TCX2005 | Information Systems Finals Cheatsheet (L1-L9)

Open-book print cheatsheet for TCX2005 Final Exam (Jul 11): trap triggers, frameworks, risk strategies, L1-L9 full coverage.

0. Mock recap

Flip the sheet before committing — check every non-obvious answer against it.

  • “NOT / EXCEPT / LEAST / rather than”: underline the direction word, pick, then re-read it against your choice. (Q11, Q16)
  • Risk strategy (insurance, vendor, contract, SLA, firewall, shut down): ask “who bears the risk after this action?” someone else = transference; reduce impact with own plans = mitigation; own technical controls = defense; drop the asset = termination. (Q3, Q22, 5 marks)
  • Rivals/buyers/suppliers vs inbound logistics/operations/service: outsiders = Five Forces; our own internal stages = Value Chain. (Q18)
  • Table with “overall / across / total”: sum the numerators and denominators over the rows first, then divide; any option equal to a single visible cell is the planted trap. (Q15)
  • Fill-in-the-blank chain (options are full term sequences): verify every blank; one definitionally-wrong term kills the whole option (e.g. “cloud… closer to source” is really edge). (Q7)
  • “Critical vs Strategic” task: strategic = competitive advantage → build (trading algorithm); critical = essential + high reliability → buy (payroll, EHR). (Q16)
  • “Two-way relationship between organisation and IS”: the D1/D2 horizontal pair: D1 org→IS choice, D2 IS→org structural change. NOT vertical management feedback, NOT build-vs-buy (both are past misreads). (repeat miss ×2)

