Sanjay K Mohindroo

Technology has come to stay with us with accompanying ramifications and mixed blessings. The influence of current and future Information Technology and its applications is beyond human imagination. How pervasive or beneficial are information systems and technology? Well, this is a question worth discussing. Throughout my secondary education in my beloved country—Ghana—I never had the chance to practically see, touch, or work with computers until my first year in college; however, the good thing was that I was literate enough to read and understand some basic computer technologies. My first experience with computers occurred during my first year as an electrical engineering student at the School of Engineering, Kwame Nkrumah University of Science & Technology (KNUST) back in 1996. Theoretically, I did understand some computer concepts but practically it was a nightmare. What do we all see today, just a little over a decade? Well, the answer seems obvious. For instance, my five-year-old now uses a computer as a learning “tool” to play all of his computer games, watch movies, and study kindergarten-level math and reading online. 

Some of us must change our mindset to embrace the proliferation of technology, and if possible, embed it in our DNA; we must however be aware of the negative consequences associated with technology. In a nutshell, being current and immersed in information technology concepts and applications is a catalyst to be able to siphon the good part of technology for our daily needs. Some of these state-of-the-art technologies include digital and multimedia convergence; intelligent applications; embedded systems; mobile, satellite, and wireless communications; and distributed computing among others. Today, technology finds useful applications in medicine, legal systems, and in almost every facet of our lives, as shown in Figure 1in the appendix. We need to be inquisitive of Information Technology and its vibrant applications in shaping our future together. The next sections delineate a few contributions of IT in our world today.


Software Applications and Social Media: A computer without software or relevant applications is like a car without fuel and loses its real value. Software planning and development is ever-changing the phase of businesses, organizations, and human-computer interactions, for instance. Here are a few examples. Everyone may agree with me that software applications continue to change more innovatively without our explicit understanding of these changes. Of course, software applications need to be aligned with current and future changes and adjust to these changes accordingly. Typical examples are the embedded operating systems (OS) in smartphones, PDAs; and applications like online calendars, word processors, and spreadsheets that we have at our disposal today. Also, Web 2.0 (or Web 3.0) applications such as blogs, wikis, and social networks, as well as Web-based e-mail clients (such as Yahoo or Gmail) can be provided via cloud computing or some relevant means. It is fascinating to see the e-Government application in global politics today. Yeah, prospects are high for Web 2.0 and its subsequent technologies to be the mainstream for transparency globally. Additionally, we see how social networking establishments like Twitter, Facebook, LinkedIn, Myspace, Orkut, and others continue to galvanize global politics. A typical example is what we are witnessing now in some parts of the world where social media is perceived to be a powerful tool in politics. Fortunately, it helps to maintain transparency while exposing the tyrants characterized by all sorts of negative behavior paradigms. Greedy and autocratic leaders in certain parts of the world are being exposed and “teardown” day after day. At the time of writing this article, some tyrants are struggling to cling to power while others have “crashed downhill” previously. Well, let's hope others follow like it seems to be happening now. I think social media tools must take most credit because, without them, the United Nations or the World would have little or no evidence, and sanctions and other forms of punishments could have been difficult to implement —does this sound familiar? What a world of High-Tech is! Well, I leave this part for readers to evaluate. 



World Peace and Security: Who else does not want to see peace and security permeate our society? If for some reason, individuals or certain groups of people distance themselves from peace and security then, probably, they do not belong to us. How can technology maintain international peace and security? Recently, the United States Ambassador to the United Nations, Susan Rice, hosted a session of the United Nations Security Council titled, “Voices of a New Generation," that sought to open new doors of opportunity to the world’s youth (ages between 13 and 21 years old) on matters concerning international peace and security. I watched the video that genuinely touched my heart. Unfortunately, I’m yet to know if such a program is or can be extended to older folks. The point is, we see how technology can help “fuel and energize” such excellent initiatives. As the speaker noted, “They poured in by e-mail, on YouTube, and through Facebook. And some were even written by hand” (para. 7). Again, as I illustrated earlier, this certainly demonstrates the power of social media. In the next year or so, I hope to embark on behavioral science research studies that thoroughly investigate the effects of human behavior on advances in technology and society in general.



Medical Applications: As medical practitioners continue to face complex medical systems, emerging technologies continue to relieve them of such complexities. There are currently advances in wireless devices with accompanying advanced processors, memory chips, and relevant operating system implementations that are found useful in medicine. Typical examples are Bluetooth and smartphone technologies. To delineate further, Bluetooth wireless technology has helped in areas of remote patient monitoring, wireless biometric data, and medicine dispensers. The use of smartphones has also become an important technology in healthcare establishments. A smartphone, for example, has advanced capabilities and functionality much like that of laptop computers. Medical doctors can remotely monitor their patients’ lifestyle changes like their daily exercises (Marshall, Medvedev & Antonov, 2008). The use of this technology can help patients manage chronic diseases from home, regardless of their location. 



Business Opportunities: The aviation and transportation industries have come a long way. Today’s airline industry has been deeply rooted in the complexity of Internet technology in terms of e-services, e-communications, and e-business for day-to-day business operations. Also, Bluetooth technology has paved the way for an electronic boarding pass to be issued for air travelers thus eliminating the need for a traditional paper boarding pass. Technology has over the past decades influenced many organizations’ internal and external IT operations in alignment with strategic business goals. There is a mounting business imperative to make strategic decisions when it comes to investing in information technology. We have already seen the interplay of business and technology on the horizon. We see how Walmart makes use of Radio-frequency identification (RFID) tags to provide automatic tracking of its inventory systems. RFID, as an emerging technology, has generated an enormous amount of interest in supply chain initiatives and others. Wal-Mart is not alone; according to Potgantwar and Wadhai (2009), “RFID technology has been used in many organizations and agencies such as the U.S. Department of Defense (DoD), the Food and Drug Administration (FDA)” (p. 154). Also, RFID technology has useful applications in wireless systems. Research notes that “There are several approaches in location-sensing systems that use RFID technology” (Potgantwar & Wadhai, 2009, p. 154). Moreover, Technology has become a huge drive for e-businesses through such implementations as data integration, network storage systems, and database systems. E-commerce, for example, is a striking technology for businesses and their respective customers due to the growth and proliferation of the Internet. Now consumers buy all sorts of items such as books, music, videos, toys, and games online rather than shopping in a traditional setting. In a nutshell, all these together tend to “ignite” business initiatives.



Judiciary Systems: There may be contentions between governments, citizens, and judicial systems but the contribution of science and technology to our legal systems cannot be overemphasized. For instance, DNA has served a good purpose in this direction: using DNA to solve crimes, protect the innocent, and identify missing persons. According to the Department of Justice "since the creation in 2000 of the Department of Justice’s (DOJ’s) Convicted Offender DNA Backlog Reduction Program, more than 493,600 offender samples from 24 states have been analyzed"(p. 4). This was an effort to solve criminal cases. So one can imagine what impact technology may have on the judicial systems in the coming decades. It’s imperative to know how these advances influence the court’s interaction with the public now and in the future. Consequently, future technological innovations in the decision-making process in our legal systems are quite beyond imagination. 



Sports and Entertainment: There’s no doubt that the world of digital entertainment and high-tech sports is here to stay with us. Technology has shaped the way we humans plan, organize, analyze, or do business with sports and entertainment. Technically speaking, technology helps or may replace, human involvement in sporting events. Using lasers for instance is believed to limit sporting controversies as this became evident during the FIFA World Cup 2010 in South Africa. This advancement can well relieve referees and linesmen of attacks and humiliations. The future of home entertainment is likely to be software related than hardware like the one already seen in Microsoft's Media Center or the Apple TV. The “soft” part will certainly need the support of the “hard” counterpart or the underlying hardware components. It is amazing to see how digital entertainment has been transformed from CDs to DVDs technologies, and now to Blu-ray technology. This technology is a high-definition media format designed to supplant the DVD format we are familiar with today. Fortunately, Blu-ray designers were smart enough to make disc drives backward compatible to allow ease of smooth transition from the traditional DVDs and CD technologies. Well, this is just a piece of how technology seems to be driving innovations in the world of entertainment and sports. 



Future Trend: The above discussion so far is just the tip of the iceberg viewing from both current and future lenses. The future of technology looks more promising now than ever before. Practically speaking, our world may very well be dictated thoroughly by computers due to advances in information systems and technology with accompanying human-computer interactions. In the future, information systems and technology would be expected to be evolving, converging, and ubiquitous technologies in all facets of human needs. Likewise, we can’t even think of the innovations that space exploration, military technologies, online education, and the world of sports and entertainment could bring. For instance, some plans for space exploration have been announced recently by both government agencies and private sectors. According to El-Rayis, Arslan, and Erdogan’s (2008) study on space technology, space computation challenges are projected to confront future space missions. Evidence notes that “rapid developments in semiconductor technologies have led to progression in sensors technology and an enormous increase in their capability and accuracy addresses the architectural requirements and processing demands for future space missions” (El-Rayis et al., 2008, p. 199). In short, IT is believed to play a vital role in the convergence of computing and application in science, engineering, business, aviation, entertainment, politics, culture, and medicine as well as other disciplines. Intuitively, computers might be viewed as a central home storage containing a full stream of digital information where many of these demands could be met at home. For instance, we do not know for sure—thinking of a virtual world—if physical office buildings and traditional brick-and-mortar classrooms in our educational systems today will continue to exist in the future. 



Conclusion: In summary, it is a fact that advances in information technology are dynamic and continue at an ever-increasing rate. We all need to be conscious of this and continue to explore innovative ways that advance and transform our neighborhood in particular, and the world as a whole. In this discussion, the author outlines a few ways that these advances can promote opportunities for us to become successful in our society now and in the future. Also, these innovations may well put us in a metaphorical dilemma beyond human imagination. Therefore, to be able to siphon the good part of technology for our needs, we need to be inquisitive of technology with a drive to shape our future together. In any case, the advantages that technology brings outweigh the disadvantages. It is vitally important to promote state-of-the-art research in future IT disciplines. In the final analysis, we need to be current and immersed in information technology concepts and applications going forward.

Cybercriminals make enormous amounts of money by exploiting weak defenses in corporate and personal email defenses, deficiencies in corporate policies focused on protecting email users, and user ignorance. Criminals are aided in their efforts by three key trends that are becoming increasingly prevalent: 

Criminals can develop highly sophisticated malware because they are well-funded, and often supported directly by organized criminal groups. 

Many users share large amounts of information through social media and other venues that enable criminals to obtain useful information about their potential victims that can be used to develop sophisticated spear phishing attacks. 

There are a growing number of devices and access points from which users access email, making it more difficult for organizations to defend against email-borne threats, and that makes it easier for criminals to exploit weak defenses on several levels. 

KEY TAKEAWAYS 

Email-delivered malware, as well as the total volume of new malware, are increasing at a rapid pace. 

Cybercriminals use a variety of techniques, including spearphishing, shortened URLs, advanced persistent threats, traditional phishing, man-in-the-middle attacks, spam, botnets, ransomware, scareware, and other techniques to defeat corporate defenses. Scareware is often delivered as a pop-up message but sometimes is delivered via spam messages in email. 

The financial and auxiliary consequences of cybercrime can be enormous and can be multi-faceted: direct costs of remediating the cybercriminal activity, lost business opportunities, a damaged corporate reputation, and the like. 

Cybercrime is a business – albeit a nefarious one – that is driven by fairly traditional business decision-making. The goal of any email defense solution, therefore, is to make continued attacks against an organization unprofitable so that cybercrime activity is reduced. 

To minimize the impact and effectiveness of cybercriminal activity, an organization should undertake an ongoing program of user education, as well as deploy appropriate technologies designed to address new cybercriminal techniques. 

This paper focuses on key issues that organizations should address in the context of cybercrime delivered through email, and it offers some practical advice on what organizations should do to protect themselves. 

WHAT DO CYBERCRIMINALS DO? 

THE PROBLEM IS GETTING WORSE 

Cybercriminals use several methods to deliver email-based threats to their victims and they do so quite successfully, as evidenced by the following figure that demonstrates the large proportion of mid-sized and large organizations in North America that have been the victims of email and Web-based threats during the previous 12 months. Illustrating the seriousness of the malware problem itself, the next figure shows the rapid increase in new malware over the past few years. 

Percentage of Organizations Infiltrated by Email-Based Malware 2007-2012 

New Malware Detected (millions of malware programs detected) 2005-2012 

It’s important to note that while we saw something of a hiatus in the infection growth rate from email-based malware during 2011, as well as a flattening in the amount of new malware detected, this may have been due to the March 2011 takedown of the Rustock botnet – a key delivery path for spam and malware – that had infected more than 800,000 Windows-based computers. 

METHODS USED BY CYBERCRIMINALS 

Among the many methods used by cybercriminals are: 

Spearphishing is a more focused variant of phishing in which a single individual or a small group of individuals within a firm are targeted by cybercriminals. Quite often, a company’s CFO or CEO will be targeted because they are likely to have access to a company’s financial accounts. A common method for gaining access to this information is through the delivery of a highly targeted email that will contain an attachment or a link, clicking on which will infect the victim’s PC with a Trojan that can then be used to harvest login credentials to a bank account. Smaller companies, churches, school districts, and similar types of small to mid-sized organizations are among the more common targets of spearphishing attacks because they often lack sophisticated defenses that can protect against these types of attacks. 

Spearphishing has been aided to a great extent by social media since cybercriminals can use content posted to Facebook, Twitter, or other social media sites to improve the likelihood of delivering their content. For example, a CFO that posts to Facebook information about their recent online purchase of a new Lytro camera will be very likely to open a malicious email with the subject line “Problem with your Lytro camera order” and to click on any links contained therein. 

One spearphishing attack may have derailed Coca-Cola’s $2.4 billion acquisition of China Huiyuan Juice Group. Coca-Cola’s Pacific Group deputy president received an email from what he thought was the company’s CEO, but in reality, the email was from a (probably) Chinese firm known as the Comment Group. The email contained malware that allowed the perpetrator to access sensitive content for more than 30 days. Shortly thereafter, the Chinese government blocked the acquisition because of concerns over competition in the beverage industry.

Short URLs Shortened URLs – that might appear in emails, Tweets, etc. – are commonly used to bring unsuspecting victims to malicious sites with the hope of infecting their devices with malware. The attraction of a short URL for potential victims is that they fit nicely in character-limited tools like Twitter, and they can also condense very long links into a short URL when used in non-HTML emails. More importantly for cybercriminals, they mask the identity of the malicious site, hiding it from both individuals who might be suspects when reviewing the URL, as well as automated systems. 

Advanced Persistent Threats Advanced Persistent Threats (APTs) are protracted attacks against a government, company, or some other entity by cyber criminals. Underscoring the seriousness of APTs is the fact that these threats are generally directed by human agents (as opposed to botnets) that are intent on penetrating corporate or other defenses, not simply random or automated threats that are looking for targets of opportunity. As a result, those responsible for APTs will change tactics as they encounter resistance to their attacks by their targets, such as the deployment of new defense mechanisms. 

Phishing A phishing attack is a campaign by a cybercriminal designed to penetrate anti-spam and/or anti-malware defenses. The goals of such an attack can include infection of users’ PCs to steal login credentials, gain access to corporate financial accounts, steal intellectual property, search through an organization’s content, or simply gain access for a purpose to be determined at a later date. Email is a useful threat vector for phishing attacks and can be quite successful for cybercriminals. For example, a common phishing 

the scheme is to send an email citing UPS’ inability to deliver a package and a request for a user to click on a link to print an invoice. 

THE EASE OF GATHERING INFORMATION THROUGH SOCIAL MEDIA 

To see how much information we could gather on a senior executive, in late February 2013 Choose a company at random, A do a quick Google search for companies in the area. 

Our researcher then visited this company’s Web site, found an owner listed, and then searched for his name on Facebook. Although we have no relationship with this individual, a quick look at his wall revealed his former employers, where he went to high school, the fact that he is also a realtor, where he had lunch last Friday, his phone number, information about his Ferry ride on the previous Tuesday, information about an upcoming company event in early March 2013, the names of two people who gave him gifts in late January 2013, and what he had for dessert on January 13, 2013. 

A cybercriminal could have used any of this information to craft a spearphishing email with a subject line that would likely have attracted his attention and made it more likely for him to click on a link to a malware site that might have infected his PC. 

Man-in-the-Middle Attacks A man-in-the-middle attack is one in which a third party intercepts messages between two parties when both parties are attempting to exchange public keys. In essence, the third party impersonates both the recipient and sender, so that the two legitimate recipients and senders think they are communicating with each other, when in fact each is communicating directly with the unauthorized third party. The result of a man-in-the-middle attack can be relatively innocuous, with the third party simply listening in on a conversation; or it can be more malicious and result in the loss of network credentials or sensitive information. 

Spam While in some ways spam is less of a problem today than it was before the successful takedown of various botnets at the end of 2010 and early 2011, it remains a serious and vexing problem for organizations of all sizes. Spam consumes storage and bandwidth on corporate servers, users must scan spam quarantines to ensure that valid messages have not been misidentified and placed into the quarantine, and malicious content can mistakenly be withdrawn from a spam quarantine, thereby increasing the potential for infecting one or more PCs on the corporate network. 

Spam filters can often be defeated by simple text obfuscation like the misspelling of particular words, Bayesian poisoning, the introduction of valid text into spam messages to make them look legitimate, the use of various HTML techniques to trick spam filters, the use of various languages, etc. Spam filters that use less sophisticated filtering techniques and Bayesian approaches to filtering can be fooled by these tactics. 

