Lecture No. 9

1
Lecture No. 9
Thats 2 to go, plus the review !
Decision Making Security Coles
2
Lecture Objectives

• 1. To provide you with some contact with Decision
  Making Processes and to illustrate support from
  Computer Technology
• 2. A few thoughts about Security (including
  Database Security) will appear
• 3. And we will go shopping at Coles.

3

SOME ASPECTS OF THE DECISION PROCESS
4
Goedels Theorem
Mathematical statements exist for which no
systematic procedure could determine whether they
are true or false also known as undecidable
propositions Some statements This statement
is a lie We cannot prove this statement to be
true Socrates What Plato is about to say is
false Plato Socrates has spoken
truly If the statement is true then it is
false If it is false, it is true. self
referential paradoxes
5
The Decision Process

Determine Conditions Requiring Management Attentio
n/Decision Develop and Analyse Possible Courses
(Alternatives) of Action Select a particular
course of action from the available alternatives
(models, QA, Projections)
INTELLIGENCE
DESIGN
CHOICE
6
Decision Making

• Rules form an important part of the
  decision-making environment of an organisation
  (enterprise)
• Rules may be
• word of mouth
• referenced in a rules manual
• embedded inn application code (DBMS Integrity)
• installed in a separate structure (e.g. law)
• Rules affect
• hiring and firing procedures
• product return policies
• sales markdown strategies (January sales ?)
• manufacturing methods

7
Decision Making

• Can there be decisions without rules ?
• What conditions, agendas, goals can affect a
  decision ?
• Are the reasons for decisions be analysed ?
• Is there some way of knowing that the right
  decision was made ?
• Decisions are frequently associated with action
• Decisions may be about ? ? ?
• Goals of a corporation (enterprise) - for
  instance diversification or concentration
• Rules of a corporation - e.g. dress code on
  Fridays to be casual (Telstra)

8
Decision Making

• Another example is a decision to alter a
  predictive model Business and Financial Analysts
  may change the components or domains for credit
  risk prediction - any recent examples spring to
  mind ?
• Decisions can only be implemented on things which
  can be changed
• Is a decision to increase sales by say selling
  solar panels on Jupiter or Mars really a decision
  ? Can it be implemented ?

9
Decision Making

• Making a decision is the function of combining
  goals and predictive models
• The lowering of prices of some products (e.g.
  K-Mart sales) is the result of
• a goal to maximise sales
• a model which relates sales to prices
• The denial of credit by a bank to a loan
  applicant is the result of
• a goal to minimise loan write-offs
• a predictive model which relates selected
  applicant attributes (properties) with the
  likelihood of a loan default

10
Decision Making

• Without goals there would be difficulty in
  deciding what course of action to take.
• Without the goal of maximising sales, there is no
  correct decision concerning product pricing
• Without a predictive model which equates product
  prices to product sales, there is no clear
  indication which decision will be most likely to
  maximise sales

11
Decision Making
Consider these decision making challenges 1.
The need to automate some decision-making
functions 2. The need to ensure consistent
decisions 3. Difficulties in analysing how a
decision was made 4. Complexities in the
predictive model 5. Difficulties in interpreting
stated goals (which may change) 6. Instability in
the goals 7. Interpersonal dynamics (know any
recent examples ?) 8. Fluctuations in the
predictive models 9. Conflict between data-driven
and model-driven understanding or knowledge
(beliefs)
12
Decision Making
Business-rule automation tools focus on 1. The
need to automate some decision-making
functions 2. The need to ensure consistent
decisions Decision analysis tools focus on 3.
Difficulties in analysing how a decision was
made 4. Complexities in the predictive model 5.
Difficulties in interpreting stated goals (which
may change) 6. Instability in the goals Group
decision-support tools focus on 7. Interpersonal
dynamics
13
Decision Making
And items 8 and 9 ? 8. Fluctuations in the
predictive models 9. Conflict between data-driven
and model-driven understanding or knowledge
(beliefs) more on these later on. Business
rules connect to transaction systems and help to
automate decision-making processes which were
previously the function and responsibility of
persons - the goals are fixed and are explicit.
14
Decision Making

