Posts Tagged ‘Implications’

Implications of Health Information Technology

Article by ATV

Health information technology, or health informatics, is emerging as one of the most promising tools in the fields of biomedical research, health care and public health. Around the world, and especially in the US and Europe, it has become a high priority to invest in and fund research, education and infrastructure to improve health care systems. The goals are to identify and reduce medical errors in hospitals and pharmacies, to increase the safety and effectiveness of therapies, and to make diagnostic and laboratory results available to clinicians anywhere and as quickly as possible. A further goal is to reduce health care costs due to misdiagnoses, medication errors and incomplete patient information and history.

Information technology can help clinicians by making information available to them quickly, offering analyses of populations and diseases, notifying them about new therapies, etc. It can also help advance biomedical research, with further implications for the treatment of human disease. For example, the field of biomedical research is generating loads of data regarding the human genome, the function of genes and their role in disease. Technology is needed to analyze this data more quickly, with the ultimate goal of producing therapies – and particularly individualized therapies – based on an individual’s genes.

Another example that has great impact on individuals is the availability of health records electronically. Would it not be wonderful to have an individual’s health history, allergies, intolerances, prescriptions and disease diagnoses all in one electronic file that can be retrieved at a moment’s notice? Would it not be wonderful to not have to repeat this information every time we went to the doctor, hospital or pharmacy? Would it not be wonderful if the pharmacy could refill and dispense your prescription and give you a call at home to indicate it is ready to be picked up? These conveniences cannot happen without the help of information technology. Furthermore, it is the accuracy of this information that makes it even more desirable. If technology can help to provide accurate information, then it significantly eases the burdens on health professionals and individuals.

Despite all the benefits of health information technology, there are still barriers to fully implementing it. There are the infrastructure and specialist costs of acquiring the technology and of having the skills to use it. There are technical challenges, especially the issue of interoperability – how information can be transferred, exchanged and updated by different facilities. It is worth noting that there are efforts under way to develop standards and certifications to outline the requirements for successful implementation. Other barriers are the issues of privacy and confidentiality: who has access to the information, how it is controlled, and how it can be changed and by whom. A whole field has emerged to address the legal and ethical problems. Another barrier has been identified as the lack of specialized individuals to work in this field. It is not so much the lack of computer programmers, but the lack of clinicians or individuals in the health care field who can interact with the computer and technology gurus to explain to them the clinicians’ needs. The gurus can then translate these needs into workable solutions.

There is no doubt that the field of health informatics has come a long way. Much funding and investment has been provided, both governmental and private, to fully realize the benefits of its implementation into healthcare and public health systems. However, there is still untapped potential and questions remain about its use.

http://goarticles.com/article/Implications-of-Health-Information-Technology/5115822/

Internet Security: Human Resource Management Implications

The rise of the Internet has resulted in many important issues being raised. One of these major issues relates to privacy and security concerns.

These issues become important ones for organizations to consider for several reasons: firstly, because private employee information is recorded on computers; secondly, because organizations have their own important information recorded on computers; and thirdly, because many organizations conduct business over the Internet via an informational home page or by Internet retailing.

The question of security will become an important one for organizations and will likely become the responsibility of the human resource department in many organizations, with the questions of security and privacy an extension of information systems generally handled by the human resource department (Bernardin & Russell).

In this paper, the privacy and security issues that arise from the Internet will be investigated. Recognizing that the Internet is relatively new and rapidly changing, the investigation will be completed with an eye to the future.

Firstly, I will discuss the modern history of the Internet and how it relates to privacy and security concerns. I will then discuss several key security and privacy issues relevant to organizations. I will then briefly discuss the protection options available to deal with these issues.

THE INTERNET AND PRIVACY & SECURITY

Privacy is not a new concept, but one that has been of importance to people for centuries.

The advent of the Internet, however, is taking privacy issues to a new level. Privacy is described as “the ability of individuals to determine for themselves when, how and to what extent information about them is communicated to others” (IBM).

Security also becomes of wider concern. With the importance of the Internet and information technology to society, it becomes a tool that can be used against national security, against individuals or against organizations.

As well as this, the mass of information available on the Internet can be misused.

The Internet has become a profound part of our society, impacting on every aspect of it. With this wide impact, security issues reach out across various topics and take on various forms.

