well as
probes by the Federal Trade Commission and State
Attorneys General, regarding the breach (Stempel and Bose
2015).
The broader threat
Executives at other multi-national companies were con-
siderably more pessimistic than Cornell appeared to be, at
least in his public pronouncements. Speaking at a panel at
the 2015 World Economic Forum in Davos, Switzerland,
several CEOs (Gelles 2015) had expressed their appre-
hensions about data breaches. John Chambers, CEO of
Cisco, predicted, ‘‘The number of security incidents this
year will be exponentially greater than last year.’’ Simi-
larly, the CEO of Infosys, Visha Sikka, predicted ‘‘five
times as many incidents as we did last year.’’ (Figure 1) As
vendors of IT and security solutions, Chambers and Sikka
were perhaps predictably alarmist in their assessments. The
comments of the CEO of IMax, Richard Gelfond, probably
better reflected the trepidation of many of Chambers’ and
Sikka’s customers:
The one thing that really scares me is that if someone
wants to get into your system, they can get in. Almost
no amount of money will keep them out.
4 The first shopping day after Thanksgiving in the U.S.: allegedly,
named because it was often the day when a retailer’s profitability for
the year went from red to black.
Another vendor’s study supported their pessimism (Riley
et al. 2014), reporting that only 31 percent of companies
had identified data breaches through their own monitoring.
The percentage was far lower for retailers. As with Target,
95% of retail data breaches were not discovered by the
retailer; one observer described retailers as “the
wildebeests of the digital savannah.”
Congressional reactions to Target breach
Compared to their European counterparts, U.S. retailers
were particularly vulnerable as Seth Berman, head of the
London office of a risk management firm, observed:
There’s a fundamental flaw in the US credit card
system in that they do not use chip and pin… The US
is doing everyone a favor by acting as a honeypot for
criminals, and in addition the country has more credit
cards per head than anywhere else.
The still seemingly uncontrollable threat to U.S.
firms posed by hackers was a growing concern in
Washington D.C. Between Feb 3rd and April 2nd, 2014,
six Congressional Committees held seven different hearings
related to data breaches in general and the Target breach
in particular (Weiss and Miller 2015, p. 2). Among the
options discussed were:
Federal legislation to require notification to con-
sumers when their data have been breached; legisla-
tion to potentially increase Federal Trade
Commission (FTC) powers and authorities over
companies’ data security; and legislation that could
create a federal standard for the general quality or
reasonableness of companies’ data security.
Study questions
1. How was the attack on Target perpetrated? Can you
identify its main phases?
2. Which weaknesses in Target security did hackers
exploit?
3. Would you consider the Target data breach an information
system failure? Why?
4. Who do you believe is to blame for the incident? Why?
How did Target manage the situation when the breach
was detected? Do you consider their reaction
appropriate?
5. Do you believe it was the CEO’s responsibility to
inform customers about the data breach? What would
you have done?
6. What lessons should a CEO learn from Target?
7. What lessons should a CIO learn?
8. What should Target do next?
9. Do you believe consumers are becoming tolerant of
breaches?
Appendix
Exhibit 1: Initial notification to Target customers
on December 19th, 2013
Important notice: unauthorized access to payment card
data in U.S. stores
We wanted to make you aware of unauthorized access to
Target payment card data. The unauthorized access may
impact guests who made credit or debit card purchases in
our U.S. stores from Nov. 27 to Dec. 15, 2013. Your trust is
a top priority for Target, and we deeply regret the incon-
venience this may cause. The privacy and protection of our
guests’ information is a matter we take very seriously and
we have worked swiftly to resolve the incident.
We began investigating the incident as soon as we
learned of it. We have determined that the information
involved in this incident included customer name, credit or
debit card number, and the card’s expiration date and CVV.
We are partnering with a leading third-party forensics
firm to conduct a thorough investigation of the incident and
to examine additional measures we can take that would be
designed to help prevent incidents of this kind in the future.
Additionally, Target alerted authorities and financial
institutions immediately after we discovered and confirmed
the unauthorized access, and we are putting our full
resources behind these efforts.
We recommend that you closely review the information
provided in this letter for some steps that you may take to
protect yourself against potential misuse of your credit and
debit information. You should remain vigilant for incidents
of fraud and identity theft by regularly reviewing your
account statements and monitoring free credit reports. If
you discover any suspicious or unusual activity on your
accounts or suspect fraud, be sure to report it immediately
to your financial institutions. In addition, you may contact
the Federal Trade Commission (“FTC”) or law
enforcement to report incidents of identity theft or to learn
about steps you can take to protect yourself from identity
theft. To learn more, you can go to the FTC’s Web site, at
www.consumer.gov/idtheft, or call the FTC, at (877)
IDTHEFT (438-4338) or write to Federal Trade Commission,
Consumer Response Center, 600 Pennsylvania Avenue, NW,
Washington, DC 20580.
You may also periodically obtain credit reports from
each nationwide credit reporting agency. If you discover
information on your credit report arising from a fraudulent
transaction, you should request that the credit reporting
agency delete that information from your credit report file.
In addition, under federal law, you are entitled to one free
copy of your credit report every 12 months from each of
the three nationwide credit reporting agencies.
Again, we want to stress that we regret any inconve-
nience or concern this incident may cause you. Be assured
that we place a top priority on protecting the security of our
guests’ personal information. Please do not hesitate to
contact us at 866-852-8680 or visit Target’s website if you
have any questions or concerns. If you used a non-Target
credit or debit card at Target between Nov. 27 and Dec. 15
and have questions or concerns about activity on your card,
please contact the issuing bank by calling the number on
the back of your card.
Exhibit 2: Target data breach timeline (adapted Langley 2014)
[Chart: stock price ($50 to $70 axis), December to February, annotated with the following events]
Nov. 27 - Dec. 18: Hackers were stealing the numbers from credit and debit cards swiped at POS registers.
Dec. 18: Target says “strong start to its holiday season has continued through the first part of December.”
Dec. 19: Target says the card numbers of 40 million customers were stolen between Nov. 27 and Dec. 18.
Dec. 27: Target says PIN data also were stolen.
Jan. 10: Target says up to 70 million more customers had personal information such as names and email addresses stolen.
Jan. 10: CEO Gregg Steinhafel offers apology in full-page newspaper ads.
Jan. 29: Target confirms that hackers gained network access through an outside vendor.
Feb. 4: CFO John Mulligan testifies before Congress about need to convert cards from magnetic strips to chip-enabled technology.
Feb. 18: Stock closes at $56.4, down 11.3% since Target revealed that card numbers were stolen.