Spam that contains attachments used to be quite common as a means of delivering malware. While not as common today, spam with malicious attachments still finds its way into many organizations. PDF files, images, calendar invitations, spreadsheets, and zip files are all used as payloads to carry malicious content. 

Botnets Cybercriminals often use botnets that consist of tens of thousands of ‘zombie’ devices – personal and workplace devices that are infected with a virus, worm, or Trojan that permit them to be controlled by a remote entity. Spammers can rent botnets for the distribution of their content, typically at relatively modest rates. By using botnets, cybercriminals can send a small number of messages from each of thousands of computers, effectively hiding each sending source from detection by ISPs or network administrators using traditional detection tools. Botnets are a serious problem not only because they are responsible for a large proportion of spam sent today, but also because they are used for a range of purposes beyond simple spam delivery: perpetrating distributed denial-of-service attacks, click fraud, and credit card fraud. Botnets are successful because they can be difficult to detect and take down. 

Ransomware is a type of cybercriminal attack, most often introduced to a PC by an email-delivered or another worm, in which a user’s PC is locked or its files encrypted until a “ransom” is paid to a cybercriminal. For example, one variant of ransomware, Reveton, is a drive-by virus that displays a message informing victims that they have downloaded child pornography or pirated material, demanding payment of a fine to restore access to their PC. During two days in May 2012, victims paid a total of more than $88,000 to cybercriminals to restore access to their PCs. 

Scareware is a less invasive form of ransomware in that it warns users that their PC is infected with malware, often reporting the discovery of thousands of different instances of malware. It then offers to disinfect the computer by offering anti-virus software for a nominal fee. While the fee is typically on the order of $40 – albeit for software that does nothing – the real damage often results from providing cybercriminals with a valid credit card number and CVV code. Scareware is often delivered as a pop-up message but sometimes is delivered via spam messages in email. 

State-sponsored malware One example of state-sponsored malware is Stuxnet. This malware was designed to target a particular type of Siemens controller used in Iran’s uranium enrichment plant at Natanz, Iran, and was set to expire in June 2012 (although the malware propagated globally before its expiration date). While the malware was not designed to attack companies or consumers, it was a good example of how malware can be designed to go after a specific type of target and remain undetected by its victim. 

BENEFITS REALIZED BY CYBER CRIMINALS 

First and foremost, it is essential to understand that cybercrime is a business – an illegitimate one to be sure – but one that is guided by fundamental business principles focused on the benefits to be gained from a particular activity, return-on investment considerations, investments in research and development, and the like. 

The benefits to cybercriminals from their activities are substantial. For example, cybercriminals that use phishing, spearphishing, or other techniques can steal enormous amounts of money in a short period, as discussed below. Cybercriminals can also gain access to confidential information, intellectual property, Protected Health Information, or other information that might prove valuable at present or a future date. 

THE CONSEQUENCES TO BUSINESS AND GOVERNMENT 

The flip side of the benefit to cyber criminals is the pain experienced by their victims. Aside from the direct financial losses that can result, an organization that falls victim to email-based or other types of cybercrime can suffer a loss of reputation as news of the problem is reported in the press or among their customer base. Some customers may cancel orders or switch to a different supplier if they determine they can no longer trust the victims of cybercrime to safeguard their data and, by extension, the data provided to them by their customers or business partners. The negative publicity alone can be worse than the loss of funds. 

DATA BREACHES 

Among the more serious and expensive consequences of email-based or other cybercrime is the breach of customer data. Because 46 of the 50 US states, one Canadian province, and many countries around the world have data breach notification laws in place, organizations that are victims of cybercrime and a resulting data breach are liable for notifying the affected parties about the breach. Aside from the direct cost of notifying customers about the breach is the potentially much higher cost of losing customers who are upset about the loss of their data, paying for credit reporting services for customers as a means of ameliorating their concerns, and the negative publicity that can result. 

Underscoring the seriousness of data breaches is the sheer magnitude of the problem. For example, the Privacy Rights Clearinghouse maintains a database of data breaches dating back to 2005. Since they have been keeping records, there have been 3,680 data breaches made public as of mid-April 2013 resulting in the breach of 607.5 million records. Among the data breaches published are the following two examples that illustrate just how serious the problem has become. 

As reported in March 2013, Uniontown Hospital (Uniontown, PA) was the victim of one or more hackers who accessed patient information, including encrypted passwords, contact names, email addresses, and usernames. 

Between May and November 2012, a computer used by an employee of St. Mark’s Medical Center (La Grange, TX) was infected by malware, resulting in the potential exposure of sensitive content, including patient billing information that was stored on the device. 

DRAINING OF FINANCIAL ACCOUNTS 

A variety of organizations have been targeted with keystroke loggers like Zeus that allow criminals to transfer funds out of corporate financial accounts. There have been several cases of this type of theft – many targeted small and mid-sized organizations as noted earlier – resulting in major financial losses, as in the examples below: 

Hillary Machinery: $800,000v (its bank was able to recover only $600,000) 

1. The Catholic Diocese of Des Moines: $600,000

2. Patco: $588,000

3. Western Beaver County School District: $700,000 

4. Experi-Metal, Inc. : $560,000

5. Village View Escrow: $465,000

6. An unidentified construction company in California: $447,000

7. Choice Escrow: $440,000

8. The Government of Bullitt County, Kentucky: $415,000

9. The Town of Poughkeepsie, New York: $378,000

10. An unidentified solid waste management company in New York: $150,000 

11. An unidentified law firm in South Carolina: $78,421

12. Slack Auto Parts: $75,000

BEST PRACTICES TO ADDRESS THE PROBLEM 

To protect against email-borne threats, organizations should undertake a two-pronged course of action: 

Train users Most will agree that despite the enormous amounts spent on email security solutions, users are still the weak link in the security chain. The primary reason for this is that increasingly they are the targets, often supplying cybercriminals with the information they need by posting detailed personal information on social networks and other sites. Moreover, criminals can often harvest many corporate email addresses and use them to launch a phishing or spearphishing attack against a company’s employees. Smaller organizations are typically most vulnerable to attack because they often lack the budget or expertise to thwart sophisticated attacks. 

While users cannot prevent all attacks, they should be considered the first line of defense in any email-based defense system. Consequently, users should be trained to take a common-sense approach to managing email. Although the following recommendations seem obvious, many users are guilty of violating these basic provisions, often because they are rushed in their work or simply are not sufficiently cautious when dealing with email: 

• Do not click on links in emails from unknown sources. 
• Do not reuse passwords and change them frequently. 
• Do not connect to unsecured Wi-Fi hotspots, such as might be found in a coffee shop, at an airport, etc. 
• Double-check the URL of links that seem legitimate before clicking on them. Although the URL displayed may not match the URL behind the link, many email clients will display the actual URL upon mouseover. 
• If an email is trapped in spam quarantine, assume that the spam-filtering system accurately trapped the email – do not assume it is a false positive unless you are certain that it is. 
• Do not send sensitive content via email without encrypting either the content or the message. 
• Be careful to ensure that sensitive content is not openly posted on social media sites, particularly those that are used for corporate purposes. 

While initial training is important, ongoing training that is designed to remind employees of new cyber threats, new spam and malware techniques, etc. is essential as a means of maintaining a robust defense posture. This might include sending simulated phishing emails to employees to determine the effectiveness of employee training, just how carefully employees pay attention to their training, etc. The goal is to provide a feedback loop that consists of testing, training, testing, and remediation. Employees who fall prey to simulated phishing attempts or other cyber threats can receive additional training or other remediation education designed to help them become more careful when inspecting their email. 

Implement the appropriate technologies The next and more important step is to implement the appropriate technologies that will thwart cybercriminal activity. This should include a layered defense system designed to: 

• Filter spam with a high degree of accuracy and a minimum of false positives. 
• Detect incoming malware, denial-of-service attacks, zero-day threats, phishing and spearphishing attempts, blended threats, bounceback attacks, and other threats. 
• Detect threats that are presented in short URLs. 
• Evaluate solutions that offer not just protection at the time the message is scanned, but at the time the message is clicked – in other words, protect the user from the click. Criminals often get past defenses with unknown or good reputation URLs and switch the URL intent once it has gone through the initial defenses. 
• Integrate with other systems, including DLP, encryption, and other capabilities to provide an integrated solution that can be managed from a single pane of glass. 

An Information Assurance Policy is the cornerstone of an Information Assurance Program. It should reflect the organization's objectives for security and the agreed-upon management strategy for securing information.

To be useful in providing authority to execute the remainder of the Information Assurance Program, it must also be formally agreed upon by executive management. This means that to compose an Information Assurance policy document, an organization has to have well-defined objectives for security and an agreed-upon management strategy for securing information. If there is debate over the content of the policy, then the debate will continue throughout subsequent attempts to enforce it, with the consequence that the Information Assurance Program itself will be dysfunctional.

There are a plethora of security-policy-in-a-box products on the market, but few of them will be formally agreed upon by executive management without being explained in detail by a CSO (Chief Security Officer). This is not likely to happen due to time constraints inherent in executive management. Even if it was possible to immediately have management endorse an off-the-shelf policy, it is not the right approach to attempt to teach management how to think about security. Rather, the first step in composing a security policy is to find out how management views security. As a security policy is, by definition, a set of management mandates concerning information security, these mandates provide the marching orders for the CSO. If the CSO instead provides mandates to executive management to sign off on, management requirements are likely to be overlooked.

A CSO whose job it is to compose security policy must therefore assume the role of sponge and scribe for executive management. A sponge is a good listener who can easily absorb the content of each person's conversation regardless of the group's diversity concerning communication skills and culture. A scribe documents that content faithfully without embellishment or annotation. A good sponge and scribe will be able to capture common themes from management interviews and prepare a positive statement about how the organization as a whole wants its information protected. The time and effort spent to gain executive consensus on the policy will pay off in the authority it lends to the policy enforcement process.

Good interview questions that solicit management's opinions on Information Assurance are:

Ø  How would you describe the different types of information you work with?

Ø  Which types of information do you rely on to make decisions?

Ø  Are there any information types that are more of a concern to keep private than others?

From these questions, an information classification system can be developed (e.g. customer info, financial info, marketing info, etc.), and appropriate handling procedures for each can be described at the business process level.

Of course, a seasoned CSO will also have advice on how to mold management opinions concerning security into a comprehensive organizational strategy.

Once it is clear that the CSO completely understands management's opinions, it should be possible to introduce a security framework that is consistent with it. The framework will be the foundation of the organization's Information Assurance Program and thus will serve as a guide for creating an outline of the Information Assurance policy.

Often, a security industry standards document is used as the baseline framework. For example, the Security Forum's Standard of Good Practice (www.securityforum.org), the International Standards Organization's, Security Management series (27001, 27002, 27005, www.iso.org), and the Information Systems Audit and Control Association's Control Objectives for Information Technology (CoBIT, www.isaca.org). This is a reasonable approach, as it helps to ensure that the policy will be accepted as adequate not only by company management but also by external auditors and others who may have a stake in the organization's Information Assurance Program.

However, these documents are inherently generic and do not state specific management objectives for security. So they must be combined with management input to produce the policy outline. Moreover, it is not reasonable to expect the management of an organization to change the way the organization is managed to comply with a standards document. Rather, the Information Assurance professional may learn about good security management practices from these documents, and see if it is possible to incorporate them into the current structure of the target organization.

Security policy must always reflect actual practice. Otherwise, the moment the policy is published, the organization is not compliant. It is better to keep the policy as a very small set of mandates to which everyone agrees and can comply than to have a very far-reaching policy that few in the organization observe. The Information Assurance Program can then function to enforce policy compliance while the controversial issues are simultaneously addressed.

Another reason that it is better to keep the policy as a very small set of mandates to which everyone agrees is that, where people are aware that there are no exceptions to policy, they will generally be more willing to assist in getting it right up front to ensure that they will be able to comply going forward.

Once a phrase such as "exceptions to this policy may be made by contacting the executive in charge of...." slips into the policy itself or the program in which it is used, the document becomes completely meaningless. It no longer represents management commitment to an Information Assurance Program but instead communicates suspicion that the policy will not be workable. A CSO should consider that if such language were to make its way into a Human Resources or Accounting policy, people could thus be excused from sexual harassment or expense report fraud. A CSO should strive to ensure that the Information Assurance policy is observed at the same level as other policies enforced within the organization. Policy language should be crafted in such a way that guarantees complete consensus among executive management.

For example, suppose there is a debate about whether users should have access to removable media such as USB storage devices. A CSO may believe that such access should never be required while a technology executive may believe that technology operations departments responsible for data manipulation must have the ability to move data around on any type of media. At the policy level, the consensus-driven approach would produce a general statement that "all access to removable media devices is approved via a process supported by an accountable executive." The details of the approval processes used by the technology executive can be further negotiated as discussions continue. The general policy statement still prohibits anyone without an accountable executive supporting an approval process from using removable media devices.

In very large organizations, details on policy compliance alternatives may differ considerably. In these cases, it may be appropriate to segregate policies by the intended audience. The organization-wide policy then becomes a global policy, including only the least common denominator of security mandates. Different sub-organizations may then publish their policies. Such distributed policies are most effective where the audience of sub-policy documents is a well-defined subset of the organization. In this case, the same high level of management commitment need not be sought to update these documents.

For example, information technology operations policy should require only information technology department head approval as long as it is consistent with the global security policy, and only increases the management commitment to a consistent security strategy overall. It would presumably include such directives as "only authorized administrators should be provided access capable of implementing operating system configuration changes" and "passwords for generic IDs should be accessed only in the context of authorized change control processes."

Another type of sub-policy may involve people in different departments engaged in some unusual activity that is nevertheless subject to similar security controls, such as outsourcing information processing or encrypting email communications. On the other hand, subject-specific policies that apply to all users should not be caused to draft new policies but should be added as sections in the global policy. Multiple policies containing organization-wide mandates should be discouraged because multiple policy sources make it more difficult to accomplish a consistent level of security awareness for any given individual user. It is hard enough to establish policy-awareness programs that reach all in the intended community, without having to clarify why multiple policy documents were created when one would do. For example, new organization-wide restrictions on Internet access need not be caused to create a new "Internet Access" policy. Rather, an "Internet Access" section can be added to the global security policy.

Another caveat for the CSO using the sub-policy approach is to make sure sub-policies do not repeat what is in the global policy, and at the same time are consistent with it. Repetition must be prohibited, as it would allow policy documents to get out of sync as they individually evolve. Rather, the sub-documents should refer back to the global document and the two documents should be linked in a manner convenient for the reader. Even while giving sub-policies due respect, wherever there is an Information Assurance directive that can be interpreted in multiple ways without jeopardizing the organization's commitment to Information Assurance goals, a CSO should hesitate to include it in any policy.

The policy should be reserved for mandates. Alternative implementation strategies can be stated as a responsibility, standard, process, procedure, or guideline. This allows for innovation and flexibility at the department level while still maintaining firm security objectives at the policy level. This does not mean that the associated information protection goals should be removed from the Information Assurance Program. It just means that not all security strategies can be documented at the policy level of executive mandate. As the Information Assurance Program matures, the policy can be updated, but policy updates should not be necessary to gain incremental security improvements. Additional consensus may be continuously improved using other types of Information Assurance Program documents.

Supplementary documents to consider are:

Roles and responsibilities — Descriptions of security responsibilities executed by departments other than the security group.

For example, technology development departments may be tasked with testing for security vulnerabilities before deploying code, and human resources departments may be tasked with keeping accurate lists of current employees and contractors.

Technology standards — Descriptions of technical configuration parameters and associated values that have been determined to ensure that management can control access to electronic information assets.

Process - Workflows demonstrating how security functions performed by different departments combine to ensure secure information handling.

Procedures — Step-by-step instructions for untrained staff to perform routine security tasks in ways that ensure that the associated preventive, detective, and/or response mechanisms work as planned.

Guidelines — Advice on the easiest way to comply with security policy, usually written for non-technical users who have multiple options for secure information handling processes. This leaves the question:

What is the minimum information required to be included in an Information Assurance Policy?

It must be at least enough to communicate management aims and direction concerning security.

It should include:

1.    Scope — should address all information, systems, facilities, programs, data, networks, and all users of technology in the organization, without exception.

2.    Information classification - should provide content-specific definitions rather than generic "confidential" or "restricted".

3.    Management goals for secure handling of information in each classification category (e.g. legal, regulatory, and contractual obligations for security, may be combined and phrased as generic objectives such as "customer privacy entails no authorized clear-text access to customer data for anyone but customer representatives and only for purposes of communicating with the customer,". "information integrity entails no write access outside accountable job functions," and "prevent loss of assets")

4.    Placement of the policy in the context of other management directives and supplementary documents (e.g., is agreed by all at the executive level, all other information handling documents must be consistent with it)

5.    References to supporting documents (e.g. roles and responsibilities, process, technology standards, procedures, guidelines)

6.    Specific instruction on well-established organization-wide security mandates (e.g. all access to any computer system requires identity verification and authentication, no sharing of individual authentication mechanisms)

7.    Specific designation of well-established responsibilities (e.g. the technology department is the sole provider of telecommunications lines)

8.    Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)

This list of items will suffice for Information Assurance policy completeness concerning current industry best practices as long as accountability for prescribing specific security measures is established within the "supplementary documents" and "responsibilities" sections. While items 6 and 7 may contain a large variety of other agreed-upon details concerning security measures, it is ok to keep them to a minimum to maintain policy readability and rely on sub-policies or supporting documents to include the requirements. Again, it is more important to have complete compliance at the policy level than to have the policy include a lot of detail.