Also relevant is the fact that the Internet remains in its infancy, with the Internet revolution described as “one that experts estimate is less than 10 percent complete” (IBM).

As the Internet grows and changes, new security and privacy issues will appear. As the environment changes, the privacy and security issues will be reconsidered.

There is no doubt that the issues the Internet creates are likely to change, as the Internet and society continue to adapt to each other. Even recognizing this, by assessing the issues now we can begin to see their current impact and also their future direction.

SECURITY AND PRIVACY ISSUES

Hackers

Everyone is under threat from hackers, from organizations and governments through to individuals. The reasons for hacking vary as widely as the victims of hacking: “crackers are not necessarily after secret files or valuable corporate data, many just want a machine – fast. Most victimized machines are merely launch pads for other attacks” (Tanase). Essentially, hackers hide themselves by operating through a chain of machines.

Reasons for hacking are extremely varied and can include accessing information, changing information records and launching viruses.

For the organization, information may be extracted to be used against the organization. This information could then be used in various ways. Disgruntled employees may seek information to use against the organization.

The threat of misuse also depends on the nature of the organization. A university, for example, faces the threat of students changing their results records, while an organization involved in controversial issues, such as a gun manufacturer, may be threatened by anti-gun protesters. Hackers may also operate by damaging company web sites.

The reasons and form of Internet hacking crimes are just as varied as typical crimes.

As the Internet becomes more widespread, Internet crimes may come to mirror all crimes. For example, just as a disgruntled employee may vandalize their place of employment, a disgruntled employee may vandalize the organization’s web site.

Current Effect on Business

Hacker attacks are the largest threats for governments and businesses, with ninety percent of businesses and governments suffering hacker attacks each year (Krebs).

Of those businesses, only one third were willing to report the attacks to the FBI (Krebs).

Eighty percent reported financial losses as a result but the majority were not willing to quantify these financial losses (Krebs).

The majority of organizations and government departments do suffer from security breaches. It is also noted that not all of these come from hackers; a major component also comes from company staff. The fact that the majority are not willing to report or verify the problems is an indication that this problem is thought to be significant as well as damaging.

Organizations generally avoid reporting such problems to avoid alarming shareholders, while government departments avoid public concern. With shareholders and the public warranted in their right to know of these breaches, it is likely that in the future such breaches will be required to be reported.

The reality is that these threats cannot be ignored. A study by the National Institute of Standards and Technology recognized that “information and the systems that process it are among the most valuable assets of any organization. Adequate security of these assets is a fundamental management responsibility” (NIST).

The report by the National Institute of Standards and Technology provides a framework for determining a security system program. The needs of the programs are twofold:

“Agency programs must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification” (NIST).

This considered, systematic approach to determining a security program may mirror how organizations will approach security considerations in the future.

It is also noted that “many organizations and consumers are only just beginning to realize the value of applied information technology and the increased efficiency and effectiveness of innovations in data collection and management” (IBM).

With increased realization will come increased use of information by organizations, and with this increased use will come a greater need for privacy and security considerations.

Information on the Internet

The Internet is also capable of infringing on a person’s privacy as a publisher of information.

We can see the Internet as a tool for communicating information, just as television, newspapers and other media are.

The difference with the Internet is that the information published is not as well controlled.

With television and newspapers, controls are in place to determine what will be communicated. It is generally not possible for a person to publish information without it being verified in some way.

However, with the Internet, a person can publish and communicate messages to people from all over the world with no requirement to have checks on the information.

Essentially, the Internet allows anyone to say anything, and to say that anything to a lot of people.

This leads to the Internet being capable of being used as a tool to defame others.

A recent court case shows that this does happen, where the case is described as follows:

“A state-court jury awarded $3-million Tuesday to a University of North Dakota physics professor who sued a former student for libel after she accused him in an online article of being a pedophile. The professor, John L. Wagner, 41, filed his lawsuit after an article titled “Kinky, Torrid Romance by Randy Physics Professor” was published on the Web site Undnews.com” (Bartlett).

This example shows how information on any subject can be widely published on the Internet. The guilty verdict indicates that the law does consider this to be a case of defamation.