1. Term Dictionary

TermDefinition
AAAAuthentication, Authorization, Accounting (common distractor for CIA)
Accept (risk)live with a minor risk
Adhocracyfluid specialist teams, low formalisation, novel problems (consulting, research & development)
Agency costcost of monitoring employees (falls → flatter hierarchy, wider span of control)
Behavioral view of an organizationrights, obligations, values, norms, working relationships. New systems need both views balanced
Buildfor a unique process that is a source of competitive advantage
Business analytics (BA)the tools + techniques (online analytical processing (OLAP), statistics, models, data mining)
Business firma collection of business processes (chain: routine → process → firm, small → big)
Business intelligence (BI)the infrastructure for collecting/storing/analyzing data (databases, warehouses, marts)
Business modelhow revenue/value is made (“subscription streaming”)
Business myopiadid not see the new tech’s potential (Kodak invented the digital camera in 1975, shelved it)
Business processstep-by-step operational sequence (“manage billing”)
Buywhen a standardized solution is acceptable
CIA triadConfidentiality, Integrity, Availability, the security triad
Cloud computingcentralized on-demand services in a distant data centre
Commercial off-the-shelf (COTS)packaged software installed per computer; prof classifies Microsoft Office 365 as COTS
Controlsmethods ensuring asset safety, record accuracy, adherence to management standards
CPSDthe information-system definition, static functions: Collect, Process, Store, Distribute (keyword Store)
Critical taskessential, needs high reliability → buy software as a service (payroll, electronic health records)
Customer relationship management (CRM)customer side
D1 (org → IS)organisational features drive the choice of information system (before adoption)
D2 (IS → org)the information system forces structural change (after adoption): new roles, processes, power/access. “User adoption / learning curve” = distractor, not D2
Dashboardreal-time, live screen, always-on
Data administrationestablishes policies and procedures
Data governancemanages data availability, integrity, security
Data lakeraw multi-format store (Astro case)
Data martsubject-specific subset of a warehouse
Data redundancysame data stored in many places, values disagree
Data warehousecentral store of current + historical data for analysis; data cannot be altered
Database management system (DBMS)software layer between applications and data files; centralizes data, controls redundancy
Defense (risk)own technical safeguards (firewalls, intrusion detection) that lower likelihood
Defense in depthlayered technical tools (firewall + intrusion detection + encryption + …)
Double downdeepen the existing strength, ignore the new game (Rolex mechanical watches)
Economic (PESTLE)money / return on investment
Edge computingprocess closer to the data source, lower latency, less network traffic
Enterprise resource planning (ERP)integrate all internal processes into one system
Environmental (PESTLE)green / sustainability (the second E, don’t drop it)
Evil twinfake Wi-Fi access point
Failed to adaptclung to old revenue (Kodak film)
Fast followerhas the size + resources to capitalize on it
First moverinventor of the disruptive technology
Golden Ruledo unto others as you would have done to you
Hybrid (build/buy)buy the core + build custom modules
IaaS / PaaS / SaaScloud service models: Infrastructure / Platform / Software, on-demand over the network
Information policyrules for data sharing
Information systemthe technology stack (“centralized database”)
IPOFthe data-flow stages: Input, Processing, Output, Feedback (keyword Feedback, unique to IPOF)
Knowledge management system (KMS)capture + share organisational knowledge
Least privilegeminimum permissions to do the task; stricter, implies need-to-know
Legal (PESTLE)Ministry of Health guideline / industry regulation / written law. Personal Data Protection Act (PDPA) can be either P or L, check the framing
Mitigate (risk)reduce the impact if it happens, own incident-response plans, backups
Need-to-knowaccess only the information a role requires
Nonobvious relationship awareness (NORA)find hidden connections across separate data sources (security benefit + privacy risk)
NoSQLdistributed database, flexible model; handles structured + unstructured, scales easily
Opt-in vs opt-outopt-in = data used only if you say yes (EU, stricter); opt-out = data used unless you say no (US default). Hook: opt-out = fight your way out
Organizational cultureshared assumptions about what to produce, how, where, for whom
Organizational politicsdivergent viewpoints → struggle, competition, conflict (resistance hampers change)
Pharmingredirects to a bogus site even when the correct web address is typed
Phishingfake email/website asks for your data
Political (PESTLE)government policy / IT mandate / data localization
Professional bureaucracyexperts applying standardized skills (hospital, university)
Profilingcombine multi-source data into dossiers on individuals
Program-data dependenceprograms coupled to file formats (widen a field → must edit every program)
Quality assurance (data)data quality audits + data cleansing + monitoring
Ransomwareencrypts data, demands payment
Reportperiodic, static, pushed on a schedule
Retrench“can’t beat you, will survive”: defensive mergers and acquisitions, lobby regulators (taxis vs Grab)
Return on investment (ROI)the return gained on an investment (a benefit measure, not a cost measure)
Routineprecise rule/procedure/practice for an expected situation
Routine taskstandard, low impact → buy commercial off-the-shelf (email)
Securitypolicies, procedures and technical measures preventing unauthorized access, alteration, theft, damage
Semi-structured decisionmachine proposes, human disposes (middle management)
Slippery Slopeif an action cannot be taken repeatedly, do not take it at all
Software as a service (SaaS)cloud subscription (Salesforce)
Spywarekey loggers, browser redirects, monitoring
Strategic taskcore competitive advantage → build (trading algorithm)
Structured decisiona rule produces the answer, repetitive (operational)
Supply chain management (SCM)supplier side
Technical view of an organizationa process transforming inputs (capital, labor) → production → outputs, efficiency-driven
Terminate (risk)remove the vulnerable asset entirely
Total cost of ownership (TCO)direct + indirect cost of owning technology; hardware + software are only ~20% of it
Transaction costcost of dealing with external parties (falls → outsourcing becomes viable)
Transfer / transference (risk)shift the risk elsewhere, cyber insurance, vendor contract, renegotiated service-level agreement. Test: “who bears the risk after? someone else = transference, NOT mitigation”
Trojan horsedisguised as legitimate software
Unstructured decisionno procedure, intuition and judgement (senior management)
Virusattaches to a host file, needs human action to spread
Wormself-spreads over the network (no human action)
Zero trust“never trust, always verify”, continuous verification, micro-segmentation

1b. Building a system (SDLC · testing · conversion)

Three frameworks, don’t mix: BPM = 5-step loop (Identify → Analyze → Design → Implement → Continuous measurement) · BPR = radical one-shot process redesign (§5) · SDLC = 6-step linear (Analysis → Design → Programming → Testing → Conversion → Production & Maintenance). (In L9, BPM = business performance management - different thing, see §6.)

