Controlling the Conversation

American automakers adopted computer controls to deal with complicated engineering problems only when pushed by forces beyond their control.     

Insuring computer risks

Individuals and organizations who own or use computers in daily operations face many exposures to the risk of loss of hardware, software, and other computing assets, including liability arising from computing operations. Many loss prevention techniques have been developed to lessen the frequency and severity of such losses but in the end, insurance coverage must be obtained for maximum protection.Securing proper computer insurance coverage at a reasonable price is not always easy. In fact, much time and expense can go into a well-planned insurance program for computing operations. This article examines ways to minimize premiums for computer coverage as part of an overall plan of loss prevention, risk control, and contingency funding. It explains why computer insurance premiums fluctuate and how to take advantage of the fluctuation in the computer insurance market. It also identifies some of the factors that are important to insurers and how they relate to computer insurance. The techniques explained in the article, when used as a part of the comprehensive risk management plan, can help the insured computing operation provide for loss contingencies and minimize the overall cost.     

Controlling the supply of drugs

As part of its computerization plan, Guy's hospital in the U K is using a database package to aid its drug dispensing systems. The database holds information about drugs such as instructions and cautions.     

Controlling the Evolution of Resistance

Evolution has long been understood as the driving force for many problems of medical interest. The evolution of drug resistance in HIV and bacterial infections is recognized as one of the most significant emerging problems in medicine. In cancer therapy, the evolution of resistance to chemotherapeutic agents is often the differentiating factor between effective therapy and disease progression or death. Interventions to manage the evolution of resistance have, up to this point, been based on steady-state analysis of mutation and selection models. In this paper, we review the mathematical methods applied to studying evolution of resistance in disease. We present a broad review of several classical applications of mathematical modeling of evolution, and review in depth two recent problems which demonstrate the potential for interventions which exploit the dynamic behavior of resistance evolution models. The first problem addresses the problem of sequential treatment failures in HIV; we present a review of our recent publications addressing this problem. The second problem addresses a novel approach to gene therapy for pancreatic cancer treatment, where selection is used to encourage optimal spread of susceptibility genes through a target tumor, which is then eradicated during a second treatment phase. We review the recent in vitro laboratory work on this topic, present a new mathematical model to describe the treatment process, and show why model-based approaches will be necessary to successfully implement this novel and promising approach.     

Managing the risks of information systems implementation

Managing the risks imposed by the complexity of system design and the uncertainty of requirements are key issues in implementing an information system (IS). It is commonly argued that complexity can be reduced by using rational approaches such as abstraction, decomposition and structuring of the design problem. Similarly, uncertainty can be reduced by using experimental approaches allowing for user participation, learning and feedback to the developers. An important but only recently studied issue in managing the risks of implementation is, then, how to find a proper mix of the rational and experimental approaches in a given situation. To do so, we first extracted some guidelines from the literature and formulated a model describing the economics of the allocation of experimental and rational efforts. The model illustrates the trade-offs and optimal conditions for managing the risks of implementation. The predictions of the model were tested by studying major information system development projects in Finnish companies. The results confirmed the contingent guidelines in general. Some interesting deviations were detected, however, such as a tendency to rely on rather heavy formal design even in simple but uncertain projects, probably owing to the long tradition of standardised life cycle planning and documentation methods in Finnish companies. Use of a proper mix of the rational and experimental approaches turned out to be especially important in projects with both high complexity and high uncertainty. Finally, practical implications and applications of the model are discussed.     

Software Controlling

Zusammenfassung  Die Entwicklung von gro?en Softwaresystemen erfordert ein effektives und effizientes Projektmanagement. Insbesondere muss im Hinblick auf die Softwarequalit?t in die Entwicklungsprozesse ein zielgerichtetes Risikomanagement integriert werden. Der bisher meist verfolgte ,,klassische“ Ansatz des Projektcontrollings fokussiert vielfach nur auf die Erreichung von externen Qualit?tseigenschaften des Endprodukts (wie der Erfüllung funktionaler Anforderungen, die vom Anwender wahrgenommen werden) und die Einhaltung von Zeit- und Budgetvorgaben. Die Erfahrung aus vielen lang laufenden Projekten zeigt, dass im Hinblick auf nachhaltige Entwicklung eine feink?rnigere und ganzheitlichere Betrachtung der Qualit?t von Softwaredokumenten und Entwicklungszwischenprodukten notwendig ist, um qualit?tsbezogene Projektrisiken frühzeitig zu erkennen und geeignete Steuerungsma?nahmen im Entwicklungsprozess ergreifen zu k?nnen. Bei Capgemini sd&m (München) wird deshalb gerade unter dem Begriff Software Controlling ein Bündel von technischen und organisatorischen Ma?nahmen zum ganzheitlichen qualit?tsbezogenen Risikomanagement in Softwareprojekten eingeführt. Wesentliche Komponenten sind ein Qualit?tsmodell auf der Grundlage eines aus bisherigen Projekterfahrungen gewonnenen Kennzahlensystems, das interne Produkteigenschaften mit Aufwands-, Test- und Fehlerdaten verknüpft, ein in die Entwicklungsumgebung integrierter Projektleitstand und spezifische Prozesselemente zur Qualit?ts- und Risikobewertung auf der Grundlage der Kennzahlen.     