Note: The policy production process itself is something that necessarily exists outside of the policy document itself. Documentation concerning policy approvals, updates, and version control should also be carefully preserved and available if the policy production process itself is audited.

Information is the key to decision-making in any business, therefore getting the right information at the right time, at the right place, and faster makes a lot of difference in any business and so, especially in Hospitality Business where the decisions are taken instantly at some levels. In this context, the age-old phrase “Garbage In and Garbage Out” is valid even today as incorrect information may lead to problems. It is not uncommon that one may have a good computer system yet may not be successfully getting the right information for the business. 

It is a combination of the Right People and the Right System that makes a business successful. Although lots of developments have taken place in terms of computers and their applications, making use of them completely rests with the person using them. Computers cannot replace men! With this, I would like to put a few of my thoughts that may be useful to the Hotel Fraternity.

There was a time when people used to write simple expense statements and general ledgers to balance sheets manually. Most difficult front office operations used to be monitored manually through a long sheet of paper. Computer pundits came out with great solutions specifically to the hotel industry making life easier for front-end staff who need to attend to guests most of their time rather than looking at the paper. Information and good service are the keys to success in the hospitality industry. 

Today, computers do magic for the front-end staff enabling them to devote more time to pleasingly attending guest requirements without compromising the Standard Operating Procedures (SOP). From the time of reservation until the time the customer checks out of the hotel, everything is recorded and the data is available. The computer system monitors the guest's requirements, likes and dislikes, wants, and satisfaction levels in a readable way that helps the hotel enhance its future services.

To achieve good results through the computer system one should first understand one’s requirement in terms of fastness of information, kinds of reports, formats, etc. Second, the flow of work that takes place in each activity. Third comes the procedures and last its effective implementation. All this becomes the system component. Once this is understood, the next step is to make a program or customize it accordingly through the software. The software cannot work without hardware. A good Information Technology System comprises three components, Systems, Software, and Hardware.

Selecting the right type of system is most important for any hotel operation. Most of the hotels use special software made for hotels which is generally called Property Management System (PMS). PMS comprises both front-end and back-end solutions. Various other solutions are not part of PMS but, get interfaced with the PMS. There are very few property management systems that have integrated solutions built in with both front and back ends, like IDS Fortune Enterprise. Choosing the right system requires expertise and knowledge about the hotel operation. 

Normally, all systems come with Room Division – with Front Office System and House Keeping Module, Food, and Beverage Division – with Point of Sale and Back End system – with Accounting, Inventory, and Human Resources. 

System requirement for each facility differs and it should preferably be a cost-effective solution. Not all hotels need to require the most expensive computer systems. Small hotels need a simpler system than big operations where complicated services, standards, data assimilation, and decision-making tools are required. Many big operations require various interfacing such as Telephones, Internet, Interactive Television, Door Locking systems, Yield Management, Global Distribution Systems, Visa/Master Card, etc. 

All these can be automated through the Property Management System efficiently and effectively. This reduces not only the manpower but also reduces mistakes that happen when handled manually.

While choosing the system, a proper evaluation of the PMS has to be made. The evaluation must be in terms of User Friendliness, Menu Driven navigation, Key defined access, Lesser number of keystrokes, Easy access to required data, Visual Impacts, Meaningful reports, various levels of security access, the possibility of customization at the user level, etc.

Some of the systems are more strong in the front end and weak in the back end. Some of the properties may require a strong front end and the back end could just be reasonable. Some of the properties such as Hotel Apartments generate more room-oriented business and hence Front Office system must be stronger. Similarly, a property with various food and beverage outlets must use the right Point of Sale (POS) system. 

One has to choose the system that is sufficient for the property depending on the number of keys, food and beverage outlets, other minor operating departments, facilities, and services offered in the property. Many times, one may come across choosing a very powerful system for a small operation by paying huge sums of money or vice-versa. Many of the features of the system may not be even useful or under-utilized and similarly, big operations may not have the right system offering sufficient features.

Good IT personnel should have knowledge of all three components, i.e., System (flow of each activity), Software (that translates the activity in measurable terms both quantitatively and qualitatively), and Hardware (Media through which we can see these activities). All this should reflect primarily guest satisfaction, staff satisfaction, management satisfaction, and owner satisfaction. 

Most PMS software gives generic solutions. Customization is important to achieve what one wants from the system chosen. Some of the PMS software is customer friendly and customization becomes easier there is also rigid software that does not allow customization. It all depends on the architecture one has used to build the software. User-friendly software will allow customization without making structural changes.

Many times, I have come across hotels not using the software to its full extent. Although the system is capable of delivering various reports and usage, they are not fully utilized due to the lack of proper training and induction in using the software. This happens when properties are opened in a hurry without giving sufficient time for training. Due to the vastness of the PMS, a person has to undergo training for a minimum of two months to understand the complete system. Out of two months, one month must be on-the-job training. Most of the users will come across various problems while on the real job. A good PMS supplier will be able to give solutions for all the problems that have logical answers. Proper training is the key to effective implementation.

While choosing PMS software for a property, one has to derive the guest needs in the front end on one side and the needs of the management and the owner at the back end on the other side. Staff should be able to use the system comfortably in achieving both ends. One has to set the right parameters in the system that can be used to create meaningful reports that help in decision-making easier and faster at all levels. This, as said before, requires expertise and knowledge of all three components of IT.

Today, computers and software can give solutions to the most complicated logical problems in any operation. Computers make life easier in getting the right reports at the right time which helps in the decision-making process easier and faster. Computer systems can prompt if any mistake is made, it can prompt opportunities and it can prompt to take corrective action proactively. Yield Management in the rooms division or Menu Engineering in the food and beverage division is an example of such functions. The computer system can be used to enable both planning and control functions to achieve the objectives of the organization.

Yet, man made the computer and not the other way. One has to understand, that man is intelligent and intellectual. The computer is made with the intellect of man and hence works only with the logic of the mind. The logic of the mind cannot go beyond mathematics! Intelligence is beyond mathematics. 

Man cannot be replaced at any level. Despite having the most advanced system, one has to rely on the supervision of a man to see the level of satisfaction guests get in a hotel. Expression of satisfaction from the guests can be seen only when you see them eye to eye.

Release management helps you preserve customers' production systems when new software and hardware are deployed.

The release management process is a demanding operation. The goal of release management is to preserve the integrity and availability of production systems while deploying new software and hardware.

Several processes are included under the umbrella of release management:

·     Planning software and hardware releases

·     Testing releases

·     Developing software distribution procedures

·     Coordinating communications and training about releases

The release management process is the bridge that moves assets from development into production.

Planning Releases

Planning releases is often the most time-consuming area of the release management process because there are so many factors that must be taken into consideration. For example, when deploying a new sales support system, the release managers must address:

·     How to distribute client software to all current users

·     How to migrate data from the current application's database to the new database with minimal disruption to database access

·     How to verify the correct migration of data

·     How to uninstall and decommission the applications replaced by the new system

·     Verifying all change control approvals are secured

Each of these issues breaks down into a series of more granular tasks. Consider distributing client software. Release managers must account for variations in OSs and patch levels of client devices, the need for administrative rights to update the registry if the software is installed, and the possibility of conflicts or missing software on clients.

Testing and Verifying Releases

Release managers can play an important part in the testing phase of the software development life cycle; the key areas for testing and verification are:

·     Software testing

·     Data migration testing

·     Integration testing

In each case, the testing process should constitute the final test and primary verification that the newly deployed applications operate as expected in the production environment.

Software Testing

Software should be thoroughly tested before it is released. In the ideal world, software developers work in the development environment and deploy their code to a testing and quality assurance environment that is identical to the production environment. It is in the test environment that integrated module testing and client acceptance testing is performed. This is not always possible. Large production environments may not be duplicated in test environments because of cost and other practical limitations. It is especially important in these cases that release managers work closely with software developers.

With responsibility for deploying software, release managers can provide valuable implementation details about the production environment that developers should test. For example, release managers will have information about the types of client devices and the types of network connectivity supported as well as other applications that may coexist with the system under development. Release managers may need to address data migration issues as well.

Data Migration Testing

In addition to supporting software developers on application testing and quality assurance processes, release managers may also have to support database administrators who are responsible for migrating data between applications. When the release of a new application entails shutting down one system, exporting data, transforming it to a new data model, and importing it into the new system, release managers will share responsibility for ensuring the data is extracted, transformed, and loaded correctly. Again, this process should be thoroughly tested before release, but realistic data loads are not always possible in test environments.

Integration Testing

Integration testing is the process of testing the flow of processing across different applications that support an operation. For example, an order processing system may send data to business partners' order fulfillment system, which then sends data to a billing system and an inventory management system. Certainly, these would have been tested before deployment, but real-world conditions can vary and uncommon events can cause problems. For example, spikes in network traffic can increase the number of server response timeouts forcing an unacceptable number of transactions to roll back. In this case, it is not that the systems have a bug that is disrupting operations, but that the expected QoS levels are not maintained. Testing and verifying software functions, data migration, and integrated services can be easily overlooked as "someone else's job," but release managers have to share some of this responsibility.

Software Distributions

Software distribution entails several planning steps. At the aggregate level, release managers must determine whether a phased release is warranted, and if so, which users will be included in each phase. Phases can be based on several characteristics, including:

·     Organizational unit

·     Geographic distribution

·     Role within the organization

·     Target device

When deploying new software or major upgrades, a pilot group often receives the software first. This deployment method limits the risks associated with the release. (Even with extensive testing and evaluation, unexpected complications can occur—especially with end users' response to a new application).

When distributing software, several factors must be considered:

·     Will all clients receive the same version of the application? Slightly different versions may be required for Windows 2000 (Win2K) clients and Windows XP clients.

·     Will all clients receive the same set of modules? If a new business intelligence application is to be deployed, power users may need the full functionality of an ad hoc query tool and analysis application, while managers and executives may require only summary reports and basic drill-down capability.

·     How will the installation recover from errors or failure? Downloads can fail and need to be restarted. There may be a power failure during the installation process. Disk drives can run out of space. In some cases, the process can restart without administrator intervention (for example, when the power is restored) but not in other cases (such as when disk space must be freed).

·     How will the installation be verified? Depending on the regulations and policies governing IT operations, differing levels of verification may be required. At the very least, the CMDB must be updated with basic information about the changes.

Software distribution is the heart of the release management process, but the ancillary process of communication and training is also important.

Communications and Training

The goal of communication in release management is to make clear to all stakeholders the schedule and impact of releases. This is the responsibility of release managers.

Training users and support personnel on the released system is not the responsibility of release managers, but both training and release managers should coordinate their activities. When training occurs too far in advance or too late following the release of the software, it may be of little use; the users may forget what they are taught or have already learned the basics by the time training occurs.

The release management process is a bridge from project-oriented software development and application selection to production operations. Although testing can be a well-defined and well-executed part of the development life cycle, release management still maintains a level of testing and verification responsibilities. In addition, the core operations of planning, software distribution, and communications constitute the bulk of what is generally considered release management.

See how experts and industry analysts take on prevalent myths surrounding the cloud.

While the Cloud eliminates numerous challenges in environmental management, particularly in the area of deployment it is also creating new ones, like in the area of change monitoring and configuration management.

The myth and mistaken assumption have been propagated that monitoring applications in a cloud is only slightly different from monitoring traditional internal enterprise applications. That assumption is far from the truth.

To bring more clarity to managing the data center in a cloud platform, we illustrate and explore some of the prevalent and persistent myths surrounding cloud-based operations, revealing the truth.

Myth: Cloud Configuration Management is Less Complicated for IT Operations

Take the management of the automation deployment infrastructure. This is still another software system that must be installed and maintained.

There is the mistaken assumption regarding script-driven deployment, that you don't need to check the scripts. However, like any other software system, scripts could be quite sophisticated, with varying tasks executed based on parameters.

The actual results of the script execution, i.e. the actual configuration need to be analyzed and controlled together with the scripts themselves. When errors occur in the automated scenario, they happen on a much larger scale, and hence additional processes and tools are required to recover from them.

Cloud configuration management is also affected as there is no control of artifacts or monitoring across environments, making partial deployment rollback extremely difficult. When deployment errors occur, lacking the ability to easily investigate the errors and recover can lead to failed launches, with costly downtime delays.

Let's Trade Myths For Reality: What Are You Doing In The Cloud?

Today In my oodles of conversations with enterprise clients about the cloud, there isn't a day that goes by without some myth about cloud use coming up. It's time we, together, did something about this.

If it's not "devs are only using it for test & dev," then it's "all those cloud apps are noncritical experiments." The other common ones are "It's all startups and web businesses" and "nothing critical is going there because of security." I use our ForrSights survey data, aggregated learnings from client inquiries, and evidence gathered through case study analysis to refute these rumors - all of which are untrue - but some beliefs just won't die. This week, we published an update to our definitive report from 2008, "Is Cloud Computing Ready for the Enterprise?" that shows that, yes indeed, the leading clouds have matured to the point that there are few legitimate excuses left for not using them. Who isn't ready are the enterprises - IT ops team in particular. And frankly, many enterprise IT ops teams aren't moving quickly enough to get ready for the cloud because they don't see the sense of urgency - they believe the myths above.

5 Big Myths Of Cloud Computing

We are living through a wave of cloud computing hype. It seems like there is a new cloud feature or product being launched by big technology companies almost every day - and sometimes concurrently - and the cloud is at the center of all the important tech industry discussions today, from job creation and destruction to the growth and decline of companies. This hype generates several false expectations and concerns that may lead companies to make bad decisions about the technology.

The simple possibility of helping people avoid bad decisions would be reason enough to look into these “myths” that surround the cloud, but other advantages may also come from this exploration: a better understanding of fundamental concepts that can help in the dialogue between vendors, early adopters and those who are still holding back.

The Myth of the Green Cloud

For a few years before the 2008 crisis hit the world’s economy, being green was even more fashionable for tech companies than being in the cloud today. Green IT movements were in full force, and some cloud vendors have been once again raising this banner claiming that moving to the cloud is the greenest decision a company can make. The logic behind this myth is that cloud data centers can optimize the use of computing resources, making them more efficient than any privately-owned data center around.

This, however, is only partly true. What most companies forget is to look for the source of that energy for their data centers. If you operate your servers in a country where most energy comes from renewable sources (such as Brazil, with a large percentage of hydroelectric power), and you move them to a cloud-based in a country whose energy matrix is dominated by thermoelectric power (coal and oil), the net effect may be an increase in your company’s carbon footprint. Any cloud is only as green as its power sources.

The Myth of “No More IT Worries”

This is one that almost always causes trouble for first-time cloud users. People move their servers/applications to a cloud environment (IaaS or PaaS) and think that everything will be magically backed-up and updated regularly and that multiple server copies will be hosted on redundant servers without them having to ever worry about it again. This is not true. Rackspace has been sending out emails to its customers warning them that cloud servers don’t come with automated backups enabled and that they must do this manually. The same thing goes for having contingency servers: you must set this up manually.

The Myth of 100% Uptime

This is perhaps the culprit of the “no worries” myth above. Service providers, especially on the IaaS level of the cloud stack, have for some time been offering 100% uptime guarantees. What they don’t seem to understand is that no technology is foolproof. I haven’t heard of a single service provider out there that has been able to deliver on this 100% uptime promise for all customers, so this is simply a misleading promise that may make newcomers feel more at ease than they should. As I’ve said before, your cloud servers will eventually suffer downtime, and you better be ready for it.

The Myth of Security

The second most discussed issue about the cloud is security and saying that the cloud is less secure than a private setup has become sort of a knee-jerk reaction for many companies. The truth of the matter is that the cloud by itself is no more (nor less) secure than anything else. On one hand, having services and data concentrated on just a few data centers makes these places much better targets; on the other hand, the concentration increases the likelihood that security patches and updates get properly applied to servers. Who is more likely to maintain updated servers with security monitoring: Rackspace or the thousands of small businesses with Windows XP servers out there?

That is not to say that security shouldn’t be a concern. Cloud vendors tend to downplay security to such an extent that it only makes companies more worried about what is going on. What they need to understand is that to keep the cloud secure, they need to work together with their customers to establish the proper processes. And, in working together, they need to share the responsibility for the security of the environment as a whole.

The Myth of Cost Savings

Saving the best for last, we come to the greatest enduring myth about the cloud: cloud computing will result in great cost savings for companies. It won’t. Cloud computing is about the optimization of computing resources, not their reduction. It allows savings only in the sense that you no longer have to provision servers based on your peak demands, but can instead dynamically grow and shrink your capacity as necessary, paying only for what is in use. If your computing resource needs are fairly steady, there isn’t any real gain.

One possible origin for this myth is the fact that, by using the cloud, startups can avoid spending large amounts of money upfront on infrastructure or software licenses. They perceive this lack of upfront investment as cost savings, even if in the long run they may spend more.

Myths are a natural part of any hype cycle. Some come from vendors who are overeager to please their customers, others from early adopters who desperately want to defend their positions. By looking at them in a detached manner, we can improve the dialogue surrounding the cloud. While I tried to cover the greatest cloud myths, this list is far from complete.

2 More Cloud Myths Busted: Lock-In And Locked-Up

The world of cloud computing grows like a weed in summer, and many assumptions are being made that just aren't correct. I've previously exposed four cloud myths you shouldn't believe. Now it's time for me to climb up on my soapbox and correct a few more.