The ease of publication on the Internet and the difficulty in controlling it is also evidenced by the fact that the article is now posted on another web site (Bartlett).

This situation is one that may find controls placed on it in the future, controls that act as a safeguard for what can and cannot be published on the Internet as fact.

The guilty verdict in this case also leads the way for other defamation claims to be made and defamation laws to be determined for the Internet.

While this is a case against a person, it is also possible that this same type of defamation could be carried out in regards to an organization, its products or its services. It is feasible that a disgruntled customer could publish damaging reports about the company.

More Possibilities

The possibilities of using the Internet for illegal advantages include scams as new and ingenious as the Internet itself.

One opportunity that is not currently illegal, though it is concerning, is using one piece of software as a means for distributing another.

One example that is causing universities concern is KaZaA, software that is used to store and swap video clips and MP3 files. This software is specifically targeted at students and is downloaded by large numbers of students. It has been reported that this software has “software attached to it that could allow the company to use student computers and university bandwidth for commercial ventures, such as serving Internet advertisements or selling computer storage space” (Carlson).

While this is not an illegal process, it is a misleading one for the user. It also shows how technology can be used for purposes other than those for which we purchase it. This is important because this is one way information can be hidden within programs, and there is potential for this to be used illegally in the future. It is also said that universities are specifically targeted because they have a considerable amount of unused hard drive space (Carlson). This could apply equally to many organizations, so organizations may also become a target of these programs in the future.

SECURITY AND PRIVACY PROTECTION

Security Programs

Security programs currently consist of two main types. The first are antivirus programs that prevent damaging computer viruses from being received. One of the most interesting things about these programs is that they require constant updating.

These constant updates illustrate how quickly virus concerns change. Essentially, one group of people are constantly creating new viruses, while a second group remain alert to these viruses and create antidotes for the viruses.

The second type of security program is firewall software. Firewall software prevents hackers from accessing a computer. Just like viruses, these programs are under constant upgrading to keep up with hacker technology changes.

Security and Privacy Consultants

Security and privacy concerns have also created a new industry of consultants, who offer advice, personnel and systems to governments, organizations and also individuals.

An example of one of these firms is Rent-A-Hacker, whose company profile reads as follows:

“Rent-A-Hacker was formed to afford anyone the means to protect their valuable information assets. Unlike most Cybersecurity firms whose goal is to sell you security products, our focus is on auditing, detection and proactive prevention” (Rent-A-Hacker).

To achieve these goals, the organization makes use of experts in Internet security and in hacking. This organization is an example of where the future of Internet security may lead.

With experts developing new ways to breach Internet security, software programs may no longer be enough. A defence system of equally effective experts may be the only way to combat hackers and other breachers of both security and privacy.

Government Actions

The Government plays an important role in affecting privacy and security concerns and does this on two levels. The first is in its role in setting the rules for the private sector. The second is in establishing guidelines for the government’s own use of information (IBM).

With the broad implications of the Internet, it is also recognized that government control becomes essential: “the growing interconnectedness of society underscores the need for government officials to understand the broad implications of the Internet and the information technology revolution” (IBM).

The government meets this challenge by producing a set of internationally-accepted principles. These principles were developed by the Organization for Economic Cooperation and Development and are known as the OECD guidelines (IBM).

These guidelines include ‘fair information practices’ for organizations that outline appropriate security of data and disclosure of data practices (IBM).

IBM describes the US security and privacy measures, saying:

“The US has legislatively-required protections in focus areas: government, credit reporting, banking and finance, health, and children’s information. In other commercial areas, such as retail and online marketing, the US relies on its common-law traditions coupled with industry responsibility and leadership to chart the way” (IBM).

Legal Protection

The legal component of the Internet is handled largely by the Computer Crime and Intellectual Property Section of the Department of Justice. The actions of the section are described, saying:

“Section attorneys advise federal prosecutors and law enforcement agents; comment upon and propose legislation; coordinate international efforts to combat computer crime; litigate cases; and train all law enforcement groups. Other areas of expertise possessed by CCIPS attorneys include encryption, electronic privacy laws, search and seizure of computers, e-commerce, hacker investigations, and intellectual property crimes” (CCIPS).

Legal protection in the US is wide and varied, covering a variety of issues that the Internet relates to.