• Decision-analysis tools (software)
• Decisions are based on multiple predictive models
• There are complex measures of uncertainty or
  imprecision
• The goals may be variable
• Decision analysis is related to operations
  research - the area where
• mutually exclusive goals
• shared scarce resources
• The intention is to maximise profit, stability

15
Decision Making

• Group decision support tools
• Consider the situation of many managers of an
  organisation attempting to arrive at a common
  decision to
• fire 300 staff
• increase sales to justify no firings
• increase sales and increase the number of staff
• reduce staff but maintain existing sales or
  improve sales
• Interpersonal / political challenges
• Anonymous electronic meeting environment
• Vote on merit of ideas rather than on identities

16
The Decision Process

• Stage Description
• 1. Determine objectives, problems
• 2. Identify courses of action available to
• achieve / rectify
• 3. Collect Information to assess available
  options
• 4. Select criteria for evaluation purposes
• 5. Evaluate information acquired
• 6. Select preferred course of action /
  strategy
• 7. Implement chosen option / strategy
• 8. Monitor results - post analysis

17
Decision Support Systems

• Characteristics
• Interactive Computer Base Information Systems
• Decision Models - Statistical Forecasting,
  Profiling ...
• Management Data Base
• OUTPUTS Information tailored to SUPPORT
  specific
• decisions faced by Managers ( Car Industry,
• Manufacturing Industry, Farming Industry,
• Financial, Accounting etc ...)

18
Decision Support Systems Components

• Data Base
• Report Writer
• Graphics
• Computing Facilities - Processor, Storage,
  I/O Devices
• Communications
• Human Skills
• Objectivity Communication
• Clear Thinking Analytical Ability
• Lateral Thinking Computer Literacy
• Adaptability Tenacity

19
The Decision Makers

• Who are The Decision Makers ?
• In the early days of decision support, the
  Decision Makers were a small group of high-level
  executives (does this sound familiar ?)
• Since then however, the business intelligence
  industry has helped push data-drive decisions to
  a much wider user environment

20
The Decision Makers

• Today, the decision makers are business people
  who are closest to the point where an action
  needs to be taken.
• This can be
• in the supply chain
• when in contact with a customer (email, web-mail,
  telephone, (fax ?)
• at a strategic executive meeting

21
Business Intelligence
Business Intelligence addresses Synthesising
or constructing useful knowledge from large sets
of data It involves integration summarisatio
n abstractions ratios trends allocations
22
Business Intelligence
It addresses comparing generalisations based
on data with model- based assumptions reconcili
ng these when they differ creative thinking
supported by data using data carefully underst
anding how to calculate derived data continual
learning modifying goals
23
Business Intelligence

• The functions which support Business Intelligence
  are
• data collection
• data storage (why ?)
• data translations - time, currencies
• dimensional structuring (allows for extractions
  on a number of bases)
• access models
• predictive models
• model verification
• knowledge sharing
• resource allocation scenarios
• decision implementation strategies

24
Decision Support Systems

• Provide a quick response to SIMULATED problems
  (software support)
• Generally LESS COSTLY than real life exercises
• Variety of business decision models
• - linear programming
• - decision trees
• - simulation
• - queueing
• - financial analysis DCF, EMV, NPV
• - forecasting / projections Which
  one(s)
• - risk analysis best
  suit the
• - sensitivity analysis
  conditions ?