Myth 1: Cloud computing is bringing back vendor lock-in.

The notion that using cloud computing features (such as APIs) created by one provider or another causes dreaded lock-in seems to be a common mantra. The reality is that using any technology, except the most primitive, causes some degree of dependency on that technology or its service provider. Cloud providers are no exception.

Here's the truth about technology, past, present, and future: Companies that create technology have no incentive to fly in close enough formation to let you move data and code willy-nilly among their offerings and those provided by their competitors. The cloud is no different in that respect.

We can talk about open-source distributions and emerging standards until we're blue in the face, but you'll find that not many changes in terms of true portability. As long as technology and their service providers' profitability and intellectual property value trump data and code portability, this issue will remain. It's not a new situation.

Myth 2: Cloud computing use will put you in jail.

Yes, you need to consider compliance issues when moving to any new platform, including private, public, and hybrid clouds. However, stating in meetings that moving data and processes to cloud-based platforms somehow puts you at risk for arrest is a tad bit dramatic, don't you think? Yet I hear that attention-getting claim frequently.

We've been placing data, applications, and processes outside of our enterprises for years, and most rules and regulations you find in vertical markets (such as health care and finance) already take this into account. Cloud computing is just another instance of using computing resources outside your span of control, which is nothing new, and typically both perfectly legal and not at all risky. Cut out the false drama as an excuse to say no.

7 Stubborn Myths About Cloud Computing

Early adopters of the cloud had to iron out a lot of teething troubles. Because of their pioneering work, building and deploying a cloud is now much easier, making the benefits available to all kinds of businesses, says Gerry Carr, Director of Communications at Canonical.

The cloud has been the preserve of technology-focused companies until recently - but not anymore. IT departments across all industries are getting interested in what the cloud can offer - from increased service flexibility to lower capital expenditure and infrastructure costs.

Although many companies are turned on to the cloud, there are still barriers to adoption. A common one, for example, is the lingering perception that cloud environments are too complex, difficult to deploy, and onerous to manage.

Here, we show how the cloud has come of age, and de-bunk some common cloud myths that are holding back adoption.

Myth 1) Building a cloud can take months

Not anymore. The whole operation now takes just a few days. This is largely thanks to the global open-source community, which has developed great tools to speed up cloud deployment - from installing and configuring physical servers in the cloud to creating, deploying, and scaling cloud-based services dynamically.

Myth 2) You need new hardware to deploy a cloud

Not necessarily. The best cloud solutions can be deployed on your existing X86 hardware - increasing server utilization and performance. What's more, you can convert old servers into additional compute nodes - increasing your processing capacity at no extra cost.

Myth 3) There aren't many applications available for the cloud

Not true. There are now a large number of excellent open-source applications designed specifically for the cloud - from databases and web-based applications to big data applications.

Myth 4) Developers need to learn new languages to deploy services in the cloud

No. While working with new languages such as Node.js or Go is useful if you want your cloud-based apps to look like desktop apps, they're far from essential.

Myth 5) It's complex to move from public to private clouds (and vice versa)

Only if you choose proprietary platforms, which use their APIs. By choosing the best open-source clouds instead, you can ensure compatibility with all the major public and private clouds, and move workloads around easily in the future.

Myth 6) The cloud isn't secure

It is if you do things right. If you take services from a public cloud provider, you should review the security service level agreement (SLA) thoroughly. If you're building a private cloud, you should standardize the way software is deployed in the cloud and regularly review your firewall rules.

Myth 7) It's hard to support a cloud environment

Not at all. There are now great support packages specifically designed for open-source clouds - both public and private.

As we've seen here, the old barriers to cloud adoption are falling away. This is largely thanks to the immense effort of the global open-source community, which is building cloud products and standards that simplify cloud deployment, management, and support.

4 Cloud Myths That Won't Go Away

You would think that rank-and-file IT staffers and leaders would understand the advantages and disadvantages of cloud computing by now. However, the misconceptions continue to show up, some of which are disconcerting. Here are a few of the most common:

If I use public clouds, I give up security.

This one is tossed at me about once a day, and I've addressed it in this blog many times. The fact is, when you use public clouds, you do not necessarily put data and processes at a security risk. The degree of risk comes down to your planning and the use of the right technologies -- just as it does in an on-premises deployment.

Cloud computing will put my job at risk.

Chances are, if you're worried about the use of some technology taking your job, you're already at risk. In reality, cloud computing won't displace many jobs in enterprise IT, but IT roles and responsibilities will change over time.

Cloud computing is an all-or-nothing proposition.

Not really. You can move to cloud-based systems, such as storage and compute services, as needed, both intersystem and intrasystem. Moreover, you can move in a fine-grained manner, shifting only certain system components, such as user interface processing or storage, and leaving the remainder on the premises. You do have to consider the colocation of data for data-process-intensive system components.

Cloud computing requires a complete replacement of the enterprise network.

This is true only if your existing network is awful and needs replacement anyway or if you plan to keep most of the data in the cloud, with the data processing occurring within the firewall (a bad architectural call). Other than that, bandwidth is typically not an issue. However, bandwidth does need to be considered and monitored, as it is a core component of the overall business systems that use cloud platforms.

3 Myths Clouding CIO Judgment

For today's CIO, the perceived barriers to cloud computing remain security, regulation, and compliance. The danger that data loss poses to brand equity, customer trust, and share price is just the same whether data is stored in a cloud computing or traditional infrastructure model.

The severity of the issue is reflected in legislation like the recent Criminal Justice and Immigration Bill which states that the Information Commissioner's Office (ICO) now has the authority to levy fines of up to £500,000 on organizations that recklessly lose confidential or personal information.

Security quite rightly should be at the top of every CIO's agenda but several myths lead to over-simplification or indeed dangerous assumptions about cloud computing. In light of this, we explore three myths that we have encountered recently and why they may be distracting CIOs from the real questions that need to be asked.

Security and compliance are "external issues"

Whether you choose to place your data "in the cloud" or create a hosting platform from dedicated servers, security must remain your concern. Security cannot be handed over wholesale to a cloud service provider because the very real question of security policies and procedures concerns your users as well. Firewalls and the rules that govern them still stand irrespective of whether the infrastructure is virtual or physical. Likewise, the usual security processes such as changing passwords and enforcing permission levels need to be observed within your organization.

These are simple examples but they serve to illustrate the point. Robust data protection is critical to preserving the brand value and reputation of any company. Every week there seems to be another high-profile example of a security breach undermining customers' trust in a brand, whether that is an online gaming site; web retailer, or even a government department. Regulations regarding the security, control, and privacy of data are complex. CIOs need to be certain that their service providers can help them navigate these rules and clearly understand where the responsibility for applying each part of the security policy sits.

Better SLAs will give sufficient protection

To some degree, the question of SLAs reinforces the same point. If you are using a traditional managed-to-host service to host your data, you will ask for a robust SLA that leaves you confident that you can deliver your SLA to the business. Businesses adopting cloud computing need to take the same approach.

However, relying on the SLA alone does not guarantee performance. It may mean there are penalties in the event of downtime, but that is cold comfort to an e-commerce organization at the height of its busiest season faced with a website that has been offline for hours. Uptime availability figures aren't enough. 99.99% uptime may sound impressive until you work out the cost of 0.01% downtime.

CIOs should be asking the same questions about cloud services as they would about any other IT service they use. What is your organization's tolerance for downtime? What are the disaster recovery and backup services available? What will happen in the event of a failure at any point in the service? This does not point to the lowest cost, best endeavors service. The economy of scale should mean that your chosen service provider can invest to minimize these failures.

CIOs have to be confident their service provider can respond and support their business, especially in the face of a "disaster". Furthermore, this should form a key part of your organization's business continuity plan.

The private cloud is inherently more secure than public cloud services

Cloud services have moved on since the first definition from NIST in 2009. The background of early public cloud services has contributed to the perception that this type of cloud has lower levels of security. A private cloud should not be seen as a guarantee of security. The private cloud is dedicated to your organization. By definition, this can reduce the risk of using a platform shared by many customers, but again it is only as secure as the policies and procedures that you enforce. Firewalls still need rules. Data centers still need physical security. A private cloud can be more secure than a public cloud, but like any other system, it is at risk of poor housekeeping and human error. Assumptions should not be made.

The decision criteria for private or public cloud implementation should be far wider than which is perceived to be more secure. As a CIO you will be asking what your organization wants to achieve. Is it cost savings, speed to market, flexibility to scale up or down, or more likely, a combination of all three?

As one of the most significant changes in IT in a generation, cloud computing can deliver real benefits in the way organizations consume IT. However, like any significant business change, careful consideration needs to be given to what the organization is trying to achieve and why. Our own annual CIO cloud research demonstrates that the majority of businesses are using or piloting cloud computing services across parts of the enterprise, but very few businesses are deploying cloud services 'in full'.

The deployment of cloud services across the entire enterprise was only 16 percent, while the deployment of cloud services 'in part' averages out at 35 percent. This demonstrates that companies are engaging in cloud computing, but very few are making or will ever make the shift to cloud computing outright. Cloud computing is not simply about buying CPU cycles at the cheapest rate, it represents a fundamental change in how we consume and take advantage of IT. The consumerization of IT is increasing this rate of change and old methods just won't hack it. While going on this journey from old methods to new is daunting, choosing who you take with you on the journey is perhaps the most important decision any CIO can make at this stage.

6 Biggest Cloud Computing Myths

It’s insecure.

People are afraid of losing control,” says Leandro Balbinot, CIO of Brazilian retailer Lojas Renner. But “just because your data is somewhere else, doesn’t mean it’s less—or more—secure,” says Accenture CIO Frank Morrison. Test, monitor, and review. That’s the only way to mitigate risk in or out of the cloud.

It’s simple.

Vendors will always tell you it’s a turnkey implementation,” says Carmen Malangone, global director of information management for Coty. “But moving customized systems to the cloud takes time—eight months or more to standardize and test in the new environment.” And modify cloud systems with care. “Configuration can quickly become customization and each upgrade will be a major headache,” says Malangone.

CFOs love it.

Here’s the pitch: The cloud turns sunk capital expenditure (capex) into flexible operational expenditure (OPEX). But your company may not want that. “The assumption is that there’s an economic preference for opex over capex,” says Mark White, CTO of Deloitte Consulting’s technology practice. “But not every business wants opex; some want capex.” The years of friendly capex tax depreciation left on a data center may be most important.

The fact that it isn’t done much doesn’t mean that it can’t be done at all. Balbinot, for example, is running a billion-dollar business’ core retail systems in the cloud.

Malangone was looking at a cloud-based single-sign-on tool, but with each additional application and user, the bill rose. “[The tool] was a great idea,” he says. “But you have to negotiate the right price based on your expected growth.”

Only the business benefits.

Most CIOs funnel cloud savings to the business. But there’s no law against reinvesting in IT. “I take some of my cost savings and put it into team building,” says David Riley, senior director of information systems for Synaptics. “We need to keep morale high.”

It can’t be used for core systems.

The fact that it isn’t done much doesn’t mean that it can’t be done at all. Balbinot, for example, is running a billion-dollar business’ core retail systems in the cloud.

It’s always cheaper.

Malangone was looking at a cloud-based single-sign-on tool, but with each additional application and user, the bill rose. “[The tool] was a great idea,” he says. “But you have to negotiate the right price based on your expected growth.”

Dispelling the Cloud's Myths

The pace of cloud computing will only accelerate in 2012. The increasing development of information technology, and the intense focus on cost reduction, are highlighting the benefits of moving IT administration off-site. One cloud computing expert wants CFOs to be aware of the short-term challenges and long-term benefits to organizations.

"Large enterprises must realize cloud computing will not(in all cases) provide immediate cost benefits to their organizations," Sadagopan (Sada) Singam, global vice president, of cloud computing, of HCL Technologies, said in a recent interview. CEOs and CFOs "must understand how cloud computing technologies will drive long-term benefits two to three years following the initial implementation."

Many organizations look for cloud computing technologies to provide immediate and sustainable cost benefits to drive bottom-line improvements. However, there are several implementation and security issues that CFOs must address with their IT departments before a successful cloud migration takes place.

Finance chiefs and their controllers must look at information security measures beyond the minimum standards required by legal and regulatory requirements. "We consider SAS 70 (Statement on Auditing Standards) as a basic standard for cloud computing security efforts," Singam says. "Companies must recognize the value and importance of their data and ensure they have multiple backups to protect their data and information."

Cloud computing allows companies of all sizes to quickly scale their IT operations, and minimize the fixed costs traditionally associated with major implementation efforts.

However, moving to the cloud does present a unique set of challenges for organizations of all sizes. With many IT departments now reporting to the CFO, cost often becomes the key consideration during cloud implementations. When looking for the right cloud technologies, CFOs must focus on long-term productivity and value to their companies. Cloud computing is more than a fad, and companies must make sure they are focused on more than the next quarter's financial results when making their decisions on the future of their IT operations.

"Hard is soft and soft is hard when considering major changes," Singam asserts when advising CFOs on the key factors for cloud computing decisions. Organizations must focus on so much more than the hard, short-term costs when identifying the right opportunities for their organizational IT.

Coming in part two of this blog: CFOs and their IT directors must understand the importance of hard costs, but they should not forget their employees who will ultimately be impacted by these changes.

There is Only 1 Cloud-Computing Myth

The only cloud-computing myth is that there are cloud-computing myths.

Instead, there are many articles about cloud myths, an endless parade of strawman arguments put out by writers, analysts, and marketers that lecture us on why we're so stupid to believe the "myths" that the cloud is inexpensive, is easy to deploy and maintain, that it automatically reduces costs, etc.

Anyone who's ever written a line of code or approved an enterprise IT contract knows there are no simple solutions and no universal solvents in their world. Never have been and never will be.

However, there are many powerful arguments in favor of enterprises migrating some of their apps and processes to the cloud, and there is a separate consumer-cloud industry that allowed me to listen to Igor Presnyakov rip through AC/DC's "All Night Long" and Dire Straits' "Sultans of Swing" on my Android phone last night.

I thank Google for the latter opportunity, even as the company remains as enigmatic as Mona Lisa about what's going on behind the scenes.

It's too bad Google is not one of our great sharers because the enterprise IT shops of the world could no doubt learn a lot more about cloud computing from watching Google at work than it can from using Google Apps.

Find Your Cloud

But enough whining. Each organization needs to find its cloud, and this should be a rigorous, perhaps time-consuming process. Discussion of particular cloud strategies and vendors should come at the end of this process. First, figure out what you want to do and why.

A nice cost analysis is helpful, of course, but my brain starts to seize up when the term "ROI" is put into play. At this point, it becomes a contest to game the system and produce an ROI forecast that will have false advertising of the direct impacts of the technology on the company's business. When used to justify technology, ROI and its sinister cousin, TCO, are the enemies of business success.

A nice thing about the cloud is that the heated political and religious debates over Open Source have been (mostly) replaced by practical arguments over which specific product, framework, or architecture provides the best option for a particular initiative. If discussion of the cloud should come at the end of the overall decision-making process, discussion of Open Source should come at the end of that discussion.

Don't try to transform the organization overnight. This will happen on its own as more and more clouds float into the enterprise. And don't believe in the myth that there are cloud myths. There isn't; only more wondrous technology that needs to be examined carefully as you continue the eternal quest to keep things as unscrewed up as possible in your organization.   

The Enterprise Resource Planning (ERP) industry is continuously evolving to fit the needs of its users. Let’s take a look at four of the top ERP trends for 2014 and beyond.

1.     Mobility. The use of smartphones, tablets, and other mobile devices is on the rise and showing no signs of slowing. Today’s workforce is increasingly becoming more and more mobile, driving demand for greater flexibility and the ability to access information from all sorts of remote locations. ERP offerings are evolving to accommodate a more mobile environment – giving business professionals remote access to critical information such as key performance indicators (KPIs), finances, inventory levels, sales orders, and customer information. We expect ERP mobile business intelligence solutions to remain a priority in 2014 and beyond.

2.     Cloud-based ERP. These days it seems everything is moving towards an “in the cloud” model, and ERP is not immune from that trend. Demand has been growing for cloud-based ERP solutions, which tend to be less expensive and quicker to implement than their on-premise counterparts. Many ERP vendors have jumped on the “in the cloud” bandwagon, and we expect this to continue to gather steam in 2014.

3.     More informed buyers. An abundance of ERP information, case studies, white papers, and so forth are making it easier for businesses to do their due diligence and become better-informed buyers of ERP software.

4.     Tough competition. In the ERP market, ERP vendors are divided loosely into tiers or types. Tier 1 vendors generally serve large global businesses, while Tier 2 serves mainly small to mid-market businesses. Even though the larger and well-known Tier 1 vendors have done a pretty good job retaining market share, Tier 2 vendors continue to gain momentum. It is often said that Tier 1 vendors “buy” innovations while Tier 2 vendors “create” them. This boost in innovation has led Tier 2 to gain market share and introduce some fierce competition into the mix.

The ERP Evolution

Fundamentally reshaping business processes using in-memory technologies

Data is exploding in size—with incredible volumes of varying forms and structures—and coming from inside and outside of your company’s walls. No matter what the application—on-premise or cloud, package or custom, transactional or analytical—data is at its core. Any foundational change in how data is stored, processed, and put to use is a big deal. Welcome to the in-memory revolution.