Exhibit 3: From hacking to monetization
Exhibit 4: New MasterCard Initiative
and commitment to chip-and-PIN
Today, Target also announced a significant new initiative
as part of the company’s accelerated transition to chip-and-
PIN-enabled REDcards. Beginning in early 2015, the entire
REDcard portfolio, including all Target-branded credit and
debit cards, will be enabled with MasterCard’s chip-and-
PIN solution. Existing co-branded cards will be reissued as
MasterCard co-branded chip-and-PIN cards. Ultimately,
through this initiative, all of Target’s REDcard products
will be chip-and-PIN secured.
Earlier this year, Target announced an accelerated $100
million plan to move its REDcard portfolio to chip-and-
PIN-enabled technology and to install supporting software
and next-generation payment devices in stores. The new
payment terminals will be in all 1797 U.S. stores by this
September, 6 months ahead of schedule. In addition, by
early next year, Target will enable all REDcards with chip-
and-PIN technology and begin accepting payments from all
chip-enabled cards in its stores.
“Target has long been an advocate for the widespread
adoption of chip-and-PIN card technology,” said John
Mulligan, executive vice president, chief financial officer for
Target. “As we aggressively move forward to bring enhanced
technology to Target, we believe it is critical that we provide
our REDcard guests with the most secure payment product
available. This new initiative satisfies that goal.”
“Target and MasterCard are taking an important step
forward in providing consumers with a secure shopping
experience, and the latest in payments technology,” said
Chris McWilton, president, North American Markets for
MasterCard. “Our focus, together with Target, is on safety
and security.”
Quarterly results (millions, except per share data)

                                                     First quarter  Second quarter   Third quarter  Fourth quarter      Total year
                                                      2013    2012    2013    2012    2013    2012    2013   2012a    2013   2012a
Sales                                               16,706  16,537  17,117  16,451  17,258  16,601  21,516  22,370  72,596  71,960
Credit card revenues                                     –     330       –     328       –     328       –     356       –    1341
Total revenues                                      16,706  16,867  17,117  16,779  17,258  16,929  21,516  22,726  72,596  73,301
Cost of sales                                       11,563  11,541  11,745  11,297  12,133  11,569  15,719  16,160  51,160  50,568
Selling, general and administrative expenses          3590    3392    3698    3588    3853    3704    4235    4229  15,375  14,914
Credit card expenses                                     –     120       –     108       –     106       –     135       –     467
Depreciation and amortization                          536     529     542     531     569     542     576     539    2223    2142
Gain on receivables transaction                        391       –       –       –       –     156       –       5     391     161
Earnings before interest expense and income taxes     1408    1285    1132    1255     703    1164     986    1668    4229    5371
Net interest expense                                   629     184     171     184     165     192     161     204    1126     762
Earnings before income taxes                           779    1101     961    1071     538     972     825    1464    3103    4609
Provision for income taxes                             281     404     350     367     197     335     305     503    1132    1610
Net earnings                                           498     697     611     704     341     637     520     961    1971    2999
Basic earnings per share                              0.78    1.05    0.96    1.07    0.54    0.97    0.82    1.48    3.10    4.57
Diluted earnings per share                            0.77    1.04    0.95    1.06    0.54    0.96    0.81    1.47    3.07    4.52
Dividends declared per share                          0.36    0.30    0.43    0.36    0.43    0.36    0.43    0.36    1.65    1.38
Closing common stock price
  High                                               70.67   58.86   73.32   61.95   71.99   65.44   66.89   64.48   73.32   65.44
  Low                                                60.85   50.33   68.29   54.81   62.13   60.62   56.64   58.57   56.64   50.33

Per share amounts are computed independently for each of the
quarters presented. The sum of the quarters may not equal the
total year amount due to the impact of changes in average
quarterly shares outstanding and all other quarterly amounts
may not equal the total year due to rounding
a The fourth quarter and total year 2013 consisted of 13 and 52
weeks, respectively, compared with 14 and 53 weeks in the
comparable prior-year periods
Exhibit 5: Target income statement (adapted Target 2014a, p. 63)
References
ABA. 2014. Target Breach Bank Impact. American Bankers Association. Retrieved from http://www.aba.com/Tools/Function/Payments/Documents/TargetBreachBankImpact.pdf.
Abrams, R. 2014. Target Puts Data Breach Costs at $148 Million, and Forecasts Profit Drop, The New York Times, August 5, 2014, http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html.
Bennett, B., D. Conover, S. O’Brien, and R. Advincula. 2014. Cash Continues to Play a Key Role in Consumer Spending: Evidence from the Diary of Consumer Payment Choice. Federal Reserve Bank of San Francisco Fednotes (April 2014). Retrieved from http://www.bheesty.com/cracker/1450697937_f3ce6ff546/fednotes_evidence_from_dcpc.pdf.
Breach Level Index. 2016. 2016 It’s All About Identity Theft—First Half Findings from the 2016. Gemalto. Retrieved from http://www.breachlevelindex.com/assets/Breach-Level-Index-Report-H12016.pdf.
CBS News. 2014. Target CEO on Black Friday: ‘We have to Win that Big Playoff Game’. CBS News, November 26, 2014. http://www.cbsnews.com/news/target-ceo-brian-cornell-on-black-friday-data-security-free-shipping/. Retrieved 23 June 2016.
Federal Reserve Board. 2014. The 2013 Federal Reserve Payments Study—Recent and Long-Term Payment Trends in the United States: 2003–2012—Summary Report and Initial Data Release. Federal Reserve System, p. 43. Retrieved from https://www.frbservices.org/files/communications/pdf/general/2013_fed_res_paymt_study_summary_rpt.pdf.
Gelles, D. 2015. Executives in Davos Express Worries Over More Disruptive Cyberattacks. The New York Times’ DealBook, January 22, 2015. http://dealbook.nytimes.com/2015/01/22/in-davos-executives-express-worries-over-more-disruptive-cyberattacks/. Retrieved 23 June 2016.
Geuss, M. 2015. Chip-Based Credit Cards are Old News; Why is the US only Rolling Them Out Now? Ars Technica, November 26, 2015. http://arstechnica.com/business/2015/11/chip-based-credit-cards-are-old-news-why-is-the-us-only-rolling-them-out-now/. Retrieved 13 May 2016.
ITRC. 2015. Data Breach Reports. Identity Theft Resource Center, p. 197.
ITRC. 2016. ITRC Breach Statistics 2005–2015, January 25, 2016. http://www.idtheftcenter.org/images/breach/2005to2015multiyear.pdf. Retrieved 13 May 2016.
Krebs, B. 2013. Sources: Target Investigating Data Breach—Krebs on Security. Krebs on Security, March 18, 2013. Retrieved from http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/.