BPM vs BPR vs SDLC decision rule: first ask what is being changed? A business process/workflow → BPM or BPR (never SDLC, even if a new system is mentioned - that’s a distractor). The software itself being built/tested/converted → SDLC. Then for process questions ask two tests: (1) how much survives? tweak, old process kept = BPM · scrapped, from scratch = BPR; (2) cadence? repeating cycle = BPM · one-time transformation = BPR. Signal words: “tweak / continuously improve / measure & repeat” = BPM · “scrap / radical / from scratch / fundamental rethink” = BPR · “programming / testing / conversion / go-live” = SDLC. WARNING both BPM and BPR contain analyze-design-implement steps - never classify by activity words, only by magnitude + cadence.

SDLC stageWhat happensBuy-path twist (ERP/COTS)
1. Analysisstudy current processes + pain points → define requirements; includes feasibilitypick the package with closest fit
2. Designspecify how the system meets requirements= configure the package (modules, roles/permissions, business rules)
3. Programmingtranslate specs into codereplaced by vendor package + data migration (old DBs → one shared DB, cleaned first)
4. Testingunit (each module in isolation) → system (integrated whole) → acceptance (final user sign-off, production-ready)same order, non-negotiable
5. Conversionpick a strategy ↓ERP → phased or parallel (minimise disruption + staff resistance)
6. Production & maintenancelive operation: train users, then review, fix, upgradesame
Conversion strategyHowTrade-off
Parallelrun old + new together till confidentsafest, costly
Direct cutoverswitch old → new overnightcheap, risky
Pilotone site/dept first, then spreadcontained
Phasedroll out module-by-modulegradual, low disruption

Buy-path customisation trap: prefer vanilla - on the buy path, processes bend to fit the software (not vice-versa); customise ONLY for genuine competitive advantage. Over-customising → vendor upgrades break your custom code → you lose the very reasons you bought instead of built.


2. Security (L8)

Business value of security and control: failed systems = loss of business function; firms hold confidential personal/financial data + trade secrets (Sony Pictures hack 2014); a breach cuts market value almost immediately (Equifax 2017); inadequate security also creates legal liability.

CIA Triad: Confidentiality = limit access to authorized users (encryption, data classification, education) · Integrity = whole, complete, uncorrupted (hashing) · Availability = accessible without obstruction. Data theft = only Confidentiality compromised; unaltered records = Integrity intact; no downtime = Availability intact (SingHealth pattern).

5 risk control strategies:

  • Defense (firewalls, anti-malware)
  • Transference (cyber insurance, vendor contract)
  • Mitigation (incident-response plans)
  • Acceptance (minor risks where the control costs more than the loss)
  • Termination (shut down the vulnerable legacy system)

Access control: need-to-know · least privilege · zero trust (“never trust, always verify”; Microsoft version: verify explicitly, least-privilege just-in-time / just-enough-access, assume breach = limit blast radius, segment the network, encrypt end-to-end) · role-based access control (RBAC) = permissions granted by job role · audit logging = record who accessed what and when (detective control, enables accountability).

People, process, technology: all three required, none sufficient alone. Weakest link = people (social engineering, convenience bypass, low awareness, insiders responsible for ~56% of data leaks in Asia).

Balance: perfect security is impossible; security = a process, not a goal; trade-offs: controls vs convenience, cost vs asset value, risk vs operations.

Supplier/vendor risk (5 steps): Planning → Due-diligence selection → Contracting (service-level agreements define responsibilities) → Monitor & assess → Termination (secure data deletion, revoke access). Cloud: responsibilities must be clearly defined (shared-responsibility model, Amazon Web Services service-level agreement).

Why systems are vulnerable: network accessibility · hardware/software faults · disasters and human error · devices outside the firm’s control · portable device loss. Internet-specific: fixed IP addresses = fixed targets, open to anyone. Wireless-specific: network names (SSIDs) broadcast openly, packet sniffers, war driving, rogue access points.

Malware: virus, worm, Trojan horse, SQL injection, ransomware, spyware / key loggers (+ mobile and social-network variants). Computer crimes: system intrusion/damage, cybervandalism, denial of service (DoS) and distributed denial of service (DDoS) via botnets, spam, identity theft (phishing, evil twins, pharming), click fraud, cyberterrorism / cyberwarfare. Hacker = gains unauthorised access; cracker = hacker with criminal/malicious intent (the exam pair). Zero-day vulnerability = flaw with no patch released yet; fix = patch management.