With in-memory, companies can crunch massive amounts of data, in real-time, to improve relationships with their customers. As in-memory technologies move from analytical to transactional systems, the potential to fundamentally reshape business processes grows.

Technical upgrades of analytics and ERP engines may offer total cost of ownership improvements, but potential also lies in using in-memory technologies to solve tough business problems. CIOs can help the business identify new opportunities and provide the platform for the resulting process transformation.

Trends in Enterprise Resource Planning Systems

With a new year comes both reflection of the past and contemplation of the future. It is with these thoughts in mind that many manufacturing companies are now looking at the possibility of a new enterprise resource planning (ERP) system. Regardless of whether the ERP evaluation is to replace an existing system or to purchase a first system, knowing the trends in ERP can be a critical factor in decision-making.

ERP has evolved through the years. What began as a Material Resource Planning (MRP) system has grown to include most aspects of the enterprise such as estimating, sales and distribution, quality, maintenance, and accounting. With so many ERP companies in business today, it is important to know what sets each package apart and the common trends among the ERP players.

One significant and recent trend is increased interest in Software as a Service (SaaS) applications as a solution to reduce workload for network administrators. Whether it is an online option (data hosted offsite) or a Managed Service (on-premise solution where the data resides locally), the ability to have an ERP system that doesn’t require any system administration has quickly gained momentum in the manufacturing ERP segment. Each option may have both advantages and disadvantages over the other and those may vary greatly by salesperson or User Company. For instance, Saas and Managed Service solutions are much costlier in the long run because you pay “forever”, but appear cheaper up-front because of lower start-up costs. Additionally, some might find the automatic updates of SaaS versions a plus but others, like medical device manufacturers that require validation before software updates, may want to control their update frequency and therefore have a vastly different take.

Another trend that has gained momentum is mobility because people need to stay connected to their companies. As computers become smaller, manufacturing company employees are becoming more mobile, and therefore ERP systems themselves are pushing to keep up. From laptops to smartphones, Blackberries to iPhones, people have never been more in touch technologically speaking. With mobility on the rise, many ERP companies have found the need to create applications that focus solely on the need to have information on the go, even while away from a facility. A smartphone, Blackberry, or iPhone application will be a must for an ERP company to stay viable and relevant.

Shop floor integration and automation continue to gain traction in a growing number of ERP systems. From true, real-time shop floor-to-ERP compatibility to extremely basic batch data transfers, ERP system companies understand that packages that can reach down into the plant floor are more valuable than packages that do not place as much emphasis on this. The challenge for the manufacturing company is to understand the vital difference between a simple claim of shop floor automation and integration and the actual reality of execution. Some ERP systems today are capable of updating schedules in real-time based on machine output, providing two-way communication with shop floor equipment, automating shop floor equipment based on preset indicators (such as box count, etc.), and providing alerts via facility PA systems. It is important to keep in mind that while some ERP companies can do this, others just make claims. Due diligence will be key for manufacturing companies to weed out the “who can” and the “who cannot” when it comes to shop floor integration and automation.

Trends in manufacturing are like trends in everything else – everything old is new again. Some might say this idea can be attributed to Service Oriented Architecture (SOA). While losing some of its steam over the last few months, this catchphrase for how disparate systems will now communicate is reminiscent of the old best-of-breed idea that ‘interfaces’ between systems would make seamless transitions. Many ERP companies claim their SOA system can create better communication from totally unrelated software packages – Quality from ERP Company X can talk to Payroll from ERP Company K. But, like the old best-of-breed interface talk, what happens when upgrade paths are not the same? No one can pinpoint or explain exactly how it works. For every ERP company that claims SOA, there is an article, blog, or comment from a reporter or analyst that counters with an “SOA what?”

In the last few years, the consolidation of ERP companies has subsided. Gone are the times when a new buy-out was announced almost every week. The ERP graveyard websites (i.e., http://www.erpgraveyard.com/tombs.html) are updated less regularly and it is easier to remember who owns which package and who bought what. With that in mind, ERP systems are being thought of as more of a commodity now. Because there are still many ERP companies in the manufacturing segments, manufacturers aren’t cognizant of the variances that lie in the ERP systems and companies themselves. Yes, all ERP systems indeed have bills of material, inventory management, scheduling, and shipping functions, and even an AR and AP capability. But is having that module or function enough to say there is no variance between the ERP packages? Not really. It is still an “apples to oranges” comparison for some. On the plus side, at least for the manufacturer, ERP systems are becoming less expensive due to commoditization. The key point to remember here is that, regardless of how low the entry cost is, if the ERP can’t reach beyond the core features inherent in all packages and show true value or developmental growth potential for the future, then it really shouldn’t be compared to a system that can.

The last trend is the need for scalability. Perhaps it is a by-product of one of the toughest manufacturing times in history, but people want to manage cash flow like never before. Purchasing an ERP system is no different. It used to be that people would buy everything they needed, regardless of when they planned to implement it. The thought was, “Get the best deal I can now and implement when the company is ready.” This is not the case anymore. If a manufacturing company leaps a new ERP, the change that could doom a project is best handled in smaller doses. Therefore, the realization that companies should only pay for what they plan to use now and shortly is a strong negotiation point. Why put out money for a quality system that will not begin implementation for another four or five months? Therefore, an ERP system that is scalable and modular has a big advantage over a system that isn’t. Cash flow is handled more smartly, change is more manageable, and the process changes that always come with a new system are employed and more valued. Think of scalability as the small, continuous improvement steps in the ERP journey. A steadier pace is realized and is more likely to achieve a successful implementation.

There are certainly more trends in the ERP industry, including hot-button topics like industry specificity and the shift in database popularity. The key point is that the manufacturing industry itself is poised for recovery. An ERP system can be a make-or-break factor in the success of a company. Knowing the trends, evaluating an ERP system based on all the facts, and separating the hype from the real value are essential in choosing and sustaining an ERP vendor relationship.

Daniele Fresca is the director of marketing for IQMS. Since 1989, IQMS has been designing and developing ERP software for the repetitive, process, and discrete manufacturing industries. Today, IQMS provides leading real-time manufacturing, accounting, production monitoring, quality control, supply chain, CRM, and eBusiness solutions to the automotive, medical, packaging, consumer goods, and other manufacturing markets. The innovative, single-source enterprise software solution, EnterpriseIQ offers complete functionality and scalable solutions all in a single database. With offices across North America, Europe, and Asia, IQMS serves manufacturers around the world. 

Three major trends are impacting Enterprise Resource Planning (ERP) systems today.

1. The emergence of new business models that require ERP support.

2. The broadening interest in cloud computing for ERP systems.

3. The growing need to push ERP functionality out to mobile devices.

Keeping Pace with the New Business Models

Throughout much of our economic history, competition between companies was driven by who produced the best products and services.   Today, success in dominating a market is influenced more from behind the scenes (back offices, cubicles, factory floors warehouses, etc.), than by who builds the better product or service.

Companies compete far more aggressively in trying to understand their customers and prospects as individuals rather than selling to cold buyers.  Getting close to customers by developing better relationships has become the primary aim of most companies, even more than convincing buyers how excellent their products or services are.  Those companies that possess a solid understanding of their customer base, and apply that knowledge to build brand loyalty, often dominate their respective markets.

The closeness a company can get to its customer base compared to is determined by how well its business model matches the needs of the market. The closer a company is to its target audience – the more competitive they are in the marketplace. Ultimately, this comes down to competing business models for market share, not products as one may think.

Taking this idea one step further, in complex organizations the business models need ERP systems to manage the information flow throughout the entire company and its supply chain.  Without ERP systems, most large and mid-size companies simply could not compete.

ERP systems are now one of the most powerful weapons in the battle to win customers and keep them coming back.  By supporting business models and enabling companies to adapt to changing market conditions, ERP has emerged as the central player in Information Technology ecosystems.  Whether the ERP product is from Oracle, SAP, Microsoft, Epicor, Plex Online, Sage ERP X3, QAD Enterprise, or a host of other vendors; they all have one thing in common – ERP systems must always be transformed to satisfy constantly evolving business models.

However, most ERP solutions in use today were designed years ago and, although they have been enhanced and updated, the logic behind much of the source code still reflects the business mindset of the mid and late 20th century.  As a result, one of the biggest challenges for ERP has been to keep pace with a manufacturing sector that has been rapidly moving from a product-centric focus to a customer-centric focus.  This change in attitude required most ERP vendors to add a variety of functions and modules on top of their core systems, while the basic design of most ERP systems remained product-centric.

ERP in the Cloud

The ERP vendors are gradually re-designing their systems, in some cases completely rebuilding them, to accommodate the change in business perspectives supporting different industries.  This redesign effort is also being influenced by new infrastructure outsourcing trends for ERP systems.  Many buyers of ERP software want to maintain their systems in either public or private clouds.   They are also more likely to look for third-party hosting providers that can offer technical assistance and ongoing support, in addition to a stable physical infrastructure.

Since updating old ERP designs to meet the needs of the new business models requires a considerable amount of programming, building in the additional functionality to support cloud computing at the same time makes sense.   The variety of trends that drive organizations to change are the same trends that drive ERP systems and vendors to consistently innovate and improve their products and services.

Modern programming technologies and new access technologies like cloud computing have made ERP more accessible and with a broader appeal than they were just 5 years ago. The cloud delivery model has reduced IT costs since implementation is fast, and data storage and management are handled by third-party outsourcing providers.   The cloud has also made ERP affordable to many more businesses, which enables companies to replace old accounting packages with more robust financial tools.

One example of how ERP vendors are innovating to stay current is SAP’s Business One.  This product, which is a smaller version of the full SAP ERP system, is aimed at meeting the needs of small businesses. It is also available on-premises or hosted by a third-party enterprise outsourcing firm.

Chasing Mobility

Another significant trend related to ERP is mobility.  Most ERP vendors offer their solutions on mobile devices, but some have simply enabled their web interface to be accessible from web browsers.  Others have created mobile applications, or applets, that provide the same functionality as their core ERP product.   No matter how an ERP vendor chooses to provide mobile computing options to their users, it is difficult to deliver all the functionality of an ERP system via mobile devices with the technology available today.  However, the mobility trend is still in its infancy, but ERP vendors large and small are providing apps that plug into their core ERP systems, causing the mobility trend to rapidly evolve and mature.

Key Takeaways

ERP has been and still is the cornerstone of the corporate computing environment, but its full potential can only be realized through integration with 21st-century business models.  Contemporary enterprises now depend on customer relationship management (CRM), product lifecycle management (PLM), human capital management (HCM), supply chain management (SCM), and many other modules that take them beyond the core ERP functionality that was sufficient just a few years ago.

ERP vendors are scrambling to bring their products and services in line with the new needs of their customers and prospective customers.  Of course, the product development struggle never ends because the world is constantly changing.  However, the trends mentioned here are particularly challenging for traditional ERP vendors because meeting these new needs requires a deeper commitment and a significant amount of time to make adjustments to their software.  These trends also open the door for niche competitors to enter the fray.  These new competitors have the advantage of building applications from the ground up and in perfect alignment with current trends; so there is no need to retrofit and redesign anything.

Protecting Your Organization Today, Tomorrow, and Beyond

Most established organizations have large IT departments with staff exclusively devoted to IT security. As your business grows, hopefully, your IT security team is thriving, too, and getting the intelligence and resources needed to stay abreast of the latest threats to your organization.

Unfortunately, the bad guys are keeping pace, and in some cases, they’re taking the lead. To keep your organization safe, it’s imperative to stay at least a few steps ahead of the cybercriminals. Education is a key component of this defensive strategy in today’s cybercriminal ecosystem. If you don’t know it’s there, you can’t defend against it.

Threats are increasing in frequency and sophistication. In fact, according to the recently released Verizon Data Breach report, there were 1,367 confirmed data breaches and 63,437 security incidents in 2013. The severity and cause of these incidents vary depending on the goals of the cyber criminals and, sometimes, the size of the potential victim. Although you may be more equipped to fight cybercrime, larger organizations are vulnerable to a wider array of attacks, including Advanced Persistent Threats (APTs), cyber espionage, and more sophisticated malware.

Advanced Persistent Threats (APTs)

Every corporation, regardless of its size or industry, is at risk of becoming the victim of a targeted attack by a variety of threat actors including APT groups, politically-driven “hacktivists,” and more advanced cybercriminals, who offer their services for hire. These adversaries will target any organization that has valuable information or data relevant to their objectives.

Depending on the adversaries’ operational motives and objectives, the information identified as valuable will vary. However, it’s important to note that regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.

All APTs are vehicles for cybercrime but not all cybercrimes involve APTs. Although both are based on monetary gain, APTs specifically target more sensitive data including passwords, competitive intelligence, schematics, blueprints, and digital certificates, and are paid for by third-party clients or resold in the underground. General cybercrime operations are direct “for profit” attacks and target customers’ personal and financial information which can be quickly monetized and laundered underground for ID theft and fraud.

Cybercriminals will either provide the hijacked information to the third party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third parties to accelerate their technological and commercial developments while weakening corporations’ intellectual and competitive advantages in the global economy.

There are many different types of targeted attacks, including:

• Economic Espionage Targeted Information: Intellectual property; proprietary information; geopolitical, competitive,                                                  or strategic intelligence
• Insider Trading TheftTargeted Information: Pending M&A deals or contracts; upcoming financial earnings; future IPO dates
• Financial & Identify TheftTargeted Information: Employee and customer personally identifiable information; payment transactions; account numbers; financial credentials
• Technical Espionage Targeted Information: Password or account credentials, source code, digital certificates; network and security configurations; cryptographic keys; authentication or access codes
• Reconnaissance and Surveillance: Targeted Information: System and workstation configurations; keystrokes; audio recordings; emails; IRC communications; screenshots; additional infection vectors; logs; cryptographic keys

One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. However, with careful observation, research, and proper analysis, concrete information can show similarities in targeted attack campaigns.

Icefog

Most APT campaigns are sustained over months or years, continuously stealing data from their victims. By contrast, the attackers behind Icefog, an APT discovered by the Kaspersky Security Network in September 2013, focused on their victims one at a time, in short-lived, precise hit-and-run attacks designed to steal specific data. Operational since at least 2011, Icefog involved the use of a series of different versions of the malware, including one aimed at Mac OS.

The Mask

In February 2013, the Kaspersky Lab security research team published a report on a complex cyberespionage campaign called The Mask or Careto (Spanish slang for ‘ugly face’ or ‘mask’). This campaign was designed to steal sensitive data from various types of targets. The victims, located in 31 countries around the world, included government agencies, embassies, energy companies, research institutions, private equity firms, and activists.

The Mask attacks start with a spear-phishing message containing a link to a malicious website rigged with several exploits. Once victims are infected, they are then redirected to the legitimate site described in the e-mail they received (e.g. a news portal, or video). The Mask includes a sophisticated backdoor Trojan capable of intercepting multiple communication channels and harvesting all kinds of data from the infected computer. Like Red October and other targeted attacks before it, the code is highly modular, allowing the attackers to add new functionality at will. The Mask also casts its net wide - there are versions of the backdoor for Windows and Mac OS X and there are references that suggest there may also be versions for Linux, iOS, and Android. The Trojan also uses very sophisticated stealth techniques to hide its activities.

The key motivation of The Mask attackers is to steal data from their victims. The malware collects a range of data from the infected system, including encryption keys, VPN configurations, SSH keys, RDP files, and some unknown file types that could be related to bespoke military/government-level encryption tools. Security researchers don’t know who’s behind the campaign. Some traces suggest the use of the Spanish language but that fact doesn’t help pin it down, since this language is spoken in many parts of the world. It’s also possible that this could have been used as a false clue, to divert attention from whoever wrote it. The very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups – one indicator that The Mask could be a state-sponsored campaign.

SecureList

This campaign underlines the fact that there are highly professional attackers who have the resources and the skills to develop complex malware – in this case, to steal sensitive information. It also highlights the fact that targeted attacks, because they generate little or no activity beyond their specific victims, can ‘fly under the radar’.

The entry point of The Mask involves tricking individuals into doing something that undermines the security of the organization they work for – in this case, by clicking on a link or an attachment. Currently, all known C&C (Command-and-Control) servers used to manage infections are offline. However, researchers believe that the danger hasn’t been eradicated and that the attackers can renew the campaign in the future.

Bitcoin

Bitcoin is a digital crypto-currency. It operates on a peer-to-peer model, where the money takes the form of a chain of digital signatures that represent portions of a Bitcoin. There is no central controlling authority and there are no international transaction charges – both of which have contributed to making it attractive as a means of payment.

As the use of Bitcoin has increased, it has become a more attractive target for cybercriminals. In end-of-year forecasts, security researchers anticipated attacks on Bitcoin. “Attacks on Bitcoin pools, exchanges, and Bitcoin users will become one of the most high-profile topics of the year. Such attacks will be especially popular with fraudsters as their cost-to-income ratio is very favorable.”

MtGox, one of the biggest Bitcoin exchanges, was taken offline in February 2014.6 This followed a turbulent month in which the exchange was beset by problems – problems that saw the trading price of Bitcoins on the site fall dramatically. There have been reports that the exchange’s insolvency followed a hack that led to the loss of $744,408.

Spammers are also quick to make use of social engineering techniques to draw people into a scam. They took advantage of the climb in the price of Bitcoins in the first part of this quarter (before the MtGox collapse) to try to cash in on people’s desire to get rich quickly. There were several Bitcoin-related topics used by spammers. They included offers to share secrets from a millionaire on how to get rich by investing in Bitcoins; and offers to join a Bitcoin lottery.