This includes the considerations of e-commerce, covering topics including Internet gambling, online sales of healthcare products and consumer protection (CCIPS).

Laws also exist relating to computer crimes. These crimes include cyberstalking, Internet fraud, child pornography and identity theft (CCIPS).

Insurance Protection

Another industry that reflects the rising importance of Internet security is the insurance industry.

Policies purchased in 2001 totalled just under $100 million, with the figure expected to rise to at least $1 billion by the year 2007 (Salkever).

The policies available for organizations include protection from “virus attacks, denial-of-service assaults, cracking into company systems, and Web-site defacements. Some companies even write policies that cover cyber-extortion, where an online intruder or an insider steals crucial data such as customer credit-card files and demands a payoff. The rising tide of lawsuits against companies whose employees have used corporate e-mail inappropriately has also caught the attention of e-insurers” (Salkever).

It is also noted that with the insurance industry becoming a major part of Internet security, they will have the opportunity to shape the computer security business.

This will occur by insurance companies defining what types of security products and practices are acceptable. Following this, premiums will differ based on what software protection systems are used, effectively rating product systems and influencing the business consumer’s choice.

This is also expected to affect business, with e-insurance becoming a requirement: “as cyber-insurance goes from exotica to a business necessity, the computer-security industry will have to adapt to keep the insurers happy” (Salkever).

There is certainly potential for insurance companies to influence both the coverage required by organizations and the products and actions required to attain this coverage: “that’s the wave of the future, as insurers exert even more pressure on the technology practices of any company wishing to insure this increasingly important facet of business” (Salkever).

Also recognized is the possible relationship between insurance companies and security products with it being argued “that insurers will demand responsibility from software companies for flaws in their products — and that they’ll have the legal firepower to hold the software outfits accountable” (Salkever).