Tools (defense-in-depth layers): firewall · intrusion detection system (IDS) · encryption (at rest + in transit) · identity and access management (IAM) · multi-factor authentication (MFA) · security information and event management (SIEM) · endpoint protection · email security gateways · data loss prevention (DLP).

Technical safeguard → what it stops: encryption → stolen data unreadable · multi-factor authentication → stolen password alone insufficient · intrusion detection / SIEM → detects abnormal activity early · patch management → closes known entry points.


3. Infrastructure, Data, Networks (L6+L7)

Total cost of ownership (TCO): direct + indirect costs; hardware + software = only ~20%. Direct: hardware acquisition, software licenses, installation, training (trap: training is a direct cost). Indirect: support/maintenance, infrastructure management, downtime, space and energy. Reduce TCO: cloud, centralisation + standardisation.

Evolution (5 stages, order + dates): Mainframe 1959 → Personal Computer 1981 → Client/Server 1980s → Enterprise Computing 1990s → Cloud & Mobile mid-2000s. (“My PC Eventually Clouds”)

7 infrastructure components (binning: software that works → #5; raw machines → #3; humans → #7):

  1. data management & storage (Amazon S3, Redshift)
  2. internet platforms (web servers, AWS Lambda)
  3. computer hardware (EC2, servers = the metal)
  4. operating systems (Linux, iOS)
  5. enterprise software applications (SAP, SageMaker, EMR = software that does work)
  6. networking/telecommunications (content delivery networks, Cisco, internet service providers)
  7. consulting & system integration (Accenture = people you hire)

Hardware trends: cloud computing (infrastructure / platform / software as a service) · edge computing (closer to the source, lower latency) · green computing · mobile platform · consumerization of IT / bring your own device (BYOD) · quantum computing. Software trends: open-source software / Linux · web services (XML, service-oriented architecture) · outsourcing + cloud services · software for the web (browsers, Java, HTML/HTML5).

System integration services (type → key challenge): point-to-point → legacy system integration · hub-and-spoke → cross-platform compatibility · (enterprise) service bus → data migration · API-based → security compliance. Federated system = independent systems keep autonomy but share data so they act as one (vs full consolidation into a single system).

3 infrastructure challenges: scalability (expand to serve more users) · governance (centralised IT department vs business-unit decentralisation; who pays) · investment (rent vs buy; under-investment and over-investment both hurt).

Data hierarchy: bit → byte → field → record → file → database. Entity = the thing you store data about; attribute = a characteristic of it.

Traditional file environment problems: data redundancy & inconsistency · program-data dependence · lack of flexibility · poor security · limited sharing. Database management system (DBMS) fixes: single consistent view, controls redundancy, separates programs from data (physical data independence: change the definition once, applications unaffected). Capabilities: data definition, data dictionary, data manipulation language (SQL).

Big data / business-intelligence infrastructure: big data = massive unstructured + semi-structured data (web, social media, sensors, Internet of Things), too big for a typical DBMS. Data warehouse (central, current + historical, immutable) · data mart (subject subset) · Hadoop (distributed processing across cheap machines, Hadoop Distributed File System) · in-memory computing (RAM speed).

Data quality & governance: >25% of critical data in Fortune 1000 databases is inaccurate or incomplete; before a new database, identify and correct faulty data + establish better editing routines. Term split (data administration / information policy / data governance / quality assurance): see term dictionary.

Networks: an internet service provider (ISP) provides access, each device gets an IP address; the backbone is owned by network service providers. Governance bodies: Internet Architecture Board (IAB), ICANN (domain names), World Wide Web Consortium (W3C, web standards). Cellular 5G (1-10 Gbps) · Wi-Fi 802.11 (local area network) · Bluetooth 802.15 (personal area network, device-to-device) · Internet of Things sensors feed big data.


4. Strategy (L3+L4)

Porter’s Five Forces (+ the information-system lever for each) — names outsiders: rivals, entrants, substitutes, suppliers, buyers:

  • rivalry among competitors (differentiate or cut cost via IS)
  • threat of new entrants (IS as entry barrier: network effects, switching costs)
  • threat of substitutes (deepen dependence: integrations, data lock-in)
  • supplier bargaining power (supply chain management, multi-sourcing)
  • buyer bargaining power (raise switching cost: loyalty programmes, ecosystem)

Generic strategies: cost leadership · differentiation · focus/niche. An app with exclusive fares + personalization = differentiation (possibly + low-cost hybrid).