Tor

Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, the use of the Tor network has spiked in recent months, largely because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information.

Tor’s hidden services and anonymous browsing enable cybercriminals to cover their operations and provide a hosting platform to sell stolen information using bitcoins as the currency. Since Bitcoin’s architecture is decentralized and more difficult to trace than traditional financial institutions, it provides a more efficient way for cybercriminals to launder their ill-gotten gains.

In 2013, security experts began to see cybercriminals actively using Tor to host their malicious malware infrastructure, and Kaspersky Lab experts have found various malicious programs that specifically use Tor. Investigation of Tor network resources reveals lots of resources dedicated to malware, including Command-and-Control servers, administration panels, and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist, and eliminate.

Cybercriminal forums and marketplaces have become familiar on the ‘normal’ Internet. But recently a Tor-based underground marketplace has also emerged. It all started with the notorious Silk Road market and has evolved into dozens of specialist markets — for drugs, arms, and, of course, malware. Carding shops are firmly established in the Darknet, where stolen personal information is for sale, with a wide variety of search attributes like country, bank, etc. The goods on offer are not limited to credit cards: dumps, skimmers, and carding equipment are for sale too.

A simple registration procedure, trader ratings, guaranteed service, and a user-friendly interface are standard features of a Tor underground marketplace. Some stores require sellers to deposit a pledge – a fixed sum of money – before starting to trade. This is to ensure that a trader is genuine and his services are not a scam or of poor quality.

The development of Tor has coincided with the emergence of the anonymous crypto-currency, Bitcoin. Nearly everything on the Tor network is bought and sold using Bitcoins. It’s almost impossible to link a Bitcoin wallet and a real person, so conducting transactions in the dark net using Bitcoin means that cybercriminals can remain virtually untraceable. Kaspersky Lab’s expert blog, Securelist, discusses bitcoins extensively.

It seems likely that Tor and other anonymous networks will become a mainstream feature of the Internet as increasing numbers of ordinary people using the Internet seek a way to safeguard their personal information. But it’s also an attractive mechanism for cybercriminals – a way for them to conceal the functions of the malware they create, trade in cybercrime services, and launder their illegal profits. Researchers believe that the use of these networks for cybercrime will only continue.

Like technology, the specifics of cybercrime are constantly changing. To keep your organization safe today and into the future, partnering with a cybersecurity expert is critical.

Digital technology and always-on connectivity have created new and impressive opportunities for the enterprise. But behind the façade of browser interfaces, mobile apps,                                  and cloud-based data that's accessible anywhere and anytime across the organization, there's one simple truth: IT is becoming far more complex.

Businesses, educational institutions, and government agencies are discovering that they must approach IT in new and radically different ways. Here are six information technology trends that will sweep through the enterprise over the next year:

The app-centric enterprise emerges.

Consumerization, bring your device (BYOD), personal clouds and mobility have created an entirely different IT and computing environment. Today, the focus is less on a traditional client-server computing model that requires monolithic enterprise applications and more on narrow, highly targeted functionality through apps, which are increasingly delivered via an enterprise app store.

"The explosion of mobile devices has increased the number of tech-savvy employees over the past five years, all of whom are pushing to consumerize the way that IT departments operate," observes James Gordon, vice president of information technology at Needham Bank in Massachusetts. "Employees want to be able to download the apps they need, and they don't want to have to ask for download permissions or access rights to get their job done."

This translates into a greater need to monitor how apps and data are used on the network and to block unwanted software that poses a security risk.

It also requires business and IT leaders to "fundamentally rethink how they deliver applications and services," says Tiffani Bova, a Gartner vice president and distinguished analyst. "It's not about devices, but, rather, what you can do on the devices."

PwC technology industry sector lead Tom Archer adds that business and IT decision-makers must examine how best to adopt an app-centric framework, but they also must understand how the enterprise can fully tap the environment. "It changes engagement models, economic models, and operating models," Archer explains. "It alters workflows and creates different cost and pricing paradigms."  

The shift from personal devices to personal clouds accelerates.

Cloud computing is changing the face of the enterprise in profound ways. One of the most significant but overlooked areas involves personal clouds. Employees are turning to applications such as Salesforce, DropBox, and Evernote in droves—in some cases leading organizations down the path of shadow IT. Personal clouds are also ushering in a more mobile-centric approach that allows users to rely on a spate of devices, including smartphones, tablets, laptops, and desktop computers.

Gartner predicts that in 2014 the personal cloud will replace the PC at the center of users' digital lives. "Personal clouds offer a much more flexible and productive way to manage applications and data," says Bova.

She notes that the trend is fueling further consumerization of IT and creating a more application-centric computing environment. It's also leading to a more OS-agnostic approach to IT and creating "new and different delivery models, pricing structures, usage patterns, and application design requirements," Bova adds.

Big data and analytics get real.

There has been no shortage of hype about big data and analytics. However, the technology is now advancing at a rapid pace and, thanks in part to clouds, better ways to extract data, and next-gen analytics tools such as IBM's Watson, organizations can transform a growing mountain of data (including unstructured data) into knowledge.

"With 80 to 90 percent of data today existing in an unstructured state, big data tools are essential for distinguishing the 'signal from the noise,'" says Menka Uttamchandani, vice president for business intelligence at Denihan Hospitality Group, which operates 14 boutique hotels in the United States. Although BI has been around for years, she says that organizations are now learning how to plug in the right tools and build better partnerships, cultivate the necessary internal skill sets and create an analytics-friendly culture that takes appropriate risks.

Joshua Greenbaum, principal at Enterprise Applications Consulting and an IEEE blogger, says that real-time capabilities are emerging. "There is now the opportunity to look at vast amounts of data in real-time and use the data to understand the supply chain, logistics, customer behavior, patient outcomes, and many other things in a way that wasn't possible in the recent past," he says. "Big data is creating a new lease on life for many traditional

The Internet of Things connects to business.

The growing number of connected devices and machines is radically changing the business and IT landscape. Cisco Systems Internet Business Solutions Group predicts that the number of Internet-connected devices will hit 25 billion by 2015 and reach 50 billion by 2020. The firm also forecasts that 99 percent of physical objects will eventually become part of a network.

"Any sensor—physical or virtual—can be transformed into the source of data," says Dejan Milojicic, 2014 IEEE Computer Society president and senior research manager at HP Labs. "And all that data, once collected, can be analyzed, so the opportunities are infinite."

John Devlin, a practice director at ABI Research, says that businesses must begin to understand market opportunities for the Internet of Things, a.k.a. the Internet of Everything. Big data and the cloud are integral components.

"The underlying technologies for the Internet of Things already exist," Devlin says."A large part of the puzzle is understanding how to fit all the pieces together in an appropriate manner." That includes understanding which systems and tools work best, and building in secure access and authentication, he points out.

Séverin Kezeu, CEO of SK Solutions, a Dubai-based manufacturer of anti-collision and safety systems for aerospace, construction, and oil and gas drilling, says that the Internet of Things provides a way to dive deeper into big data and analytics, including historic, real-time and predictive systems. SK Solutions has already built connected capabilities into its ERP system through an SAP Internet of Things solution. The system is used to deliver relevant and actionable insights, as well as better decisions.

"This can be an iterative process for many companies as they uncover unexpected insights and connections from new streams of data," Kezeu says.

Emerging standards take hold in software-defined everything.

The virtualization of networking, storage solutions, and data centers has revolutionized the way businesses operate, manage content and connect with third parties. However, "The explosion of software-defined solutions has grown so rapidly that there are few standards that mandate how data is stored, shared, and managed between vendors and businesses," states Needham Bank's Gordon. Software-defined everything (SDx) takes direct aim at that challenge.

The term, as defined by Gartner, strives for "improved standards for infrastructure programmability and data center interoperability driven by automation inherent to cloud computing." But decoupling the hardware that executes the data transactions from the software layer that orchestrates them isn't an easy task—and not only for technical reasons.

Currently, SDx incorporates various initiatives, such as OpenStack, OpenFlow, the Open Compute Project, and Open Rack. However, Gartner notes that other sticking points exist: "Vendors that dominate a sector of the infrastructure may only reluctantly want to abide by standards that have the potential to lower margins and open broader competitive opportunities—even when the consumer will benefit by simplicity, cost reduction, and consolidation efficiency."

There are also the realities of operating a business. For example, Gordon says that public clouds are not compliant with the regulations he faces at Needham Bank.

Nevertheless, "Software-defined everything is moving beyond technology as organizations apply the concept to business models, including people, structure, and data," PwC's Archer says. "We are likely to see quite a bit of movement in the space in 2014."

Enterprise social collaboration grows and becomes more holistic.

Although it's nearly impossible to find an organization that hasn't been touched by social media, business, and IT leaders continue to underutilize these tools internally. A recent McKinsey & Co. survey found that 80 percent of executives believe collaboration is critical to growth, but only 25 percent describe their organization as "effective" at collaboration.

"The value of social tools extends far beyond marketing and listening," Archer points out. "Employee collaboration is a natural next step as organizations look to increase the speed at which data moves."

Emerging social collaboration tools largely deliver on the lost promise of 1990s-era knowledge management systems. Mobility, clouds, unified messaging, and the always-on Internet have made real-time communication possible, as well as making it easy to find experts within an enterprise. Archer says that these systems when used effectively, serve as platforms for a wide array of interactions.

Open-source software developers have created an array of amazing programs that provide a great working environment with rich functionality. At work and home, I routinely run Fedora Linux on my desktop, using Firefox and LibreOffice for most of my daily tasks. I’m sure you do, too. But as great as open source can be, we’re all aware of a few programs that just seem hard to use. Maybe it’s confusing has awkward menus, or has a steep learning curve. These are hallmarks of poor usability.

But what do we mean when we talk about usability? Usability is just a measure of how well people can use a piece of software. You may think that usability is an academic concept, not something that most open-source software developers need to worry about, but I think that’s wrong. We all have a sense of usability – we can recognize when a program has poor usability, although we don’t often recognize when a program has good usability.

So how can you find good usability? When a problem has good usability, it just works. It is really easy to use. Things are obvious or seem intuitive.

But getting there, and making sure your program has good usability, may take a little work. But not much. All it requires is taking a step back to do a quick usability test.

A usability test doesn’t require a lot of time. Usability consultant Jakob Nielsen says that as few as 5 usability testers are enough to find the usability problems for a program. Here’s how to do it:

1. Figure out who are the target users for your program.

You probably already know this. Are you writing a program for general users with average computer knowledge? Or are you writing a specialized tool that will be used by experts? Take an honest look. For example, one open-source software project I work on is the FreeDOS Project, and we figured out long ago that it wasn’t just DOS experts who wanted to use FreeDOS. We determined there were three different types of users: people who want to use FreeDOS to play DOS games, people who need to use FreeDOS to run work applications, and developers who need FreeDOS to create embedded systems.

2. Identify the typical tasks for your users.

What will these people use your program for? How will your users try to use your program? Come up with a list of typical activities that people would do. Don’t try to think of the steps they will use in the program, just the types of activities. For example, if you were working on a web browser, you’d want to list things like visiting a website, bookmarking a website, or printing a web page.

3. Use these tasks to build a usability test scenario.

Write up each task in plain language that everyone can understand, with each task on its page. Put a typical scenario behind the tasks, so that each step seems natural. You don’t have to build on each step – each task can be separate from its scenario. But here’s the tricky part: be careful not to use terminology from your program in the scenario. Also avoid abbreviations, even if they seem common to you – they might not be common to someone else. For example, if you were writing a scenario for a simple text editor, and the editor has a “Font” menu, try to write your scenario without using the word “Font.” For example, instead of this: “To see the text more clearly, you decide to change the font size. Increase the font size to 14pt.” write your scenario like this: “To see the text more clearly, you decide to make the text bigger. Increase the size of the text to 14 points.”

Once you have your scenarios, it’s just a matter of sitting down with a few people to run through a usability test. Many developers find the usability test to be extremely valuable – there’s nothing quite like watching someone else try to use your program. You may know where to find all the options and functionality in your program, but will an average user with typical knowledge be able to?

A usability test is simply a matter of asking someone to do each of the scenarios that you wrote. The purpose of a usability test is not to determine if the program is working correctly, but to see how well real people can use the program. In this way, a usability test is not judging the user; it’s an evaluation of the program. So start your usability test by explaining that to each of your testers. The usability test isn’t about them; it’s about the program. It’s okay if they get frustrated during the test. If they hit a scenario that they just can’t figure out, give them some time to work it through, then move on to the next scenario.

Your job as the person running the usability test is the hardest of all. You are there to observe, not to make comments. There’s nothing tougher than watching a user struggle through your program, but that’s the point of the usability test. Resist the temptation to point out “It’s right there! That option there!”

Once all your usability testers have had their chance with the program, you’ll have lots of information to go on. You’ll be surprised how much you’ll learn just by watching people using the program.

But what if you don’t have time to do a usability test? Or maybe you aren’t able to get people together. What’s the shortcut?

While it’s best to do your usability test, I find there are a few general guidelines for good usability, without having to do a usability test:

In general, I see Familiarity as a theme. When I did a usability test of several programs under the GNOME desktop, testers indicated that the programs seemed to operate more or less like their counterparts in Windows or Mac. For example, Gedit wasn’t too different from Windows Notepad, or even Word. Firefox is like other browsers. Nautilus is very similar to Windows Explorer. To some extent, these testers had been trained under Windows or Mac, so having functionality – and paths to that functionality – that was approximately equivalent to the Windows experience was an important part of their success.

Consistency was a recurring theme in the feedback. For example, right-click menus worked in all programs, and the programs looked and acted the same.

Menus were also helpful. While some said that icons (such as in the toolbar) were helpful to them during the test, most testers did not use the quick-access toolbar in Gedit – except to use the Save button. Instead, they used the program’s drop-down menus: File, Edit, View, Tools, etc. Testers experienced problems when the menus did not present possible actions.

And finally, Obviousness. When an action produced an obvious result or indicated success – such as saving a file, creating a folder, opening a new tab, etc. – the testers were able to quickly move through the scenarios. When the action did not produce obvious feedback, the testers became confused. These problems were especially evident when trying to create a bookmark or shortcut in the Nautilus file manager, but the program did not provide feedback and did not indicate whether or not the bookmark had been created.

Usability is important in all software – but especially open-source software. People shouldn’t have to figure out how to use a program, aside from specialized tools. Typical users with average knowledge should be able to operate most programs. If a program is too hard to use, the problem is more likely with the program than with the user. Run your usability test, apply the four themes for good usability, and make your open-source project even better!

Jim Hall is a long-time open-source software developer, best known for his work on the FreeDOS Project, including many of the utilities and libraries. Jim also wrote GNU Robots and has previously contributed to other open-source software programs including CuteMouse, GTKPod, Atomic Tanks, GNU Emacs, and Freemacs. At work, Jim is the Director of Information Technology at the University of Minnesota Morris. Jim is also working on his M.S. in Scientific & Technical Communication (Spring 2014); his thesis is “Usability in Open Source Software.”

Open-source communities have successfully developed a great deal of software. Most of this software is used by technically sophisticated users, in software development or as part of the larger computing infrastructure. Although the use of open-source software is growing, the average user computer user only directly interacts with proprietary software. There are many reasons for this situation; one of which is the perception that open-source software is less usable. This paper examines how the open-source development process influences usability and suggests usability improvement methods that are appropriate for community-based software development on the Internet.

One interpretation of this topic can be presented as the meeting of two different paradigms:

• The Open Source Developer-User Who Both Uses The Software And Contributes To Its Development
• The User-Centred Design Movement That Attempts To Bridge The Gap Between Programmers And Users Through Specific Techniques (Usability Engineering, Participatory Design, Ethnography Etc.)

Indeed the whole rationale behind the user-centered design approach within human-computer interaction (HCI) emphasizes that software developers cannot easily design for typical users. At first glance, this suggests that open-source developer communities will not easily live up to the goal of replacing proprietary software on the desktop of most users (Raymond, 1998). However, as we discuss in this paper, the situation is more complex and there are a variety of potential approaches: attitudinal, practical, and technological.

In this paper, we first review the existing evidence of the usability of open-source software (OSS). We then outline how the characteristics of open-source development influence the software. Finally, we describe how existing HCI techniques can be used to leverage distributed networked communities to address issues of usability.

Is there an open-source usability problem?

Open-source software has gained a reputation for reliability, efficiency, and functionality that has surprised many people in the software engineering world. The Internet has facilitated the coordination of volunteer developers around the world to produce open-source solutions that are market leaders in their sector (e.g. the Apache Web server). However most of the users of these applications are relatively technically sophisticated and the average desktop user is using standard commercial proprietary software (Lerner and Tirole, 2002). There are several explanations for this situation: inertia, interoperability, interacting with existing data, user support, organizational purchasing decisions, etc. In this paper, we are concerned with one possible explanation: that (for most potential users) open-source software has poorer usability.

Usability is typically described in terms of five characteristics: ease of learning, efficiency of use, memorability, error frequency and severity, and subjective satisfaction (Nielsen, 1993). Usability is separate from the utility of software (whether it can perform some function) and from other characteristics such as reliability and cost. Software, such as compilers and source code editors, which is used by developers does not appear to represent a significant usability problem for OSS. In the following discussion, we concentrate on software (such as word processors, e-mail clients,                                                        and Web browsers) that is aimed predominantly at the average user.