25
Decision Support Systems Software

• Model Building
• Relationships between parameters
• What-if Incremental Assumptions
• Highly useful aspects
• Backward Iteration
• Establish a Target and work back - ( ?
  regression)
• Risk Analysis
• Use probability distributions to assess outcomes
• Statistical Analysis and Management Science
  Models
• Regression Time Series Analyses
• Financial Functions
• Depreciation Methods Return on Investment

26
Decision Support Systems

• Programmable Tasks Rules / Procedures Known
• Clear Rules
• Rules can be built into a software program
• All required data is available
• The Decision Maker is supported by software
  processes
• Complex situations may indicate a very deep
  but
• modular and / or progressive structure
• Some Examples
• Mergers, Takeovers, Off-Loadings
• Plant Expansion
• New Products
• Portfolio Management Marketing

27
Decision Support Systems

• Non-Programmable Tasks
• Unstructured No Definable Rules
• Does not permit software programs to be
  developed
• Cannot determine
• - Objectives
• - Trade Offs
• - Relevant Information
• - Methods for analyses

28
Decision Support

• Some Offsets
• Managers tend to be busy and highly paid
• This will normally lead to a reluctance to
  learn the special features of a software
  package
• OR to understand the problem which the software
  BEST addresses
• A brief and cursory understanding may lead to
• lack of understanding of limitations
• lack of clarity in interpretation of results

29
Decision Support

• Related Matters
• Economic models invariably are developed for
• General Cases
• Quality of Information Used
• Some models have default values/options - may
  not be suitable for specific instances

30
Decision Support

• Uncertainties - types and sources of
• - effects on decision making
• A few examples
• response to direct mailings
• Internet home page accesses
• default rates for loans
• sales reports
• sales reports - doubts - are ALL sales reflected
  ?
• - how is
  missing data handled - 0 ?
• - is the
  program 100 error free ?
• Can such doubts be quantified ? Should they be ?

31
Business Intelligence
Data uncertainty can be predictions
historical Budgeting, marketing are widely
analysed using spreadsheets. Uncertainties are
handled (generally) with a single valued
estimate. Next years sales may include a single
estimate in the budgeting exercise. Healthcare
(as in Medicare) may be based on a single value
for doctors productivity (or hospital case-mix).
32
Business Intelligence

• Lets look at a company which is trying to float
  a new product, or increase its sales of an
  existing product.
• 5 possible promotional methods are available
• radio
• newspaper (local, local/country, local/interstate
  ?)
• television advertising
• direct mail
• an all-bells presence on the World Wide Web
• There is a hidden agenda - what is the
  Competition doing or how is it going to react
  ?

33
Business Intelligence

• There could be
• no competition
• low competition
• medium competition
• high competition
• multiple competitor competition (e.g. car
  industry)
• and what is low, medium, high ?
• A decision analysis tool will accommodate a
  probabilistic component.
• The unknown is a spreadsheet model is the range
  of likelihood of competitive promotions, and of
  course their effect on sales

34
Business Intelligence

• A decision analysis tool will simulate a number
  of scenarios based on the specified
  probabilities, and will indicate the decision
  which will (in this case) have the best
  likelihood of maximising profit.
• And the past ? - meaning legacy or historical
  data ?
• Quality of data is important here
• Customer code structures - any changes over 3 to
  5 years /
• Customer name spelling ?
• Incorrect replication
• Regional boundary alterations ? - are we able to
  compare oranges to oranges ?

35
Business Intelligence

• What about missing data - is it shown as zero ?
  
• Should it be zero ? (is this accurate ?)
• Data in the wrong field - a name in an address
  field ?
• The number of items on an invoice the number
  actually received ?
• Deliberate errors on response cards - age,
  income, number of people living at an address,
  types of goods normally purchased etc.
• And finally, does software assume for example an
  even distribution of error ?