Software Maintenance Implications on Cost and Schedule

Abstract
The dictionary defines maintenance as, “The work of keeping something in proper order.” However, this definition does not necessarily fit for software. Software maintenance is different from hardware maintenance because software doesn’t physically wear out, but often gets less useful with age. Software is typically delivered with undiscovered flaws. Therefore, software maintenance is: “The process of modifying existing operational software while leaving its primary functions intact.” Maintenance typically exceeds fifty percent of the systems’ life cycle cost. While software maintenance can be treated as a level of effort activity, there are consequences on quality, functionality, reliability, cost and schedule that can be mitigated through the use of parametric estimation techniques.
1. INTRODUCTION
One of the greatest challenges facing software engineers is the management of change control. It has been estimated that the cost of change control can be between 40% and 70% of the life cycle costs. Software engineers have hoped that new languages and new processes would greatly reduce these numbers; however, this has not been the case. Fundamentally this is because software is still delivered with a significant number of defects. Capers Jones estimates that there are about 5 bugs per Function Point created during Development. Watts Humphrey found “… even experienced software engineers normally inject 100 or more defects per KSLOC.” Capers Jones says, “A series of studies the defect density of software ranges from 49.5 to 94.5 errors per thousand lines of code.” The purpose of this article is to first review the fundamentals of software maintenance and to present alternative approaches to estimating software maintenance. A key element to note is that development and management decisions made during the development process can significantly affect the developmental cost and the resulting maintenance costs.
2. SOFTWARE MAINTENANCE
Maintenance activities include all work carried out post-delivery and should be distinguished from block modifications which represent significant design and development effort and supersede a previously released software package. These maintenance activities can be quite diverse, and it helps to identify exactly what post-delivery activities are to be included in an estimate of maintenance effort. Maintenance activities, once defined, may be evaluated in a quite different light than when called simply “maintenance”. Software maintenance is different from hardware maintenance because software doesn’t physically wear out, but software often gets less useful with age and it may be delivered with undiscovered flaws. In addition to the undiscovered flaws, it is common that some number of known defects pass from the development organization to the maintenance group. Accurate estimation of the effort required to maintain delivered software is aided by the decomposition of the overall effort into the various activities that make up the whole process.
3. APPROACHING THE MAINTENANCE ISSUE
Maintenance is a complicated and structured process. In his textbook, Estimating Software Intensive Systems, Richard Stuzke outlines the typical software maintenance process. It is apparent that the process is more than just writing new code.
The following checklist can be used to explore the realism and accuracy of maintenance requirements.
• Which pieces of software will be maintained?
• How long will the system need to be maintained?
• Are you estimating the entire maintenance problem, or just incremental maintenance?
• What level of maintenance is required?
• Is that which is being called maintenance in fact a new development project?
• Who will do the maintenance? Will it be done organically by the original developer? Will there be a separate team?
• Will there be a separate organization?
• Will maintainers be using the same tools used during development? Are any proprietary tools required for maintenance?
• How much Commercial-Off-The-Shelf (COTS) is there? How tightly coupled are the interfaces?
Some follow-on development may be disguised as maintenance. This will either inflate maintenance figures, or else cause shortfalls if basic maintenance gets pushed aside. These questions will help you ask whether maintenance is being honestly represented.
• Is the activity really an incremental improvement?
• Are healthy chunks of the original code being rewritten or changed?
• Will additional staff be brought in to perform the upgrade?
• Is the maintenance effort schedule regular and fairly flat, or does it contain staffing humps that look like new development?
4. SANITY CHECKS
Although sanity checks should be sought on a year-by-year basis, they should not be attempted for overall development. The reason for this is that maintenance activities can be carried on indefinitely, rendering any life-cycle rules useless. As an example, consider Grady (p. 17):
We spend about 2 to 3 times as much effort maintaining and enhancing software as we spend creating new software.
This and similar observations apply at an organizational level and higher, but not for a specific project. Any development group with a history will be embroiled in the long tail ends of their many delivered projects, still needing indefinite attention. Here are a few quick sanity checks:
• One maintainer can handle about 10,000 lines per year.
• Overall life-cycle effort is typically 40% development and 60% maintenance.
• Maintenance costs on average are one-sixth of yearly development costs.
• Successful systems are usually maintained for 10 to 20 years.
Finally, as in development, the amount of code that is new versus modified makes a difference. The effective size, that is, the equivalent effort if all the work were new code, is still the key input for both development and maintenance cost estimation.
5. FIVE ALTERNATIVE APPROACHES
All software estimation techniques must be able to model the theory and the likely real world result. The real world scenario is that over time, the overlay of changes upon changes makes software increasingly difficult to maintain and thus less useful. Maintenance effort estimation techniques range from the simplistic level of effort method, through more thoughtful analysis and development practice modifications, to the use of parametric models in order to use historical data to project future needs.
5.1 Level of Effort
As is sometimes the case in the development environment, software maintenance can be modeled as a level of effort activity. Given the repair category activities and the great variance that they show, this approach clearly has deficiencies. In this approach, a level of effort to maintain software is based on size and type.
5.2 Level of Effort Plus
Stuzke proposed that software maintenance starts with a basic level of effort (the minimum people needed to have a core competency) and that this basic core staff must then be modified by assessing three additional factors: configuration management, quality assurance, and project management. His process addressed some of the additional factors affecting software maintenance.