Krebs, B. 2014. Fire Sale on Cards Stolen in Target Breach, Krebs on Security, February 19, 2014. Retrieved from http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/.
Langley, M. 2014. Inside Target, CEO Gregg Steinhafel Struggles to Contain Giant Cybertheft. Wall Street Journal, February 19, 2014. Retrieved from http://www.wsj.com/articles/SB10001424052702304703804579382941509180758.
Lawrence, D. 2014. The Amazon.com of Stolen Credit Cards Makes It All So Easy. Bloomberg.com, September 4, 2014. http://www.bloomberg.com/news/articles/2014-09-04/the-amazon-dot-com-of-stolen-credit-cards-makes-it-all-so-easy. Retrieved 13 May 2016.
Olavsrud, T. 2014. 11 Steps Attackers Took to Crack Target. CIO, September 2, 2014. http://www.cio.com/article/2600345/security0/11-steps-attackers-took-to-crack-target.html. Retrieved 13 May 2016.
PwC. 2016. 19th Annual Global CEO Survey. PricewaterhouseCoopers, p. 44. Retrieved from http://www.pwc.com/gx/en/ceo-survey/2016/landing-page/pwc-19th-annual-global-ceo-survey.pdf.
Reuters and Fortune. 2015. Target will pay $10 million to settle data breach lawsuit. Fortune, March 19, 2015. Retrieved from http://fortune.com/2015/03/19/target-10-million-settle-data-breach/.
Riley, M., B. Elgin, D. Lawrence, and C. Matlack. 2014. Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. Bloomberg.com, March 17, 2014. http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data. Retrieved 13 May 2016.
Rosenthal, L.H. 2011. In re: Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, No. 834 F.Supp.2d 573 (United States District Court, S.D. Texas, Houston Division Dec. 1, 2011). Retrieved from http://www.leagle.com/decision/In%20FDCO%2020111202937/IN%20RE%20HEARTLAND%20PAYMENT%20SYSTEMS,%20INC.
Satanovsky, G. 2011. How Counterfeit Credit Cards are Created From ATM Skimmers. Fraud Fighter–Fraud Prevention Blog, January 17, 2011. http://blog.fraudfighter.com/bid/52994/How-Counterfeit-Credit-Cards-are-Created-From-ATM-Skimmers. Retrieved 12 May 2016.
Steinhafel, G. 2014. An Open Letter from CEO Gregg Steinhafel, Target Corporate, January 12, 2014. http://corporate.target.com/article/2014/01/target-ceo-gregg-steinhafel-open-letter-guests. Retrieved 26 April 2016.
Stempel, J., and N. Bose. 2015. Target in $39.4 million settlement with banks over data breach, Reuters, December 3, 2015. Retrieved from http://www.reuters.com/article/us-target-breach-settlement-idUSKBN0TL20Y20151203.
Target. 2014a. 2013 Annual Report, Target.com. Retrieved May 13, 2016, from https://corporate.target.com/annual-reports/pdf-viewer-2013?cover=6725&parts=6724-6726-6727-6730-6728.
Target. 2014b. Quarterly Report 10-Q, For the quarterly period ended November 1, 2014 (SEC filing No. Commission File Number 1-6049). Retrieved from http://investors.target.com/phoenix.zhtml?c=65828&p=irol-secText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTk5MjM5MTgmRFNFUT0xJlNFUT0mU1FERVNDPVNFQ1RJT05fQk9EWSZleHA9JnN1YnNpZD01Nw%3D%3D.
Target. 2014c. Edited Transcript: TGT-Q4 2013 Target Corporation Earnings Conference Call. Target.com, February 26, 2014. http://phx.corporate-ir.net/External.File?item=UGFyZW50SUQ9MjIyNTE0fENoaWxkSUQ9LTF8VHlwZT0z&t=1. Retrieved 13 May 2016.
Target. 2014d. Target Appoints New Chief Information Officer, Outlines Updates on Security Enhancements. Target Corporate, April 29, 2014. http://corporate.target.com/press/releases/2014/04/target-appoints-new-chief-information-officer-outl. Retrieved 23 June 2016.
Target. 2014e. Edited Transcript: TGT—Q2 2014 Target Corporation Earnings Conference Call. Target.com, August 20, 2014. http://phx.corporate-ir.net/External.File?item=UGFyZW50SUQ9MjY0NDkzfENoaWxkSUQ9LTF8VHlwZT0z&t=1. Retrieved 13 May 2016.
Target. 2014f. Target Names Jacqueline Hourigan Rice as Senior Vice President, Chief Risk and Compliance Officer. Target Corporate, November 6, 2014. http://corporate.target.com/press/releases/2014/11/target-names-jacqueline-hourigan-rice-as-senior-vi. Retrieved 23 June 2016.
Target. 2015a. Quarterly Report 10-Q, For the Fiscal Year Ended January 31, 2015 (No. Commission File Number 1-6049). Retrieved from http://investors.target.com/phoenix.zhtml?c=65828&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEwMTQ2Njc4JkRTRVE9MCZTRVE9MCZTUURFU0M9U0VDVElPTl9FTlRJUkUmc3Vic2lkPTU3.
Target. 2015b. Quarterly Report 10-Q, For the Quarterly Period Ended May 2, 2015 (No. Commission File Number 1-6049). Retrieved from http://investors.target.com/phoenix.zhtml?c=65828&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTEwMzA0MDY0JkRTRVE9MCZTRVE9MCZTUURFU0M9U0VDVElPTl9FTlRJUkUmc3Vic2lkPTU3.
United States District Court: District of Minnesota. 2014. In re: Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (PAM/JJK), January 12, 2014. Retrieved from http://cdn.arstechnica.net/wp-content/uploads/2014/12/document4.pdf.
Wahba, P. 2014. Target puts focus back on ‘cheap-chic’ with eye on winning back holiday shoppers, October 21, 2014. http://fortune.com/2014/10/21/target-holiday/. Retrieved 26 April 2016.
Weiss, N.E., and R.S. Miller. 2015. The Target and Other Financial Data Breaches: Frequently Asked Questions. In Congressional Research Service, Prepared for Members and Committees of Congress February, Vol. 4, p. 2015.
Whipp, L. 2015. Target to pay $67 m over Visa data breach. FT.com, August 18, 2015. https://www.ft.com/content/a6b571d8-45c8-11e5-af2f-4d6e0e5eda22. Retrieved 31 July 2016.
Zetter, K. 2014. How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks. WIRED, September 30, 2014. https://www.wired.com/2014/09/ram-scrapers-how-they-work/. Retrieved 12 May 2016.