36
Business Intelligence

• And the next stage ?
• Business Performance Management
• A total view which ignores operational category
  boundaries
• Efficiency and profitability boost
• Key goals - reduced costs, higher productivity,
  faster cycle times
• Aligns corporate strategy with line operations
• Uses predictive techniques
• Control of out of control growth in data
  storage

37
Decision Support

• Results and Real Life
• Most simulators and models produce numeric,
  character and objects based results
• There may be a hidden component which has
  biased the result(s)
• It is advisable to associate
• - Sensitivity testing,
• - Reliability testing,
• - Risk analysis to provide a sound
  basis for results

38
Database Security
39
Database Access Security

• In a multi-user environment, security is
  important, if not essential
• Without security, malicious users could ( ?
  would)
• invade a database,
• view confidential information
• make unauthorised alterations

40
Database Access Security

• The major forms of security are
• 1. User Management and Authentication
• 2. Privilege Management and Roles
• 3. Database Resource Limits
• 4. User Password Management
• 5. Database Auditing
• 6. Special Security features

41
Database Security

• DATABASE SECURITY is the protection of a
  database from
• unauthorised access
• unauthorised modification
• destruction
• PRIVACY is the right of individuals to have some
  control over information about themselves
• INTEGRITY refers to the correctness, completeness
  and consistency of stored data

42
Database Access Security

• 1. User Management and Authentication
• A user must have a username (create user )
• The DBMS will authenticate that a connect attempt
  should proceed to connection, or not.

43
Database Access Security

• 2. Privilege Management
• After the create user process, a user needs
  privileges to perform specific database functions
• A user cannot connect unless a Create Session
  system privilege is allocated
• A user cannot create a table in the user schema
  unless the create table system privilege is
  allocated
• A user cannot delete rows from a table in a
  different schema unless the user has the delete
  object privilege for the table

44
Security

• Some Random Ideas
• Physical Access controls - badges, closed circuit
  TV, guards...
• Terminal Authentication User I/Ds, Passwords
• (System Level and Database Level)
• Authorisation - Authorisation Rules
• (which users can access what information
• What operation users can invoke
• Read Only, Read/Write, Update, Delete
• User Views - non updatable access, but access to
  latest
• level of information

45
Security

User
user name
Application
Security Table
Authority Checks (grants)
Database
Access authority
46
Server Security

• 1. First layer - LAN or Host Computer Operating
  System
• (1) Login / valid username / password
• (2) Privileges / permissions on directories
• and files (read/write/execute/delete)
• Operating System controls

47
Server Security

• 2. Second Layer - Database Server
• (1) Valid user accounts / password
• (some servers use operating system
  authentication
• - eliminates a level of security
  checking)
• (2) Privileges / permissions
• Database Administrator - GRANT and REVOKE
  
• commands
• Examples Create, Alter, Drop database
  objects .....
• (Databases, Tables, Views,
  Procedures ..)

48
Server Security

• More examples Create, Alter, Drop Database
  Users
• Start Up and Shut Down the Database Server
• Customise Specific Jobs or Locations Privileges
• Different Administrators and Different Functions

49
Server Security

• OBJECT PRIVILEGES
• All database servers control access to
• Tables, Views, Procedures with Object
  Privileges
• Examples Select, Insert, Update, Delete
  privileges on
• tables and views
• References privilege (associated with
  referential
• integrity
  constraints and Rules/Procedures
• Execute - controls the ability
  to execute a Procedure

50
Server Security

• A result of the application of attribute lists
  and object privileges.
• IF a server cannot insert a value for a not-null
  attribute, AND the attribute does not have a
  default attribute value, all INSERT statements on
  the table will
• (a) be suspended
  Y/N
• (b) override the not-null condition Y/N
• (c) fail
  Y/N

51
Oracle Security

• Security Manager (software)
• Menu Options
• - Create (a new user)
• - Create Like (an existing user)
• - Remove
• - Revoke Privilege (remove a selected
  privilege)
• - Add Privilege to user
• - Change Account Status (enable/disable
  access)

52
Oracle Security

• Role
• - Create (create a role)
• - Create Like (an existing role)
• - Remove (delete nominated role)
• - Revoke Privilege
• - Add Privilege

53
And Microsoft Access ?
There are a number of privileges available to the
System Administrator. They are similar in
application to the Security features of DB2,
SQLServer and Oracle, but are more
limited. Access in Network mode offers more
security features.
54
Database Access Security