5.3 Maintenance Change Factor
Software Cost Estimation with COCOMO II (Boehm 2000) proposes a deceivingly simple, but also quite useful methodology for determining annual maintenance. Maintenance is one of the menu selections in the menu bar. In COCOMO II Maintenance encompasses the process of modifying existing operational software while leaving its primary functions intact. This process excludes:
• Major re-design and re-development (more than 50% new code) of a new software product performing substantially the same functions.
• Design and development of a sizeable (more than 20% of the source instructions comprising the existing product) interfacing software package which requires relatively little redesigning of the existing product.
• Data processing system operations, data entry, and modification of values in the database.
The maintenance calculations are heavily based upon the Maintenance Change Factor (MCF) and the Maintenance Adjustment Factor (MAF). The MCF is similar to the Annual Change Traffic in COCOMO81, except that maintenance periods other than a year can be used. The resulting maintenance effort estimation formula is the same as the COCOMO II Post Architecture development model.
As stated previously, three cost drivers for maintenance differ from development. Those cost drivers are software reliability, modern programming practices, and schedule. COCOMO II assumes that increased investment in software reliability and use of modern programming practices during software development has a strong positive effect upon the maintenance stage.
Annual Maintenance Effort = (Annual Change Traffic) * (Original Software Development Effort)
The quantity Original Software Development Effort refers to the total effort (person-months or other unit of measure) expended throughout development, even if a multi-year project.
The multiplier Annual Change Traffic is the proportion of the overall software to be modified during the year. This is relatively easy to obtain from engineering estimates. Developers often maintain change lists, or have a sense of proportional change to be required even before development is complete.
5.4 Managing Software Maintenance Costs by Developmental Techniques and Management Decisions During Development
When it comes to maintenance, “a penny spent is a pound saved.” Better development practices (even if more expensive) can significantly reduce maintenance effort, and reduce overall life cycle cost. The more effort put into development, the less required in maintenance. As an example, the software development cost and schedule can be significantly impacted (reduced) by letting the number of defects delivered grow. This cost and schedule reduction is more than offset by the increase in maintenance cost. The following discussion is an example of how management decisions can significantly affect/reduce software maintenance costs.
Lloyd Huff and George Novak of Lockheed Martin Aeronautics, in their paper “Lockheed Martin Aeronautics Performance Based Software Sustainment for the F-35 Lightning II”, propose a series of development and management decisions designed to impact and reduce software maintenance costs. They propose an eight-step process to estimate and control software maintenance. Their proposed steps are:
1. Strive for Commonality
2. Apply Industrial Engineering Practices to Software
3. Engage
4. Adopt a Holistic Approach to Sustainment
5. Develop Highly Maintainable Systems and Software
6. Manage the Off-the-Shelf Software
7. Plan for the Unexpected
8. Analyze and Refine the Software Sustainment Business Case (use Parametric software sustainment cost estimates)
5.5 A Parametric Assessment of Software Maintenance
Parametric models like SEER for Software allow maintenance to be modeled in either of two ways:
Estimating maintenance as a part of the total lifecycle cost. Choosing the appropriate Maintenance category parameters will include an estimate of maintenance effort with the development estimate for the individual software program. Several reports and charts show breakdowns of development vs. maintenance effort. This method is best used to evaluate life cycle costs for each individual software program.
Estimating maintenance as a separate activity. Using the appropriate maintenance parameters for the software to be maintained you can model the maintenance effort as a separate activity. This method will allow you to fine tune your maintenance estimate by adjusting parameters. Maintenance size should be the same as development size, but should be entered as all pre-existing code. This method can also be useful in breaking out total project maintenance costs from project development costs.
A good parametric estimate for maintenance includes a wide range of information. Critical information for completing a software maintenance estimate is the size or amount of software that will be maintained, the quality of that software, the quality and availability of the documentation, and the type or amount of maintenance that will be done. Many organizations don’t actually estimate maintenance costs; they simply have a budget for software maintenance. In this case, a parametric model should be used to compute how much maintenance can actually be performed with the given budget.
Estimating and planning for maintenance are critical activities if the software is required to function properly throughout its expected life. Even with a limited budget, a plan can be made to use the resources available in the most efficient, productive manner. Looking at the diagram above, you can see that not only are there multiple inputs that impact the maintenance, but there are several key outputs that provide the information necessary to plan a successful maintenance effort.
6. Conclusion
The conclusions of this article are:
• Software maintenance can be modeled using a simplistic method like Level of Effort Staffing, but this technique has significant drawbacks.
• Software maintenance costs can be significantly affected by management decisions during the developmental process.
• Software maintenance can be accurately estimated using parametric processes.
• Software maintenance is best modeled when development and management decisions are coupled with parametric cost estimation techniques.
REFERENCES
[1] Software Maintenance Concepts and Practices (Second Edition); Penny Grubb and Armstrong Takang, 2005, World Scientific.
[2] Estimating Software Intensive Systems; Richard Stuzke, 2005, Addison-Wesley.
[3] Lloyd Huff, George Novak; Lockheed Martin Aeronautics; Lockheed Martin Aeronautics Performance Based Software Sustainment for the F-35 Lightning II.
[4] G. Edward Bryan, “CP-6: Quality and Productivity Measures in the 15-Year Life Cycle of an Operating System,” Software Quality Journal 2, 129-144, June 1993.
[5] Software Sizing, Estimation, and Risk Management; Daniel D. Galorath, Michael W. Evans, 2006, Auerbach Publications.