TEACHING CASE
An IT outsourcing dilemma at Sick Kids Hospital
Ron Babin1 • Mohamed Shazadh Khan1 • Kyle Stewart1
Published online: 16 November 2017
© Association for Information Technology Trust 2017
Abstract This teaching case is based on a true situation at
the Hospital for Sick Children, in Toronto Canada. The
case asks students to either assume the role of the CIO or to
advise the CIO in making a decision to outsource IT at Sick
Kids Hospital. The case requires students to understand
three important issues: First, while health care costs con-
tinue to increase, automation of information is an important
opportunity to streamline patient care and reduce costs in a
hospital environment. Second, IT outsourcing, relying on
external service providers to deliver complex technology
services, is a fundamental business strategy across all
industries and has great potential in the health care indus-
try. Third, hospitals and health care have unique require-
ments for IT outsourcing, particularly the critical
importance of patient data security and privacy.
Keywords IT outsourcing · Hospital information systems ·
Information systems security · Data privacy
Introduction
The Hospital for Sick Children (known as Sick Kids) is a
premier children’s hospital with a global reputation. It is a
tertiary institution, offering a large variety of specialist care
to children afflicted and affected by many serious medical
conditions. Founded in 1875, Sick Kids has grown from a
rented 11-room house to a 370-bed facility that carries out
leading edge pediatric medical research. Currently at Sick
Kids, the projected number of admissions per year is
16,500; the hospital treats over 100,000 patients per year
and has an annual budget of over $500 million.
Sarah began her term as CIO at Sick Kids in the
summer of 2015. After an initial review of the IT assets
including software applications, hardware, networks and
IT management, and professionals, she realized that a
number of critical IT services needed to be upgraded. Her
concerns were reinforced by a number of consulting
studies that had been commissioned prior to her arrival,
which recommended improvements in IT governance and
allocation of IT resources to support the existing systems.
One IT assessment report suggested that due to lack of
processes, multiple platforms, and aging information
technologies, “a much-needed overhaul is required in IT.”
Another consulting study evaluated IT risk and concluded
that five out of seven areas were either medium or high
risk in terms of IT governance. Executive management at
Sick Kids were concerned that IT needed to be improved
and made more secure, to avoid outages and system
failures.¹ The executive management team were interested
in the benefits and costs of outsourcing, and had recently
held a discussion with an external advisor on this topic.
Selected slides from the discussion document are provided
in Exhibit A.
Sarah launched two important IT initiatives late in 2015.
Firstly, requirements were defined in order to issue a
request for proposal (RFP) to replace the core Hospital
information systems (HIS). The RFP was released in
December 2015. By May 2016, the executive team had
selected an external HIS vendor.
¹ In May 2017, computer systems in most UK hospitals under the
National Health Services (NHS) were shut down by a malicious
software attack. The attack gained access through outdated software
running in most of the NHS hospitals. For more information see
https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack.
Ron Babin (corresponding author)
1 Ryerson University, 350 Victoria Street, Toronto, Canada
J Info Technol Teach Cases (2018) 8:81–89
DOI 10.1057/s41266-017-0027-1
Secondly, a key component of the RFP was a request to
operate or host the HIS outside of Sick Kids, in other
words, to outsource the operation of the HIS to an external
service provider. Members of the executive team were
developing an appreciation for outsourcing. The Peo-
pleSoft Financial and HR system had been installed by a
global consulting firm who had then proposed an out-
sourced application management service (see Exhibit B for
details). The HIS represents a healthcare-specific applica-
tion, while the PeopleSoft application is a more general
purpose system that supports organizations in many
industries. Table 1 below provides an overview of the two
systems.
Patient information within the HIS is governed by the
Ontario Personal Health Information Protection Act, which
defines the rules for collection, use, and disclosure of
personal health information. Most jurisdictions have simi-
lar laws in place, such as the Health Information Portability
and Accountability Act in the US and the Data Protection
Act in the UK. Personal information within the HR system
is also protected under government legislation such as
Canada’s Personal Information Protection and Electronics
Document Act.
The executives at Sick Kids expected that outsourcing
would reduce IT costs and improve the overall IT services;
the consulting firm had certainly given the impression to
the executives that IT costs could be significantly reduced.
For these reasons, Sarah realized that she and her IT
management team required a better understanding of the
risks and benefits of outsourcing as well as outsourcing
trends in the hospital and health services industry. She
needed to improve IT’s capability in order to continue
supporting core services and to help the hospital continue
its growth while maintaining its excellent global reputation
as a pediatric hospital. At a time when other hospitals and
large organizations were discussing Digital Transformation,
Sarah needed to improve Sick Kids’ capability to
simply provide reliable IT services and keep the lights on,
and to support Sick Kids’ core services as it continues to
grow.
Healthcare spending growth
With the rising costs and budget restrictions to healthcare,
managers and CIOs of hospitals are always searching for
ways to reduce their costs and find a way to make their
organizations work more efficiently (Roberts 2001).
According to the Canadian Institute for Health Information
(CIHI), the ratio of health expenditures to GDP has
declined from 11.6% to an estimated 10.9% in the period of
2011–2015 (CIHI 2015). Hospital spending growth rate is
at 0.9% as of 2015 which is the lowest it has been since the
1990s (Canadian Institute for Health Information 2015).
Hospital expenditure per capita in Canada has increased by
3.5% throughout the period of 2014–2015 which is putting
a strain on managers and CIOs and forcing them to find
new ways to reduce costs.
According to the Canadian Institute for Health Information
(CIHI), total health expenditure was expected to reach over
$219 billion in 2015. This represents over 10.9% of Canada’s
gross domestic product (GDP).² Despite this share reducing
since 2009, there are still rising costs within the healthcare
sector. Hospitals account for 29.5% of total health spending
which is continuing to grow each year although the pace has
slowed down over the past few years. In fact, hospitals
account for the highest portion of Canadian healthcare
expenditures with Physicians and Prescription Drugs following
behind at 15.5 and 13.3%, respectively. Healthcare spending
is expected to account for $1804 per person in 2015. It is
believed by the Canadian government that “The possibility of
technological change could create cost savings due to process
efficiency or could generate cost increases due to new or
expanded diagnostic services and treatments” (Canadian
Institute for Health Information 2015).
The information systems support category increased
from 1.8% in 1999 to 2.4% in 2008 of hospital expenditures.³
A higher share for systems support may reflect the
increasing complexity and widespread adoption of electronic
systems for clinical records, monitoring, and management
of hospital functions.
The above literature shows that there is a slow increase
in healthcare spending and even in hospital spending itself.