缓冲区溢出的安全隐患

本文主要介绍缓冲区溢出和输入检查漏洞利用技术,还介绍了计算机病毒是如何利用这些技术。     

Quantifying IT estimation risks

A statistical method is proposed for quantifying the impact of factors that influence the quality of the estimation of costs for IT-enabled business projects. We call these factors risk drivers as they influence the risk of the misestimation of project costs. The method can effortlessly be transposed for usage on other important IT key performance indicators (KPIs), such as schedule misestimation or functionality underdelivery. We used logistic regression as a modeling technique to estimate the quantitative impact of risk factors. We did so because logistic regression has been applied successfully in fields including medical science, e.g. in perinatal epidemiology, to answer questions that show a striking resemblance to the questions regarding project risk management. In our study we used data from a large organization in the financial services industry to assess the applicability of logistic modeling in quantifying IT risks. With this real-world example we illustrated how to scrutinize the quality and plausibility of the available data. We explained how to deal with factors that cannot be influenced, also called risk factors, by project management before or in the early stage of a project, but can have an influence on the outcome of the estimation process. We demonstrated how to select the risk drivers using logistic regression. Our research has shown that it is possible to properly quantify these risks, even with the help of crude data. We discussed the interpretation of the models found and showed that the findings are helpful in decision making on measures to be taken to identify potential misestimates and thus mitigate IT risks for individual projects. We proposed increasing the auditing process efficiency by using the found cost misestimation models to classify all projects as either risky projects or non-risky projects. We discovered through our analyses that projects must not be overstaffed and the ratio of external developers must be kept small to obtain better cost estimates. Our research showed that business units that report on financial information tend to be risk mitigating, because they have more cost underruns in comparison with business units without reporting; the latter have more cost overruns. We also discovered a maturity mismatch: an increase from CMM level 1 to 2 did not influence the disparity between a cost estimate and its actual if the maturity of the business is not also increased.     

Controlling the complexity in model-based diagnosis

We present IDA — an incrementaldiagnosticalgorithm which computes minimal diagnoses from diagnoses, and not from conflicts. As a consequence of this, and by using different models, one can control the computational complexity. In particular, we show that by using a model of the normal behavior, the worst-case complexity of the algorithm to compute thek+1st minimal diagnosis isO(n ^2k ), wheren is the number of components. On the practical side, an experimental evaluation indicates that the algorithm can efficiently diagnose devices consisting of a few thousand components. We propose to use a hierarchy of models: first a structural model to compute all minimal diagnoses, then a normal behavior model to find the additional diagnoses if needed, and only then a fault model for their verification. IDA separates model interpretation from the search for minimal diagnoses in the sense that the model interpreter is replaceable. In particular, we show that in some domains it is advantageous to use the constraint logic programming system CLP(ß) instead of a logic programming system like Prolog.This is an extended version of the paper by Igor Mozeti, A polynomial-time algorithm for model-based diagnosis, which appears in theProc. European Conf. on Artificial Intelligence, ECAI-92, ed. B. Neumann (Wiley, 1992) pp. 729–733.     

Managing software security risks

Most organizations manage computer security risk reactively by investing in technologies designed to protect against known system vulnerabilities and monitor intrusions as they occur. However, firewalls, cryptography, and antivirus protection address the symptoms, not the root cause, of most security problems. Buying and maintaining a firewall, for example, is ineffective if external users can access remotely exploitable Internet-enabled applications through it. Because hackers attack software, improving computer security depends on proactively managing risks associated with software and software development. The current "penetrate and patch" approach of fixing broken software only after it has been compromised is insufficient to control the problem