Guido Schryen

Revisiting IS business value research: what we already know, what we still need to know, and how we can get there

The business value of investments in Information Systems (IS) has been, and is predicted to remain, one of the major research topics for IS researchers. While the vast majority of research papers on IS business value find empirical evidence in favour of both the operational and strategic relevance of IS, the fundamental question of the causal relationship between IS investments and business value remains partly unexplained. Three research tasks are essential requisites on the path towards addressing this epistemological question: the synthesis of existing knowledge, the identification of a lack of knowledge and the proposition of paths for closing the knowledge gaps. This paper considers each of these tasks. Research findings include that correlations between IS investments and productivity vary widely among companies and that the mismeasurement of IS investment impact may be rooted in delayed effects. Key limitations of current research are based on the ambiguity and fuzziness of IS business value, the neglected disaggregation of IS investments, and the unexplained process of creating internal and competitive value. Addressing the limitations we suggest research paths, such as the identification of synergy opportunities of IS assets, and the explanation of relationships between IS innovation and change in IS capabilities.

Emergency Response in Natural Disaster Management: Allocation and Scheduling of Rescue Units

Natural disasters, such as earthquakes, tsunamis and hurricanes, cause tremendous harm each year. In order to reduce casualties and economic losses during the response phase, rescue units must be allocated and scheduled efficiently. As this problem is one of the key issues in emergency response and has been addressed only rarely in literature, this paper develops a corresponding decision support model that minimizes the sum of completion times of incidents weighted by their severity. The presented problem is a generalization of the parallel-machine scheduling problem with unrelated machines, non-batch sequence-dependent setup times and a weighted sum of completion times – thus, it is NP-hard. Using literature on scheduling and routing, we propose and computationally compare several heuristics, including a Monte Carlo-based heuristic, the joint application of 8 construction heuristics and 5 improvement heuristics, and GRASP metaheuristics. Our results show that problem instances (with up to 40 incidents and 40 rescue units) can be solved in less than a second, with results being at most 10.9% up to 33.9% higher than optimal values. Compared to current best practice solutions, the overall harm can be reduced by up to 81.8%.

Is open source security a myth

What does vulnerability and patch data say?

A formal approach towards measuring trust in distributed systems

Emerging digital environments and infrastructures, such as distributed security services and distributed computing services, have generated new options of communication, information sharing, and resource utilization in past years. However, when distributed services are used, the question arises of to what extent we can trust service providers to not violate security requirements, whether in isolation or jointly. Answering this question is crucial for designing trustworthy distributed systems and selecting trustworthy service providers. This paper presents a novel trust measurement method for distributed systems, and makes use of propositional logic and probability theory. The results of the qualitative part include the specification of a formal trust language and the representation of its terms by means of propositional logic formulas. Based on these formulas, the quantitative part returns trust metrics for the determination of trustworthiness with which given distributed systems are assumed to fulfill a particular security requirement.

A Comprehensive and Comparative Analysis of the Patching Behavior of Open Source and Closed Source Software Vendors

While many theoretical arguments against or in favor of open source and closed source software development have been presented, the empirical basis for the assessment of arguments is still weak. Addressing this research gap, this paper presents a comprehensive empirical investigation of the patching behavior of software vendors/communities of widely deployed open source and closed source software packages, including operating systems, database systems, web browsers, email clients, and office systems. As the value of any empirical study relies on the quality of data available, this paper also discusses in detail data issues, explains to what extent the empirical analysis can be based on vulnerability data contained in the NIST National Vulnerability Database, and shows how data on vulnerability patches was collected by the author to support this study. The results of the analysis suggest that it is not the particular software development style that determines patching behavior, but rather the policy of the particular software vendor.

Security in Large-Scale Internet Elections: A Retrospective Analysis of Elections in Estonia, The Netherlands, and Switzerland