With information support systems rising to 2.4% in 2008 of
hospital expenditures and 60% of the hospital spending
being used to compensate the hospital workforce, there are
potential savings from labor cost reductions for hospital
IS support services. One suggestion for cost savings and
access to skilled information systems support is the
phenomenon of outsourcing.
² See Canadian Institute for Health Information (2015) National
Health Expenditure Trends, 1975 to 2015.
³ See Canadian Institute for Health Information (2012) Hospital Cost
Drivers Technical Report.
Why outsourcing?
Executives typically expect outsourcing of IT services to
reduce costs and improve service through five enablers,
described below.
1. Economies of scale: External service providers are
expected to have sufficient size that allows them to reap
the benefits of the economies of scale, for example in
running telecommunication networks or data centers or
software development centers. The economies of scale
allow a vendor to deliver the IT service at a lower cost
than an in-house IT organization.
2. Economies of skill: Outsourcing vendors focus on a very
narrow range of services and concentrate their human
skill acquisition and development in those areas which
are their core competencies. Their core competencies, a
concept defined in 1990 by Prahalad and Hamel, will be
different than those required in a hospital, or any other
organization (Prahalad and Hamel 1990).
3. Technology exploitation: Many outsourcing vendors are
also technology developers and manufacturers, and are
experts at exploiting ongoing technology innovation.
Moore’s Law, which predicts that the cost of computer
processing continues to decline by approximately 50%
every 18 months, typifies this innovation.
4. Labor arbitrage: Outsource providers are able to move
digital activities to global locations where labor costs
are lower. Thomas Friedman describes the IT labor
arbitrage model in his 2005 book “The World Is Flat”
(Friedman 2005).
5. Transaction cost economics: Ronald Coase defined the
concept of transaction costs in his 1937 paper on “The
Nature of the Firm,” where he proposed that when
market transaction costs for providing services are
lower than internal transaction costs, organizations will
choose to buy from external firms for those services.
Researchers have applied transaction cost economics
(TCE) to the field of outsourcing, notably Bahli and
Rivard (2003), Dibbern et al. (2004), and Ngwenyama
and Bryson (1999).
Outsourcing in health care
For years, healthcare organizations have outsourced non-
core departments such as food service and housekeeping.
Now, managers and health professionals are attempting to
reduce healthcare costs and they are turning to outsourcing
in new ways to obtain high standards of care while keeping
costs low (Moschuris and Kondylis 2006).
Outsourcing can provide hospitals with the ability to
focus on the core competencies and customers. If the
hospitals partner with industry IT leaders, they can achieve
greater efficiencies (Roberts 2001). As outsourcing by
healthcare organizations increases, the potential market of
vendors that can provide these services will also increase
(Burmahl 2001). According to Lorence and Spink (2004), it
is believed that the less the healthcare organizations use
outsourcing, the slower will be the development of indus-
try-wide standards and practices across vendors (p. 132).
Outsourcing can provide lower costs and risks, while
greatly expanding flexibility, innovative capabilities, and
opportunities for creating value-added shareholder returns
(Roberts 2001). Thouin et al. (2009) found under the
transaction cost perspective that IT activities that have
become commodities should be outsourced to improve a
firm’s financial performance. Kern and Willcocks (2000)
slightly agreed that outsourcing is driven by economic
action but that it is embedded within social relations and
organizational strategy. In Menachemti et al.’s (2007)
findings, IT outsourcing was not a cost-lowering strategy
but instead a cost-neutral way for hospitals to implement
an organizational strategy. By contrast, Lorence and
Spink (2004) examined over 16,000 healthcare information
managers’ viewpoints on outsourcing and found that the
top two reasons why they purchase external information
resources were to improve patient care and to save money.
Table 1 An overview of HIS and Financial/HR systems
| | Hospital information system (HIS) | Financial and HR system |
|---|---|---|
| Purpose | Single secure source of information for a patient’s medical care history | Administration of financial and human information |
| Processes & information sets | Patient information system; Prescription history; Operation history; Laboratory information; Radiology information | General ledger; Accounts receivable/payable; Expense reimbursement; Capital projects; Payroll; Benefits management; Pension management |
| Principal users | Physicians; Nursing staff; Clinical staff (radiology, laboratory, pharmacy, etc.) | Corporate managers and supervisors in Finance, Accounting, HR; Departmental managers and supervisors throughout the hospital |
Another advantage is the cost efficiency associated with
outsourcing due to economies of scale and of experience.
Because the outsource provider specializes in IT manage-
ment, it can provide good service levels at lower cost than
the internal IT department (Thouin et al. 2009).
A simplified view of different outsourcing layers or
levels is provided below in Table 2.
The experience of other hospital CIOs
Sarah had the results of an environmental scan which was
conducted in mid-2016 by a team of external consultants,
to understand current IT outsourcing trends in health care.
Semi-structured interviews were conducted with CIOs at
seven local hospitals. There was mixed reaction regarding
outsourcing of applications such as the HIS, which is the
core application at every hospital. Some hospitals maintain
and operate the HIS in-house and had retained staff who
were skilled at maintaining and operating the systems.
Others had outsourced the HIS and were convinced that
retaining current knowledge of the complex technology,
applications, and interfaces was beyond the ability of the
in-house staff.
CIO experiences: motivation for outsourcing
Across all seven interviews, the CIOs commented that
reduced operating cost was not the primary motivation for
outsourcing. The CIOs consistently identified three benefits
of outsourcing: (1) quality and speed of service, (2)
access to skilled resources, and (3) focus of human resources
on strategic activities. Each benefit is described in more
detail below.
1. Quality of service and speed of delivery were the
reasons most cited for outsourcing. One CIO mentioned
that IT infrastructure, which was the most often
outsourced, is a commodity service that vendors have
focused on delivering with a high degree of reliability:
“we plug-in and expect it to light up,” “we don’t
worry about it, it’s a generic resource.”
2. Access to skilled resources. One CIO commented
regarding software outsourcing that it would be
“impossible for my staff to support an immensely
complex software application of six million lines of
code.”
3. By outsourcing generic services, the CIOs are able to
focus their resources on strategic activities within the
hospital: “we didn’t want to be in that [IT] business…
We focus on strategy and architecture, and how to
improve the customer experience”; “focus on developing
relationships with the clinicians” and “new and
innovative use of technologies that are relevant to the
business”; infrastructure “is not my role, my role is to
help the business transform and change.”
CIO experiences: challenges of outsourcing
However, managing an outsourced service does have some
challenges: (1) outsourcing may cost more than in-house
services, (2) external service providers may not be strate-
gic, and (3) additional time is required to manage and
govern the external relationship. These challenges are
described below.
