<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Brian Zaugg Information Technology Consultant &#187; Blog</title>
	<atom:link href="http://www.bzaugg.com/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bzaugg.com</link>
	<description>Information Technology and Security Consultant</description>
	<lastBuildDate>Sun, 20 Mar 2011 18:38:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Whistleblowers</title>
		<link>http://www.bzaugg.com/2010/10/whistleblowers/</link>
		<comments>http://www.bzaugg.com/2010/10/whistleblowers/#comments</comments>
		<pubDate>Wed, 13 Oct 2010 18:30:21 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[whistleblowers]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=299</guid>
<description><![CDATA[Many industries are reporting increasing numbers of whistleblowing incidents. The medical industry in particular faces a heightened risk of whistleblowing because of the extent of medical fraud, because medical abuse often targets victims when they are most vulnerable, and because medical fraud can result in serious harm or loss of life. Businesses and professionals within the medical industry must understand the laws governing medical fraud and abuse and the protections available to whistleblowers. In particular, the federal False Claims Act protections for whistleblowers are particularly strong, and those wishing to expose fraudulent activity may do so under the umbrella of these extra protections.]]></description>
<content:encoded><![CDATA[<p>Many industries are reporting increasing numbers of whistleblowing incidents. The medical industry in particular faces a heightened risk of whistleblowing because of the extent of medical fraud, because medical abuse often targets victims when they are most vulnerable, and because medical fraud can result in serious harm or loss of life. Newbold and Sullivan (2008) report that medical fraud is on the increase and, “medical fraud or abuse approaches 10% of all health care expenditures, or roughly $100 billion dollars” (p. 21). Businesses and professionals within the medical industry must understand the laws governing medical fraud and abuse and the protections available to whistleblowers. In particular, the federal False Claims Act protections for whistleblowers are particularly strong, and those wishing to expose fraudulent activity may do so under the umbrella of these extra protections.</p>
<p>Medical professionals are often reluctant to expose fraudulent activity. Appelbaum, Grewal, and Mousseau (2006) cite research by Firth-Cozens from 2003:</p>
<p style="padding-left: 30px;">The rationales doctors gave for not reporting were “that it would be impossible to prove, feared retribution, didn’t want to cause trouble, wouldn’t have been listened to, and no one would support me.” The reasons nurses did not report “was fear of retribution, wouldn’t have been listened to, didn’t want to cause trouble, impossible to prove and no one would support me.” For those doctors and nurses who had not contemplated whistle blowing [hypothetical causes] were “that it would be impossible to prove, …not sure if they were right, and that they would be hurting a colleague.” (p. 8)</p>
<p>Fears of retaliation are not unfounded. Smith (2007) presents journalistic evidence of retribution against physicians who report “unsafe conditions or a colleague’s poor work in their hospitals” (p. 45). Smith goes on to present the results of a 1998 survey in which 15% of emergency room physicians who reported substandard care were terminated (p. 45).</p>
<p>The primary legal instrument used by the Department of Justice for investigating medical fraud and abuse is the False Claims Act (FCA) (Newbold and Sullivan, p. 21). According to Newbold and Sullivan, “the False Claims Act covers virtually all forms of fraudulent behavior except tax fraud” (p. 22). Recognizing the challenges associated with protecting whistleblowers and the fact that serious frauds often require a whistleblower to be detected, the FCA includes special protections known as the qui tam provisions. “Qui tam is short for “qui tam pro domino rege quam pro se ipso in hac part sequitur”, which is Latin for “he who brings the action for the king as well as himself” (Newbold and Sullivan, p. 22). As Newbold and Sullivan explain, “When a private citizen files a qui tam case, it is submitted as a “sealed document” (that is, not to be seen by anyone but the claimant and the government) to the Department of Justice” (p. 22). By enabling private citizens to file suits on behalf of the federal government and with strong protections for claimant confidentiality, the government hopes to encourage participation in “its battle on fraud” (p. 21).</p>
<p>Schreiber and Marshall (2006) provide generic best practices for mitigating whistleblower risks across the following categories:</p>
<ul>
<li>Reporting complaints</li>
<li>Conducting the investigation</li>
<li>Protecting privacy</li>
<li>Preventive measures</li>
</ul>
<p>For medical businesses seeking to mitigate the risks of fraud, abuse, and legal action brought under the FCA, Schreiber and Marshall’s best practices may be combined with Newbold and Sullivan’s recommendations: training employees, having written policies and procedures, maintaining a disclosure program, and conducting internal compliance audits (p. 24). In addition, medical businesses must understand that the FCA’s qui tam provisions mean that the claim will be sealed and many of the details will be kept confidential. In such situations, effective internal policies and controls will enable the business to respond to the claim; ineffective internal policies and controls will plunge the business into serious legal and regulatory difficulties.</p>
<p>References</p>
<p>Appelbaum, S. H., Grewal, K., &amp; Mousseau, H. (2006). Whistleblowing: International implications and critical case incidents.<em> Journal of American Academy of Business, Cambridge, 10</em>(1), 7. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1061620821&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1061620821&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Newbold, J., &amp; Sullivan, L. (2008). Odyssey healthcare: A department of justice investigation related to the false claims act.<em> Journal of the International Academy for Case Studies, 14</em>(7), 11. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1493109981&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1493109981&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Schreiber, M. E., &amp; Marshall, D. R. (2006). Reducing the risk of WHISTLEBLOWER COMPLAINTS.<em> Risk Management, 53</em>(11), 42. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1164965031&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1164965031&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Smith, W. R. (2007). Pseudoevidence-based medicine: What it is, and what to do about it.<em> Clinical Governance, 12</em>(1), 42. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1198553061&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1198553061&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/10/whistleblowers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Outsourced Liability</title>
		<link>http://www.bzaugg.com/2010/10/outsourced-liability/</link>
		<comments>http://www.bzaugg.com/2010/10/outsourced-liability/#comments</comments>
		<pubDate>Wed, 06 Oct 2010 20:17:24 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[outsourcing]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=297</guid>
<description><![CDATA[Unfortunately, many businesses fail to properly understand and plan for the risks associated with outsourcing. Federal and state laws governing financial accountability and the handling of personal data do not, in general, allow liability to be outsourced. As a result, businesses may find that controls have been outsourced, but not liability for the failure of those controls. ]]></description>
<content:encoded><![CDATA[<p>The practice of outsourcing information technology and information security projects in order to reduce operational costs is common. Hall and Liedtka (2007) describe the rationale behind outsourcing decisions, “If successful, IT outsourcing allows client-firm management to focus on core business competencies, while the vendor manages the many non-core IT support and compliance functions” (p. 97). Unfortunately, many businesses fail to properly understand and plan for the risks associated with outsourcing. Federal and state laws governing financial accountability and the handling of personal data do not, in general, allow liability to be outsourced. As a result, businesses may find that controls have been outsourced, but not liability for the failure of those controls. As Hall and Liedtka explain,</p>
<p style="padding-left: 30px;">Specifically, large-scale IT outsourcing increases the risk that top management and boards of directors will be unable to fulfill their oversight duties; that firms will employ ineffective internal controls over financial statements; that financial reports will be inaccurate and/or misleading; and that firms will fail to protect shareholder wealth. (p. 97)</p>
<p>Businesses engaging in IT outsourcing may find themselves held liable for actions taken by the contracting firm.</p>
<p>The credit card company Visa USA found itself in exactly this position in 2005. Visa had outsourced credit card data processing to CardSystems Solutions. As Rustad and Koenig (2007) explain, “Cybercriminals used a computer virus to gain illegal access to CardSystems Solution’s computer system in order to steal 40 million credit card users’ personal data” (p. 3). When a class action lawsuit was brought against CardSystems Solutions, Visa was also named as a defendant. Outsourcing the card processing operation did not protect Visa from liability for CardSystems Solutions’ mishandling of data that Visa had provided. Visa’s defense rested on the contention that, as David Bank reported in his 2005 Wall Street Journal article “Security Breaches of Customers’ Data Trigger Lawsuits,” “CardSystems Solutions Inc. violated Visa’s standards for holding card data.” However, the class-action allegations against Visa and the dispute over CardSystems Solutions’ contractual obligations could only be resolved through costly legal proceedings that undermined the value of the original outsourcing agreement and further highlighted the risks associated with outsourcing. Although the class-action lawsuit was eventually dismissed, Visa incurred significant legal costs and negative publicity as a result of the outsourcing.</p>
<p>Businesses choosing to outsource must put strong controls in place to ensure that significant risks are avoided. The risks associated with outsourcing can be substantial, and Rustad and Koenig argue that the trend toward lawsuits and related risks is increasing: “Unless US companies voluntarily police the security practices of Third World back-office operations, they will face a litigation nightmare over data leakages. The coming wave of negligent entrustment lawsuits threatens the future of the back-office industry throughout the world” (p. 5). Although Rustad and Koenig are discussing global outsourcing, the statement applies to all outsourcing arrangements.</p>
<p>References</p>
<p>Bank, D. (2005, July 21). Security breaches of customers’ data trigger lawsuits.<em> Wall Street Journal</em>. Retrieved from http://online.wsj.com/article/0,,SB112190567640291593,00.html</p>
<p>Gorla, N., &amp; Mei, B. L. (2010). Will negative experiences impact future it outsourcing?<em> Journal of Computer Information Systems, 50</em>(3), 91-101. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&amp;db=bth&amp;AN=49548282&amp;site=ehost-live&amp;scope=site</p>
<p>Hall, J. A., Liedtka, S. L., Gupta, P., Liedtka, J., &amp; Tompkins, S. (2007). The Sarbanes-Oxley Act: Implications for large-scale IT outsourcing.<em> Communications of the ACM, 50</em>(3), 95-100. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&amp;db=bth&amp;AN=24209679&amp;site=ehost-live&amp;scope=site</p>
<p>Rustad, M. L., &amp; Koenig, T. H. (2007). Negligent entrustment liability for outsourced data.<em> Journal of Internet Law, 10</em>(10), 3-6. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&amp;db=bth&amp;AN=24619583&amp;site=ehost-live&amp;scope=site</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/10/outsourced-liability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Theft Regulation</title>
		<link>http://www.bzaugg.com/2010/09/identity-theft-regulation/</link>
		<comments>http://www.bzaugg.com/2010/09/identity-theft-regulation/#comments</comments>
		<pubDate>Wed, 29 Sep 2010 18:45:35 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=295</guid>
		<description><![CDATA[The federal government has enacted several laws aimed at improving protections related to identity theft. Many states have also taken legislative action regarding identity theft protections. Businesses are faced with the challenges of understanding and following federal and state laws in order to ensure customer and employee information is protected.]]></description>
<content:encoded><![CDATA[<p>Identity theft is a growing and pervasive type of crime that is particularly insidious because the victim must spend months or years recovering from and repairing the damage. As Holtfreter and Holtfreter (2006) explain, “identity theft, also known as identity fraud, refers to all types of crime in which someone wrongfully obtains and uses another individual’s personal data in a way that involves fraud or deception, typically for economic gain (United States Department of Justice, 2005)” (p. 57). The problem of identity theft has an impact on businesses as well as individuals. As Deybach (2007) states,</p>
<p style="padding-left: 30px;">As identity theft continues to grow as a crime and a social, financial and security concern, questions of liability become more crucial. In light of the criminal and social considerations, the litigious environment of the United States, and existing and emerging laws concerning corporate responsibility for the protection of personal data, commercial entities have begun to take actions of their own to protect the data of their customers and, increasingly, their employees. (p. 14)</p>
<p>The federal government has enacted several laws aimed at improving protections related to identity theft. Many states have also taken legislative action regarding identity theft protections. Businesses are faced with the challenges of understanding and following federal and state laws in order to ensure customer and employee information is protected.</p>
<p>At the federal level, three laws are principally involved: the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), and the Identity Theft Penalty Enhancement Act (ITPEA). FACTA amends and extends the FCRA specifically in the area of identity theft protection, while ITPEA amends the federal criminal code to increase the penalties for identity theft, adding the offense of aggravated identity theft. FACTA provides several regulatory requirements aimed at reducing identity theft. Specifically,</p>
<p style="padding-left: 30px;">The purpose of the FACTA is to ‘amend the Fair Credit Reporting Act (FCRA), to prevent identity theft, improve resolutions of customer disputes, improve the accuracy of consumer records (and), make improvements in the use of, and consumer access to, credit information.’ (One Hundred Eighth Congress of the United States of America, 2003) (Holtfreter and Holtfreter, 2006, p. 57)</p>
<p>Holtfreter and Holtfreter describe the major enhancements provided by FACTA,</p>
<ul>
<li>national fraud alert systems;</li>
<li>truncation of credit and debit card receipts;</li>
<li>“Red flag” indicators of identity theft;</li>
<li>information sharing by debt collectors and creditors with identity theft victims;</li>
<li>identity theft account blocking;</li>
<li>keeping fraudulent debt from being transferred or reported. (pp. 57–58)</li>
</ul>
<p>For businesses operating in the financial and banking industries and subject to FACTA, the implication is that regulators will require demonstrable measures to comply with these new requirements. FACTA may mean, for example, point-of-sale and billing systems that identify credit and debit card numbers and truncate them before a receipt is printed. FACTA pre-empts some state laws, so businesses in Texas, California, and Massachusetts may find a lessened legal burden (p. 63).</p>
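<p>The receipt truncation requirement above is one of the few FACTA provisions that maps directly onto code. The following is an added example written for this post, not code from the original article or from any of the cited authors. It assumes FACTA’s rule that a cardholder receipt may carry at most the last five digits of the card number and no expiration date, and it keeps four digits as is common practice. The function and variable names are hypothetical, the receipt text is constructed for the example, and the card numbers are the standard Luhn-valid test numbers that are never issued to a cardholder. The Luhn check is what keeps the redactor from mangling order numbers or other long digit runs that are not card numbers.</p>

```python
"""Truncate payment card numbers (PANs) before a receipt is printed.

Added example (not the original post's code). Detects candidate card
numbers in free-form receipt text, confirms them with the Luhn mod-10
checksum so that order or phone numbers that happen to be long digit runs
are left alone, keeps only the last four digits, and blanks expiration
dates. The sample receipt is constructed for this example; the card
numbers are standard Luhn-valid test PANs, not issued to anyone.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded inside a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Expiration date fields as commonly printed ("EXP 09/12", "Expires: 11/2013").
# FACTA also forbids printing the expiration date on the cardholder copy.
_EXPIRY = re.compile(r"(?i)\b(exp(?:iry|ires|\.)?\s*:?\s*)\d{2}/\d{2,4}")

# Constructed sample receipt: one Visa test PAN, one Mastercard test PAN,
# and a 14-digit order number that is NOT Luhn-valid and must survive intact.
SAMPLE_RECEIPT = """\
ACME PHARMACY   ORDER 20100929000123
VISA 4111 1111 1111 1111  EXP 09/12
MC   5555-5555-5555-4444  Expires: 11/2013
TOTAL $42.17
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 4, mask: str = "*") -> str:
    """Mask all but the last `keep` digits of a PAN, preserving separators.

    `keep` is capped at 5 because FACTA permits at most the last five
    digits on a cardholder receipt (assumption stated in the lead-in).
    """
    if not 1 <= keep <= 5:
        raise ValueError("keep must be between 1 and 5")
    digits_seen = sum(ch.isdigit() for ch in pan)
    to_mask = digits_seen - keep
    out = []
    for ch in pan:
        if ch.isdigit() and to_mask > 0:
            out.append(mask)
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def redact_receipt(text: str) -> str:
    """Return receipt text with Luhn-valid PANs truncated and expiry dates blanked."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_valid(digits):
            return truncate_pan(candidate)
        return candidate        # not a card number; leave it untouched
    text = _PAN_CANDIDATE.sub(_replace, text)
    text = _EXPIRY.sub(lambda m: m.group(1) + "**/**", text)
    return text


if __name__ == "__main__":
    print(redact_receipt(SAMPLE_RECEIPT))
```

<p>Running the module prints the sample receipt with both card numbers reduced to their last four digits and both expiration dates blanked, while the order number on the first line is untouched because it fails the Luhn check. In a real point-of-sale system the truncation belongs at the point where the receipt is rendered, so that the full PAN never reaches the printer buffer or any receipt log.</p>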
<p>At the state level, there is significant variation in the extent of legal requirements. California, for example, has extensive consumer protections spread across several laws, including breach notification and data protection requirements for both financial and medical records. Other states, such as Arizona, impose far fewer requirements beyond those of applicable federal law. California and Massachusetts are considered to have the most stringent breach notification and data protection laws. Businesses operating within these states can expect to implement significant internal controls, including data encryption, access controls and audit logging that provide traceability for access to confidential information, and notification of consumers and state authorities in the event of a security breach or unauthorized data access.</p>
<p>Identity theft is a growing problem. Businesses must take pro-active measures to ensure that risks and liabilities associated with identity theft and related security incidents are minimized. As Deybach states,</p>
<p style="padding-left: 30px;">Many of the corporate risks associated with identity theft can be mitigated by the development and implementation of sound policies, systems and procedures. Others will ultimately become matters for the courts. (p. 17)</p>
<p>Understanding statutory and regulatory requirements and complying with applicable federal and state laws is an important aspect of mitigating these risks for any business.</p>
<p>References</p>
<p>Deybach, G. (2007). Identity theft and employer liability.<em> Risk Management, 54</em>(1), 14. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1195022681&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</p>
<p>Holtfreter, R. E., &amp; Holtfreter, K. (2006). Gauging the effectiveness of US identity theft legislation.<em> Journal of Financial Crime, 13</em>(1), 56. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=994688151&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/09/identity-theft-regulation/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The Effect of Finance on Security</title>
		<link>http://www.bzaugg.com/2010/09/the-effect-of-finance-on-security/</link>
		<comments>http://www.bzaugg.com/2010/09/the-effect-of-finance-on-security/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 19:15:56 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=293</guid>
		<description><![CDATA[Finance plays a crucial role in the development and operation of an effective and efficient information security (IS) program. On one hand, the role of finance in security relates to expenditures and business priorities. ]]></description>
<content:encoded><![CDATA[<p>Finance plays a crucial role in the development and operation of an effective and efficient information security (IS) program. On one hand, the role of finance in security relates to expenditures and business priorities. As Gordon and Loeb (2002) explain,</p>
<p style="padding-left: 30px;">To protect the confidentiality, integrity, and availability of information, while also assuring authenticity and non-repudiation, organizations are investing large sums of money in IS activities. Since security investments are competing for funds that could be used elsewhere, it’s not surprising that CFOs are demanding a rational economic approach to such expenditures. (p. 26)</p>
<p>On the other hand, finance represents a significant target for attackers and a strong influence on the business’ security culture. As Spontak (2006) states,</p>
<p style="padding-left: 30px;">These are the non-technical elements that speak to the heart of the organization and influence people’s behavior: the business culture, policies and procedures, separation of duties and security awareness. The financial executive can exert considerable influence in these areas and become an important part of the organization’s security arsenal. (p. 51)</p>
<p>From either point of view, finance plays a critical role in information security. Unfortunately, information security is often focused on technical issues and does not incorporate business factors that matter to finance into risk analyses.</p>
<p>Salmela (2008) evaluates the use of business process analysis (BPA) to improve the assessment of information security availability risks by incorporating business losses, a measure that finance understands well. Salmela uses action research to evaluate BPA as a way of incorporating business losses into IS risk assessments at two companies: a paper mill and a credit card department. Salmela found that using BPA increased participants’ awareness of security-related business losses. Salmela concludes that the problem is complex and that more research is needed,</p>
<p style="padding-left: 30px;">For years, such managers and researchers have been aware of the significant negative effect that computer problems can have on business operations. Still, this effect has often been considered as complex and difficult to analyse. The findings herein – that business process analysis can be used to systematically assess the nature and significance of such effects – should stimulate the imaginations of IS security managers and researchers alike. (p. 201)</p>
<p>BPA was not a panacea for the challenge of incorporating business losses into IS risk analyses. While Salmela’s method resulted in improvements, “the business process analysis needs to be complemented with other loss evaluation methods” (p. 200).</p>
<p>Finance plays an important role in information security, yet including meaningful business loss calculations in IS technical risk assessments remains a challenging prospect. Business methods such as business process analysis offer a means of bridging the gap between finance and IS, but BPA as a means of incorporating business losses into IS risk measures is not perfect, and additional research and exploration is required. As Salmela states, “more research on the methods that assist in identification of business losses is needed” (p. 201).</p>
<p>References</p>
<p>Gordon, L. A., &amp; Loeb, M. P. (2002). Return on information security investments: Myths vs. realities.<em> Strategic Finance, 84</em>(5), 26. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=229418161&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</p>
<p>Salmela, H. (2008). Analysing business losses caused by information systems risk: A business process analysis approach.<em> Journal of Information Technology, 23</em>(3), 185. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1534334211&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</p>
<p>Spontak, S. (2006). DEFENSE IN DEPTH: How financial executives can boost IT security.<em> Financial Executive, 22</em>(10), 51. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1182662141&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/09/the-effect-of-finance-on-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Monitoring</title>
		<link>http://www.bzaugg.com/2010/09/employee-monitoring/</link>
		<comments>http://www.bzaugg.com/2010/09/employee-monitoring/#comments</comments>
		<pubDate>Sat, 04 Sep 2010 17:42:34 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=290</guid>
<description><![CDATA[Many companies have begun extending employee monitoring to include off-hours or off-duty activities. Mujtaba, Griffin, and Oskal (2004) attribute the reduction in employee privacy rights, including employer monitoring of off-hours conduct, to recent violent attacks such as the Columbine shootings and the terrorist attacks of 9/11 (p. 35). Companies pursuing a risk management strategy that includes off-duty monitoring of employees must proceed cautiously to avoid legal action from employees for privacy violations.]]></description>
			<content:encoded><![CDATA[<p>The legitimacy of business monitoring of employees during work hours and using company provided resources is well established as a legal and effective means for mitigating several kinds of risk. Latto (2007) explains,</p>
<p style="padding-left: 30px;">Yet, many employers have well-founded – and often compelling – reasons to engage in employee monitoring. Competent risk management involves protecting against losses from within. Thoughtful and effective employee supervision can help companies manage the risks of reduced productivity, liability claims and loss of assets. (p. 31)</p>
<p>Many companies have begun extending employee monitoring to include off-hours or off-duty activities. Mujtaba, Griffin, and Oskal (2004) attribute the reduction in employee privacy rights, including employer monitoring of off-hours conduct, to recent violent attacks such as the Columbine shootings and the terrorist attacks of 9/11 (p. 35). Companies pursuing a risk management strategy that includes off-duty monitoring of employees must proceed cautiously to avoid legal action from employees for privacy violations.</p>
<p>Dillon, Hamilton, Thomas, and Usry (2008) describe the case <em>Fatland v. Quaker State Corp.</em>, in which Quaker State was found to have a legitimate case for off duty monitoring of employees. Quaker State terminated Fatland’s employment for violation of the company’s conflict of interest policy when he failed to sell his ownership interest in a business that competed with Quaker State. Fatland filed a discrimination lawsuit in response. As Dillon et al. describe, “the court found that Quaker State had a legitimate concern in prohibiting employees, such as Fatland from operating off-hours businesses that would benefit from confidential information” (p. 130).</p>
<p>Crucial to the court ruling in <em>Fatland v. Quaker State Corp.</em> is the concept that the employer has a bona fide occupational qualification requirement that justifies applying company policies to employee activities outside the workplace. Companies evaluating employee monitoring that extends to off-duty activities should adhere to best practices such as those described by Latto,</p>
<p style="padding-left: 30px;">[Risk management] can be achieved by careful identification of the risks of concern, analysis of how monitoring would help manage those risks, and clear communication of expectations and consequences (p. 34).</p>
<p>In addition, Dillon et al. identify two key factors for mitigating the risk of privacy lawsuits related to off-duty employee monitoring: signed consent and clear electronic communications policies. Without a published conflict of interest policy that Fatland had consented to follow as a condition of employment, it is uncertain whether Quaker State would have prevailed.</p>
<p>References</p>
<p>Dillon, T., Hamilton, A., Thomas, D., &amp; Usry, M. (2008). The importance of communicating workplace privacy policies.<em> Employee Responsibilities and Rights Journal, 20</em>(2), 119. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1475837351&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1475837351&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Latto, A. (2007). Managing risk from within: Monitoring employees the right way.<em> Risk Management, 54</em>(4), 30. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1255455821&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1255455821&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Mujtaba, B. G., Griffin, C., &amp; Oskal, C. (2004). Emerging ethical issues in technology and countermeasures for management and leadership consideration in the twenty first century&#8217;s competitive environment of global interdependence.<em> Journal of Applied Management and Entrepreneurship, 9</em>(3), 34. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1178660741&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1178660741&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/09/employee-monitoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Theft and Medical Identity Theft</title>
		<link>http://www.bzaugg.com/2010/08/identity-theft-and-medical-identity-theft/</link>
		<comments>http://www.bzaugg.com/2010/08/identity-theft-and-medical-identity-theft/#comments</comments>
		<pubDate>Sat, 21 Aug 2010 19:02:17 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[cyber-crime]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=287</guid>
		<description><![CDATA[Both identity theft and medical identity theft have significant negative impacts for the victims. Since the victim’s identity has been stolen, the process of establishing that the victim did not actually complete the financial transactions is lengthy and difficult. ]]></description>
			<content:encoded><![CDATA[<p>The crime of identity theft existed long before the information age and electronic records. Forgery is an old example of using another person’s identity to commit a crime, usually financial fraud. As the Internet and electronic records have grown in use and popularity, more and more people store important identity and financial information on networked computers. Networked computers make using and providing financial services far easier and more efficient. Today, almost all financial services may be performed online at any time, day or night. However, the increased online handling of financial information has also resulted in a significant increase in identity theft. Lafferty (2007) explains “that financial identity theft is on the rise and ranks as one of the top consumer fraud complaints in the nation according to the FTC” (p. 12). The same efficiency benefits that allow consumers and financial services providers to increase their productivity also apply to identity thieves, who can steal thousands of identities at a time instead of tens.</p>
<p>In 2004, President Bush issued an executive order mandating the implementation of nationwide electronic health records (p. 15).  Just as traditional identity theft existed prior to electronic financial records and just as having financial data online increases the impact of risks associated with identity theft, the implementation of electronic health records brings increased risks of medical identity theft. Lafferty describes medical identity theft as, “both an information (i.e., identity theft) and health care (i.e., fraud and abuse) crime that results in financial, medical, and other harms to its victims” (p. 13).</p>
<p>Both identity theft and medical identity theft have significant negative impacts for the victims. Since the victim’s identity has been stolen, the process of establishing that the victim did not actually complete the financial transactions is lengthy and difficult. Holtfreter and Holtfreter (2006) present a case study of an identity theft victim who required “close to a year and thousands of dollars to cover her losses and restore her excellent credit history” (p. 57). The victims of medical identity theft face similar financial challenges. In addition, medical identity theft can have potentially life-threatening results. Imagine a case where a criminal commits medical identity theft that results in a victim’s record showing a diagnosis of diabetes. In an emergency, medical workers utilizing those records might administer insulin, which can be fatal to non-diabetics. As Lafferty states,</p>
<p>Without doubt the most significant harm that results from medical identity theft is when health care providers unknowingly base their medical decisions in treating a victim on inaccurate information from the thief’s medical history. The harm caused by false entries in a victim’s medical history is compounded because the entries are shared with a multitude of other health care providers, creating a significant risk of future harm (p. 13).</p>
<p>In addition, medical identity theft results in similar financial harms to victims as traditional identity theft, with insurance limits charged to their maximums.</p>
<p>As with identity theft, medical identity theft is most often perpetrated by insiders with access to the records. Criminal penalties exist for both identity theft and medical identity theft. The Fair and Accurate Credit Transactions Act of 2003 and the Identity Theft Penalty Act of 2004 provide penalties for identity theft and aggravated identity theft respectively (Holtfreter and Holtfreter, 2006). These laws and regulations relating to identity theft also pertain to medical identity theft. In addition, the Health Insurance Portability and Accountability Act provides penalties for those who commit crimes that violate the privacy of medical records (Lafferty, 2007). The Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006 “was introduced [in 2007] with the intent of ‘empowering consumers and giving them a say in how companies buy, sell, and market their private data, while entitling them to effective security protections,’” including a patient’s bill of rights (Lafferty, p. 18).</p>
<p>Identity theft and medical identity theft are insidious crimes that are growing in frequency and result in lasting financial, reputational, and medical consequences. Businesses that process, transmit, or in any way handle financial and medical identity information must take steps to ensure that the risks associated with these data types are mitigated. For businesses to succeed at these daunting efforts, the National Institute of Standards and Technology recommends implementing an enterprise risk management framework to ensure, “a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI” (Scholl, Stine, Hash, Bowen, Johnson, Smith, and Steinberg, 2008).</p>
<p>References</p>
<p>Holtfreter, R. E., &amp; Holtfreter, K. (2006). Gauging the effectiveness of US identity theft legislation.<em> Journal of Financial Crime, 13</em>(1), 56. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=994688151&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=994688151&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Lafferty, L. T. (2007). Medical identity theft: The future threat of health care fraud is now.<em> Journal of Health Care Compliance, 9</em>(1), 11-20. Retrieved from <a href="http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&amp;db=bth&amp;AN=23843738&amp;site=ehost-live&amp;scope=site">http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&amp;db=bth&amp;AN=23843738&amp;site=ehost-live&amp;scope=site</a></p>
<p>Scholl, M., Stine, K., Hash, J., Bowen, P., Johnson, A., Smith, C. D., &amp; Steinberg, D. I. (2008, October). <em>NIST SP 800-66 Revision 1: An introductory resource guide for implementing the HIPAA Security Rule</em>. Computer Security Division, Information Technology Laboratory (ITL), National Institute of Standards and Technology.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/08/identity-theft-and-medical-identity-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk Management Models</title>
		<link>http://www.bzaugg.com/2010/07/risk-management-models/</link>
		<comments>http://www.bzaugg.com/2010/07/risk-management-models/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:00:10 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=285</guid>
		<description><![CDATA[In the 2007 article, “Strategic risk management: Creating and protecting value,” Beasley describes Enterprise Risk Management (ERM) as, “an emerging business practice […] that emphasizes a top-down, holistic approach to effective risk management for the entire enterprise” (p. 26). As Beasley explains, ERM is distinguished from traditional risk management because ERM “strategically [considers] the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholder’s appetite for risk” (p. 26); whereas, traditional risk management is a “silo […] approach, where risks are often managed in isolation, with minimal oversight [of effects on the enterprise as a whole]” (p. 26). Beasley describes an ERM framework known as, “The Return Driven Strategy Framework,” and describes how the framework could have helped in several real cases where risks became issues.]]></description>
			<content:encoded><![CDATA[<p>In the 2007 article, “Strategic risk management: Creating and protecting value,” Beasley describes Enterprise Risk Management (ERM) as, “an emerging business practice […] that emphasizes a top-down, holistic approach to effective risk management for the entire enterprise” (p. 26). As Beasley explains, ERM is distinguished from traditional risk management because ERM “strategically [considers] the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholder’s appetite for risk” (p. 26); whereas, traditional risk management is a “silo […] approach, where risks are often managed in isolation, with minimal oversight [of effects on the enterprise as a whole]” (p. 26). Beasley describes an ERM framework known as, “The Return Driven Strategy Framework,” and describes how the framework could have helped in several real cases where risks became issues.</p>
<p>Beasley describes three real-world events where a breakdown in traditional risk management resulted in issues for businesses. The first case concerned a retailer that was unable to expand operations because individual locations had accumulated ill will from local governments due to violations of local ordinances. The individual stores were assuming risks that had small impact for the store, but large impact for the enterprise. The second case described a scenario where a consumer product company’s sales contracts contained delivery times that would not be met if the information technology disaster recovery plan were activated. Fortunately, the company had an ERM process that identified the gap and remediated the situation prior to an issue occurring. The third case described by Beasley involved a fire at a supplier’s factory that impacted two manufacturers. One manufacturer had an effective ERM process and survived the disruption to its supply chain; the other manufacturer was not prepared and exited the market.</p>
<p>Beasley describes a framework for ERM called the Return Driven Strategy. The Return Driven Strategy framework consists of 11 core tenets and 3 foundations that enable companies to “identify flawed strategies” (Beasley, 2007, p. 30). Beasley explains that the Return Driven Strategy framework would have enabled the retailer in the first case to, “[align] employee engagement and incentives with the overall higher-level growth strategy of the company,” and avoid the issues that prevented expansion (p. 53). In the second case, the company’s ERM process successfully identified the gap between sales and IT; and, Beasley asserts that the company was aligned with the Return Driven Strategy and, thus, realized the benefits. In the third case of the factory fire, the manufacturer with an effective ERM process survived a catastrophic event from a critical supplier while the company without an effective ERM process ceased operations within that market, which is a strong statement regarding ERM.</p>
<p>Beasley’s 2007 article, “Strategic risk management: Creating and protecting value,” makes a strong case for the benefits of ERM. Beasley provides a framework for implementing ERM known as the Return Driven Strategy and provides concrete examples of how the framework did or could have performed in three cases.</p>
<p>References</p>
<p>Beasley, M. S., Frigo, M. L., &amp; Litman, J. (2007). Strategic risk management: Creating and protecting value.<em> Strategic Finance, 88</em>(11), 24. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1278145811&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1278145811&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/07/risk-management-models/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Organizational Impact of IT</title>
		<link>http://www.bzaugg.com/2010/07/organizational-impact-of-it/</link>
		<comments>http://www.bzaugg.com/2010/07/organizational-impact-of-it/#comments</comments>
		<pubDate>Sun, 25 Jul 2010 20:17:03 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Strategy]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[IT]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=283</guid>
		<description><![CDATA[In the 2003 book, “Leading Geeks: How to Manage and Lead People Who Deliver Technology,” author Paul Glen states, “Because technology has permeated all functional areas of organizations, every manager must now know how to lead geeks” (p. 18). Glen’s assertion begs two important questions: has technology permeated all functional areas of the modern business and do managers need specialized leadership techniques for handling knowledge workers? An evaluation of Glen’s statement in context with an example company provides a means for determining if the assertions are correct. ]]></description>
			<content:encoded><![CDATA[<p>In the 2003 book, “Leading Geeks: How to Manage and Lead People Who Deliver Technology,” author Paul Glen states, “Because technology has permeated all functional areas of organizations, every manager must now know how to lead geeks” (p. 18). Glen’s assertion raises two important questions: has technology permeated all functional areas of the modern business, and do managers need specialized leadership techniques for handling knowledge workers? Evaluating Glen’s statement in the context of an example company provides a means for determining whether the assertions are correct. Raytheon Company is a Fortune 100 aerospace and defense company with 85,000 employees across six business units and 17 functional organizations (Raytheon 2009 Annual Report, 2009). Raytheon Company provides a useful case for studying Glen’s claims.</p>
<p>The first aspect of Glen’s statement is the assertion that, “technology has permeated all functional areas of organizations” (p. 18). At Raytheon, there are 17 functional organizations that constitute the business: Business Development; Communications; Contracts; Engineering &amp; Technology; Environmental, Health, &amp; Safety; Ethics; Export Import; Facilities; Finance; Human Resources; Information Technology; Legal; Manufacturing; Program Management; Quality; Security; and, Supply Chain Management. Technology plays a critical role in the operation of the business across all functions. Supply Chain Management monitors material movement using bar code readers integrated with the company’s enterprise resource planning (ERP) systems to the granularity of individual cubicles (e.g., package XXXXX was delivered to cubicle YYYYY at 3:35pm on July 12, 2010). Contracts utilizes a business partner extranet to share standard terms and conditions with vendors and suppliers. Manufacturing uses sophisticated factory floor automation systems to ensure products meet quality requirements. Glen’s statement that technology reaches all aspects of business is clearly upheld at Raytheon.</p>
<p>The second part of Glen’s (2003) statement asserts that the prevalence of technology implies that business leaders must be prepared to manage and lead knowledge workers. There is a prima facie case for Glen’s assertion based on the pervasiveness of technology within the business. In addition, articles by Maccoby (1996) and Badawy (2007) support the notion that technology innovators, also known as knowledge workers, require different leadership styles than manual or traditional workers. Glen also argues that knowledge workers, whom he refers to as “geeks,” require a different leadership style. Badawy argues for several modifications to traditional human resources services to enable better management of knowledge workers. The system of performance appraisals, dual-ladder career management, hiring practices, et al. that Badawy advocates largely represents the Raytheon Company approach to managing knowledge workers. For example, Raytheon Company offers a dual-ladder career track where knowledge workers may choose to pursue either a managerial or a technical path. The compensation and rewards on the technical path are equivalent to those on the managerial path. Raytheon has won numerous awards for employee opportunity programs. Badawy discusses the compelling motivational power these systems provide to leaders of knowledge workers.</p>
<p>Glen’s (2003) assertion that, “Because technology has permeated all functional areas of organizations, every manager must now know how to lead geeks” (p. 18), is confirmed by examining Raytheon Company. The current state at Raytheon Company confirms both Glen’s assertion regarding the prevalence of technology throughout modern enterprises and the importance of managing knowledge workers using different leadership styles than traditional workers.</p>
<p>References</p>
<p>Badawy, M. K. (2007). Managing human resources.<em> Research Technology Management, 50</em>(4), 56. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1306931141&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1306931141&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Glen, P. (2003). <em>Leading geeks: How to manage and lead people who deliver technology</em> (1st ed.). San Francisco, CA: Jossey-Bass.</p>
<p>Maccoby, M. (1996). Resolving the leadership paradox: The doctor&#8217;s dialogue.<em> Research Technology Management, 39</em>(3), 57. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=9597925&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=9597925&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p><em>Raytheon 2009 annual report</em> (2010). Retrieved from <a href="http://media.corporate-ir.net/media_files/irol/84/84193/Raytheon_AR_2009/index.html">http://media.corporate-ir.net/media_files/irol/84/84193/Raytheon_AR_2009/index.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/07/organizational-impact-of-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Outsourcing with Balanced Scorecard</title>
		<link>http://www.bzaugg.com/2010/06/managing-outsourcing-with-balanced-scorecard/</link>
		<comments>http://www.bzaugg.com/2010/06/managing-outsourcing-with-balanced-scorecard/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 04:30:03 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[Strategy]]></category>
		<category><![CDATA[balanced scorecard]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[outsourcing]]></category>
		<category><![CDATA[service delivery]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=281</guid>
		<description><![CDATA[Outsourcing is a critical tool for business managers to control costs and maximize return on the IT investment. Service level agreements have long been a standard for managing the performance of outsourcing agreements. However, service level agreements often fail to provide satisfying results due to offsets and burdensome requirements related to penalties. Balanced scorecard provides a more attractive option for managing the outsourcer. A built-in alignment with business strategy and an orientation towards incentivizing desired behaviors make balanced scorecard a more effective and more satisfying methodology for managing outsourcers. A review of scholarly literature on the subjects of outsourcing, service level agreements, and balanced scorecard elucidates the relative benefits of balanced scorecard compared to service level agreements for managing outsourcing. Balanced scorecard is found to be a beneficial method for managing outsourcing suppliers. However, analyzing the literature identifies a research gap and determines that further research is needed in the areas of outsourcing and supplier management.]]></description>
			<content:encoded><![CDATA[<p>Since the early 1990s, outsourcing has developed into a critical method for businesses to optimize the value of the information technology (IT) function. Gottschalk and Solli-Sæther (2005) describe IT outsourcing as, “the practice of turning over all or part of an organization’s IT functions to an outside vendor” (p. 685). Businesses seek to outsource the IT function in an attempt to deliver increased cost-efficiencies that enhance the bottom line without sacrificing IT capabilities. As Gottschalk and Solli-Sæther explain, “Client companies [that outsource IT] reported reduction of costs, better cost-performance, and economies of scale, compared to internal IT function” (p. 695). Weimer and Seuring (2009) identify an additional motivation for IT outsourcing, namely that it allows the business to, “focus on core business activities and development of competitive advantage” (p. 277). Koh, Ang, and Yeo (2007) found that markets value a company more highly when the business outsources information technology functions. Outsourcing enables IT to deliver value to the business at lower costs and enables the business to focus on core competencies; meanwhile, markets value companies that make the right strategic outsourcing decisions.</p>
<p>Since most organizations utilize service level agreements (SLAs) to manage internal IT functions, SLAs are a natural choice for managing external IT. However, Martorelli (2009) describes significant flaws associated with using service level agreements to manage outsourcers. Outsourcing agreements that utilize SLAs as the primary performance management tool often result in antagonistic business-vendor relationships. In addition, penalty clauses are difficult to enforce (Martorelli, 2009).</p>
<p>Businesses seeking to achieve a beneficial outsourcing arrangement with a vendor need an alternative means of managing the relationship. Gottschalk and Solli-Sæther (2005) identify eleven critical success factors for IT outsourcing, including “vendor behavior control” (p. 694). Gottschalk and Solli-Sæther describe “vendor behavior control” as including the use of “outcome-based and behavior-based incentives […] to reduce and prevent opportunistic vendor behavior” (p. 694). By implementing outcome-based and behavior-based incentives, the business mitigates the risks associated with SLA-based management and encourages vendors to adopt behaviors that align with the company’s vision and strategies.</p>
<p>This review of the literature on information technology outsourcing, behavior- and outcome-based management controls, and balanced scorecard develops an understanding of the effectiveness of balanced scorecard as a performance management tool for IT outsourcing relationships.</p>
<h1>Outsourcing and IT Delivery</h1>
<p>In the book, “Multisourcing: Moving Beyond Outsourcing to Achieve Growth and Agility,” Linda Cohen and Allie Young (2006) define outsourcing as, “contracting with an external firm for the ongoing management and delivery of a defined set of services to a prescribed level of performance” (p. 2). Cohen and Young describe outsourcing as a critical success factor for businesses seeking to compete in the modern, global marketplace. Cohen and Young attribute the growth and popularity of outsourcing to Hamel and Prahalad’s writings on core competencies in <em>Harvard Business Review</em> and Champy and Hammer’s book, <em>Reengineering the Corporation</em> (Cohen and Young, 2006). According to Cohen and Young, these management strategies, combined with demand for scalable, cost-effective service delivery in the 1990s, resulted in the development and maturation of outsourcing as a management strategy for service delivery (Cohen and Young, 2006).</p>
<p>The view of outsourcing as an important strategy for delivery of non-core information technology services is further reflected in Ward and Peppard (2002): “reducing the organization’s commitments to systems [that are not critical to an organization’s future] can be achieved in a number of ways [including] outsourcing their operation and support” (p. 329). Ward and Peppard see outsourcing as a key aspect of managing a company’s information systems portfolio (Ward and Peppard, 2002).</p>
<p>In their 2005 literature review, Gottschalk and Solli-Sæther found that core competencies theory was one of several theories relevant to IT outsourcing, in concurrence with Cohen and Young’s claims. In later research, Solli-Sæther and Gottschalk operationalized their previously identified critical success factors and evaluated their relative contributions to a three-stage outsourcing maturity model (Gottschalk and Solli-Sæther, 2006; Solli-Sæther and Gottschalk, 2008). Solli-Sæther and Gottschalk’s three-stage model describes a maturing outsourcing relationship moving from cost to resource to partnership stages. Solli-Sæther and Gottschalk found that, “in terms of economic benefits, cost minimization and operational efficiency belonged,” to the cost stage (Solli-Sæther and Gottschalk, 2008, p. 646). Solli-Sæther and Gottschalk also found, “vendor behavior control was statistically significant by cost stage being associated with service level agreement and cost” (Solli-Sæther and Gottschalk, 2008, p. 646).</p>
<p>In an examination of 420 IT outsourcing announcements by publicly traded companies, Koh, Ang, and Yeo (2007) found positive short-term stock returns related to the outsourcing, indicating that the marketplace values information technology outsourcing. Koh, Ang, and Yeo’s results show that the market places value on outsourcing above and beyond its popularity with business management.</p>
<p>Clearly, outsourcing is an important, market-approved option for business leaders responsible for the delivery of IT services. When properly executed, outsourcing offers businesses an opportunity to, “accelerate time to market, manage growth, and gain access to hard-to-find and expensive skills,” while also providing, “a cost-saving quick fix when budgets [come] under pressure” (Cohen and Young, 2006).</p>
<h1>Service Level Agreements</h1>
<h2>Managing Outsourcing with Service Level Agreements</h2>
<p>Service level agreements, also known as outcome-based measures, describe the delivery of information systems functionality using performance metrics that both IT and the customer acknowledge. In the book, “Smarter Outsourcing: An executive guide to understanding, planning, and exploiting successful outsourcing relationships,” Bravard and Morgan describe, “the two key attributes of SLAs is that they should be controllable and that they should continue to reflect real business needs, rather than becoming a business activity in their own right” (Bravard and Morgan, 2009, p. 73). Cohen and Young similarly stipulate the importance of SLAs as a reflection of business needs. Cohen and Young also warn that SLAs may limit the business. For example, Cohen and Young describe a business need, “process invoices within 72 hours,” that gets translated into a more limited service level agreement, “process 80% of invoices within 72 hours” (Cohen and Young, 2006, p. 162). The SLA provides a metric that can be used to benchmark, monitor, and manage IT investments and ensure business needs are met. In the context of outsourcing, SLAs also include penalty clauses that detail the expectations in the event that an SLA is not met.</p>
<p>Ward and Peppard describe SLAs as well recognized for delivery of services such as, “network uptime, response times and help-desk support” (Ward and Peppard, 2002, p. 524). Most organizations have developed internal service level agreements as part of their IT management strategy. As companies consider and engage in IT outsourcing arrangements, service level agreements are a natural tool for managing the contract. As Martorelli explains, “Virtually all of the outcome-based outsourcing contracts that Forrester Research has reviewed pay at least some attention to SLA targets and associated penalties” (Martorelli, 2009, p. 1).  SLAs represent a major tool for managing outsourcing contracts.</p>
<h2>Limitations of Service Level Agreements</h2>
<p>Outsourcing requires one company, the outsourcer, to trust another company, the vendor, with critical IT business capabilities. Clearly, the outsourcing relationship must be carefully managed to ensure that the outsourcer achieves the desired beneficial business outcomes. Many firms utilize service level agreements (SLAs) to ensure vendors meet the obligations of the outsourcing contract. However, as Martorelli (2009) describes, SLAs are often inadequate: “service-level agreement (SLA) penalties provide poor compensation for unsatisfying outsourcing relationships” (p. 1). Martorelli (2009) goes on to explain why service level agreements often fail to produce satisfying results,</p>
<p>Outsourcing suppliers indicate that despite having significant sums at risk in the context of overall contract value, little money is ever “paid out.” Suppliers rightly boast about their strong performance against SLA targets, but the reality is that typically generous earn-back provisions would likely neutralize any real economic penalty. Faced with the burden of measurement, analysis, and root cause analysis before contractual penalties kick in, it is not surprising that at the end of the day limited monies ever change hands. (p. 1)</p>
<p>Aggressive enforcement of service level agreements by outsourcers results in vendors demanding contract renegotiation and an antagonistic relationship between outsourcer and vendor (Martorelli, 2009).</p>
<h1>Balanced Scorecard</h1>
<h2>Managing Outsourcing with Balanced Scorecard</h2>
<p>One of the critical methodologies for behavior-based performance management is the balanced scorecard. Originally introduced by Kaplan and Norton in a 1992 <em>Harvard Business Review</em> article as a method for managing business unit performance, balanced scorecard provided an operational view of an organization from four perspectives: financial, customer, internal business process, and learning and growth (Kaplan and Norton, 1996). The balanced scorecard is “balanced” in the sense that the four perspectives provide a holistic view of the organization. The balanced scorecard is a “scorecard” in the sense that the organization develops measures to evaluate and benchmark each perspective in relation to business goals. The balanced scorecard provides an improvement over traditional financial management because it incorporates traditional lagging economic indicators as well as leading indicators (Kaplan and Norton, 2001b). As the balanced scorecard methodology has matured, it has been extended from business unit performance management to strategic alignment (Kaplan and Norton, 1996; Kaplan and Norton, 2001a; Kaplan and Norton, 2001b; Kaplan and Norton, 2001c).</p>
<p>One major factor in balanced scorecard’s proposed value as a strategic management tool is the incorporation of a means of valuation for intangible assets, to which it is traditionally difficult to assign a value (Kaplan and Norton, 2001b; Ittner, 2008). Intangible assets include human resources, database systems, and other aspects of the business that are not directly reflected on the financial statements, but may provide value. While Kaplan and Norton describe the balanced scorecard framework as a means of viewing intangible assets via a measure “other than currency,” Ittner identifies several flaws in current methods of intangible asset valuation, including balanced scorecard (Kaplan and Norton, 2001b, p. 89; Ittner, 2008). Ittner finds no statistically significant benefit for companies utilizing balanced scorecard for intangibles valuation compared to companies using a different method (Ittner, 2008). In terms of outsourcing, intangible assets may be the efficiency of a potential outsourcer’s processes or the level of experience of its staff.</p>
<p>Somewhat ironically, one of the principal outcomes of the transformation of Kaplan and Norton’s system for managing business unit performance into a framework for strategic business management is that business leaders recognized an opportunity to leverage the balanced scorecard to manage outsourcer performance – from performance management to strategic governance and back to performance management.</p>
<p>As Weimer and Seuring (2009) state, “The balanced scorecard (Kaplan and Norton, 1992) plays a dominant role within current management accounting and controlling research and is considered as the preferred performance measurement system (Malina and Selto, 2001)” (p. 277).</p>
<p>Weimer and Seuring (2009) describe balanced scorecard’s application as an outsourcing management tool,</p>
<p>The balanced scorecard is defined as a controlling tool that is particularly suited to implement corporate strategies and to link operational and strategic governance (Kaplan and Norton, 2004, 1992) and can therefore be described as a strategic controlling tool. Consequently, the balanced scorecard can also be considered as a potential outsourcing controlling tool that supports the implementation of the corporate outsourcing strategy and thereby governs and controls the external provider (p. 278).</p>
<p>It should be noted that “controlling” in the sense used by Weimer and Seuring is equivalent to “management accounting,” similar to the business role of a controller. Weimer and Seuring identify a relative gap in scholarly research on outsourcing, given the popularity of outsourcing as a business strategy (Weimer and Seuring, 2009). In four case studies of organizations utilizing balanced scorecard to manage outsourcing agreements, Weimer and Seuring find, “the balanced scorecard characteristics represent under certain conditions an appropriate performance measurement system in the outsourcing context with the underlying compensation model being the major determinant for their applicability as it basically drives the characteristics of performance measurement systems in the outsourcing context” (p. 288). Thus, Weimer and Seuring find that, where balanced scorecard is compatible with the financial aspects of a contract, it serves as a suitable means of managing the outsourcing contract.</p>
<h2>Benefits of Balanced Scorecard</h2>
<p>The primary benefit of balanced scorecard when compared to service level agreements is that Kaplan and Norton’s framework addresses the outsourcing from a strategic, holistic point of view. As Paranjape, Rossiter, and Pantano (2006) state,</p>
<p>The traditional performance measurement systems based on financial metrics alone have been deemed inadequate and more attention is being paid to non-financial metrics. Several broader performance measurement systems have been designed, of which Balanced Scorecard (Kaplan and Norton, 1996) has been the least criticized and most widely accepted (p. 5).</p>
<p>One benefit of the balanced scorecard is that it is a behavior-based measure. As a relationship, an outsourcing agreement will fluctuate over time. As Epstein and Rejc (2005) state,</p>
<p>Performance measurement systems have to be modified as circumstances change, just like strategic objectives are modified according to the new strategy, drivers are revised, and new causal linkages among drivers are determined (p. 39).</p>
<p>Effective management of the outsourcing contract requires a flexible system. Outcome-based controls like service level agreements have limited flexibility (e.g., there is little that can be varied in a measure like 99.9% network uptime). Behavior-based measures can incorporate outcome-based components, but focus on incentivizing desired behaviors.</p>
<p>Another benefit of using balanced scorecard to manage outsourcing arrangements is that Kaplan and Norton’s framework enables a straightforward value chain analysis of the contract. In the 2005 article, “How to measure and improve the value of IT,” Epstein and Rejc (2005) propose a balanced scorecard framework tailored to IT. According to Epstein and Rejc, the balanced scorecard provides a means for understanding and realizing hidden value from within the IT value chain. Following the logic laid out in Kaplan and Norton’s 2004 article on valuing intangibles, Epstein and Rejc perform a value chain analysis on the IT function to demonstrate the business benefits of balanced scorecard performance management of IT (Epstein and Rejc, 2005; Kaplan and Norton, 2004). Epstein and Rejc’s results for IT parallel Barber’s findings for business use of balanced scorecard in determining value chains (Epstein and Rejc, 2005; Barber, 2008). Value chain analysis using balanced scorecard provides a richer, more meaningful view of the outsourcing relationship than a simple outcome-based measure like SLAs.</p>
<h1>Conclusions</h1>
<p>Sharma (2009), Buhovac and Slapnicar (2007), Assiri, Zairi, and Eid (2006) all identify balanced scorecard as useful, but very complex to implement effectively (Sharma, 2009; Buhovac and Slapnicar, 2007; Assiri, Zairi, and Eid, 2006). Ittner (2008) and Buhovac and Slapnicar (2007) are unable to distinguish a statistical difference between the results of balanced scorecard and other systems (intangibles valuation for Ittner, alternative performance measurement systems for Buhovac and Slapnicar), suggesting that more research is needed to understand balanced scorecard’s relative popularity (Ittner, 2008; Buhovac and Slapnicar, 2007). As Paranjape et al. (2006) describe,</p>
<p>A high rate of failure and many practical difficulties however, are associated with the implementation of BSC. There is further scope for research in “design of performance measures” as the problems faced in selection and operationalisation of performance measures are well documented in literature (p. 5).</p>
<p>In addition, Paranjape et al. identify an additional need for research into process management systems that more directly address the needs of global virtual teams,</p>
<p>For a world-class performance it is important that the global processes, virtual teams and individuals within the teams in these multinationals, work in a smooth and integrated manner. Performance can be greatly enhanced if there is timely (often real-time) reporting, instant feedback, quick decisions and immediate actions. These radically different, ever changing process-team-individual structures have created a new and growing field of study, but there is currently very little in the literature on performance measurement in relation to global organizations (p. 10).</p>
<p>While balanced scorecard stands out as the most popular and least criticized means of managing strategic performance of outsourcing agreements, additional research is needed.</p>
<p>Outsourcing has developed into a critical component of IT delivery and business strategy. Businesses seeking to be competitive in the global marketplace must evaluate outsourcing as a strategic decision. Managing an outsourcing relationship is complex and requires the hybridization of multiple business strategies (at the very least, those of the primary business and its supplier) (Bravard and Morgan, 2009). Service level agreements have been found to be inadequate for managing IT outsourcing agreements (Martorelli, 2009). Balanced scorecard provides an alternate, behavior-based means of managing outsourcing agreements that provides improved alignment between business and supplier strategies and overall greater satisfaction. The four perspectives of balanced scorecard enable a holistic view of the business relationship with the outsourcing vendor that is not provided by outcome-based measures. Businesses engaging an outsourcer should consider utilizing balanced scorecard to manage the performance of the supplier.</p>
<h1>References</h1>
<p>Assiri, A., Zairi, M., &amp; Eid, R. (2006). How to profit from the balanced scorecard. Industrial Management + Data Systems, 106(7), 937. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1095870081&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1095870081&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Barber, E. (2008). How to measure the &#8220;value&#8221; in value chains. International Journal of Physical Distribution &amp; Logistics Management, 38(9), 685. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1596438021&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1596438021&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Bravard, J., &amp; Morgan, R. (2009). Smarter outsourcing: An executive guide to understanding, planning and exploiting successful outsourcing relationships. Harlow, England: FT Prentice Hall.</p>
<p>Buhovac, A. R., &amp; Slapnicar, S. (2007). The role of balanced, strategic, cascaded and aligned performance measurement in enhancing firm performance. Economic and Business Review for Central and South &#8211; Eastern Europe, 9(1), 47. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1293062841&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1293062841&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Cohen, L., &amp; Young, A. (2006). Multisourcing: Moving beyond outsourcing to achieve growth and agility. Boston, Massachusetts: Harvard Business School Press.</p>
<p>Epstein, M. J., &amp; Rejc, A. (2005). How to measure and improve the value of IT. Strategic Finance, 87(4), 34. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=911491291&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=911491291&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Gottschalk, P., &amp; Solli-Sæther, H. (2005). Critical success factors from IT outsourcing theories: An empirical study. Industrial Management + Data Systems, 105(5/6), 685. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=889361741&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=889361741&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Gottschalk, P., &amp; Solli-Sæther, H. (2006). Maturity model for IT outsourcing relationships. Industrial Management + Data Systems, 106(1/2), 200. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1018763611&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1018763611&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Ittner, C. (2008). Does measuring intangibles for management purposes improve performance? A review of the evidence. Accounting and Business Research, 38(3), 261. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1514388981&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1514388981&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (1996). Linking the balanced scorecard to strategy. California Management Review, 39(1), 53. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=10508873&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=10508873&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (2001a). The strategy-focused organization. Strategy &amp; Leadership, 29(3), 41. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=77138189&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=77138189&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (2001b). Transforming the balanced scorecard from performance measurement to strategic management: Part I. Accounting Horizons, 15(1), 87. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=69789698&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=69789698&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (2001c). Transforming the balanced scorecard from performance measurement to strategic management: Part II. Accounting Horizons, 15(2), 147. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=74219756&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=74219756&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (2004). The strategy map: Guide to aligning intangible assets. Strategy &amp; Leadership, 32(5), 10. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=700420621&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=700420621&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Kaplan, R. S., &amp; Norton, D. P. (2006). Response to S. Voelpel et al., &#8220;The tyranny of the balanced scorecard in the innovation economy,&#8221; Journal of Intellectual Capital, vol. 7 no. 1, 2006, pp. 43-60. Journal of Intellectual Capital, 7(3), 421. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1105642321&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1105642321&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Koh, C., Ang, S., &amp; Yeo, G. (2007). Does IT outsourcing create firm value? Paper presented at the Proceedings of the 2007 ACM SIGMIS CPR Conference on Computer Personnel Research: The Global Information Technology Workforce, St. Louis, Missouri, USA. doi:<a href="http://doi.acm.org/10.1145/1235000.1235020">http://doi.acm.org/10.1145/1235000.1235020</a></p>
<p>Martorelli, B. (2009). Observe the limitations of SLA penalty clauses (A. Parker &amp; E. Rose, Eds.). Forrester. Retrieved from <a href="http://www.forrester.com/rb/Research/observe_limitations_of_sla_penalty_clauses/q/id/54577/t/2">http://www.forrester.com/rb/Research/observe_limitations_of_sla_penalty_clauses/q/id/54577/t/2</a></p>
<p>Paranjape, B., Rossiter, M., &amp; Pantano, V. (2006). Performance measurement systems: Successes, failures and future &#8211; a review. Measuring Business Excellence, 10(3), 4. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1140306941&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1140306941&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Sharma, A. (2009). Implementing balance scorecard for performance measurement. IUP Journal of Business Strategy, 6(1), 7. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1948666341&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1948666341&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Solli-Sæther, H., &amp; Gottschalk, P. (2008). Maturity in IT outsourcing relationships: An exploratory study of client companies. Industrial Management + Data Systems, 108(5), 635. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1497860911&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1497860911&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Ward, J., &amp; Peppard, J. (2002). Strategic planning for information systems (3rd ed.). John Wiley &amp; Sons.</p>
<p>Weimer, G., &amp; Seuring, S. (2009). Performance measurement in business process outsourcing decisions. Strategic Outsourcing: An International Journal, 2(3), 275. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1920070491&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1920070491&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/06/managing-outsourcing-with-balanced-scorecard/feed/</wfw:commentRss>
		<slash:comments>25</slash:comments>
		</item>
		<item>
		<title>An Overview of Intrusion Detection Systems Technology and Research</title>
		<link>http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/</link>
		<comments>http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/#comments</comments>
		<pubDate>Sun, 20 Jun 2010 03:34:15 +0000</pubDate>
		<dc:creator>Brian Zaugg</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cyber-crime]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[networks]]></category>

		<guid isPermaLink="false">http://www.bzaugg.com/?p=277</guid>
		<description><![CDATA[Intrusion detection systems (IDS) seek to identify malicious network traffic. Intrusion prevention systems (IPS) advance IDS technology with the ability to dynamically adjust network and systems configurations to block malicious traffic as it is detected. As Gonzalez, Paxson, and Weaver (2007) state, “stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise.” In order to better understand the technical challenges and associated innovations associated with IDS and IPS, the author proposes to conduct a review of the literature on the subject of next-generation intrusion prevention systems.]]></description>
			<content:encoded><![CDATA[<p>Modern business information systems face a variety of threats. Roberts (2005) analyzed CSI/FBI computer crime survey results and determined the most significant threats to be viruses, unauthorized access, theft of intellectual property, fraud, and denial of service (Roberts, 2005). Roberts also found that most companies (96% &#8211; 97%) utilize anti-virus and firewalls while only 72% have intrusion detection systems and 35% intrusion prevention systems (Roberts, 2005). Lin (2006) examines the financial impact of cyber-crime based on the 2005 CSI/FBI survey results – as Figure 1 shows, businesses face substantial financial impact from cyber-crime,</p>
<p><a href="http://www.bzaugg.com/wp-content/uploads/2010/06/Lin-2006-Analysis-of-2005-CSI-FBI-Survey.png"><img class="alignnone size-full wp-image-278" title="Lin 2006 Analysis of 2005 CSI FBI Survey" src="http://www.bzaugg.com/wp-content/uploads/2010/06/Lin-2006-Analysis-of-2005-CSI-FBI-Survey.png" alt="" width="326" height="328" /></a></p>
<p>Figure 1 Lin&#8217;s Analysis of 2005 CSI/FBI Cyber-crime Survey</p>
<p>Clearly, cyber-crime and computer and network abuse constitute a significant financial risk to businesses. Goodall, Lutters, and Komlodi further report on the costs and risks associated with the digital world and e-business,</p>
<p>The problem of network security is a practical and pressing concern; a report calculated that the cost to organizations for each security breach is nearly $14 million per incident (Hall, 2007). Perhaps more troubling than the financial cost to organizations is a new form of cyber warfare; the nation of Estonia sustained a prolonged electronic attack on government web sites, requiring a digital quarantine, cutting off all access to the outside world (Kirk, 2007). (Goodall, Lutters, and Komlodi, 2009, p. 93)</p>
<p>In addition to cyber-crime, Filipek (2006) explains that chief information officers are also concerned about insider threats, “66 percent of IT executives perceive insider threats to be an emerging danger to corporate security” (Filipek, 2006). Lin (2006) analyzes 2005 CSI/FBI survey data to determine that, “system security incidents were committed by insiders about as often as by outsiders” (Lin, 2006, p. 65).</p>
<p>One of the keys to providing a secure computing environment is rapidly detecting and responding to threats. In an ideal world, systems would not be vulnerable to denial of service attacks, access controls would prevent all unauthorized uses of a system, and intrusion detection systems would be unnecessary. Unfortunately, systems have vulnerabilities, access controls are imperfect, and IDSs are a needed supplement to other security measures. Intrusion detection systems (IDS) seek to identify malicious network traffic. IDSs provide detection and notification of attacks in progress or already past. Intrusion prevention systems (IPS) advance IDS technology with the ability to dynamically adjust network and systems configurations to block malicious traffic as it is detected.</p>
<p>Several challenges face IDS/IPS technology. The criminals that produce and utilize malicious software are strongly motivated by greed or revenge. Advanced denial of service attacks attempt to detect and evade IDS/IPS. The category of malicious software known as the Advanced Persistent Threat (APT) utilizes stealth and encryption to evade defensive systems. In addition, increasing network bandwidth is a challenge for systems that must process large volumes of data in real-time. As Gonzalez, Paxson, and Weaver (2007) state, “stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise” (Gonzalez, Paxson, and Weaver, 2007).</p>
<p>A review of the literature on intrusion detection systems provides insight into the current and future state of an important information systems security technology.</p>
<h1>Types of Intrusion Detection</h1>
<h2>Methods of Detecting Intrusions</h2>
<p>Dorothy Denning is generally credited with the seminal research article on intrusion detection systems. Denning’s 1987 article, “An Intrusion-Detection Model,” presented the first model for a real-time IDS utilizing expert systems (Denning, 1987). Denning describes the motivation and necessity of an intrusion detection system,</p>
<p>The development of a real-time intrusion-detection system is motivated by four factors: 1) most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for usual, technical and economic reasons;</p>
<p>2) existing systems with known flaws are not easily replaced by systems that are more secure &#8211; mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons;</p>
<p>3) developing systems that are absolutely secure is extremely difficult, if not generally impossible; and</p>
<p>4) even the most secure systems are vulnerable to abuses by insiders who misuse their privileges (Denning, 1987, p. 222).</p>
<p>A key hypothesis in Denning’s research, and in the concept of intrusion detection systems in general, is that system abuse generates abnormalities that are detectable. Denning’s expert systems model of an IDS is the reference that modern IDSs utilize. Denning characterizes the general operation of an intrusion detection system as “a rule-based pattern matching system” (Denning, 1987, p. 223). The IDS analyzes system and network activity data according to configuration rules and statistical models and seeks to identify abnormal events.</p>
<p>Intrusion detection systems generally use some combination of three recognized methods for detecting intrusions: signature-based, anomaly-based, and stateful protocol analysis (Scarfone and Mell, 2007).</p>
<h3>Signature-based Intrusion Detection</h3>
<p>Scarfone and Mell describe signature-based intrusion detection systems as simple to implement, but also limited in capability,</p>
<p>Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications (Scarfone and Mell, 2007, p. 2-4).</p>
<p>Because the signatures are based on fixed binary strings, malicious software developers often implement code to dynamically modify and adapt to ensure that the signature is not a match. The same technique is also used to evade anti-virus scanners, which are primarily signature-based. In addition, signature-based intrusion detection systems lack an understanding of complex communications and state, which are important for fully understanding the threat posed by an alert.</p>
<h3>Anomaly-based Intrusion Detection</h3>
<p>The Denning model of an IDS relies primarily on anomaly-based detection (Denning, 1987). Scarfone and Mell explain that anomaly-based detection, “is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations” (Fan, et al., 2004; Scarfone and Mell, 2007, p. 2-4). The key advantage of anomaly-based detection for intrusion detection is the ability to recognize and respond to previously unknown attacks. Anomaly-based detection relies on a profile of normal system and network behavior developed during a training period. Once the normal profile is established, the system goes into production and utilizes a statistical model to compare data captured against the trained profile. Denning’s 1987 IDS model utilizes several statistical tests, including a multivariate model, a Markov process model and a time-series model, to evaluate whether or not an activity is abnormal (Denning, 1987).</p>
<p>As Scarfone and Mell explain, a common problem occurs when intrusion detection systems are exposed to malicious traffic during the training period, which effectively trains the expert system to recognize malicious data as normal. Other challenges with anomaly-based systems identified by Scarfone and Mell are false positive rates, related to the difficulty of training the IDS on all activity that is genuinely normal, and difficulty determining why an alert occurred, related to the complexity of the IDS (Scarfone and Mell, 2007).</p>
<h3>Stateful Protocol Analysis</h3>
<p>Stateful protocol analysis, also known as deep packet inspection when applied to networks, is a resource intensive approach to intrusion detection that, “relies on vendor-developed universal profiles that specify how particular protocols should and should not be used” (Scarfone and Mell, 2007, p. 2-5). Stateful protocol analysis provides important capabilities for understanding and responding to attacks. For example,</p>
<p>Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDPS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity (Scarfone and Mell, 2007, p. 2-6).</p>
<p>In addition, stateful protocol analysis can detect variations in command length, minimum and maximum values for attributes, and other potential anomalies that might be missed by signature- and anomaly-based systems (Scarfone and Mell, 2007).</p>
<p>The stateful protocol analysis method of intrusion detection relies upon well-defined and well-behaved protocol models. In cases where a protocol is proprietary, poorly defined, or a vendor implementation deviates from the standard, stateful protocol analysis becomes less accurate (Scarfone and Mell, 2007).</p>
<p>The biggest limitation of stateful protocol inspection for intrusion detection is the resource requirements. Tracking and analyzing the state information for enterprise systems requires significant resources. As performance capabilities of processors and networks increase, the resource challenges associated with stateful protocol analysis amplify (Scarfone and Mell, 2007). Another challenge of utilizing stateful protocol analysis with intrusion detection systems is that malicious traffic may properly utilize a protocol and, therefore, be undetected (Scarfone and Mell, 2007).</p>
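<p>The three detection methods described in the preceding sections (signature comparison of a single unit of activity, anomaly detection against a profile learned in a training period including the training-period poisoning problem Scarfone and Mell note, and stateful tracking of command order, repetition and the session authenticator) can be seen side by side in a single added Python example. This is an illustration written for this page, not code from the article or from any IDS product; the signatures, the HELLO/AUTH/FETCH/QUIT protocol, the thresholds and the sample traffic are all constructed.</p>

```python
"""Toy versions of the three detection methods above: signature matching,
anomaly detection against a trained profile (including the poisoned-training
failure mode), and stateful analysis of a constructed command protocol.
Added illustration only; every signature, event, threshold and protocol
below is constructed sample data, not taken from the article or any product."""
import statistics
from collections import defaultdict

# ---- 1. Signature-based: compare one unit of activity against fixed strings ----
SIGNATURES = {                                   # constructed sample signatures
    "sig-001": b"GET /cgi-bin/sample-attack.cgi",
    "sig-002": b"User-Agent: ConstructedScanner/1.0",
}

def signature_match(unit, signatures=SIGNATURES):
    """Names of every signature whose bytes occur in this packet or log unit."""
    return [name for name, pattern in signatures.items() if pattern in unit]

# ---- 2. Anomaly-based: profile learned during training, z-score at run time ----
def build_profile(training_counts):
    """Profile = mean and standard deviation of a per-minute activity count
    seen during the training period, which is assumed to be normal traffic."""
    stdev = statistics.pstdev(training_counts) or 1.0   # flat data: avoid /0
    return {"mean": statistics.mean(training_counts), "stdev": stdev}

def is_anomalous(count, profile, z_threshold=3.0):
    """True when the count deviates from the profile by more than z_threshold sigmas."""
    return abs(count - profile["mean"]) / profile["stdev"] > z_threshold

# ---- 3. Stateful protocol analysis: constructed text protocol with dependencies ----
PREREQUISITE = {"HELLO": None, "AUTH": "HELLO", "FETCH": "AUTH", "QUIT": None}
MAX_REPEATS = 3   # constructed limit; issuing a command more often is "unexpected"

class SessionTracker:
    """Per-session state: which commands were seen, how often each was repeated,
    and the authenticator presented, so alerts can be tied to it later."""

    def __init__(self):
        self.seen = defaultdict(set)                         # session -> commands seen
        self.repeats = defaultdict(lambda: defaultdict(int)) # session -> cmd -> count
        self.authenticator = {}                              # session -> AUTH username

    def observe(self, session, line):
        """Alerts (possibly none) for one protocol line in the given session."""
        parts = line.split()
        cmd = parts[0].upper() if parts else ""
        if cmd not in PREREQUISITE:
            return [f"{session}: unknown command {cmd!r}"]
        alerts = []
        needed = PREREQUISITE[cmd]
        if needed and needed not in self.seen[session]:
            alerts.append(f"{session}: {cmd} issued before {needed}")
        self.repeats[session][cmd] += 1
        if self.repeats[session][cmd] > MAX_REPEATS:
            alerts.append(f"{session}: {cmd} repeated {self.repeats[session][cmd]} times")
        if cmd == "AUTH" and len(parts) > 1:
            self.authenticator[session] = parts[1]
        self.seen[session].add(cmd)
        return alerts

def demo():
    """Run the three methods over constructed sample data and return the findings."""
    # Signature: the second unit differs from the signature only in letter case,
    # which is enough for plain string comparison to miss it.
    units = [b"GET /cgi-bin/sample-attack.cgi HTTP/1.0",
             b"GET /CGI-BIN/SAMPLE-ATTACK.CGI HTTP/1.0"]
    signature = [signature_match(u) for u in units]

    # Anomaly: connections per minute from one host. A profile trained on clean
    # data flags the burst; a profile whose training window already contained
    # the burst has learned that the burst is normal and stays silent.
    normal = [20, 22, 19, 21, 20, 23, 18, 21]
    burst = 200
    anomaly = {
        "clean_flags_burst": is_anomalous(burst, build_profile(normal)),
        "poisoned_flags_burst": is_anomalous(burst, build_profile(normal + [200, 210, 205])),
    }

    # Stateful: session A follows the protocol; session B fetches before
    # authenticating and then repeats AUTH past the limit.
    tracker = SessionTracker()
    lines = [("A", "HELLO"), ("A", "AUTH alice"), ("A", "FETCH inbox"), ("A", "QUIT"),
             ("B", "HELLO"), ("B", "FETCH inbox"), ("B", "AUTH bob"),
             ("B", "AUTH bob"), ("B", "AUTH bob"), ("B", "AUTH bob")]
    stateful = [alert for session, line in lines for alert in tracker.observe(session, line)]
    return {"signature": signature, "anomaly": anomaly,
            "stateful": stateful, "authenticators": dict(tracker.authenticator)}

if __name__ == "__main__":
    for method, result in demo().items():
        print(f"{method}: {result}")
```

The poisoned profile is the point to dwell on: the same burst that a clean profile flags at well over three sigmas sits inside the learned spread once a few burst minutes were part of training, which is why the training window must be verified clean before an anomaly profile goes into production.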
<h2>Means of Detecting Intrusions</h2>
<p>There are two main methods for deploying intrusion detection systems: network and host. Network-based intrusion detection systems analyze and identify threats from network traffic and include network-based, wireless, and network behavior analysis systems (Scarfone and Mell, 2007). Host-based intrusion detection systems, “[monitor] the characteristics of a single host and the events occurring within that host for suspicious activity” (Scarfone and Mell, 2007). There is a trend amongst software vendors towards integrating anti-virus, anti-spyware, host-based firewalls, and host-based intrusion detection systems into endpoint protection systems.</p>
<h1>Trends in Intrusion Detection Research</h1>
<p>Research into general improvements to intrusion detection systems based on the Denning model is ongoing. Alfaro, et al. investigate formalizing configuration management as utilized in intrusion detection systems as a means of ensuring these systems’ complex rules reflect the security policies as intended (Alfaro, et al., 2008). The statistical models are refined, updated, and improved as new techniques are discovered, such as Goonatilake, et al.’s analysis of chi-squared statistical models for anomaly-based intrusion detection (Goonatilake, et al., 2007). New methods are developed for detecting emerging attack types, such as man-in-the-middle attacks, that were not previously known or detected by IDSs (Trabelsi and Shuaib, 2008). Protecting intrusion detection systems from distributed denial of service attacks is another critical research area, as DDoS attacks can cripple an IDS and leave an organization deaf and blind to incoming attacks (Chen, 2007; Sodiya, 2004). In addition, research is underway to enable intrusion detection systems to manage and process the ever-increasing data volumes that result from increases in processing power and network bandwidth (Xinidis, et al., 2006; Gonzalez, et al., 2007).</p>
<h2>Intrusion Prevention and Autonomic Network Defense Systems</h2>
<p>Intrusion detection systems provide a valuable service to security practitioners seeking to defend systems and networks from attacks. By identifying and alerting upon the occurrence of an attack, IDSs provide a trigger for responding to incidents in an efficient and effective way. Intrusion prevention systems advance the technology of IDSs to include automated response to threats. An IPS may invoke additional firewall rules, shut down network ports, and initiate other actions to respond to a detected attack.</p>
<p>The leading edge of IPS research is referred to as autonomic network defense. Autonomic network defense treats networks and systems holistically and seeks to apply an immune system metaphor to the defense of an organization’s systems and networks as a whole. In contrast to traditional defense-in-depth strategies, the autonomic network defense approach attempts to provide a whole system solution instead of many overlapping, piecemeal defenses. Anagnostakis et al. (2007) describe a system of cooperating, collaborating autonomous agents that, “share information about the spread of malicious virus in the Internet and use this information for controlling the behavior of detection and filtering resources” (Anagnostakis, et al., 2007, p. 374). Autonomous network defense systems, due to their distributed nature, should prove to be more resilient to denial of service attacks than current systems.</p>
<p>Intrusion prevention systems are an active area of research and development that promise to improve businesses’ defensive posture. However, as Goodall, Lutters, and Komlodi state, “because of false positives and the potential for self-damaging responses to inaccurate alerts, all of our participants agreed that fully automated IDSs are never a completely effective solution, and despite attempts at automated solutions, there is no substitute for the intuition that human analysts bring to bear on the process” (Goodall, Lutters, and Komlodi, 2009, p. 93).</p>
<h2>Security Information Management Systems</h2>
<p>Correlating alerts from host and network intrusion detection systems, firewalls, intrusion prevention systems, anti-virus and anti-spyware can result in an information overload for security practitioners. Providing tools to enable more efficient and effective processing and analysis of security information is critical. As Debar and Viinikka describe, “Owing to the volume and diversity of security and log information sources, SIM platforms have emerged in recent years as the solution for concentrating heterogeneous logs and providing the security officer with a homogenous view of the security state of its information system” (Debar and Viinikka, 2006, p. 417). Security information management system research dovetails with autonomic network defense:</p>
<p>SIM will continue to foster research in alert correlation, leading to more complex scenarios that actually provide reliable threat information to the security officer. Once this stage is reached, we will see a large body of research taking place on automated countermeasures, i.e. ensuring that attacks are dealt with efficiently and accurately, with as little human intervention as possible. (Debar and Viinikka, 2006, p. 433)</p>
<p>Goodall, et al. stress that innovations in information visualization are a critical success factor for these systems, “The next logical step for tool designers is to use innovative visualizations to drive the tuning process by using the understanding analysts glean from the analytic process to create and update the rule bases in automated systems” (Goodall, et al., 2009, p. 105).</p>
<h1>Conclusions</h1>
<p>Intrusion detection systems are a vital component of an effective defense-in-depth security strategy. IDS’ provide the primary mechanism for notifying security practitioners if and when policy has been violated. Intrusion prevention systems are emerging as an evolution of IDS technology that includes automated responses to perceived attacks. Security information management systems promise to provide better correlation and understanding of the large volume of information and alerts generated by IDS’ and other security systems.</p>
<h1><span style="font-weight: normal;">References</span></h1>
<p>Alfaro, J., Boulahia-Cuppens, N., &amp; Cuppens, F. (2008). Complete analysis of configuration rules to guarantee reliable network security policies.<em> International Journal of Information Security, 7</em>(2), 103. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1459115061&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1459115061&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Anagnostakis, K., Greenwald, M., Ioannidis, S., &amp; Keromytis, A. (2007). COVERAGE: Detecting and reacting to worm epidemics using cooperation and validation.<em> International Journal of Information Security, 6</em>(6), 361. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1363502201&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1363502201&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Chen, Z., Chen, Z., &amp; Delis, A. (2007). An inline detection and prevention framework for distributed denial of service attacks.<em> The Computer Journal, 50</em>(1), 7. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1180225761&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1180225761&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Debar, H., &amp; Viinikka, J. (2006). Security information management as an outsourced service.<em> Information Management &amp; Computer Security, 14</em>(5), 416. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1143417571&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1143417571&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Denning, D. E. (1987). An intrusion-detection model.<em> IEEE Trans. Softw. Eng., 13</em>(2), 222-232. Retrieved from <a href="http://dx.doi.org.library.capella.edu/10.1109/TSE.1987.232894">http://dx.doi.org.library.capella.edu/10.1109/TSE.1987.232894</a></p>
<p>Fan, W., Miller, M., Stolfo, S., Lee, W., &amp; Chan, P. (2004). Using artificial anomalies to detect unknown and known network intrusions.<em> Knowledge and Information Systems, 6</em>(5), 507. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=690356861&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=690356861&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Filipek, R. (2006). Online security nightmares for CIOs.<em> The Internal Auditor, 63</em>(3), 19. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1061016441&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1061016441&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Gonzalez, J. M., Paxson, V., &amp; Weaver, N. (2007). Shunting: A hardware/software architecture for flexible, high-performance network intrusion prevention. Paper presented at the <em>CCS &#8217;07: Proceedings of the 14th ACM Conference on Computer and Communications Security, </em>Alexandria, Virginia, USA. 139-149. Retrieved from <a href="http://doi.acm.org.library.capella.edu/10.1145/1315245.1315264">http://doi.acm.org.library.capella.edu/10.1145/1315245.1315264</a></p>
<p>Goodall, J. R., Lutters, W. G., &amp; Komlodi, A. (2009). Developing expertise for network intrusion detection.<em> Information Technology &amp; People, 22</em>(2), 92. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1880534761&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1880534761&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Goonatilake, R., Herath, A., Herath, S., Herath, S., &amp; Herath, J. (2007). Intrusion detection using the chi-square goodness-of-fit test for information assurance, network, forensics and software security.<em> J. Comput. Small Coll., 23</em>(1), 255-263.</p>
<p>Lin, P. P. (2006). System security threats and controls.<em> The CPA Journal, 76</em>(7), 58. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1082185941&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1082185941&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Roberts, G. K. (2005). Security breaches, privacy intrusions, and reporting of computer crimes.<em> Journal of Information Privacy &amp; Security, 1</em>(4), 22. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=999547341&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=999547341&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Sodiya, A. S., Longe, H. O. D., &amp; Akinwale, A. T. (2004). A new two-tiered strategy to intrusion detection.<em> Information Management &amp; Computer Security, 12</em>(1), 27. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=644926111&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=644926111&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Trabelsi, Z., &amp; Shuaib, K. (2008). A novel man-in-the-middle intrusion detection scheme for switched LANs.<em> International Journal of Computers &amp; Applications, 30</em>(3), 234. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1632843071&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1632843071&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
<p>Xinidis, K., Charitakis, I., Antonatos, S., Anagnostakis, K. G., &amp; Markatos, E. P. (2006). An active splitter architecture for intrusion detection and prevention.<em> IEEE Transactions on Dependable and Secure Computing, 3</em>(1), 31. Retrieved from <a href="http://proquest.umi.com.library.capella.edu/pqdweb?did=1018532191&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD">http://proquest.umi.com.library.capella.edu/pqdweb?did=1018532191&amp;Fmt=7&amp;clientId=62763&amp;RQT=309&amp;VName=PQD</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