Remote voting through the Internet provides convenience and access to the electorate. At the same time, the security concerns facing any distributed application are magnified when the task is so crucial to democratic society. In addition, some of the electoral process loses transparency when it is encapsulated in information technology. In this paper, we examine the public record of three recent elections that used Internet voting. Our specific goal is to identify any potential flaws that security experts would recognize, but that may have not been identified in the rush to implement technology. To do this, we present a multiple exploratory case study, looking at elections conducted between 2006 and 2007 in Estonia, The Netherlands, and Switzerland. These elections were selected as particularly interesting and accessible, and each presents its own technical and security challenges. The electoral environment, technical design, and process for each election are described, including reconstruction of details which are implied but not specified within the source material. We found that all three elections warrant significant concern about voter security, verifiability, and transparency. Usability, our fourth area of focus, seems to have been well-addressed in these elections. While our analysis is based on public documents and previously published reports, therefore lacking access to any confidential materials held by electoral officials, this comparative analysis provides interesting insight and consistent questions across all these cases. Effective review of Internet voting requires an aggressive stance towards identifying potential security and operational flaws, and we encourage the use of third-party reviews with critical technology skills during design, programming, and voting to reduce the changes of failure or fraud that would undermine public confidence.

Model-Based Decision Support in Manufacturing and Service Networks

In this paper, we sketch some of the challenges that should be addressed in future research efforts for model-based decision support in manufacturing and service networks. This includes integration issues, taking into account the autonomy of the decision-making entities in face of information asymmetry, the modeling of preferences of the decision makers, efficiently determining robust solutions, i.e. solutions that are insensitive with respect to changes in the problem data, and a reduction of the time needed for model building and usage. The problem solution cycle includes problem analysis, the design of appropriate algorithms and their performance assessment. We are interested in a prototypical integration of the proposed methods within application systems, which can be followed up with field tests of the extended application systems. We argue that the described research agenda requires the interdisciplinary collaboration of business and information systems engineering researchers with colleagues from management science, computer science, and operations research. In addition, we present some exemplifying, illustrative examples of relevant research results.

Security aspects of Internet voting

Voting via the Internet has become a feasible option for political as well as non-political ballots. However, there are many obstacles which have to be overcome, especially legal restrictions have to be transformed into technical and security solutions. The article starts with a brief presentation of advantages and disadvantages of Internet ballots and presents application fields and pilot schemes. Then, technological security aspects are derived due to democratic basic principles. Especially the applied voting procedures are critical in security terms. Hence, the most relevant cryptographic protocols are presented and their drawbacks and shortcomings are identified. However, this article does not propose a new voting protocol. Beyond fixing cryptographic procedures for ballots, more elements are to be specified, e.g. responsibilities and rights of involved authorities or security precautions regarding hardware and software. For this reason, a structural security framework for electronic voting systems is presented which can be used for their composition and analysis.

A Formal Approach towards Assessing the Effectiveness of Anti-Spam Procedures

Spam e-mails have become a serious technological and economic problem. So far we have been reasonably able to resist spam e-mails and use the Internet for regular communication by deploying complementary anti-spam approaches. However, if we are to avert the danger of losing the Internet e-mail service as a valuable, free, and worldwide medium of open communication, anti-spam activities should be performed more systematically than is done in current, mainly heuristic, anti-spam approaches. A formal framework within which the modes of spam delivery, anti-spam approaches, and their effectiveness can be investigated, may encourage a shift in methodology and pave the way for new, holistic anti-spam approaches. This paper presents a model of the Internet e-mail infrastructure as a directed graph and a deterministic finite automaton, and draws on automata theory to formally derive the modes of spam delivery possible. Finally the effectiveness of anti-spam approaches in terms of coverage of spamming modes is assessed.

A configuration-based recommender system for supporting e-commerce decisions

Multi-attribute value theory (MAVT)-based recommender systems have been proposed for dealing with issues of existing recommender systems, such as the cold-start problem and changing preferences. However, as we argue in this paper, existing MAVT-based methods for measuring attribute importance weights do not fit the shopping tasks for which recommender systems are typically used. These methods assume well-trained decision makers who are willing to invest time and cognitive effort, and who are familiar with the attributes describing the available alternatives and the ranges of these attribute levels. Yet, recommender systems are most often used by consumers who are usually not familiar with the available attributes and ranges and who wish to save time and effort. Against this background, we develop a new method, based on a product configuration process, which is tailored to the characteristics of these particular decision makers. We empirically compare our method to SWING, ranking-based conjoint analysis and TRADEOFF in a between-subjects laboratory experiment with 153 participants. Results indicate that our proposed method performs better than TRADEOFF and CONJOINT and at least as well as SWING in terms of recommendation accuracy, better than SWING and TRADEOFF and at least as well as CONJOINT in terms of cognitive load, and that participants were faster with our method than with any other method. We conclude that our method is a promising option to help support consumers’ decision processes in e-commerce shopping tasks.