1. Although a few CIOs mentioned that outsourcing will
avoid future costs, for new staff or additional IT
infrastructure, every CIO mentioned that outsourcing
typically costs more than delivering the same service
with in-house resources. One CIO cited a 30% cost
increase for outsourcing. A few CIOs have chosen
selective outsourcing for highly specialized services,
where the financial case can be demonstrated to the
hospital board or when in-house skills cannot be
readily hired.
Table 2 Simplified view of outsourcing levels
| Level | Description | Examples |
|---|---|---|
| 3 | Business processes | Finance and accounting; Payroll |
| 2 | Application software and data | General—office software such as email, word processing, spreadsheets; Industry related—Finance, accounting, payroll; Location specific—Hospital information system |
| 1 | Infrastructure | Servers; Network; Help desk; Device deployment and management (PCs, laptops, phones, tablets) |
2. Outsource providers may not be innovative or strategic,
although they are very good at delivering a well-defined
service such as IT infrastructure. “I have to tell
them what I want” said one CIO, suggesting that the
external service providers are unable to anticipate
future innovation in the hospital sector.
3. Approximately 30% of management time was identified
for ongoing management and governance of the
external providers. One CIO mentioned an outsourcing
contract where the vendor has 16% of total revenue at
risk if it fails to perform. To manage this contract, the
CIO stated: “You have to hold the vendor’s feet to the
fire.”
CIO experiences: lessons learned from outsourcing
In terms of lessons learned, three stand out. First, managing
outsourcing, both internally and externally, takes time and
improves after several generations of contract experience.
Second, the governance of outsourcing is important, and it
requires involvement of the hospital senior executives and
potentially board members. Third, IT Infrastructure is the
most common service to outsource because the services are
more industry generic (e.g. help desk, PC support, network
monitoring) and less specific to a hospital.
What to do?
Sick Kids Hospital is at a turning point. It has recently
decided to acquire and install a sophisticated Health
Information System. It is seriously considering opportuni-
ties to rely on external vendors and outsource some or
major portions of the IT infrastructure operations. The
senior executives are searching for opportunities to reduce
cost and improve IT services, which may be realized
through outsourcing.
Sarah considered her options. Although she knew the
HIS vendor would install and start up the new system, she
had concerns about the long-term support costs, for
example the costs of servers and network within the hospital
as well as the costs of the failsafe mechanisms for
uninterrupted power supply and data redundancy that are
required in the hospital IT environment. She was concerned
about the ability of her staff to become knowledgeable and
capable of supporting and enhancing the software into the
future. This would become increasingly important as doc-
tors relied more heavily on the HIS for patient information,
and as the HIS became the central repository for all elec-
tronic patient data. As well, patient health data were
extremely sensitive, and many laws and regulations were in
place to protect the privacy and security of that data. Sarah
was a doctor herself and understood completely the
importance of the accurate and available electronic patient
information. Her decisions as CIO would have a significant
impact on the ability of her colleagues to deliver the best
care to patients at Sick Kids, as well as protecting Sick
Kids Hospital from significant risk and legal liability.
Apart from HIS, Sarah needed to address software
maintenance requirements for the PeopleSoft Finance and
HR systems: should the IT organization continue to support
these applications or should they outsource to an external
services firm? (Exhibit B provides more details.) Finally,
Sarah needed to address the issues identified in the con-
sulting reports particularly about the multiple hardware
platforms, aging technology, data privacy concerns
regarding patient information, and security concerns
regarding reliable availability of the HIS. Could this be
outsourced to a single vendor and then consolidated to a
more manageable technology infrastructure? She also had
to consider the perspectives of her internal IT Managers;
see Exhibit C for an overview of their concerns regarding
outsourcing.
The CEO had planned an executive retreat later in the
year. One of the agenda items would be the strategy and
direction for the IT department, and the potential to engage
external service providers for more IT work. Sarah began
to prepare a discussion document to answer key questions
for the CEO at the executive retreat. Her presentation had
to set a clear direction for IT outsourcing at Sick Kids
Hospital and had to address three topics:
A. Why would outsourcing of IT services within a
hospital be treated differently than similar IT services
in other organizations, such as a bank, a retail
enterprise, or a government organization? What effect
does this have on the decision to outsource IT services
or retain in-house at Sick Kids Hospital?
B. Assuming all data regulatory requirements can be met,
what are the issues that should be examined by Sarah
and the executive team when deciding to outsource IT
services or retain in-house?
C. What are the risks and opportunities for application
maintenance outsourcing regarding both the HIS and
the PeopleSoft finance and HR systems?
Appendices
Exhibit A: selected slides from executive discussion
on IT outsourcing
Exhibit B
A recent internal analysis that examined options for Peo-
pleSoft Application Management Services (AMS) had
found the following. An AMS proposal had identified costs
of about $1.8 million per year, which would be approxi-
mately three times the current spending on in-house sup-
port for PeopleSoft. The proposal identified staffing levels
from a high of 14.4 FTEs to a steady-state level of 11.5
FTEs, approximately double the current Sick Kids support
staff of 6.8. The proposed AMS would be delivered by a
mix of onshore and offshore personnel based in India.
Table 3 below provides a comparison between the
external benchmark and internal costs. As the table shows,
the external per-FTE costs may range from 1.6 to 1.8 times
the cost of internal AMS.
Exhibit C: a workshop with IT staff at Sick Kids
A workshop was conducted with 12 senior managers of the
Sick Kids (SK) IT organization. The workshop was a
facilitated discussion to capture the perceived risks, chal-
lenges, and obstacles of outsourcing as well as the oppor-
tunities and benefits. Table 4 below presents the summary
comments from the workshop.
A few other interesting points surfaced during the
workshop. Sick Kids IT managers would not like to be at
the ‘bleeding edge’ of technology, but would like to be
abreast of current working technology. Consequently, they
were interested in refresh cycles: how often equipment
and software should be replaced and upgraded. For
Sick Kids, HIS may not yet be a commodity, and the area
of pediatric research, which is ever changing as new
developments and discoveries are made, may not be
suitable for a one-size-fits-all kind of software
commodity.