• There are 3 techniques
• 1. Password Authentication
• 2. Operating System Authentication - the
  Operating System forwards the user account
  details to the DBMS to determine if the user has
  database access. Used where direct connection to
  the database server is set up
• 3. Global User Authentication - used in network
  environments where users access multiple
  databases, and the network is not necessarily
  secure
• Accounts may be locked or unlocked by the
  Database Administrator or the System Administrator

55
Database Access Security

• There are 2 major types of Privileges -
• System privileges
• Object privileges
• A system privilege gives a user the ability to
  perform system-wide operations
• Create Session system privilege gives a user
  connection to the database server, and permits a
  database session to be established.
• Create Table system privilege gives a user the
  ability to create a table, or many tables, in the
  users schema

56
Database Access Security

• Create Any Table system privilege allows a user
  to create a table in any schema of the database
• Create Any Type gives a user the privilege to
  create types and associated type bodies in any
  schema in the database
• Select Any Table means the user can query any
  table in the database
• Execute Any Procedure - a user can execute any
  stored procedure, stored function or packaged
  component in the database
• Execute Any Type - a user can reference and
  execute methods of any type in the database

57
Database Access Security

• The ALTER DATABASE system privilege (which allows
  alteration to any table in a database) is
  normally restricted to the Database
  Administrator.
• Developers normally have create table, create
  view, and create type system privileges
• Every authorised user (including query users)
  would normally have the create session privilege

58
Database Access Security

• An Object Privilege gives a user the ability to
  perform a specific type of operations on a
  specific database object such as a table, view,
  or stored procedure
• The Select object privilege for a view named
  Extract for instance would allow the select
  function to execute the view.
• The Insert object privilege for say the
  Customer table would allow the user to insert
  new rows into the table
• The Execute privilege for an object type, for
  example Address, would permit a user to use
  this type when creating other database objects,
  and the use of the types methods.

59
Database Access Security

• In an Invoicing or Ordering application a user
  may be granted the privileges of
• Select, Insert, Update, Delete for say the
  Customers, Orders and Items tables,
• and could have the Select and Update privileges
  for the Parts table
• Privileges are granted to nominated users, or
  groups of users
• and are revoked to remove the privilege(s)
• The DBA or SA is normally the agent for these
  functions

60
Database Access Security

• Privilege Management and Roles.
• These are bundles of privileges which can be
  granted to many users who need the privileges to
  do their work.This is better than allocating
  individual privileges to each user
• - it is less time consuming
• - modifications affect all users simultaneously
• - number of different roles can be created
  depending on the nature of the
  application and the requirements for each user
• - roles can be enabled and disabled as required
• Roles can be made default and subject to
  authentication

61
Database Access Security

• Resource Limitation
• Typical Areas
• Tablespace Quotas - set as a number of bytes
• Resource Limit Profiles - this is a set of
  resource limit settings such as
• CPU time per session or per statement
  Logical disk I/O, per session or
  statement
• Concurrent database sessions
  per user
• Maximum amount of connect time and idle time
  per session
• Maximum amount of server memory available to
  a
• multithreaded server
  session

62
Database Access Security

• Resource Limit Profiles can also be used to
  enforce
• the number of consecutive failed connection
  attempts
• the user account password lifetime
• the number of days an expired account can be used
  before the account is
  locked
• the amount of elapsed before a previously used
  password can be reused (or never)
• obvious account password control (e.g. family
  name)

63
Database Access Security

• Database Auditing
• Selective Auditing
• the database can generate an audit record each
  time a user issues a drop table statement
• the database can generate an audit record each
  time a user makes use of the select any table
  system privilege to query a table in the database
• the database can generate an audit record each
  time a user deletes a record from a nominated
  table

64
Database Access Security

• Each audit record includes information about the
  audited statement - the operation, the user, data
  and time
• These records are stored in an audit trail. Its
  a storage area.
• The audit records can be stored in either the
  database audit trail, or the audit trail of the
  operating system which is resident in the Server.