Distractor eliminators: Balanced Scorecard = performance measurement (4 perspectives, §6) - NOT for analysing industry structure or value-chain stages · network economics/effects = value rises as more users join (WhatsApp, marketplaces) - a moat/advantage concept, NOT an analysis framework.

Value chain → system decisions (4 steps): analyse value-chain stages → identify where IS can improve (operational efficiency / customer intimacy / supplier relationships) → generate candidate applications → prioritise which to develop first.

Value chainnames our own internal stages (at each stage ask “can an information system make it faster/cheaper/better?” via 3 axes: operational efficiency, customer intimacy, supplier intimacy):

  • Primary activities (5) (arrow = the IS tool it maps to):
    • inbound logistics (→ supply chain management)
    • operations (→ enterprise resource planning)
    • outbound logistics (→ supply chain management)
    • marketing & sales (→ customer relationship management)
    • service
  • Support activities (4):
    • firm infrastructure
    • human resources (→ human resource information system)
    • technology development
    • procurement (→ e-procurement)

Build vs Buy, 4 considerations:

  • strategic value (uniqueness)
  • resource availability (expertise, budget, time)
  • market solutions (existing fit, customization)
  • risk (development risk, vendor lock-in, integration, security) Task classification: strategic → build · critical → buy software as a service · routine → buy commercial off-the-shelf. Size is not the build trigger; uniqueness of advantage is. 6 decision factors: strategic importance · cost (initial + ongoing + hidden) · quality (reliability, scalability, security) · regulatory compliance (Personal Data Protection Act, HIPAA, Sarbanes-Oxley, General Data Protection Regulation) · time · risk. 3 acquisition strategies: internal = in-house development · external-prepackaged = commercial off-the-shelf (COTS) / cloud SaaS · external-outsourcing = hire a development firm.

6-step external acquisition process: Planning → Feasibility (5 dimensions: organizational, political, technical, economic, operational) → Analysis → Request for Proposal (RFP, step 4) → Proposal evaluation → Vendor selection. NUS learning-management-system case: IVLE (build, 1999-2018) → LumiNUS (build) → Canvas (software-as-a-service buy) = the classic build→buy migration once the system stopped being a differentiator.

PESTLE (external factors for IS acquisition):

  • Political (government IT policy, data localization)
  • Economic (budget, return on investment, cost reduction)
  • Social (digital literacy, training, adoption, resistance)
  • Technological (compatibility, cybersecurity, integration)
  • Legal (Personal Data Protection Act, Ministry of Health rules, industry regulation)
  • Environmental (green computing, paper reduction)

Match the question’s outcome to the letter, not the means: “automation reduces cost” = Economic; “integrates with systems” = Technological; “staff resist” = Social; “violates law” = Legal.

Disruptive technologies: substitutes that perform as well or better; sweep industries. 9 examples include the internet, digital photography, smartphone, Internet of Things, mobile payments, 3D printing, artificial intelligence / machine learning, blockchain, generative AI. 4 adaptation strategies (no strategy = death: Kodak, Blockbuster, Nokia):

  • Fight back (meet it head-on: carmakers building electric vehicles)
  • Double down (deepen the existing strength: Rolex)
  • Retrench (defensive survival: taxi industry lobbying against Grab)
  • Move away (pivot: IBM sold its PC business, moved to cloud/AI)

Two-way organisation and IS relationship: D1 = organisational features drive the choice of information system (Bytedance → Workday; a bakery → Xero). D2 = the information system forces structural change, 3 axes: new roles, new processes, new power/access. Economic impacts: transaction costs fall (external dealings cheaper, outsourcing viable) · agency costs fall (monitoring cheaper → flatter hierarchy, wider span of control). Behavioural impacts: organisational flattening · postindustrial shift (authority from expertise, not position) · resistance to change = the biggest reason information-system projects fail.