Table 3 Comparison of internal costs to market costs for PeopleSoft AMS
| | Sick Kids internal | Proposal—high | Proposal—low |
|---|---|---|---|
| Staff (FTE) | 6.8 | 14.4 | 11.5 |
| Total staff cost | $636,000 | $2,433,000 | $1,717,000 |
| Cost per FTE | $93,500 | $169,000 | $149,300 |
| Market cost above Sick Kids | | 1.8 | 1.6 |
Table 4 Outsourcing challenges and opportunities from the Sick Kids management workshop
Risks, challenges, obstacles
• Quality will be compromised as there is no supervisory oversight of resources applied to tasks
• Relationship with client (Clinicians) will not be there in an outsourced environment
• Loss of control
• SK is very early in the OS learning curve, consequently capacity is not there to properly manage outsourced contracts
• RFP for any outsourced item may be deficient as there is not the capacity in-house to ensure that all considerations are taken into account: may result in many changes and hence cost increases
• Outsourcing would necessarily mean a change in the financial structure
• Change management—managing user expectations of what the outsourced environment will eventually become
• The biggest risk is the culture change that would be needed as culture of silos changes to standardized
• OS company may not be fully aware of infrastructure at time of proposal and even during implementation
• Fear of not being able to design a successful governance structure that is appropriate
Opportunities, benefits
• Speed of delivery of services
• Would help to proactively make underlying infrastructure better and closer to leading edge as opposed to having outdated technology
• Easier to scale and expand
• Development of dynamic capacity
• Economies of savings
• Short-term increase in capacity
• Allows in-house resources to focus on value added
• Allows in-house resources to interface more with clinicians/front-end interaction with clients
• Allows for resources to engage in requirements gathering/education
• Standardization
• More availability of resources
• Better equipped for disaster recovery
• Less stress—would be able to sleep at night
• Would be able to stay abreast of technology and data security
References
Bahli, B., and S. Rivard. 2003. The information technology outsourcing risk: a transaction cost and agency theory based perspective. Journal of Information Technology 18 (3): 211–221. doi:10.1080/0268396032000130214.
Burmahl, B. 2001. Making the choice. The pros and cons of outsourcing. Health Facilities Management 14 (6): 16–22.
Canadian Institute for Health Information. 2012. Hospital Cost Drivers Technical Report. Retrieved from https://www.cihi.ca/en/health_costdriver_phys_tech_en.pdf.
Canadian Institute for Health Information. 2015. National Health Expenditure Trends, 1975 to 2015. Retrieved from https://secure.cihi.ca/free_products/nhex_trends_narrative_report_2015_en.pdf.
Coase, R.H. 1937. The nature of the firm. Economica 4 (16): 386–405. doi:10.1111/j.1468-0335.1937.tb00002.x.
Dibbern, J., T. Goles, R. Hirschheim, and B. Jayatilaka. 2004. Information systems outsourcing: a survey and analysis of the literature. SIGMIS Database 35 (4): 6–102. doi:10.1145/1035233.1035236.
Friedman, T. 2005. The World is Flat. New York: Farrar, Straus and Giroux.
Kern, T., and L. Willcocks. 2000. Exploring information technology outsourcing relationships: theory and practice. The Journal of Strategic Information Systems 9 (4): 321–350. doi:10.1016/S0963-8687(00)00048-2.
Lorence, D.P., and A. Spink. 2004. Healthcare information systems outsourcing. International Journal of Information Management 24 (2): 131–145. doi:10.1016/j.ijinfomgt.2003.12.011.
Menachemi, N., J. Burkhardt, R. Shewchuk, D. Burke, and R.G. Brooks. 2007. To outsource or not to outsource: examining the effects of outsourcing IT functions on financial performance in hospitals. Health Care Management Review 32 (1): 46–54.
Moschuris, S.J., and M.N. Kondylis. 2006. Outsourcing in public hospitals: a Greek perspective. Journal of Health Organization and Management 20 (1): 4–14. doi:10.1108/14777260610656534.
Ngwenyama, O.K., and N. Bryson. 1999. Making the information systems outsourcing decision: a transaction cost approach to analyzing outsourcing decision problems. European Journal of Operational Research 115 (2): 351–367. doi:10.1016/S0377-2217(97)00171-9.
Prahalad, C.K., and G. Hamel. 1990. The core competence of the corporation. Harvard Business Review 68 (3): 79–91.
Roberts, V. 2001. Managing strategic outsourcing in the healthcare industry. Journal of Healthcare Management 46 (4): 239–249.
Thouin, M.F., J.J. Hoffman, and E.W. Ford. 2009. IT outsourcing and firm-level performance: a transaction cost perspective. Information & Management 46 (8): 463–469. doi:10.1016/j.im.2009.08.006.
TEACHING CASE
Lessons from attempting to backsource a government IT system
Nicholaos Petalidis1
Published online: 16 November 2017
© Association for Information Technology Trust 2017
Abstract Backsourcing is not a common term and refers to
the process of taking back development of a system that
was previously outsourced. Even though the term is not a
common one, the process that it describes is. Businesses try
to reverse outsourcing and start insourcing all the time. The
process however is not cost free and certainly is not paved
with roses. Herein we report from our own experience of
trying to backsource the development and maintenance of a
large information system, focusing on the technical prob-
lems encountered. The novel aspect of this paper is that it is
one of the few that provide insights into the specifics that
one has to include in any outsourcing contract, for back-
sourcing to be possible.
Keywords Code comprehension · Software maintenance ·
Backsourcing · E-government · Technology management
Introduction
Backsourcing refers to the process of bringing previously
outsourced operations back. Backsourcing occurs when
outsourcing is deemed as unsuccessful, or when a company
wants to take back control of its own operations. Solli-
Sæther and Gottschalk (2015) reported that 34% of the
firms surveyed in the US and Canada had backsourced at
one point. Contrary to what one would expect then, the
literature looking into the problems of this process is scant.
Most of the published literature on the subject, like
Akoka and Comyn-Wattiau (2006), Whitten and Leidner
(2006), or Wong and Jaya (2008), narrowly focuses only
on the reasons behind backsourcing.
Akoka and Comyn-Wattiau (2006) present a framework
to understand the antecedent of backsourcing and clarify
why organisations backsource. Similarly, in Whitten and
Leidner (2006) the factors that are associated with the
decision to backsource or switch vendors are examined.
Similar research is also presented in Wong and Jaya
(2008), which examines the factors that drive organisations
towards backsourcing.
In Solli-Sæther and Gottschalk (2015), a stages-of-
growth model is proposed and it is argued that the constant
move of services from an in-house function to an out-
sourced and offshored function and finally to a backsourced
function is an evolution path and not simply a return to the
beginning.
There are very few studies or case studies that look into
the problems that one can expect when attempting to
backsource: Butler et al. (2011) present a case study of an
organisation that had backsourced its IT department. The
authors look into the different phases of the backsourcing
process, concluding that the research on the transitional
phase from one mode of operation to the other has attracted
little attention so far.
