Tuesday, September 27, 2011

Conficker Worm - Interview with Mark Bowden

Good interview that provides an overview of the Conficker worm and the fragility of the Internet.

It's Difficult to Assess Student Writing

For the past year I've participated on my university's assessment committee. Although most universities struggle with assessment, I think my university has some unique challenges. My university is currently upper division, possibly the only university left that begins at the junior level (although we're just beginning a year-long campus debate over the merits of becoming a 4-year institution). The university's regional accrediting organization recently told us that we are still responsible for undergraduate student learning outcomes such as writing, critical thinking, etc.

To begin, the assessment committee took a commonly used rubric from AAC&U and first decided to use the rubric to assess a small sample of student papers from different disciplines such as education, English, psychology, and business. As a business professor I found the task intriguing but difficult. I am not a writing professor and found it impossible to distinguish between criteria such as understanding audience vs. context vs. purpose vs. task vs. focus. It was a bit easier to assess content development and content syntax/usage/mechanics. It was interesting and challenging to assess quality and quantity of sources used for a personal reflection paper such as a student's philosophy of teaching statement.

Assessment is an uncomfortable and humbling process. When working with my peers from my own college and also from other disciplines including English (literature and composition), nursing, psychology, chemistry, and business, we all expressed the same concerns about rating the papers totally differently from the others. The papers were anonymous, but it was easy to figure out a paper was from an English course when it connected everything to Wuthering Heights. I was a bit nervous that my ratings would reveal that I am either a pushover, too tough, or, more worrisome, an incompetent instructor.

One of the papers was a competitive analysis of a specific industry, and I rated it as fairly well written across all criteria, addressing each of Porter's competitive forces. At least one rater assessed it as totally unacceptable on most criteria. I am most comfortable in providing students with feedback on executive summaries, memos, white papers, case analyses, project proposals, RFPs, requirements documentation, or pure academic research papers.

To be continued...

Security Expert: U.S. 'Leading Force' Behind Stuxnet [NPR]

One year ago, German cybersecurity expert Ralph Langner announced that he had found a computer worm designed to sabotage a nuclear facility in Iran. It's called Stuxnet, and it was the most sophisticated worm Langner had ever seen....

Click for full article: Security Expert: U.S. 'Leading Force' Behind Stuxnet : NPR

Saturday, September 24, 2011

Usernames Continued: Universities and FERPA

In my previous post I discussed usernames and their role in the authentication process. Systems in a university setting have similarities with those of any organization but face different regulatory requirements. Before Federated Identity Management (FIM) or Single-Sign-On (SSO), many universities used the SSN or a student ID as a username to access some systems on campus. Using an ID# or personal PIN# was probably not a good idea, since some university departments may also have used the SSN or student ID to authenticate students, much as a password is used in other instances, in order to access student records.

In addition, the Family Education Records Privacy Act (FERPA) helped push universities away from using confidential information such as the SSN as a student ID or username. FERPA is the federal law that protects certain pieces of student records from being made public without student consent. For example, faculty are no longer allowed to post a list of student grades attached to their SSN, as was common in the past. But student email accounts are not protected by FERPA, as they are considered "directory information". For campuses with FIM or SSO systems, the email would likely be the same as the username and therefore also be made public. Students do have the option to make any of their "directory information" confidential if they choose.

Thursday, September 8, 2011

Are Usernames Supposed to be Private?

A common misperception is that system usernames are always meant to be private. In most cases, usernames are not meant to be private, and I would argue that in many cases in which they are meant to be private, the people designing the access control and authentication systems may have made a mistake. A username is part of the identification & authentication process. The ID (e.g., username) is authenticated or verified through correct entry of at least one private piece of information, such as a password, and sometimes additional authentication factors: something the user knows (password/challenge question), has (key card/security token), or is (biometric such as fingerprint or retina scan).
[Tip: Use a strong password.]

Think about your workplace account. Most organizations now have single-sign-on (SSO) systems that allow you to log in to multiple systems with the same username and password. The username is typically the first part of the email address or the email address in its entirety. Most organizations assign an email/username rather than allow employees to choose their own, so that a naming convention can guarantee unique account names. But if you know the basic naming convention for an email, which includes a person's name or initials, then you will likely be able to determine anyone else's email address in the same organization if you know an individual's name, and thus you will know the username as well.

Problems may occur if an organization allows the user to choose the username, or if the naming convention used to create a username includes some information that should remain confidential. In the past it was more common for a username to include or be one's social security number, bank account number, or student ID number. An SSN or similar identifier should not be used as a username when it may also be used in a different setting to authenticate someone in a way similar to a password.
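
The check this post and the "Usernames Continued" post above argue for, sketched as an added example that is not part of the original posts: audit an account export for usernames that contain an SSN-shaped value or embed the account's own student ID. The record fields (`username`, `student_id`) and all sample rows are constructed for illustration.

```python
import re

# SSN-shaped value: 3-2-4 digits with optional dash/dot/space separators,
# not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-. ]?(\d{2})[-. ]?(\d{4})(?!\d)")

def looks_like_ssn(area, group, serial):
    """Structural SSN rules: area is not 000, 666 or 9xx; group is not 00; serial is not 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def audit_username(username, confidential_ids=()):
    """Return reasons why a username exposes an identifier that may double as an authenticator."""
    findings = []
    if any(looks_like_ssn(*m.groups()) for m in SSN_RE.finditer(username)):
        findings.append("contains SSN-shaped value")
    digits = re.sub(r"\D", "", username)
    for label, value in confidential_ids:
        wanted = re.sub(r"\D", "", value)
        # Ignore very short IDs: they would match almost any numbered username.
        if len(wanted) >= 4 and wanted in digits:
            findings.append(f"embeds {label}")
    return findings

def audit_directory(accounts):
    """Map each flagged username to its findings; clean usernames are omitted."""
    flagged = {}
    for acct in accounts:
        ids = [("student_id", acct.get("student_id", ""))]
        findings = audit_username(acct["username"], ids)
        if findings:
            flagged[acct["username"]] = findings
    return flagged

# Constructed sample export (hypothetical field names and values).
SAMPLE_ACCOUNTS = [
    {"username": "jsmith", "student_id": "S-20481137"},       # name-based: fine
    {"username": "123-45-6789", "student_id": "S-88120045"},  # SSN used as username
    {"username": "s20481137", "student_id": "S-20481137"},    # student ID reused
    {"username": "mlee2011", "student_id": "S-30577421"},     # year suffix: fine
]

if __name__ == "__main__":
    for name, reasons in audit_directory(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Name-based usernames pass even though they are guessable, which matches the post's point: the username is an identifier, and only values that also serve as a secret elsewhere are a problem.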

Wednesday, April 20, 2011

Should you email your cubicle neighbor?

From ISACA CEO, Susan M. Caldwell:

I recently read some interesting rules about e-mailed communication. They were suggested by D. Mark Schumann, chair of the International Association of Business Communicators. He calls these his “three e-mail rule”:

1. You should exchange only three e-mails with anybody on a single topic. If you haven’t resolved the issue after three e-mails, you should have an actual conversation.

2. You should copy only three people on any e-mail. If you need to copy more, you should have a meeting.

3. If you are in the same office with someone and that person is less than three feet or three floors away from you, you should talk with them in person or call them. The same applies if you are not in the same office, but the person is less than three hours away from you.


By the way, the Information Systems Audit and Control Association (ISACA) is an excellent organization!

Tuesday, April 19, 2011

FREE MIS Textbooks for Students

Flat World Knowledge and others have ‘open education resources’ (i.e., free) for some formats of the books. The site also has a list of universities that have adopted the book. For those teaching a core Information Systems course, I encourage you to review Information Systems: A Manager’s Guide to Harnessing Technology, by John Gallaugher: http://www.flatworldknowledge.com/printed-book/227252

The benefit is the price (free for students if read online) and availability of multiple formats for students. The book has exam/quiz supplements in Blackboard format as well as Powerpoint presentations. It may be an option to help reduce the cost of textbooks for students if the quality is reasonable. From what I can see the book is continuously being updated and quality is good.

Pricing for Books at Flat World Knowledge:
  • Read Online - FREE
  • Hard Copy (Color) - $69
  • Hard Copy (Black & White) - $35
  • Download a PDF to Read Offline and/or Print Yourself - $25
  • Audiobook - $40
  • Ebook (Kindle, Nook, iPad) - $25

I’m not opposed to textbooks from traditional publishers, but in the courses that may require multiple texts, I’m a proponent of finding inexpensive or free materials for students at least for some of those required texts, given they’re of similar quality and based on the purpose of the text for use in the course.

Thursday, March 24, 2011

Is the CIO the highest ranking IT executive in a company?

InformationWeek generates an annual list of 500 of the "nation's most innovative IT organizations, providing a unique opportunity to understand and examine the business practices of these firms across core areas of operations, including, technology deployment, IT budgets, business-technology infrastructure, and IT strategies" (IW500 FAQs). Although the IW500 collects a great deal of benchmark data I only took the publicly available (i.e. free) demographic information from the 2010 list and put the data in a spreadsheet.

Although the basic methodology for determining the IW500 may have weaknesses, the data still provides a useful snapshot of the current state of IT governance across industries. The variables include the organization name, industry, name of the 'highest IT executive' in the company as well as the title of the highest IT executive. I did a simple text analysis of the titles to determine how many companies identified their highest IT executive as someone holding the title of Chief Information Officer. Of the 500 companies on the list, 386 (77.2%) included CIO as one of the titles of the highest ranking IT executive. Some organizations listed other C-level executives or joint titles including CTO, CFO, VP for Information Technology, and even CEO. See the chart I created that breaks down the number of companies on the list by industry. For the 114 companies that included someone other than a CIO as the highest ranking IT executive, it remains unclear whether or not those organizations have a CIO at a lower level in the company. View or download the Google Spreadsheet I created for additional data [1=Yes; 0=No].

Sunday, January 23, 2011

Dharavi Slum Tour in Mumbai

One of the best experiences of my trip to India was a tour of the Dharavi Slum in Mumbai (by Reality Tours). The guy giving our tour was a college student who grew up and still lives in one of the other Mumbai slums. asked that we not take photos on the tour, but you can view some photos here, here, here, and here. A few scenes from Slumdog Millionaire were filmed in Dharavi.

Saturday, January 22, 2011

Tenure Portfolio Submitted... It's time to party!

I submitted my Tenure portfolio to the Dean's office yesterday at 4:45 PM (due by 5PM), and it was a weight lifted off my shoulders. I think if I would have had the weekend to complete work on it I would have continued to work up to the last minute. I think it may be my education courses that emphasized portfolios, organization, etc., so I like to have them well organized. I am confident in the work I included in my portfolio. My Statement of Accomplishments is likely way too lengthy, and I am sure I could have added more supporting documents for teaching, research or service, but I tried to be as concise as possible.

The past two weeks have been even crazier than normal. As soon as I returned from India our college faculty had an Assurance of Learning Retreat and an Online Teaching workshop. I had to prepare for my online course to make sure it was ready for Tuesday's first day of class, and then there are those other two classes I teach. At the same time my tenure portfolio was due on Friday. Needless to say I breathed a huge sigh of relief yesterday afternoon at 5 PM. During this process I have been very thankful for a supportive division chair and dean. A small amount of encouragement and positive feedback goes a long way. I need to remember to do the same as an instructor.

Thursday, January 13, 2011

India 2010-2011

India iphone pics

India Trip...

My India trip was an amazing experience. I am very fortunate to have had the opportunity to visit India with a group of other faculty from different parts of the US, Canada, and Australia. It helped that three of those faculty are originally from India and provided even greater insight into our experience.

For more information visit the PDIB India site, hosted by Florida International University.