Mintzberg’s 5 organisational structures:

  • simple structure (startup)
  • machine bureaucracy (factory, standardized + centralized)
  • divisionalized bureaucracy (GE, Samsung)
  • professional bureaucracy (hospital, standardized expert skills)
  • adhocracy (consulting firm, fluid teams, rapid innovation)

Features of organizations: all are bureaucracies with clear division of labor, impartial decision making, efficiency principle · routines and business processes (routine → process → firm chain, see term dictionary) · organizational politics · organizational culture · structure (Mintzberg) · environments. Environments: reciprocal relationship, environments change faster than organizations; information systems act as an environmental-scanning lens (track competitors, customer sentiment).

Resistance to change, 4 factors it centers on: nature of the innovation · structure of the organization · culture of the organization · tasks impacted. Implications for IS design, factors to evaluate before building: environment · organizational structure (hierarchy, specialization, routines) · culture and politics · type of organization and leadership style · groups affected · nature of the tasks the system will assist.

Strategic IS characteristics (Quiz 3 Q1, past miss): create deep organisational changes · often affect ALL business processes · may require cross-department coordination · do NOT mainly automate routine tasks (that’s TPS) · advantages are NOT long-term/sustainable (increasingly temporary - this is the trap statement).

Strategic IS challenges: socio-technical change (technology + culture together, Sharp’s Yammer case) · competitive advantage paradox (advantages get copied fast, so they are temporary) · business-IT alignment (only ~25% of firms achieve it, yet up to 50% of profits linked to alignment - Luftman; ComfortDelGro lagging Grab) · managing strategic transitions (transform while still running). Solutions: active management participation · measure IT impact (“you can’t manage what you can’t measure”).


5. IS Types and Enterprise Applications (L2)

Business model / business process / information system rule: “subscription service, revenue strategy” → business model · “step-by-step, manage billing” → business process · “database, technology” → information system. Slide 12-13 verbatim (prof recycles): “Netflix subscription streaming” = business model · “Netflix manages content acquisition or subscriber billing” = business process (no keyword present - classify by function: it is running an operation) · “ABC Bank centralised database” = information system.

IS as enabler: automating (faster) · learning (better) · strategising (smarter).

Business process reengineering (BPR): analysis + radical redesign of workflows (not just automating the old ones). Canonical example: credit-card approval 3 weeks → 4 days → immediate (digital card). vs BPM: BPR = rip up and restart, one-shot · BPM = maintain and improve, loop (full decision rule → §1b).

6 strategic business objectives of IS:

  • operational excellence (Walmart Retail Link)
  • new products, services, business models (Apple iTunes)
  • customer & supplier intimacy (Mandarin Oriental)
  • improved decision making
  • competitive advantage
  • survival (Barclays ATM, must-adopt-or-die)

The 4 IS types (Slide 42, scenario classification):

SystemUsersNatureExample
Transaction processing (TPS)operational staffroutine, structured, predefined; records daily transactionsorder entry, payroll, shipping
Management information (MIS)middle mgmtroutine predefined reports built from TPS dataweekly sales by region
Decision support (DSS)middle mgmtnon-routine what-if modelling (sensitivity analysis: change one input, watch the output)simulate supplier-switch cost
Executive support (ESS)senior mgmtstrategic dashboards, internal + external data, drill-down5-year market trends

Slide-42 trap: “what-if analysis on production capacity” = decision support system (non-routine + middle management + modelling), not management information system.

Enterprise applications (span functions, all levels):

  • enterprise resource planning (ERP): integrates manufacturing + finance + sales + human resources into one system (fragmented → unified, single data repository)
  • supply chain management (SCM): supplier coordination, lower operations cost
  • customer relationship management (CRM): retention, personalization, sales pipeline
  • knowledge management system (KMS): capture and share knowledge, onboarding, innovation ERP case skeleton (BrightTech-style): departments run separate systems → data re-entry, inconsistency, slow reporting → enterprise resource planning = single integrated platform + one database → real-time cross-department visibility, eliminated redundancy; risks = cost, disruption, change management, training.

ERP implementation order (9 steps): analyse processes & requirements → build-vs-buy + vendor selection → business process redesign → configure (modules · roles · rules) → data migration & integration → testing (end-to-end) → training & change management → conversion/cutover (parallel · phased · pilot · direct, table §1b) → maintain & evaluate. Hook: Analyse Buy Redesign Configure Migrate Test Train Cutover Maintain.