That there are usability problems with open source software is not significant by itself; all interactive software has problems. The issue is: how does software produced by an open-source development process compare with other approaches? Unfortunately, it is not easy to arrange a controlled experiment to compare the alternative engineering approaches; however, it is possible to compare similar tasks on existing software programs produced in different development environments. The only study we are aware of that does such a comparison is Eklund et al. (2002), using Microsoft Excel and StarOffice (this particular comparison is made more problematic by StarOffice's proprietary past).

There are many differences between the two programs that may influence such comparisons, e.g. development time, development resources, maturity of the software, the prior existence of similar software, etc. Some of these factors are characteristic of the differences between open source and commercial development but the large number of differences make it difficult to determine what a 'fair comparison' should be. Ultimately user testing of the software, as with Eklund et al. (2002), must be the acid test. However, as has been shown by the Mozilla Project (Mozilla, 2002), it may take several years for an open-source project to reach comparability and premature negative comparisons should not be taken as indicative of the whole approach. Additionally, the public nature of open-source development means that the early versions are visible, whereas the distribution of embryonic commercial software is usually restricted.

There is a scarcity of published usability studies of open source software, in addition to Eklund et al. (2002) we are aware only of studies on GNOME (Smith et al., 2001), Athena (Athena, 2001), and Greenstone (Nichols et al., 2001). The characteristics of open source projects emphasize continual incremental development that does not lend itself to traditional formal experimental studies (although culture may play a part as we discuss in the next section).

Although there are few formal studies of open-source usability there are several suggestions that open-source software usability is a significant issue (Behlendorf, 1999; Raymond, 1999; Manes, 2002; Nichols et al., 2001; Thomas, 2002; Frishberg et al., 2002):

"If this [desktop and application design] were primarily a technical problem, the outcome would hardly be in doubt. But it isn't; it's a problem in ergonomic design and interface psychology, and hackers have historically been poor at it. That is, while hackers can be very good at designing interfaces for other hackers, they tend to be poor at modeling the thought processes of the other 95% of the population well enough to write interfaces that J. Random End-User and his Aunt Tillie will pay to buy." (Raymond, 1999)

"Traditionally the users of OSS have been experts, early adopters, and nearly synonymous with the development pool. As OSS enters the commercial mainstream, a new emphasis is being placed on usability and interface design, with Caldera and Corel explicitly targeting the general desktop with their Linux distributions. Non-expert users are unlikely to be attracted by the available source code and more likely to choose OSS products based on cost, quality, brand, and support." (Feller and Fitzgerald, 2000)

Raymond is stating the central message of user-centered design (Norman and Draper, 1986): developers need specific external help to cater to the average user. The HCI community has developed several tools and techniques for this purpose: usability inspection methods, interface guidelines, testing methods, participatory design, interdisciplinary teams,                                                        etc. (Nielsen, 1993). The increasing attention being paid to usability in open-source circles (Frishberg et al., 2002) suggests that it may be passing through a similar phase to that of proprietary software in the 1980s.

As the users of software became more heterogeneous and less technically experienced, software producers started to adopt user-centered methods to ensure that their products were successfully adopted by their new users. Whilst many users continue to have problems with software applications, the HCI specialists employed by companies have greatly improved users' experiences.

As the user base of OSS widens to include many non-developers, projects will need to apply HCI techniques if they wish their software to be used on the desktop of the average user. There is recent evidence (Benson et al., 2002; Biot, 2002) that some open-source projects are adopting techniques from previous proprietary work, such as explicit user interface guidelines for application developers (Benson et al., 2002).

It is difficult to give a definitive answer to the question: is there an open-source usability problem? The existence of a problem does not necessarily mean that all OSS interfaces are bad or that OSS is doomed to have hard-to-use interfaces, just a recognition that the interfaces ought to be and can be made better. The opinions of several commentators and the actions of companies, such as Sun's involvement with GNOME, are strongly suggestive that there is a problem, although the academic literature (e.g. Feller and Fitzgerald, 2002) is largely silent on the issue (Frishberg et al. (2002) and Nichols et al. (2001) are the main exceptions). However, to suggest HCI approaches that mesh with the practical and social characteristics of open-source developers (and users) it is necessary to examine the aspects of the development process that may hurt usability.

"They just don't like to do the boring stuff for the stupid people!" (Sterling, 2002)

To understand the usability of current OSS we need to examine the current software development process. It is a truism of user-centered design that the development activities are reflected in the developed system. Drawing extensively from two main sources (Nichols et al., 2001; Thomas, 2002), we present here a set of features of the OSS development process that appear to contribute to the problem of poor usability. In addition, some features are shared with the commercial sector that help to explain why OSS usability is no worse than proprietary systems, nor is it any better.

This list of features is not intended to be complete but to serve as a starting point in addressing these issues. We note that there would seem to be significant difficulties in 'proving' whether several of these hypotheses are correct.

Developers are not typical end-users

This is a key point of Nielsen (1993) and is one shared with commercial systems developers. Teaching computer science students about usability issues is, in our experience, chiefly about helping them to try and see the use of their systems through the eyes of other people unlike themselves and their peers. In fact, for many more advanced OSS products, developers are indeed users, and these esoteric products with interfaces that would be unusable by a less technically skilled group of users are perfectly adequate for their intended elite audience. Indeed there may be a certain pride in the creation of a sophisticated product with a powerful, but challenging-to-learn interface. Mastery of such a product is difficult and so legitimates membership of an elite who can then distinguish itself from so-called 'lusers' [1]. Trudelle (2002) comments that "the product [a Web browser] should target people whom they [OSS contributors] consider to be clueless newbies."

However, when designing products for less technical users, all the traditional usability problems arise. In the Greenstone study (Nichols et al., 2001) common command line conventions, such as a successful command giving no feedback, confused users. The use of the terms 'man' (from the Unix command line), when referring to the help system, and 'regexp' (regular expression) in the GNOME interface are typical examples of developer terminology presented to end-users (Smith et al., 2001).

The OSS approach fails for end user usability because there are 'the wrong kind of eyeballs' looking at, but failing to see, usability issues. In some ways, the relatively new problem with OSS usability reflects the earlier problem with commercial systems development: initially, the bulk of applications were designed by computing experts for other computing experts, but over time an increasing proportion of systems development was aimed at non-experts, and usability problems became more prominent. The transition to non-expert applications in OSS products is following a similar trajectory, just a few years later.

The key difference between the two approaches is this: commercial software development has recognized these problems and can employ specific HCI experts to 're-balance' their historic team compositions and consequent development priorities in favor of users (Frishberg et al., 2002). However, volunteer-led software development cannot hire with missing skill sets to ensure that user-centered design expertise is present in the development team. Additionally, in commercial development, it is easier to ensure that HCI experts are given sufficient authority to promote the interests of users.

Usability experts do not get involved in OSS projects

Anecdotal evidence suggests that few people with usability experience are involved in OSS projects; one of the 'lessons learned' in the Mozilla project (Mozilla, 2002) is to "ensure that UI [user interface] designers engage the Open Source community" (Trudelle, 2002). Open source draws its origins and strength from a hacker culture (O'Reilly, 1999). This culture can be extremely welcoming to other hackers, comfortably spanning nations, organizations, and time zones via the Internet. However, it may be less welcoming to non-hackers.

Good usability design draws from a variety of different intellectual cultures including but not limited to psychology, sociology, graphic design, and even theatre studies. Multidisciplinary design teams can be very effective but require particular skills to initiate and sustain. As a result, existing OSS teams may just lack the skills to solve usability problems and even the skills to bring in 'outsiders' to help. The stereotypes of low hacker social skills are not to be taken as gospel, but the sustaining of distributed multidisciplinary design teams is not trivial.

Furthermore, the skills and attitudes necessary to be a successful and productive member of an OSS project may be relatively rare. With a large candidate set of hacker programmers interested in getting involved, OSS projects have various methods for winnowing out those with the best skill sets and giving them progressively more control and responsibility. It may be that the same applies to potential usability participants, implying that a substantial number of potential usability recruits are needed to proceed with the winnowing process. If true, this adds to the usability expertise shortage problem.

There are several possible explanations for the minimal or non-participation of HCI and usability people in OSS projects:

• There are far fewer usability experts than hackers, so there are just not enough to go around.
• Usability experts are not interested in, or incentivized by the OSS approach in the way that many hackers are.
• Usability experts do not feel welcomed into OSS projects.
• Inertia: traditionally projects haven't needed usability experts. The current situation of many technically adept programmers and few usability experts in OSS projects is just a historical artifact.
• There is not a critical mass of usability experts involved for the incentives of peer acclaim and recruitment opportunities to operate.

The incentives in OSS work better for the improvement of functionality than usability

Are OSS developers just not interested in designing better interfaces? As most work on open-source projects is voluntary, developers work on the topics that interest them and this may well not include features for novice users. The importance of incentives in OSS participation is well recognized (Feller and Fitzgerald, 2002; Hars and Ou, 2001). These include gaining respect from peers and the intrinsic challenge of tackling a hard problem. Adding functionality or optimizing code provides opportunities for showing off one's talents as a hacker to other hackers. If OSS participants perceive improvements to usability as less high status, less challenging, or just less interesting, then they are less likely to choose to work on this area. The voluntary nature of participation has two aspects: choosing to participate at all and choosing which out of usually a large number of problems within a project to work on. With many competing challenges, usability problems may get crowded out.

An even more extreme version of this case is that the choice of the remit of an entire OSS project may be more biased towards the systems side than the applications side [2]. "Almost all of the most widely-known and successful OSS projects seem to have been initiated by someone who had a technical need that was not being addressed by available proprietary (or OSS) technology" [3]. Raymond refers to the motivation of "scratching a personal itch" (Raymond, 1998). The technically adept initiators of OSS projects are more likely to have a personal need for very advanced applications, development toolkits, or systems infrastructure improvements than an application that also happens to meet the needs of a less technically sophisticated user.

"From a developer's perspective, solving a usability problem might not be a rewarding experience since the solution might not involve a programming challenge, new technology, or algorithms. Also, the benefit of solving the usability problem might be a slight change to the behavior of the software (even though it might cause a dramatic improvement from the user's perspective). This behavior change might be subtle, and not fit into the typical types of contributions developers make such as adding features, or bug fixes." (Eklund et al., 2002)

The 'personal itch' motivation creates a significant difference between open source and commercial software development. Commercial systems development is usually about solving the needs of another group of users. The incentive is to make money by selling software to customers, often customers who are prepared to pay precisely because they do not have the development skills themselves. Capturing the requirements of software for such customers is acknowledged as a difficult problem in software engineering and consequently, techniques have been developed to attempt to address it. By contrast, many OSS projects lack formal requirements capture processes and even formal specifications (Scacchi, 2002). Instead, they rely on the understood requirements of initial individuals or tight-knit communities. These are supported by 'informalisms' and illustrated by the evolving OSS project code that embodies it, even if it does not articulate the requirements.

The relation to usability is that this implies that OSS is in certain ironic ways more egotistical than closed-source software (CSS). A personal itch implies designing software for one's own needs. Explicit requirements are consequently less necessary. Within OSS this is then shared with a like-minded community and the individual tool is refined and improved for the benefit of all — within that community. By contrast, a CSS project may be designed for use by a community with different characteristics, and where there is a strong incentive to devote resources to certain aspects of usability, particularly initial learnability, to maximize sales (Varian, 1993).

Usability problems are harder to specify and distribute than functionality problems

Functionality problems are easier to specify, evaluate, and modularize than certain usability problems. These are all attributes that simplify decentralized problem-solving. Some (but not all) usability problems are much harder to describe and may pervade an entire screen, interaction, or user experience. Incremental patches to interface bugs may be far less effective than incremental patches to functionality bugs. Fixing the problem may require a major overhaul of the entire interface — not a small contribution to the ongoing design work. Involving more than one designer in interface design, particularly if they work autonomously, will lead to design inconsistency and hence lower the overall usability. Similarly, improving an interface aspect of one part of the application may require careful consideration of the consequences of that change for overall design consistency. This can be contrasted with the incremental fixing of the functionality of a high-quality modularised application. The whole point of modularisation is that the effects are local. Substantial (and highly desirable) refactoring can occur throughout the ongoing project while remaining invisible to the users. However, many interface changes are global in scope because of their consistency effects.

The modularity of OSS projects contributes to the effectiveness of the approach (O'Reilly, 1999), enabling them to side-step Brooks' Law. Different parts can be swapped out and replaced by superior modules that are then incorporated into the next version. However, a major success criterion for usability is the consistency of design. Slight variations in the interface between modules and different versions of modules can irritate and confuse, marring the overall user experience. Their inevitably public nature means that interfaces are not amenable to the black-boxing that permits certain kinds of incremental and distributed improvement.

We must note that OSS projects do successfully address certain categories of usability problems. One popular approach to OSS interface design is the creation of 'skins': alternate interface layouts that dramatically affect the overall appearance of the application, but do little to change the nature of the underlying interaction dynamics. A related approach is software internationalization, where the language of the interface (and any culture-specific icons) is translated. Both approaches are amenable to the modular OSS approach whereas an attempt to address deeper interaction problems by a redesign of sets of interaction sequences does not break down so easily into a manageable project. The reason for the difference is that addressing the deeper interaction problems can have implications across not only the whole interface but also lead to requirements for changes to different elements of functionality.

Another major category of OSS usability success is in software (chiefly GNU/Linux) installation. Even the technically adept had difficulties in installing the early versions of GNU/Linux. The Debian project (Debian, 2002) was initiated as a way to create a better distribution that made installation easier, and other projects and companies have continued this trend. Such projects solve a usability problem, but in a manner that is compatible with traditional OSS development. Effectively a complex set of manual operations is automated, creating a black box for the end user with no wish to explore further. Of course, since it is an open-source project, the black box is openable, examinable, and changeable for those with the will and the skill to investigate.

Design for usability really ought to take place in advance of any coding

In some ways, surprisingly, OSS development is so successful, given that it breaks many established rules of conventional software engineering. Well-run projects are meant to plan carefully in advance, capturing requirements and specifying what should be done before ever beginning coding. By contrast, OSS often appears to involve coding as early as possible, relying on constant review to refine and improve the overall, emergent design: "Your nascent developer community needs to have something runnable and testable to play with" (Raymond, 1998). Similarly, Scacchi's (2002) study didn't find "examples of formal requirements elicitation, analysis and specification activity of the kind suggested by software engineering textbooks." Trudelle (2002) notes that skipping much of the design stage with Mozilla resulted in design and requirements work occurring in bug reports, after the distribution of early versions.

This approach does seem to work for certain kinds of applications, and in others, there may be a clear plan or shared vision between the project coordinator and the main participants. However good interface design works best by being involved before coding occurs. If there is no collective planning even for the coding, there is no opportunity to factor in interface issues in the early design. OSS planning is usually done by the project initiator before the larger group is involved. We speculate that while an OSS project's members may share a strong sense of vision of the intended functionality (which is what allows the bypassing of traditional software engineering planning), they often have a much weaker shared vision of the intended interface. Unless the initiator happens to possess significant interaction design skills, important aspects of usability will get overlooked until it is too late. As with many of the issues we raise, that is not to say that CSS always, or even frequently, gets it right. Rather we want to consider potential barriers within existing OSS practice that might then be addressed.

Open-source projects lack the resources to undertake high-quality usability work

OSS projects are voluntary so work on small budgets. Employing outside experts such as technical authors and graphic designers is not possible. As noted earlier there may currently be barriers to bringing in such skills within the volunteerism OSS development team. Usability laboratories and detailed large-scale experiments are just not economically viable for most OSS projects. Discussion on the K Desktop Environment (KDE) Usability (KDE Usability, 2002) mailing list has considered asking usability laboratories for donations of time in which to run studies with state-of-the-art equipment.

Recent usability activity in several open source projects has been associated with the involvement of companies, e.g. Benson et al. (2002), although it seems likely that they are investing less than large proprietary software developers. Unless OSS usability resources are increased, or alternative approaches are investigated (see below), then open-source usability will continue to be constrained by resource limitations.

Commercial software establishes state-of-the-art so that OSS can only play catch-up

Regardless of whether commercial software provides good usability, its overwhelming prominence in end-user applications creates a distinct inertia concerning innovative interface design. To compete for adoption, OSS applications appear to follow the interface ideas of the brand leaders. Thus the Star Office spreadsheet component, Calc, tested against Microsoft Excel (Eklund et al., 2002) was deliberately developed to provide a similar interface to make transfer learning easier. As a result, it had to follow the interface design ideas of Excel regardless of whether or not they could have been improved upon.

There does not seem to be any overriding reason why this conservatism should be the case, other than the perceived need to compete by enticing existing CSS users to switch to open-source direct equivalents. Another possibility is that current typical OSS developers, who may be extremely supportive of functionality innovation, just lack interest in interface design innovation. Finally, the underlying code of a commercial system is proprietary and hidden, requiring any OSS rival to do a form of reverse engineering to develop. This activity can inspire significant innovation and extension. By contrast, the system's interface is a very visible pre-existing solution that might dampen innovation — why not just copy it, subject to minor modifications due to concerns of copyright? One might expect in the absence of other factors that open-source projects would be much more creative and risk-taking in their development of radically new combinations of functionality and interface, since they do not suffer short-term financial pressures.

OSS has an even greater tendency towards software bloat than commercial software

Many kinds of commercial software have been criticized for bloated code, consuming ever greater amounts of memory and numbers of processor cycles with successive software version releases. There is a commercial pressure to increase functionality and so to entice existing owners to purchase the latest upgrade. Naturally, the growth of functionality can seriously degrade usability as the increasing number of options becomes ever more bewildering, serving to obscure the tiny subset of features that a given user wishes to employ.