Two case studies of IT backsourcing are also presented
in Kotlarsky and Bognar (2012). One of these studies
looked into the backsourcing of an IT service, whereas the
other one looked into the backsourcing of an IT product
development. The focus of both case studies, though, is the
process through which backsourcing occurred and not the
problems that the projects faced.
Nicholaos Petalidis
1 Department of Informatics Engineering, TEI of Central Macedonia, Serres, Greece
J Info Technol Teach Cases (2018) 8:90–96
DOI 10.1057/s41266-017-0026-2
The challenges of backsourcing information systems in
the case of government organisations are presented in
Samsudin et al. (2012). The study is based on interviews
conducted with government agencies and focuses on the
process that an agency should follow, suggesting that a
knowledge transfer should start at least a year before
the actual backsourcing takes place. Finally, in Nujen
et al. (2015) a specific strategy is suggested to be followed
in order to re-integrate knowledge coming back into
the organisation.
Thus, with the exception of Samsudin et al. (2012)
and Nujen et al. (2015), all of the studies try to answer the
why of backsourcing, providing little insight into the how.
Nujen et al. (2015) on the other hand do not focus on IT-
specific problems, whereas Samsudin et al. (2012) present
findings from information gathered through questionnaires
from external observers.
This report, similarly to Samsudin et al. (2012), also
looks into the case of backsourcing an e-government ser-
vice. However, unlike Samsudin et al. (2012), it is based
on first-hand experience and presents the resultant guide-
lines to help avoid the problem of knowledge re-integration
and increase the chances of backsourcing success.
In the next section, the environment under which the
backsourcing was attempted is described, followed by a
section that presents the backsourcing attempt. Conclusions
are presented in the final section.
Background
Despite the push for the use of open source software in the
public sector during the later years, a large number of
government agencies still base their operations on custom-
made software that is outsourced to private contractors.
The case study in this report focuses on such a government
agency. The agency in question has a multitude of IT
systems, the development and operation of which have
been outsourced. The agency has an IT department, but so
far the department has tackled only the development of
considerably smaller projects.
The particular system to which this case study refers has
been under development for at least a decade. In its current
state, the system consists of a number of PL/SQL databases
and their associated Java-based back end with a Javascript-
based front end. Most of the logic of the system is however
implemented at the database level as stored procedures.
This is typical of many government IT systems, although
the one in question is probably one of the bigger ones in the
Greek public sector. For each new version, more than 3000
tables and 3 million lines of Oracle PL/SQL code are
added, even though it seems that a lot of it is simply copied
and slightly altered from previous years. The system serves
more than six hundred thousand citizens; at its peak it has
around 3000 concurrent users.
Architecturally, it consists of a number of diverse sub-
systems, each related to a specific function in the agency.
The outsourcing process
Each year, a new Request for Tenders (RFT) is issued
asking potential contractors to bid for the maintenance of
previous versions as well as for the development of new
functions required to take into account new government
regulations. The tender also lays down the legal, financial,
and technical framework for the required services.
The outsourcing process starts with the drafting of the
Request for Tenders. Each of the agency’s departments is
asked to fill in the relevant section regarding the new
functionality that will be desired for the next year. It is
quite common that the exact requirements for the next
year’s version are not known, mainly because the legisla-
tion is not ready yet, so in most cases the requirements are
quite vague, e.g. “The software must conform to the directive
XXX.” On the one hand, having too generic a description
makes the process of cost and time estimations difficult; on
the other hand, having overspecified the requirements
might create problems if the final version of legislation
differs from the initial.
Once the functional requirements are gathered, one or
more software engineers are tasked with completing the
tender with non-functional requirements such as the system
architecture, adherence to standards, mode of delivery, and
training requirements. As a matter of fact, the list of such
non-functional requirements is longer than the one of the
functional requirements.
Quite often, however, the non-functional requirements
are routinely copied from the previous year’s tender to the
current year’s tender, given that not a lot changes in these
areas. The non-functional requirements typically include
generic statements such as
The system must be parameterisable, modular and of
an open architecture.
The tender also tries to make clear that any source code
developed for the project is owned by the agency and not
by the contractor. To this end, statements such as the
following are included in the tender:
For any modification to the system, the source code
should be delivered to the agency. The source code is
property of the agency. Any modifications will be
accompanied by associated documentation describing
the implemented functionality, the data structures and
its dependence on other parts of the system.
The general understanding in this and other tenders as
mentioned later is that ownership of source code ensures
that the agency is not tied to any particular vendor for
maintenance or extensions of the system in the future.
A committee is responsible for making sure that all the
requirements laid out in the tender, as well as the signed
agreement, are met. The committee usually consists of
people from the departments that will be using the system
as well as at least one from the agency’s IT department.
At predefined points in time, the contractor submits the
required artefacts and the committee ensures that they are
according to standards. When the software is finally
delivered, the committee’s focus is usually on ensuring that
it conforms to its functional requirements. After all, the
running software is the artefact to watch for. From our own
experience, other artefacts like documentation or source
code were noted but were rarely examined with respect to
their quality or usability.
During the system’s development, there is a close co-
operation between the agency’s departments and the con-
tractor in order to lay down the specific functional
requirements. The agency’s IT department has a small part
in this, as most requirements are communicated directly
from each of the departments to the contractor in various
forms: Word documents and e-mails, which are a common
form of requirement exchange. An issue-tracking system is
in place but not always used.
Outsourcing perceptions
The process that was described previously is not unique,
but it is similar to the way outsourcing takes place in many
government agencies. As a matter of fact, we have
reviewed five more requests for tenders, published by
various agencies of the Greek public sector. The main
procurement requirement for all of them was the devel-
opment of a software system and a total budget that
amounted (for the five of them) to more than 11,000,000,
i.e. they were large and complex systems. They all con-
sisted of multiple subsystems and had to be integrated with
existing systems. Moreover, they required the contractor to
pass ownership of the source code developed for the pro-
ject to the procuring agency.
The tenders were about projects from different services in
the public sector, handling different problems: These ranged
from information systems handling digitisation and encod-
ing of rules for managing Social Security benefits, to Man-
agement Information Systems and workflow management.
In all of these tenders there is a common pattern:
• The contractor is responsible for drafting the require-
ments document.
• The main documentation required by the contractor as
far as the system’s design is concerned is an ER
diagram (or class diagram in some cases).
• In all of the calls, there is a requirement for a modular
solution but this seems to refer to the communication of
the system under development with the rest of the
agency’s systems. For this reason, all calls require
adherence to the Greek e-Government Interoperability
Framework (see http://www.e-gif.gov.gr/portal/page/portal/egif/)
or the more abstract European Interoperability
Framework, which describe, among other things,