6. Decision Making and Business Intelligence (L9)

Decision types × organisational level: see term dictionary. Airline anchors: expand routes = senior/unstructured · daily crew assignment = operational/structured · aircraft type for a route = middle/semi-structured · ticket pricing strategy = senior/semi-structured (trap: senior level but semi) · emergency weather diversion = operational/semi-structured · merge with competitor = senior/unstructured · routine maintenance = operational/structured · overtime approval = middle/structured.

Simon’s 4 stages of decision making: Intelligence → Design → Choice → Implementation (monitoring lives inside implementation, it is not a 5th stage).

3 reasons IT/IS investments fail to improve decisions: information quality · management filters (selective attention, bias) · organizational inertia & politics.

High-velocity automated decisions: an algorithm fully defines a highly structured decision, humans removed from the loop (DBS Quick Finance, Lazada/Shopee dynamic pricing).

Business intelligence environment, 6 elements in order:

  1. data from the business environment
  2. business intelligence infrastructure
  3. business analytics toolset
  4. managerial users & methods
  5. delivery platform (management information / decision support / executive support systems)
  6. user interface

6 business-intelligence analytic functions: production reports · parameterized reports · dashboards/scorecards · ad hoc query/search · drill-down · forecasts/scenarios/models. Predictive analytics: statistical analysis + data mining + historical data + assumptions (credit scoring, marketing-campaign response, fraud detection). Text mining = extract patterns/sentiment from unstructured text (emails, reviews, call transcripts) · web mining = mine web content, structure (links), and usage (clickstream).

Executive support system extras: balanced scorecard, 4 dimensions: financial · business process · customer · learning & growth (key performance indicators measure each). Business performance management (this L9 BPM is not business process management) translates strategy → operational targets → key performance indicators. Executive-support-system data = internal + external + drill-down. Group decision-support system (GDSS) = unstructured decisions made by a group (collaboration rooms, anonymity, idea ranking).

Operational intelligence: business activity monitoring, real-time analytics on operations, sensor / Internet-of-Things data streams (PSA Singapore smart port: real-time container tracking). Location analytics / geographic information systems (GIS): business insight from the location component of data (phones, sensors, map data); GIS ties data to maps (Singapore Land Authority OneMap).

Emerging trends in business intelligence: artificial intelligence / machine learning (automated insights, natural-language queries) · augmented analytics (AI-assisted data preparation, automated pattern detection). Challenges implementing BI: data quality and integration · analytics skills gap · balancing automated vs human decisions · ethics of data use (GDPR, PDPA).


Five moral dimensions of the information age:

  • information rights (privacy, Personal Data Protection Act / General Data Protection Regulation)
  • property rights (intellectual property: copyright, patent, trademark, trade secret, Digital Millennium Copyright Act)
  • system quality (software bugs, hardware failure, poor input data)
  • quality of life (digital divide, work-life erosion, repetitive strain injury, computer vision syndrome, technostress)
  • accountability & control (who is liable when software fails)

Five-step ethical analysis: 1 identify the facts → 2 define the dilemma + higher-order values → 3 identify stakeholders → 4 identify options → 5 identify consequences.

Ethical rules (prof taught first 2; rest = textbook six): Golden Rule (“do unto others…”) · Slippery Slope (if not repeatable, not right at all) · Kant’s categorical imperative (if not right for everyone, not right for anyone) · utilitarian principle (highest / greatest value action) · risk aversion principle (least harm / lowest cost) · no free lunch (assume all created things are owned; value has a price). Technology trends raising ethical issues: computing power doubling every ~18 months · cheap storage enabling profiling · nonobvious relationship awareness (NORA) · mobile tracking without consent. Classic dilemma: convenience vs autonomy (employee monitoring).

Singapore laws: Personal Data Protection Act (PDPA: personal data collection, use, disclosure) · Computer Misuse Act 1993 (unauthorized access or modification, hacking) · Cybersecurity Act 2018 (protects critical information infrastructure; Cybersecurity Code of Practice 2022). Critical information infrastructure = 11 sectors: energy, water, banking & finance, healthcare, land transport, aviation, maritime, info-communications, media, security & emergency services, government.

Application shortcuts (T4 lesson): customer-data misuse → property rights + information rights · employee surveillance → quality of life · algorithmic harms → accountability & control.