There are similar pressures in open source development, but due to different causes. Given the interests and incentives of developers, there is a strong incentive to add functionality and almost no incentive to delete functionality, especially as this can irritate the person who developed the functionality in question. Worse, given that peer esteem is a crucial incentive for participation, deletion of functionality in the interest of benefiting the end user creates a strong disincentive to future participation, perhaps considered worse than having one's code replaced by code that one's peers have deemed superior. The project maintainer, to keep volunteer participants happy, is likely to keep functionality even if it is confusing, and on receipt of two similar additional functionalities, keep both, creating options for the user of the software to configure the application to use the one that best fits their needs. In this way as many contributors as possible can gain clear credit for directly contributing to the application. This suggested a tendency to 'pork barrel' design compromise needs further study.

The process of 'release early and release often' can lead to an acceptance of certain clumsy features. People invest time and effort in learning them and creating their workarounds to cope with them. When a new, improved version is released with a better interface, there is a temptation for those early adopters of the application to refuse to adapt to the new interface. Even if it is easier to learn and use than the old one, their learning of the old version is now a sunk investment and understandably they may be unwilling to re-learn and modify their workarounds. The temptation for the project maintainer is to keep multiple legacy interfaces coordinated with the latest version. This pleases the older users, creates more development opportunities, keeps the contributions of the older interfaces in the latest version, and adds to the complexity of the final product.

OSS development is inclined to promote power over simplicity

'Software bloat' is widely agreed to be a negative attribute. However, the decision to add multiple alternative options to a system may be seen as a positive good rather than an invidious compromise. We speculate that freedom of choice may be considered a desirable attribute (even a design aesthetic) by many OSS developers. The result is an application that has many configuration options, allowing very sophisticated tailoring by expert users, but which can be bewildering to a novice. The provision of five different desktop clocks in GNOME (Smith et al., 2001) is one manifestation of this tendency; another is the growth of preference interfaces in many OSS programs (Thomas, 2002).

Thus there is a tendency for OSS applications to grow in complexity, reducing their usability for novices, but with that tendency to remain invisible to the developers who are not novices and relish the power of sophisticated applications. Expert developers will also rarely encounter the default settings of a multiplicity of options and so are unlikely to give much attention to their careful selection, whereas novices will often live with those defaults. Of course, commercial applications also grow in complexity, but at least there are some factors to moderate that growth, including the cost of developing the extra features and some pressures from a growing awareness of usability issues.

Potential approaches to improving OSS usability

The above factors aim to account for the current relatively poor state of the usability of many open-source products. However, some factors should contribute to better usability, although they may currently be outweighed by the negative factors in many current projects.

A key positive factor is that some end users are involved in OSS projects. This involvement can be in elaborating requirements, testing, writing documentation, reporting bugs, requesting new features, etc. This is clearly in accord with the advocacy of HCI experts, e.g. Shneiderman (2002), and also has features in common with participatory design (Kyng and Mathiassen, 1997). The challenge is how to enable and encourage far greater participation of non-technical end users and HCI experts who do not conform to the traditional OSS-hacker stereotype.

We describe several areas where we see potential for improving usability processes in OSS development.

Commercial approaches

One method is to take a successful OSS project with powerful functionality and involve companies in the development of a better interface. It is noticeable that several of the positive (from the HCI point of view) recent developments (Smith et al., 2001; Benson et al., 2002; Trudelle, 2002) in OSS development parallels the involvement of large companies with both design experience and considerably more resources than the typical volunteer-led open source project. However, the HCI methods used are the same as for proprietary software and do not leverage the distributed community that gives open-source software its perceived edge in other aspects of development. Does this imply that the only way to achieve a high level of end-user usability is to 'wrap' an open-source project with a commercially developed interface? Certainly, that is one approach, and the Apple OS X serves as a prime example, as to a lesser extent do commercial releases of GNU/Linux (since they are aimed at a (slightly) less technologically sophisticated market). The Netscape/Mozilla model of mutually informed development offers another model. However, as Trudelle (2002) notes, there can be conflicts of interest and mutual misunderstandings between a commercial partner and OSS developers about the direction of interface development so that it aligns with their interests.

Technological approaches

One approach to dealing with a lack of human HCI expertise is to automate the evaluation of interfaces. Ivory and Hearst (2001) present a comprehensive review of automated usability evaluation techniques and note several advantages to automation including cost reduction, increased consistency, and the reduced need for human evaluators. For example, the Sherlock tool (Mahjan and Shneiderman, 1997) automated checking of visual and textual consistency across an application using simple methods such as a concordance of all text in the application interface and metrics such as widget density. Applications with interfaces that can be easily separated from the rest of the code, such as Mozilla, are good candidates for such approaches.

An interesting approach to understanding user behavior is the use of 'expectation agents' (Hilbert and Redmiles, 2001) that allow developers to easily explicitly place their design expectations as part of an application. When a user does something unexpected (and triggers the expectation agent) program state information is collected and sent back to the developers. This is an extension of the instrumentation of applications but one that is focused on user activity (such as the order in which a user fills in a form) rather than the values of program variables. Extensive instrumentation has been used by closed-source developers as a key element of program improvement (Cusmano and Selby, 1995).

Academic involvement

It is noticeable some of the work described earlier has emerged from higher education (Athena, 2001; Eklund et al., 2002; Nichols et al., 2001). In these cases, classes of students involved in HCI have participated in or organized studies of OSS. This type of activity is effectively a gift to the software developers, although the main aim is pedagogical. The desirability of practicing skills and testing conceptual understanding on authentic problems rather than made-up exercises is obvious.

The model proposed is that an individual, group, or class would volunteer support following the OSS model, but involving aspects of any combination of usability analysis and design: user studies, workplace studies, design requirements, controlled experiments, formal analysis, design sketches, prototypes, or actual code suggestions. To support these kinds of participation, certain changes may be needed to the OSS support software, as noted below.

Involving the end users

The Mozilla bug database, Bugzilla, has received more than 150,000 bug reports at the time of writing. Overwhelmingly these bug reports concern functionality (rather than usability) and have been contributed by technically sophisticated users and developers:

"Reports from lots of users are unusual too; my usual rule of thumb is that only 10% of users have any idea what newsgroups are (and most of them lurk 90% of the time), and that much less than 1% of even mozilla users ever file a bug. That would mean we don't ever hear from 90% of users unless we make some effort to reach them."

Generally speaking most members [of an open-source community] are Passive Members. For example, about 99 percent of people who use Apache are Passive Users (Nakakoji, 2002).

One reason for users' non-participation is that the act of contributing is perceived as too costly compared to any benefits. The time and effort to register with Bugzilla (a pre-requisite for bug reporting) and understand its Web interface are considerable. The language and culture embodied in the tool are themselves barriers to participation for many users. In contrast, the crash reporting tools in both Mozilla and Microsoft Windows XP are simple to use and require no registration. Furthermore, these tools are part of the application and do not require a user to separately enter information on a Web site.

We suggest that integrated user-reported usability incidents are a strong candidate for addressing usability issues in OSS projects. That is, users report occasions when they have problems whilst they are using an application. Existing HCI research (Hartson and Castillo, 1998; Castillo et al., 1998; Thompson and Williges, 2000) has shown, on a small scale, that user reporting is effective at identifying usability problems. These reporting tools are part of an application, easy to use, free of technical vocabulary, and can return objective program state information in addition to user comments (Hilbert and Redmiles, 2000). This combination of objective and subjective data is necessary to make causal inferences about users' interactions in remote usability techniques (Kaasgaard et al., 1999). In addition to these user-initiated reports, applications can prompt users to contribute based on their behavior, (Ivory and Hearst, 2001). Kaasgaard et al. (1999) note that it is hard to predict how these additional functionalities affect the main usage of the system.

Another method to involve users is to create packaged remote usability tests that can be performed by anyone at any time. The results are collated on the user's computer and sent back to the developers. Tullis et al. (2002) and Winckler et al. (1999) both describe this approach for usability testing of Web sites; a separate browser window is used to guide a user through a sequence of tasks in the main window. Scholtz (1999) describes a similar method for Web sites within the main browser window — effectively as part of the application. Comparisons of laboratory-based and remote studies of Web sites indicate that users' task completion rates are similar and that the larger number of remote participants compensates for the lack of direct user observation (Tullis et al., 2002; Jacques and Savastano, 2001).

Both of these approaches allow users to contribute to usability activities without learning technical vocabulary. They also map well onto the OSS approach: they allow participation according to the contributor's expertise and leverage the strengths of a community in a distributed networked environment. Although these techniques lose the control of laboratory-based usability studies they gain authenticity in that they are firmly grounded in the user's environment (Thomas and Kellogg, 1989; Jacques and Savastano, 2001; Thomas and Macredie, 2002).

To further promote user involvement it should be possible to easily track the consequences of a report, or test result, that a user has contributed. The public nature of Bugzilla bug discussions achieves this for developers but a simpler version would be needed for average users so that they are not overwhelmed by low-level detail. Shneiderman. suggests that users might be financially rewarded for such contributions, such as discounts on future software purchases. However, in an open-source context, the user could expect information such as: "Your four recent reports have contributed to the fixing of bug X which is reflected in the new version 1.2.1 of the software."

Creating a usability discussion infrastructure

For functional bugs, a tool such as Bugzilla works well in supporting developers but presents complex interfaces to other potential contributors. If we wish such tools to be used by HCI people then they may need an alternative lightweight interface that abstracts away from some low-level details. In particular, systems that are built on top of code management systems can easily become overly focused on textual elements.

As user reports and usability test results are received they need to be structured, analyzed, discussed, and acted on. Much usability discussion is graphical and might be better supported through sketching and annotation functionality; it is noticeable that some Mozilla bug discussions include textual representations ('ASCII art') of proposed interface elements. Hartson and Castillo (1998) review various graphical approaches to bug reporting including video and screenshots which can supplement the predominant text-based methods. For example, an application could optionally include a screenshot with a bug report; the resulting image could then be annotated as part of an online discussion. Although these may seem like minor changes, a key lesson of usability research is that details matter and that a small amount of extra effort is enough to deter users from participating (Nielsen, 1993).

Fragmenting usability analysis and design

We can envisage various new kinds of lightweight usability participation, that can be contrasted with the more substantial experimental and analysis contributions outlined above for academic or commercial involvement. An end user can volunteer a description of their own, perhaps idiosyncratic, experiences with the software. A person with some experience of usability can submit their analysis. Furthermore, such a contributor could run a user study with a sample size of one, and then report it. It is often surprising how much usability information can be extracted from a small number of studies (Nielsen, 1993).

In the same way that OSS development work succeeds by fragmenting the development task into manageable sub-units, usability testing can be fragmented by involving many people worldwide each doing a single user study and then combining the overall results for analysis. Coordinating many parallel small studies would require tailored software support but it opens up a new way of undertaking usability work that maps well to the distributed nature of OSS development. Work on remote usability (Hartson et al., 1996; Scholtz, 2001) strongly suggests that the necessary distribution of work is feasible; further work is needed in coordinating and interpreting the results.

Involving the experts

A key point for involving HCI experts will be a consideration of the incentives of participation. We have noted the issues of a critical mass of peers, and a legitimization of the importance of usability issues within the OSS community so that design trade-offs can be productively discussed. One relatively minor issue is the lowering of the costs of participation caused by problems with articulating usability in a predominantly textual medium, and various solutions have been proposed. We speculate that for some usability experts, their participation in an OSS project will be problematic in cases where their proposed designs and improvements clash with the work of traditional functionality-centric development. How can this be resolved? Clear articulation of the underlying usability analysis, a kind of design rationale, may help. In the absence of such explanations, the danger is that a lone usability expert will be marginalized.

Another kind of role for a usability expert can be as the advocate of the end user. This can involve analyzing end-user contributions and creating a condensed version, perhaps filtered by the expert's theoretical understanding to address concerns of developers that the reports are biased or unrepresentative. The expert then engages in the design debate on behalf of the end users, attempting to rectify the problem of traditional OSS development only scratching the personal itches of the developers, not of intended users. As with creating incentives to promote the involvement of end users, the consequences of the evolving design of usability experts' interactions should be recorded and easily traceable.

Education and evangelism

In the same way that commercial software development organizations had to learn that usability was an important issue that they should consider, and which could have a significant impact on the sales of their product, so open-source projects will need to be convinced that it is worth the effort of learning about and putting into practice good usability development techniques. The incentive of greater sales will not usually be relevant, and so other approaches to making the usability case will need to be made. Nickell (2001) suggests that developers prefer that their programs are used and that "most hackers find gaining a userbase to be a motivating factor in developing applications."

Creating a technological infrastructure to make it easier for usability experts and end users to participate will be insufficient without an equivalent social infrastructure. These new entrants to OSS projects will need to feel welcomed and valued, even if (actually) they lack the technical skills of traditional hackers. References to 'clueless newbies' and 'lusers', and some of the more vituperative online arguments will need to be curtailed, and if not eliminated, at least moved to designated technology-specific areas. Beyond merely tolerating a greater diversification of the development team, it would be interesting to explore the consequences of certain OSS projects actively soliciting help from these groups. As with various multidisciplinary endeavors, including integrating psychologists into commercial interface design and ethnographers into computer-supported cooperative work projects, care needs to be taken in enabling the participants to be able to talk productively to each other (Crabtree et al., 2000).

Discussion and future work

We do not want to imply that OSS development has completely ignored the importance of good usability. Recent activities (Frishberg et al., 2002; Nickell, 2001; Smith et al., 2001) suggest that the open-source community is increasing its awareness of usability issues. This paper has identified certain barriers to usability and explored how these are being and can be addressed. Several of the approaches outlined above directly mirror the problems identified earlier; try automated evaluation where there is a shortage of human expertise and encourage various kinds of end user and usability expert participation to re-balance the development community in favor of average users. If traditional OSS development is about scratching a personal itch, usability is about being aware of and concerned about the itches of others.

A deeper investigation of the issues outlined in this paper could take various forms. One of the great advantages of OSS development is that its process is to a large extent visible and recorded. A study of the archives of projects (particularly those with a strong interface design component such as GNOME, KDE, and Mozilla) will enable verification of the claims and hypotheses ventured here, as well as the uncovering of a richer understanding of the nature of current usability discussions and development work. Example questions include: 'How do HCI experts successfully participate in OSS projects?', 'Do certain types of usability issues figure disproportionately in discussions and development efforts?' and 'What distinguishes OSS projects that are especially innovative in their functionality and interface designs?'

The approaches outlined in the previous section need further investigation and indeed experimentation to see if they can be feasibly used in OSS projects, without disrupting the factors that make traditional functionality-centric OSS development so effective. These approaches are not necessarily restricted to OSS; several can be applied to proprietary software. Indeed the ideas derived from discount usability engineering and participatory design originated in developing better proprietary software. However, they may be even more appropriate for open-source development in that they map well onto the strengths of a volunteer developer community with open discussion.

Most HCI research has concentrated on pre-release activities that inform design and relatively little on post-release techniques (Hartson and Castillo, 1998; Smilowitz et al., 1994). It is noteworthy that participatory design is a field in its own right whereas participative usage is usually quickly passed over by HCI textbooks. Thus OSS development in this case need not merely play catch-up with the greater end-user focus of the commercial world but potentially can innovate in exploring how to involve end users in subsequent redesign. There have been several calls in the literature (Shneiderman 2002; Lieberman and Fry, 2001; Fischer, 1998) for users to become actively involved in software development beyond standard user-centered design activities (such as usability testing, prototype evaluation, and fieldwork observation). It is noticeable that these comments seem to ignore that this involvement is already happening in OSS projects.

Raymond (1998) comments that "debugging is parallelizable", we can add to this that usability reporting, analysis, and testing are also parallelizable. However certain aspects of usability design do not appear to be so easily parallelizable. We believe that these issues should be the focus of future research and development, understanding how they have operated in successful projects and designing and testing technological and organizational mechanisms to enhance future parallelization. In particular, future work should seek to examine whether the issues identified in this paper are historical (i.e. they flow from the particular ancestry of open-source development) or are necessarily connected to the OSS development model.

Improvements in the usability of open-source software do not necessarily mean that such software will displace proprietary software from the desktop; there are many other factors involved, e.g. inertia, support, legislation, legacy systems, etc. However, improved usability is a necessary condition for such a spread. We believe this paper is the first detailed discussion of these issues in the literature.

Lieberman and Fry (2001) foresee that "interacting with buggy software will be a cooperative problem-solving activity of the end user, the system, and the developer." For some open-source developers this is already true, expanding this situation to (potentially) include all of the end-users of the system would mark a significant change in software development practices.

Many techniques from HCI can be easily and cheaply adopted by open-source developers. Additionally, several approaches seem to provide a particularly good fit with a distributed networked community of users and developers. If open source projects can provide a simple framework for users to contribute non-technical information about software to the developers then they can leverage and promote the participatory ethos amongst their users.

Raymond (1998) proposed that "given enough eyeballs all bugs are shallow." For seeing usability bugs, the traditional open-source community may comprise the wrong kind of eyeballs. However, it may be that by encouraging greater involvement of usability experts and end users it is the case that: given enough user experience reports all usability issues are shallow. By further engaging typical users into the development process OSS projects can create a networked development community that can do for usability what it has already done for functionality and reliability.