65
(No Transcript)
66
A Shopping Trip

• We are now going to visit Coles to look at
  some of the Technology, and Management
  Information which is generated
• You have probably visited Coles and bought a
  wide a variety of goods.
• The Company (Coles Myer Ltd) operates about 80
  stores in the Melbourne area and there are other
  stores in the Regional areas (Geelong, Ballarat,
  Bendigo) and large Country cities such as
  Warragul, Colac, Traralgon, Benalla, Shepparton,
  Ararat ..
• They also operate Interstate

67
Coles Myer Ltd

• The Company is updating its Customer outlet
  scanning equipment, but like most Companies
  cannot do this all at once or all at the same
  time - any suggestions why this is so ?
• As Coles refurbishes their stores, they are
  equipped with state of the art equipment
• Does this conflict with lower sales/ profits and
  a fluctuating share price ?

68
Coles Myer Ltd

• The equipment consists of
• multi dimensional laser scanners, which have
  built in scale (weighing) facilities
• 2 LCD screens per lane. Full colour and high
  resolution
• The Operators screen is a touch screen (also
  colour)
• The printer - high speed thermal printer

69
Coles Myer Ltd

• If you watch carefully you will notice that
  printing does not does not occur until the items
  have been paid for (any reason for this ?)
• Payments may be made by
• credit / debit card
• cash
• shareholder discount cards
• vouchers
• cheque
• CML gift vouchers
• Fly Buy credits are also active.

70
Coles Myer Ltd

• Each check out consists of the devices mentions
  plus a PC
• There is a LAN in each store (for what purpose
  ?)
• The checkouts will operate in a standalone mode
  if a network failure occurs (what about the
  credit cards ?)
• Fail safe Each store has a standby generator,
  Uninterruptable Power Supply (UPS) and battery
  backup emergency lighting

71
Coles Myer Ltd

• Prices are maintained in 2 databases
• Each store has a price look up local database
• Each Point of Sale unit has a copy of the
  database prices in case the unit has to operate
  on a stand-alone basis

72
Coles Myer Ltd

• Price changes are maintained in a central
  database (Coles System Reference), and this is
  sent to all stores once a week via
  communications.
• Individual stores use this new data to update
  item shelf prices (and of course for customer
  purchases)

73
Coles Myer Ltd

• Store devices
• Point of Sale
• Client
• Point of Sale Server
• Back Office Servers
• are Pentium PCs running on Windows NT
• Central Processing is on Alpha Mainframes (as is
  Oracle here at Monash)

74
Coles Myer Ltd

• The retail stores are divided
• into State operations
• then 2 geographic regions within each State
  except South Australia and Tasmania
• then into areas of 6 to 10 stores

75
Coles Myer Ltd

• State Operations
• Victoria New South Wales West Australia
• Region 1 Region 2
• S1 S2 S3 S4 S5 . S10

76
Coles Myer Ltd

• Information ?
• Hourly sales
• Customer counts are available in all
  stores
• Customer Resource Management ?
• Yes. Captured at Point of Sale
• Numerically via transactions
• Quantitatively via the Fly Buys program
  (Coles NAB Shell Qantas/Ansett)

77
Coles Myer Ltd

• Seasonal variations in Items
• Soups and chocolate biscuits are in demand
  during the cooler months
• Fruit juices, frozen drink demand drops off in
  the same period
• Item popularity
• Management of popular items - these are
  determined by the customers - and reported to the
  store manager.
• Success items stay on show - less successful
  or non successful items are withdrawn - replaced
  by new lines

78
Coles Myer Ltd

• There are also promotions and special analyses
  are made of the item performance during the
  promotion and for some time after the promotion.
• Item Procurement
• Item suppliers are generally locally based, but
  may also be part of an International Business
  (can you think of one ?)
• Suppliers are required to respond to tenders. A
  supplier might provide many items (fruit juices,
  butter, meat, vegetables) and there can be
  specialist suppliers - for instance organic
  products, health products.

79
(No Transcript)