Match-it pairs (prof’s own L5 quiz, high recycle odds): competitive advantage paradox = strategic IS advantages become temporary once copied · business-IT alignment = tech investment supports business objectives (only ~25% achieve) · nonobvious relationship awareness (NORA) = combines multi-source data to find hidden connections · Personal Data Protection Act = Singapore personal-data law · critical information infrastructure = systems essential for national services (Cybersecurity Act) · socio-technical change = integrating tech change with organizational culture/behaviour (Sharp Yammer) · Golden Rule = “do unto others as you would have them do unto you”.

AI ethics vocabulary (T4 Amazon case, exam-trend topic): black-box decision-making (opaque model, outcome can’t be explained) · algorithmic transparency (duty to make it explainable) · human-in-the-loop (human keeps the final decision) · accountability = who answers when the algorithm harms.


8. Foundations (L1)

Information system definition (CPSD): interrelated components that Collect, Process, Store, Distribute information to support decision making and control. Data flow (IPOF): Input → Processing → Output → Feedback.

3 dimensions of information systems: technology · organization · management, all equally critical (trap: “which is most important” → none, this is the sociotechnical view).

Business-IS interdependence: growing two-way dependence between the ability to use IT and the ability to implement corporate strategy; IT limitations restrict business options, IT innovations enable new business models.

Reading an MIS report (arithmetic question routine): 1 read the column headers first · 2 check the asked scope: “overall / across / total” = sum numerators and denominators over the rows first, then divide; never lift a single row’s ratio · 3 distrust any answer choice that equals one visible cell (planted distractor) · 4 check units and per-cent vs absolute before answering.

Complementary assets: technology alone is insufficient; you need supportive culture + training + process redesign (TrendyThreads failed: staff ignored the AI tool, stock not synced, customer journey unchanged).

3 drivers of IS change: cost reduction · customer satisfaction · competition. 3 constraints: disruptions · IS limitations · external pressures. Competitor-caused change → competition driver (Rednote/TikTok). Quiz trap: the pandemic IoT-retail answer combined TWO drivers at once (competition + customer satisfaction) - drivers can co-occur, don’t force a single one.

Adopter-centric rule: analyse the adopter’s organisation, management and assets, not the vendor’s. Vendor-centric analysis = the planted wrong option.

Stakeholders (5 groups): customers, suppliers (transactions) · stockholders, regulators (governance) · competitors (market pressure). Approaches to studying IS: technical · behavioural · sociotechnical (preferred). Supporting fields: operations research (process optimisation, resource allocation) · legal studies (privacy, IP, liability).


9. Six-Mark Essay Skeletons

A. “Was this breach a failure of people, process, technology?” (L8):

  • People: name the human failure from the case (fell for phishing, ignored alerts, weak awareness) → weakest link
  • Process: name the missing procedure (no incident-response escalation, no patch cycle, no vendor service-level-agreement clarity)
  • Technology: name the missing tool (no multi-factor authentication, no intrusion detection / security monitoring, unpatched flaw, no encryption)
  • Close: all three must work together; none sufficient alone; propose one fix per layer.

B. “Which CIA dimension was compromised?” (L8):

  • Name the dimension with case evidence (records exfiltrated = confidentiality)
  • State which dimensions were not hit (data unaltered = integrity intact; systems kept running = availability intact)
  • Conclusion: a data-theft attack, not destructive; controls to restore (encryption, access control).

C. “Recommend build vs buy for this organisation” (L4):

  • Classify the task (strategic / critical / routine) → default answer
  • Walk the 4 considerations with case facts (uniqueness, resources, market solutions, risk)
  • State the acquisition mode (in-house build / commercial off-the-shelf / software as a service / outsource) + one risk of your choice + its mitigation.

D. “Apply PESTLE to this acquisition” (L4): one line per letter (Political, Economic, Social, Technological, Legal, Environmental) with a case-specific fact; remember both E’s; anchor Political vs Legal by policy-vs-written-law framing.

E. “Which system for this manager?” (L2/L9): identify the decision type (structured / semi-structured / unstructured) → who decides → map to transaction processing / management information / decision support / executive support system → justify with the scenario’s keywords (“what-if” = decision support; routine report = management information; external data + strategic = executive support).

comments powered by Disqus

Recent Updates

See all →