Chapter 14: Google: Search, Online Advertising, and Beyond

14.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the extent of Google’s rapid rise and its size and influence when compared with others in the media industry.
  2. Recognize the shift away from traditional advertising media to Internet advertising.
  3. Gain insight into the uniqueness and appeal of Google’s corporate culture.

Google has been called a one-trick pony,C. Li, “Why Google’s One-Trick Pony Struggles to Learn New Tricks,” Harvard Business Publishing, May 2009. but as tricks go, it’s got an exquisite one. Google’s “trick” is matchmaking—pairing Internet surfers with advertisers and taking a cut along the way. This cut is substantial—about $23 billion in 2009. In fact, as Wired’s Steve Levy puts it, Google’s matchmaking capabilities may represent “the most successful business idea in history.”S. Levy, “The Secrets of Googlenomics,” Wired, June 2009. For perspective, consider that as a ten-year-old firm, and one that had been public for less than five years, Google had already grown to earn more annual advertising dollars than any U.S. media company. No television network, no magazine group, no newspaper chain brings in more ad bucks than Google. And none is more profitable. While Google’s stated mission is “to organize the world’s information and make it universally accessible and useful,” advertising drives profits and lets the firm offer most of its services for free.

Figure 14.1 U.S. Advertising Spending (by selected media)

Online advertising represents the only advertising category trending with positive growth. Figures for 2009 and beyond are estimates.

Figure 14.2 U.S. Online Ad Spending (by format)

Search captures the most online ad dollars, and Google dominates search advertising. Figures for 2009 and beyond are estimates.

As more people spend more time online, advertisers are shifting spending away from old channels to the Internet, and Google is swallowing the lion’s share of this funds transfer.J. Pontin, “But Who’s Counting?” Technology Review, March/April 2009. By some estimates Google has 76 percent of the search advertising business.C. Sherman, “Report: Google Leads U.S. Search Advertising Market With 76% Market Share,” Search Engine Land, January 20, 2009. Add to that Google’s lucrative AdSense network that serves ads to sites ranging from small-time bloggers to the New York Times, plus markets served by Google’s acquisition of display ad leader DoubleClick, and the firm controls in the neighborhood of 70 percent of all online advertising dollars.L. Baker, “Google Now Controls 69% of Online Advertising Market,” Search Engine Journal, March 31, 2008. Google has the world’s strongest brandL. Rao, “Guess Which Brand Is Now Worth $100 Billion?” TechCrunch, April 30, 2009. (its name is a verb—just Google it). It is regularly voted among the best firms to work for in America (twice topping Fortune’s list). And while rivals continue to innovate (see Note 14.85 “Search: Google Rules, but It Ain’t Over”), through Q1 2009 Google continued to dominate the search market.

Figure 14.3 U.S. Search Market Share (Volume of Searches, March 2010)Adapted from Experian Hitwise, “Top Search Engine Volume, All Categories, 4 Weeks Ending March 27, 2010.”

Wall Street has rewarded this success. The firm’s market capitalization (market cap), the value of a firm calculated by multiplying its share price by the number of shares, makes Google the most valuable media company on the planet. By early 2009, Google’s market cap was greater than that of News Corp (which includes Fox, MySpace, and the Wall Street Journal), Disney (including ABC, ESPN, theme parks, and Pixar), Time Warner (Fortune, Time, Sports Illustrated, CNN, and Warner Bros.), Viacom (MTV, VH1, and Nickelodeon), CBS, and the New York Times—combined! Not bad for a business started by two twenty-something computer science graduate students. By 2007 that duo, Sergey Brin and Larry Page, were billionaires, tying for fifth on the Forbes 400 list of wealthiest Americans.

Genius Geeks and Plum Perks

Brin and Page have built a talent magnet. At the Googleplex, the firm’s Mountain View, California, headquarters, geeks are lavished with perks that include on-site laundry, massage, carwash, bicycle repair, free haircuts, state-of-the-art gyms, and Wi-Fi-equipped shuttles that ferry employees between Silicon Valley and the San Francisco Bay area. (Wi-Fi is a term used to brand wireless local-area networking devices. Devices typically connect to an antenna-equipped base station or hotspot, which is in turn connected to the Internet. Wi-Fi devices use standards known as IEEE 802.11, and various versions of this standard (e.g., b, g, n) may operate in different frequency bands and have different access ranges.) The Googleplex is also pretty green. The facility gets 30 percent of its energy from solar cells, representing the largest corporate installation of its kind.D. Weldon, “Google’s Power Play,” EnergyDigital, August 30, 2007.

The firm’s quirky tech-centric culture is evident everywhere. A T-Rex skeleton looms near the volleyball court. Hanging from the lobby ceiling is a replica of SpaceShipOne, the first commercial space vehicle. And visitors to the bathroom will find “testing on the toilet,” coding problems or other brainteasers to keep gray matter humming while seated on one of the firm’s $800 remote-controlled Japanese commodes. Staff also enjoy an A-list lecture series attracting luminaries ranging from celebrities to heads of state.

And of course there’s the food—all of it free. The firm’s founders felt that no employee should be more than 100 feet away from nourishment, and a tour around Google offices will find espresso bars, snack nooks, and fully stocked beverage refrigerators galore. There are eleven gourmet cafeterias on-site, the most famous being “Charlie’s Place,” first run by the former executive chef for the Grateful Dead.

CEO Eric Schmidt says the goal of all this is “to strip away everything that gets in our employees’ way.”L. Wolgemuth, “Forget the Recession, I Want a Better Chair,” U.S. News and World Report, April 28, 2008. And the perks, culture, and sense of mission have allowed the firm to assemble one of the most impressive rosters of technical talent anywhere. The Googleplex is like a well-fed Manhattan Project, and employee ranks include a gaggle of geniuses who helped invent critical technologies such as the Macintosh user interface, the Python programming language, the XML standard, and even the protocols that underlie the Internet itself.

Engineers find Google a particularly attractive place to work, in part due to a corporate policy of offering “20 percent time,” the ability to work the equivalent of one day a week on new projects that interest them. It’s a policy that has fueled innovation. Google Vice President Marissa Mayer (who herself regularly ranks among Fortune’s most powerful women in business) has stated that roughly half of Google products got their start in 20 percent time.B. Casnocha, “Success on the Side,” The American: The Journal of the American Enterprise Institute, April 24, 2009.

Studying Google gives us an idea of how quickly technology-fueled market disruptions can happen, and how deeply these disruptions penetrate various industries. We’ll also study the underlying technologies that power search, online advertising, and customer profiling. And we’ll explore issues of strategy, privacy, and fraud, along with other opportunities and challenges the firm faces going forward.

Key Takeaways

  • Online advertising represents the only advertising category trending with positive growth.
  • Google dominates Internet search volume and controls the lion’s share of the Internet search advertising business and online advertising dollars. The firm also earns more total advertising revenue than any other firm, online or off.
  • Google’s market cap makes it the most valuable media company in the world; it has been rated as having the world’s strongest brand.

Questions and Exercises

  1. List the reasons why Google has been considered a particularly attractive firm to work for. Are all of these associated with perks?
  2. Market capitalization and market share change frequently. Investigate Google’s current market cap and compare it with other media companies. Do patterns suggested in this case continue to hold? Why or why not?
  3. Search industry numbers presented are through March 2010. Research online to find out the most current Google versus Bing versus Yahoo! market share. Does Google’s position seem secure to you? Why or why not?

14.2 Understanding Search

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the mechanics of search, including how Google indexes the Web and ranks its organic search results.
  2. Examine the infrastructure that powers Google and how its scale and complexity offer key competitive advantages.

Before diving into how the firm makes money, let’s first understand how Google’s core service, search, works.

Perform a search (or query) on Google or another search engine, and the results you’ll see are referred to by industry professionals as organic or natural search: search engine results returned and ranked according to relevance. Search engines use different algorithms for determining the order of organic search results, but at Google the method is called PageRank (a bit of a play on words: it ranks Web pages, and it was initially developed by Google cofounder Larry Page). Google does not accept money for placement of links in organic search results. Instead, PageRank results are a kind of popularity contest: Web pages that have more pages linking to them are ranked higher.

Figure 14.4

The query for “Toyota Prius” triggers organic search results, flanked top and right by sponsored link advertisements.

The process of improving a page’s organic search results is often referred to as search engine optimization (SEO). SEO has become a critical function for many marketing organizations, since if a firm’s pages aren’t near the top of search results, customers may never discover its site.

Google is a bit vague about the specifics of precisely how PageRank has been refined, in part because many have tried to game the system. In addition to inbound links, Google’s organic search results also consider some two hundred other signals, and the firm’s search quality team is relentlessly analyzing user behavior for clues on how to tweak the system to improve accuracy.S. Levy, “Inside the Box,” Wired, March 2010. The less scrupulous have tried creating a series of bogus Web sites, all linking back to the pages they’re trying to promote (a practice called link fraud, “spamdexing,” or “link farming”; Google actively works to uncover and shut down such efforts). We do know that links from some Web sites carry more weight than others. For example, links from Web sites that Google deems “influential,” and links from most “.edu” Web sites, carry greater weight in PageRank calculations than links from run-of-the-mill “.com” sites.
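The “popularity contest” at the heart of PageRank can be sketched in a few lines of code. The following is a toy power-iteration version over a hypothetical four-page web (page names and link structure are invented for illustration); production PageRank folds in the hundreds of additional signals described above.

```python
# Toy PageRank via power iteration. Each page's rank is split among the
# pages it links to; a damping factor models surfers who jump to a
# random page instead of following a link. Page names are hypothetical.

def pagerank(links, damping=0.85, iterations=50):
    """links maps each page name to the list of pages it links to."""
    pages = list(links)
    n = len(pages)
    rank = {p: 1.0 / n for p in pages}          # start with equal rank
    for _ in range(iterations):
        new_rank = {p: (1.0 - damping) / n for p in pages}
        for page, outlinks in links.items():
            if outlinks:
                share = damping * rank[page] / len(outlinks)
                for target in outlinks:
                    new_rank[target] += share
            else:                               # dangling page: spread evenly
                for p in pages:
                    new_rank[p] += damping * rank[page] / n
        rank = new_rank
    return rank

web = {
    "hub": ["a"],
    "a": ["hub"],
    "b": ["hub"],
    "c": ["hub", "a"],
}
ranks = pagerank(web)
print(max(ranks, key=ranks.get))  # → hub (the most linked-to page wins)
```

Because three of the four pages link to “hub,” it ends up with the highest rank, even though it casts only one vote of its own.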

Spiders and Bots and Crawlers—Oh My!

When performing a search via Google or another search engine, you’re not actually searching the Web. What really happens is that the major search engines make what amounts to a copy of the Web, storing and indexing the text of online documents on their own computers. Google’s index considers over one trillion URLs.A. Wright, “Exploring a ‘Deep Web’ That Google Can’t Grasp,” New York Times, February 23, 2009. The upper right-hand corner of a Google query shows you just how fast a search can take place (in the example above, rankings from over eight million results containing the term “Toyota Prius” were delivered in less than two tenths of a second).

To create these massive indexes, search firms use software to crawl the Web and uncover as much information as they can find. This software is referred to by several different names—software robots, spiders, Web crawlers—but it all pretty much works the same way: the software traverses available Web links, attempting to discover documents for indexing and retrieval. In order to make its Web sites visible, every online firm provides a list of all of the public, named servers on its network through the domain name service (DNS), the Internet directory service that allows devices and services to be named and discoverable, and that helps your browser locate the appropriate computers when you enter a Web address. A large firm like Yahoo!, for example, runs many different public, named servers. Spiders start at the first page on every public server and follow every available link, traversing a Web site until all pages are uncovered.

Google will crawl frequently updated sites, like those run by news organizations, as often as several times an hour. Rarely updated, less popular sites might only be reindexed every few days. The method used to crawl the Web also means that if a Web site isn’t the first page on a public server, or isn’t linked to from another public page, then it’ll never be found. (Note, however, that each major search engine offers a page where you can submit your Web site for indexing, and doing so can help promote the discovery of your content.)
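A crawler’s link-following traversal amounts to a breadth-first walk over a graph of pages. In this minimal Python sketch, a dictionary stands in for real HTTP fetching and HTML parsing (all page names are hypothetical); note how the unlinked “/orphan” page is never discovered, which is exactly why unlinked pages stay invisible to search engines.

```python
# Minimal sketch of a Web spider: breadth-first traversal of links,
# visiting each discovered page exactly once.

from collections import deque

def crawl(start_page, fetch_links):
    """Visit start_page and every page reachable from it, once each."""
    discovered = {start_page}
    queue = deque([start_page])
    index = []                        # pages found, in crawl order
    while queue:
        page = queue.popleft()
        index.append(page)            # a real spider would store page text here
        for link in fetch_links(page):
            if link not in discovered:
                discovered.add(link)
                queue.append(link)
    return index

# Hypothetical site graph; a real crawler would fetch pages over HTTP
# and parse the links out of the HTML.
site = {
    "/": ["/news", "/about"],
    "/news": ["/news/story1", "/"],
    "/about": [],
    "/news/story1": [],
    "/orphan": [],                    # never linked to, so never discovered
}

print(crawl("/", lambda page: site[page]))
# → ['/', '/news', '/about', '/news/story1']
```

The `discovered` set is what keeps the spider from looping forever on sites whose pages link back to each other.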

Search engines show you what they’ve found on their copy of the Web’s contents; clicking a search result will direct you to the actual Web site, not the copy. But sometimes you’ll click a result only to find that the Web site doesn’t match what the search engine found. This happens if a Web site was updated before your search engine had a chance to reindex the changes. In most cases you can still pull up the search engine’s copy of the page. Just click the “Cached” link below the result (the term cache refers to a temporary storage space used to speed computing tasks).

But what if you want the content on your Web site to remain off limits to search engine indexing and caching? Organizations have created a set of standards to stop the spider crawl, and all commercial search engines have agreed to respect these standards. One way is a line of HTML code, invisibly embedded in a Web page, that tells all software robots to stop indexing the page, stop following links on the page, or stop offering old page archives in a cache. Users don’t see this code, but commercial Web crawlers do. For those familiar with HTML code (the language used to describe a Web site), the command to stop Web crawlers from indexing a page, following links, and listing archives of cached pages looks like this:

<meta name="robots" content="noindex, nofollow, noarchive">
There are other techniques to keep the spiders out, too. Web site administrators can add a special file (called robots.txt) that provides similar instructions on how indexing software should treat the Web site. And a lot of content lies inside the “dark Web” (Internet content that can’t be indexed by Google and other search engines), either behind corporate firewalls or inaccessible to those without a user account. Think of private Facebook updates no one can see unless they’re your friend: all of that is out of Google’s reach.
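For illustration, a minimal robots.txt might look like the following (the directory name is hypothetical). Placed at the root of a site, it asks every crawler to skip one directory while leaving the rest of the site open to indexing:

```
User-agent: *
Disallow: /private/
```

Note that robots.txt is advisory: reputable crawlers honor it, but it is an etiquette standard, not an access control mechanism, so genuinely sensitive content still needs passwords or firewalls.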

What’s It Take to Run This Thing?

Sergey Brin and Larry Page started Google with just four scavenged computers.M. Liedtke, “Google Reigns as World’s Most Powerful 10-Year-Old,” Associated Press, September 5, 2008. But in a decade, the infrastructure used to power the search sovereign has ballooned to the point where it is now the largest of its kind in the world.David F. Carr, “How Google Works,” Baseline, July 6, 2006. Google doesn’t disclose the number of servers it uses, but by some estimates, it runs over 1.4 million servers in over a dozen so-called server farms (massive networks of computer servers running software to coordinate their collective use) worldwide.R. Katz, “Tech Titans Building Boom,” IEEE Spectrum 46, no. 2 (February 1, 2009). Server farms like these also provide the infrastructure backbone to SaaS and hardware cloud efforts, as well as many other large-scale Internet services. In 2008, the firm spent $2.18 billion on capital expenditures, with data centers, servers, and networking equipment eating up the bulk of this cost.Google, “Google Announces Fourth Quarter and Fiscal Year 2008 Results,” press release, January 22, 2009. Building massive server farms to index the ever-growing Web is now the cost of admission for any firm wanting to compete in the search market. This is clearly no longer a game for two graduate students working out of a garage.

Google’s Container Data Center

(click to see video)

Take a virtual tour of one of Google’s data centers.

The size of this investment not only creates a barrier to entry, it influences industry profitability, with market-leader Google enjoying huge economies of scale. Firms may spend the same amount to build server farms, but if Google has nearly 70 percent of this market (and growing) while Microsoft’s search draws less than one-seventh the traffic, which do you think enjoys the better return on investment?

The hardware components that power Google aren’t particularly special. In most cases the firm uses the kind of Intel or AMD processors, low-end hard drives, and RAM chips that you’d find in a desktop PC. These components are housed in rack-mounted servers about 3.5 inches thick, with each server containing two processors, eight memory slots, and two hard drives.

In some cases, Google mounts racks of these servers inside standard-sized shipping containers, each with as many as 1,160 servers per box.S. Shankland, “Google Unlocks Once-Secret Server,” CNET, April 1, 2009. A given data center may have dozens of these server-filled containers all linked together. Redundancy is the name of the game. Google assumes individual components will regularly fail, but no single failure should interrupt the firm’s operations (making the setup what geeks call fault-tolerant: capable of continuing operation even if a component fails). If something breaks, a technician can easily swap it out with a replacement.

Each server farm layout has also been carefully designed with an emphasis on lowering power consumption and cooling requirements. And the firm’s custom software (much of it built upon open source products) allows all this equipment to operate as the world’s largest grid computer.

Web search is a task particularly well suited for the massively parallel architecture used by Google and its rivals. For an analogy of how this works, imagine that, working alone, you need to find a particular phrase in a hundred-page document (that’s a one-server effort). Next, imagine that you can distribute the task across five thousand people, giving each of them a separate sentence to scan (that’s the multi-server grid). This difference gives you a sense of how search firms use massive numbers of servers and the divide-and-conquer approach of grid computing to quickly find the needles you’re searching for within the Web’s haystack. (For more on grid computing, see Chapter 5 “Moore’s Law: Fast, Cheap Computing and What It Means for the Manager”, and for more on server farms, see Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”.)
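The divide-and-conquer idea above can be sketched in Python. Threads stand in for separate servers here, so this illustrates the partitioning rather than a true distributed speedup, and the document and search phrase are invented for the example:

```python
# Divide-and-conquer text search: split the document into chunks and scan
# them concurrently, the way a search grid hands each server a slice of
# the index.

from concurrent.futures import ThreadPoolExecutor

def find_phrase(document, phrase, workers=4):
    """Return the indexes of the chunks in which phrase appears."""
    size = max(len(document) // workers, 1)
    # Overlap chunks by len(phrase) so a match can't hide on a boundary.
    chunks = [document[start:start + size + len(phrase)]
              for start in range(0, len(document), size)]

    def scan(i):                       # one worker's share of the haystack
        return i if phrase in chunks[i] else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(scan, range(len(chunks)))
    return [r for r in results if r is not None]

doc = "the quick brown fox jumps over the lazy dog " * 100 + "needle in a haystack"
print(find_phrase(doc, "needle"))  # the index of the chunk holding the match
```

Each worker only ever sees its own slice; a coordinator (here, the list comprehension collecting results) merges the partial answers, which is the same pattern a grid of index servers follows at vastly larger scale.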

Figure 14.5

The Google Search Appliance is a hardware product that firms can purchase in order to run Google search technology within the privacy and security of an organization’s firewall.

Google will even sell you a bit of its technology so that you can run your own little Google in-house without sharing documents with the rest of the world. Google’s line of search appliances consists of rack-mounted servers that can index documents within a corporation’s Web site, even specifying password and security access on a per-document basis. Selling hardware isn’t a large business for Google, and other vendors offer similar solutions, but search appliances can be vital tools for law firms, investment banks, and other document-rich organizations.

Trendspotting with Google

Google not only gives you search results, it lets you see aggregate trends in what its users are searching for, and this can yield powerful insights. For example, by tracking search trends for flu symptoms, Google’s Flu Trends Web site can pinpoint outbreaks one to two weeks faster than the Centers for Disease Control and Prevention.S. Bruce, “Google Says User Data Aids Flu Detection,” eHealthInsider, May 25, 2009. Want to go beyond the flu? Google’s Trends and Insights for Search services allow anyone to explore search trends, breaking out the analysis by region, category (image, news, product), date, and other criteria. Savvy managers can leverage these and similar tools for competitive analysis, comparing a firm, its brands, and its rivals.

Figure 14.6

Google Insights for Search can be a useful tool for competitive analysis and trend discovery. The chart above shows a comparison (over a twelve-month period, and geographically) of search interest in the terms Wii, Playstation, and Xbox.

Key Takeaways

  • Ranked search results are often referred to as organic or natural search. PageRank is Google’s algorithm for ranking search results. PageRank orders organic search results based largely on the number of Web sites linking to them, and the “weight” of each page as measured by its “influence.”
  • Search engine optimization (SEO) is the process of using natural or organic search to increase a Web site’s traffic volume and visitor quality. The scope and influence of search has made SEO an increasingly vital marketing function.
  • Users don’t really search the Web; they search an archived copy built by crawling and indexing discoverable documents.
  • Google operates from a massive network of server farms containing hundreds of thousands of servers built from standard, off-the-shelf components. The cost of the operation is a significant barrier to entry for competitors. Google’s share of search suggests the firm can realize economies of scale over rivals required to make similar investments while delivering fewer results (and hence fewer ads).
  • Web site owners can hide pages from popular search engine Web crawlers using a number of methods, including HTML meta tags, a robots.txt file, or simply ensuring that pages aren’t linked to from other public pages and haven’t been submitted to search engines for indexing.

Questions and Exercises

  1. How do search engines discover pages on the Internet? What kind of capital commitment is necessary to go about doing this? How does this impact competitive dynamics in the industry?
  2. How does Google rank search results? Investigate and list some methods that an organization might use to improve its rank in Google’s organic search results. Are there techniques Google might not approve of? What risk does a firm run if Google or another search firm determines that it has used unscrupulous SEO techniques to try to unfairly influence ranking algorithms?
  3. Sometimes Web sites returned by major search engines don’t contain the words or phrases that initially brought you to the site. Why might this happen?
  4. What’s a cache? What other products or services have a cache?
  5. What can be done if you want the content on your Web site to remain off limits to search engine indexing and caching?
  6. What is a “search appliance?” Why might an organization choose such a product?
  7. Become a better searcher: Look at the advanced options for your favorite search engine. Are there options you hadn’t used previously? Be prepared to share what you learn during class discussion.
  8. Visit Google Trends and Google Insights for Search. Explore the tool as if you were comparing a firm with its competitors. What sorts of useful insights can you uncover? How might businesses use these tools?

14.3 Understanding the Increase in Online Ad Spending

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how media consumption habits are shifting.
  2. Be able to explain the factors behind the growth and appeal of online advertising.

For several years, Internet advertising has been the only major media ad category to show significant growth. There are three factors driving online ad growth trends: (1) increased user time online, (2) improved measurement and accountability, and (3) targeting.

American teenagers (as well as the average British, Australian, and New Zealander Web surfer) now spend more time on the Internet than watching television.“American Teenagers Spend More Time Online Than Watching Television,” MediaWeek, June 19, 2008; A. Hendry, “Connected Aussies Spend More Time Online Than Watching TV,” Computerworld Australia, May 21, 2008; and “Brits Spend More Time Online Than Watching TV,” BigMouthMedia, July 12, 2007. They’re reading fewer print publications, and radio listening among the iPod generation is down 30 percent.M. Tobias, “Newspapers under Siege,” Philstar, May 18, 2009. So advertisers are simply following the market. Online channels also provide advertisers with a way to reach consumers at work—something that was previously much more difficult to do.

Many advertisers have also been frustrated by how difficult it’s been to gauge the effectiveness of traditional ad channels such as TV, print, and radio. This frustration is reflected in the old industry saying, “I know that half of my advertising is working—I just don’t know which half.” Well, with the Internet, now you know. While measurement technologies aren’t perfect, advertisers can now count ad impressions (the number of times an ad is served to a user for viewing), whether a user clicks on an ad, and the product purchases or other Web site activity that comes from those clicks.For a more detailed overview of the limitations in online ad measurement, see L. Rao, “Guess Which Brand Is Now Worth $100 Billion?” TechCrunch, April 30, 2009. And as we’ll see, many online ad payment schemes are directly linked to ad performance.

Various technologies and techniques also make it easier for firms to target users based on how likely a person is to respond to an ad. In theory a firm can use targeting to spend marketing dollars only on those users deemed to be its best prospects. Let’s look at a few of these approaches in action.

Key Takeaways

  • Three factors are driving online ad growth trends: (1) increased user time online, (2) improved measurement and accountability, and (3) targeting.
  • Digital media is decreasing time spent through traditional media consumption channels (e.g., radio, TV, newspapers), potentially lowering the audience reach of these old channels and making them less attractive for advertisers.
  • Measurement techniques allow advertisers to track the performance of their ads—indicating things such as how often an ad is displayed, how often an ad is clicked, where an ad was displayed when it was clicked, and more. Measurement metrics can be linked to payment schemes, improving return on investment (ROI) and accountability compared to many types of conventional advertising.
  • Advertising ROI can be improved through targeting. Targeting allows a firm to serve ads to specific categories of users, so it can reach the groups it is most interested in and those most likely to respond to an effort.

Questions and Exercises

  1. How does your media time differ from your parents’? Does it differ among your older or younger siblings, or other relatives? Which media are you spending more time with? Which less?
  2. Put yourself in the role of a traditional media firm that is seeing its market decline. What might you do to address decline concerns? Have these techniques been attempted by other firms? Do you think they’ve worked well? Why or why not?
  3. Put yourself in the role of an advertiser for a product or service that you’re interested in. Is the Internet an attractive channel for you? How might you use the Internet to reach customers you are most interested in? Where might you run ads? Who might you target? Who might you avoid? How might the approach you use differ from traditional campaigns you’d run in print, TV, or radio? How might the size (money spent, attempted audience reach) and timing (length of time run, time between campaigns) of ad campaigns online differ from offline campaigns?
  4. List ways in which you or someone you know has been targeted in an Internet ad campaign. Was it successful? How do you feel about targeting?

14.4 Search Advertising

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand Google’s search advertising revenue model.
  2. Know the factors that determine the display and ranking of advertisements appearing on Google’s search results pages.
  3. Be able to describe the uses and technologies behind geotargeting.

The practice of designing, running, and optimizing search engine ad campaigns is referred to as search engine marketing (SEM).S. Elliott, “More Agencies Investing in Marketing with a Click,” New York Times, March 14, 2006. SEM is a hot topic in an increasingly influential field, so it’s worth spending some time learning how search advertising works on the Internet’s largest search engine.

Roughly two-thirds of Google’s revenues come from ads served on its own sites, and the vast majority of this revenue comes from search engine ads.Google, “Google Announces Fourth Quarter and Fiscal Year 2008 Results,” press release, January 22, 2009. During Google’s early years, the firm actually resisted making money through ads. In fact, while at Stanford, Brin and Page even coauthored a paper titled “The Evils of Advertising.”D. Vise, “Google’s Decade,” Technology Review, September 12, 2008. But when Yahoo! and others balked at buying Google’s search technology (offered for as little as $500,000), Google needed to explore additional revenue streams. It wasn’t until two years after incorporation that Google ran ads alongside organic search results. That first ad, one for “Live Mail Order Lobsters,” appeared just minutes after the firm posted a link reading “See Your Ad Here.”S. Levy, “The Secrets of Googlenomics,” Wired, June 2009.

Google has only recently begun incorporating video and image ads into search. For the most part, the ads you’ll see to the right (and sometimes top) of Google’s organic search results appear as keyword advertising, meaning they’re targeted based on a user’s query. Advertisers bid on the keywords and phrases that they’d like to use to trigger the display of their ad. Linking ads to search was a brilliant move, since the user’s search term indicates an overt interest in a given topic. Want to sell hotel stays in Tahiti? Link your ads to the search term “Tahiti Vacation.”

Not only are search ads highly targeted; advertisers also pay only for results. Text ads appearing on Google search pages are billed on a pay-per-click (PPC) basis, meaning that advertisers don’t spend a penny unless someone actually clicks on their ad. Note that the term pay-per-click is sometimes used interchangeably with the term cost-per-click (CPC); an advertiser’s maximum CPC is the most it is willing to pay for each click on its ad.

Not Entirely Google’s Idea

Google didn’t invent pay-for-performance search advertising. A firm named GoTo.com (later renamed Overture) pioneered pay-per-click ads and bidding systems and held several key patents governing the technology. Overture provided pay-per-click ad services to both Yahoo! and Microsoft, but it failed to refine and match the killer combination of ad auctions and search technology that made Google a star. Yahoo! eventually bought Overture and sued Google for patent infringement. In 2004, the two firms settled, with Google giving Yahoo! 2.7 million shares in exchange for a “fully paid, perpetual license” to over sixty Overture patents.S. Olsen, “Google, Yahoo Bury the Legal Hatchet,” CNET, August 9, 2004.

If an advertiser wants to display an ad on Google search, they can set up a Google AdWords advertising account in minutes, specifying just a single ad, or multiple ad campaigns that trigger different ads for different keywords. Advertisers also specify what they’re willing to pay each time an ad is clicked, how much their overall ad budget is, and they can control additional parameters, such as the timing and duration of an ad campaign.

If no one clicks on an ad, Google doesn’t make money, advertisers don’t attract customers, and searchers aren’t seeing ads they’re interested in. So in order to create a winning scenario for everyone, Google has developed a precise ad ranking formula that rewards top-performing ads by considering two metrics: the maximum CPC that an advertiser is willing to pay, and the advertisement’s quality score—a broad measure of ad performance. Create high-quality ads and your advertisements might appear ahead of the competition, even if your competitors bid more than you. But if ads perform poorly they’ll fall in the rankings or even drop from display consideration.

Below is the formula used by Google to determine the rank order of sponsored links appearing on search results pages.

Ad Rank = Maximum CPC × Quality Score

One factor that goes into determining an ad’s quality score is the ad’s click-through rate (CTR): the number of users who clicked an ad divided by the number of times the ad was delivered (the impressions). The CTR measures the percentage of people who clicked on an ad to arrive at a destination site. Also included in a quality score are the overall history of click performance for the keywords linked to the ad, the relevance of an ad’s text to the user’s query, and Google’s automated assessment of the user experience on the landing page, the Web site displayed when a user clicks on the ad. Ads that don’t get many clicks, ad descriptions that have nothing to do with query terms, and ads that direct users to generic pages that load slowly or aren’t strongly related to the keywords and descriptions used in the ad will all lower an ad’s chance of being displayed.Google, Marketing and Advertising Using Google: Targeting Your Advertising to the Right Audience (Boston: Cengage Learning, 2007).

When an ad is clicked, advertisers don’t actually pay their maximum CPC; Google discounts ads to just one cent more than the minimum necessary to maintain an ad’s position on the page. So if you bid one dollar per click, but the ad ranked below you bids ninety cents, you’ll pay just ninety-one cents if the ad is clicked. Discounting was a brilliant move. No one wants to get caught excessively overbidding rivals, so discounting helps reduce the possibility of this so-called bidder’s remorse. And with this risk minimized, the system actually encouraged higher bids!S. Levy, “The Secrets of Googlenomics,” Wired, June 2009.

Ad ranking and cost-per-click calculations take place as part of an automated auction that occurs every time a user conducts a search. Advertisers get a running total of ad performance statistics so that they can monitor the return on their investment and tweak promotional efforts for better results. And this whole system is automated for self-service—all it takes is a credit card, an ad idea, and you’re ready to go.
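The auction mechanics described above can be sketched in a few lines of code. This is an illustrative toy, not Google’s actual implementation: the ad names, bids, and quality scores are invented, and the pricing rule follows the simplified “one cent more than the minimum necessary” description in this section.

```python
# Toy sketch of the ad auction described above (not Google's actual code).
# Ad Rank = Maximum CPC x Quality Score; the winner pays just one cent more
# than the minimum bid needed to hold its position above the next-ranked ad.

def rank_ads(ads):
    """Sort ads by Ad Rank (max CPC x quality score), highest first."""
    return sorted(ads, key=lambda ad: ad["max_cpc"] * ad["quality"], reverse=True)

def price_per_click(ranked, i):
    """Discounted CPC for the ad in position i: the smallest bid that still
    beats the ad ranked just below it, plus one cent."""
    if i + 1 >= len(ranked):  # lowest-ranked ad pays only a one-cent floor here
        return 0.01
    next_rank = ranked[i + 1]["max_cpc"] * ranked[i + 1]["quality"]
    return round(next_rank / ranked[i]["quality"] + 0.01, 2)

ads = [
    {"name": "A", "max_cpc": 1.00, "quality": 1.0},  # bids one dollar per click
    {"name": "B", "max_cpc": 0.90, "quality": 1.0},  # bids ninety cents
]
ranked = rank_ads(ads)
# With equal quality scores, A wins and pays $0.91 -- not its full $1.00 bid.
print(ranked[0]["name"], price_per_click(ranked, 0))
```

The numbers reproduce the example in the text: bid one dollar against a ninety-cent rival and you pay just ninety-one cents per click.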

How Much Do Advertisers Pay per Click?

Google rakes in billions on what amounts to pocket change earned one click at a time. Most clicks bring in between thirty cents and one dollar. However, costs can vary widely depending on industry, current competition, and perceived customer value. Table 14.1 “10 Most Expensive Industries for Keyword Ads” shows some of the highest reported CPC rates. But remember, actual values fluctuate in real time based on auction participation.

Table 14.1 10 Most Expensive Industries for Keyword Ads

Business/Industry             | Keywords in the Top 25 | Avg. CPC
Structured Settlements        | 2                      | $51.97
Secured Loans                 | 2                      | $50.67
Buying Endowments             | 1                      | $50.35
Mesothelioma Lawyers          | 5                      | $50.30
DUI Lawyers                   | 4                      | $49.78
Conference Call Companies     | 1                      | $49.64
Car Insurance Quotes          | 3                      | $49.61
Student Loan Consolidation    | 3                      | $49.44
Data Recovery                 | 2                      | $49.43
Remortgages                   | 2                      | $49.42

Since rates are based on auctions, top rates reflect what the market is willing to bear. As an example, law firms, which bring in big bucks from legal fees, decisions, and settlement payments, often justify higher customer acquisition costs. And firms that see results will keep spending. Los Angeles–based Chase Law Group has said that it brings in roughly 60 percent of its clients through Internet advertising.C. Mann, “How Click Fraud Could Swallow the Internet,” Wired, January 2006.

IP Addresses and Geotargeting

Geotargeting occurs when computer systems identify a user’s physical location (sometimes called geolocation) for the purpose of delivering tailored ads or other content. On Google AdWords, for example, advertisers can specify that their ads only appear for Web surfers located in a particular country, state, metropolitan region, or a given distance around a precise locale. They can even draw a custom ad-targeting region on a map and tell Google to only show ads to users detected inside that space.
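The “given distance around a precise locale” option boils down to a point-in-radius test. Below is a minimal sketch, assuming the ad server already has an estimated latitude and longitude for the user; the coordinates, names, and radius are hypothetical.

```python
import math

# Illustrative radius-based geotargeting: show the ad only if the user's
# estimated location falls within the advertiser's chosen distance of a
# target locale. All coordinates and the radius are hypothetical.

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    r = 6371.0  # Earth radius in kilometers
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def show_ad(user_loc, target_loc, radius_km):
    """True if the user's estimated location is inside the targeting radius."""
    return distance_km(*user_loc, *target_loc) <= radius_km

boston = (42.36, -71.06)
cambridge = (42.37, -71.11)      # a few kilometers from downtown Boston
san_francisco = (37.77, -122.42)

print(show_ad(cambridge, boston, 25))      # inside a 25 km radius -> True
print(show_ad(san_francisco, boston, 25))  # the other coast -> False
```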

Ads in Google Search are geotargeted based on IP address, a value used to identify a device that is connected to the Internet. Every device connected to the Internet has a unique IP address assigned by the organization connecting the device to the network. Normally you don’t see your IP address (a set of four numbers, from 0 to 255, separated by periods). But the range of IP addresses “owned” by major organizations and Internet service providers (ISPs) is public knowledge. In many cases it’s possible to make an accurate guess as to where a computer, laptop, or mobile phone is located simply by cross-referencing a device’s current IP address with this public list.

For example, it’s known that all devices connected to the Boston College network contain IP addresses starting with the numbers 136.167. If a search engine detects a query coming from an IP address that begins with those two numbers, it can be fairly certain that the person using that device is in the greater Boston area.
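That prefix-matching logic can be sketched directly. The 136.167 prefix comes from the Boston College example above; the lookup table, function name, and sample addresses are otherwise invented for illustration (real geolocation services cross-reference far larger databases of IP ranges).

```python
# Toy IP-based geolocation by prefix matching. The 136.167 prefix is the
# Boston College example from the text; other entries are hypothetical.

IP_RANGES = {
    "136.167.": "Boston, MA (Boston College network)",
    "198.51.":  "Example City (hypothetical entry)",
}

def guess_location(ip_address):
    """Return a best-guess location by matching the address against known
    prefixes, or None if nothing matches."""
    for prefix, location in IP_RANGES.items():
        if ip_address.startswith(prefix):
            return location
    return None

print(guess_location("136.167.2.220"))  # matches the Boston College prefix
print(guess_location("192.0.2.1"))      # unknown range -> None
```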

Figure 14.7

Figure 14.8

In this geotargeting example, the same search term is used at roughly the same time on separate computers located in the Silicon Valley area (top) and Boston (bottom). Note how geotargeting impacts results.

IP addresses will change depending on how and where you connect to the Internet. Connect your laptop to a hotel’s Wi-Fi when visiting a new city, and you’re likely to see ads specific to that location. That’s because your Internet service provider has changed, and the firm serving your ads has detected that you are using an IP address known to be associated with your new location.

Geotargeting via IP address is fairly accurate, but it’s not perfect. For example, some Internet service providers may provide imprecise or inaccurate information on the location of their networks. Others might be so vague that it’s difficult to make a best guess at the geography behind a set of numbers (values assigned by a multinational corporation with many locations, for example). And there are other ways locations are hidden, such as when Internet users connect to proxy servers, third-party computers that pass traffic to and from a specific address without revealing the address of the connected users.

What’s My IP Address?

While every operating system has a control panel or command that you can use to find your current IP address, there are also several Web sites that will quickly return this value (and a best guess at your current location). One such site is ip-adress.com (note the spelling has only one “d”). Visit this or a similar site with a desktop, laptop, and mobile phone. Do the results differ, and are they accurate? Why?

Geotargeting Evolves Beyond the IP Address

There are several other methods of geotargeting. Firms like Skyhook Wireless can identify a location based on their own map of Wi-Fi hotspots and nearby cell towers. Many mobile devices come equipped with global positioning system (GPS) chips, identifying location via the GPS satellite network. And if a user provides location values such as a home address or zip code to a Web site, then that value might be stored and used again to make a future guess at a user’s location.

Key Takeaways

  • Roughly two-thirds of Google’s revenues come from ads served on its own sites, and the vast majority of this revenue comes from search engine ads.
  • Advertisers choose and bid on the keywords and phrases that they’d like to use to trigger the display of their ad.
  • Advertisers pay for cost-per-click advertising only if an ad is clicked on. Google makes no money on CPC ads that are displayed but not clicked.
  • Google determines ad rank by multiplying CPC by Quality Score. Ads with low ranks might not display at all.
  • Advertisers usually don’t pay their maximum CPC. Instead, Google discounts ads to just one cent more than the minimum necessary to maintain an ad’s position on the page—a practice that encourages higher bids.
  • Geotargeting occurs when computer systems identify a user’s physical location (sometimes called geolocation) for the purpose of delivering tailored ads or other content.
  • Google uses IP addresses to target ads.
  • Geotargeting can also be enabled by the satellite-based global positioning system (GPS) or based on estimating location from cell phone towers or Wi-Fi hotspots.

Questions and Exercises

  1. Which firm invented pay-per-click advertising? Why does Google dominate today and not this firm?
  2. How are ads sold via Google search superior to conventional advertising media such as TV, radio, billboard, print, and yellow pages? Consider factors like the available inventory of space to run ads, the cost to run ads, the cost to acquire new advertisers, and the appeal among advertisers.
  3. Are there certain kinds of advertising campaigns and goals where search advertising wouldn’t be a good fit? Give examples and explain why.
  4. Can a firm buy a top ad ranking? Why or why not?
  5. List the four factors that determine an ad’s quality score.
  6. How much do firms typically pay for a single click?
  7. Sites like SpyFu and KeywordSpy provide lists of the keywords with the highest cost per click. Visit the Top Lists page at SpyFu, KeywordSpy, or a comparable site, to find estimates of the current highest paying cost per click. Which keywords pay the most? Why do you think firms are willing to spend so much?
  8. What is bidder’s remorse? How does Google’s ad discounting impact this phenomenon?
  9. Visit an IP lookup site such as ip-adress.com using a desktop, laptop, and mobile phone (work with a classmate or friend if you don’t have access to one of these devices). How do results differ? Why? Are they accurate? What factors go into determining the accuracy of IP-based geolocation?
  10. List and briefly describe other methods of geotargeting besides IP address, and indicate the situations and devices where these methods would be more and less effective.
  11. The field of search engine marketing (SEM) is relatively new and rising in importance. And since the field is so new and constantly changing, there are plenty of opportunities for young, knowledgeable professionals. Which organizations, professional certification, and other resources are available to SEM professionals? Spend some time searching for these resources online and be prepared to share your findings with your class.

14.5 Ad Networks—Distribution beyond Search

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand ad networks, and how ads are distributed and served based on Web site content.
  2. Recognize how ad networks provide advertiser reach and support niche content providers.
  3. Be aware of content adjacency problems and their implications.
  4. Know the strategic factors behind ad network appeal and success.

Google runs ads not just in search, but also across a host of Google-owned sites like Gmail, Google News, and Blogger. It will even tailor ads for its map products and for mobile devices. But about 30 percent of Google’s revenues come from running ads on Web sites that the firm doesn’t even own.Google, “Google Announces Fourth Quarter and Fiscal Year 2008 Results,” press release, January 22, 2009.

Next time you’re surfing online, look around the different Web sites that you visit and see how many sport boxes labeled “Ads by Google.” Those Web sites are participating in Google’s AdSense ad network, which means they’re running ads for Google in exchange for a cut of the take. Participants range from small-time bloggers to some of the world’s most highly trafficked sites. Google lines up the advertisers, provides the targeting technology, serves the ads, and handles advertiser payment collection. To participate, content providers just sign up online, put a bit of Google-supplied HTML code on their pages, and wait for Google to send them cash (Web sites typically get about seventy to eighty cents for every AdSense dollar that Google collects).B. Tedeschi, “Google’s Shadow Payroll Is Not Such a Secret Anymore,” New York Times, January 16, 2006.

Google originally developed AdSense to target ads based on keywords automatically detected inside the content of a Web site. A blog post on your favorite sports team, for example, might be accompanied by ads from ticket sellers or sports memorabilia vendors. AdSense and similar online ad networks provide advertisers with access to the long tail of niche Web sites by offering both increased opportunities for ad exposure as well as more-refined targeting opportunities.
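The core idea of matching ads to page content can be illustrated with a toy keyword-overlap matcher. This is a sketch of the general technique, not AdSense’s actual algorithm; the advertiser names, keyword sets, and sample blog post are all invented.

```python
# Toy contextual ad matching in the spirit of AdSense: pick the advertisers
# whose keywords best overlap the words found on the page.
# Advertisers, keywords, and the sample post are invented for illustration.

ADVERTISERS = {
    "TicketBroker":  {"tickets", "game", "stadium", "season"},
    "MemorabiliaCo": {"jersey", "autograph", "signed", "collectible"},
    "LobsterShack":  {"lobster", "seafood", "maine"},
}

def match_ads(page_text, advertisers=ADVERTISERS):
    """Rank advertisers by how many of their keywords appear in the page,
    dropping any advertiser with no overlap at all."""
    words = set(page_text.lower().split())
    scores = {name: len(keywords & words) for name, keywords in advertisers.items()}
    return sorted((name for name, score in scores.items() if score > 0),
                  key=lambda name: scores[name], reverse=True)

post = "Great game last night so we grabbed season tickets at the stadium box office"
print(match_ads(post))  # only the ticket seller's keywords appear in the post
```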

Figure 14.9

The images above show advertising embedded around a story on the New York Times Web site. The page runs several ads provided by different ad networks. For example, the WebEx banner ad above the article’s headline was served by AOL-owned Platform-A/Tacoda. The “Ads by Google” box appeared at the end of the article. Note how the Google ads are related to the content of the Times article.

Running ads on your Web site is by no means a guaranteed path to profits. The Internet graveyard is full of firms that thought they’d be able to sustain their businesses on ads alone. But for many Web sites, ad networks can be like oxygen, sustaining them with revenue opportunities they’d never be able to achieve on their own.

For example, AdSense provided early revenue for the popular social news site Digg, as well as the multimillion-dollar TechCrunch media empire. It supports Disaboom, a site run by physician and quadriplegic Dr. Glen House. And it continues to be the primary revenue generator for AskTheBuilder.com. That site’s founder, former builder Tim Carter, had been writing a handyman’s column syndicated to some thirty newspapers. The newspaper columns didn’t bring in enough to pay the bills, but with AdSense he hit pay dirt, pulling in over $350,000 in ad revenue in just his first year!R. Rothenberg, “The Internet Runs on Ad Billions,” BusinessWeek, April 10, 2008.

Figure 14.10

Tim Carter’s Ask the Builder Web site runs ads from Google and other ad networks. Note different ad formats surrounding the content. Video ads are also integrated into many of the site’s video tutorials.

Beware the Content Adjacency Problem

Contextual advertising based on keywords is lucrative, but like all technology solutions it has its limitations. Vendors sometimes suffer from content adjacency problems, when ads appear alongside text they’d prefer to avoid. In one particularly embarrassing example, a New York Post article detailed a gruesome murder where hacked up body parts were stowed in suitcases. The online version of the article included contextual advertising and was accompanied by…luggage ads.A. Overholt, “Search for Tomorrow,” Fast Company, December 19, 2007.

To combat embarrassment, ad networks provide opportunities for both advertisers and content providers to screen out potentially undesirable pairings based on factors like vendor, Web site, and category. Advertisers can also use negative keywords, which tell networks to avoid showing ads when specific words appear (e.g., setting negative keywords to “murder” or “killer” could have spared luggage advertisers from the embarrassing problem mentioned above). Ad networks also refine ad-placement software based on feedback from prior incidents (for more on content adjacency problems, see Chapter 8 “Facebook: Building a Business from the Social Graph”).
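A negative-keyword screen is conceptually simple, as the sketch below shows. The function name and keyword lists are hypothetical, echoing the luggage example above; real ad networks apply far more sophisticated filtering.

```python
# Toy negative-keyword screening: suppress an ad whenever any of the
# advertiser's negative keywords appears in the surrounding page content.
# The keyword list echoes the luggage example in the text; all names are invented.

def ad_allowed(page_text, negative_keywords):
    """Return False if any negative keyword appears as a word in the page."""
    words = set(page_text.lower().split())
    return not any(keyword.lower() in words for keyword in negative_keywords)

luggage_negatives = ["murder", "killer", "crash"]

print(ad_allowed("Best carry-on luggage deals for summer travel", luggage_negatives))
print(ad_allowed("Grisly murder case: body found in suitcases", luggage_negatives))
```

A production filter would also handle stemming, phrases, and punctuation; this simple word-set check is enough to show the idea.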

Google launched AdSense in 2003, but Google is by no means the only company to run an ad network, nor was it the first to come up with the idea. Rivals include the Yahoo! Publisher Network, Microsoft’s adCenter, and AOL’s Platform-A. Others, like Quigo, don’t even have a consumer Web site, yet they manage to consolidate enough advertisers to attract high-traffic content providers such as ESPN, Forbes, Fox, and USA Today. Nor are content providers limited to choosing just one ad network. In fact, many content provider Web sites will serve ads from several ad networks (as well as exclusive space sold by their own sales force), oftentimes mixing several different offerings on the same page.

Ad Networks and Competitive Advantage

While advertisers can use multiple ad networks, there are several key strategic factors driving the industry. For Google, its ad network is a distribution play. The ability to reach more potential customers across more Web sites attracts more advertisers to Google. And content providers (the Web sites that distribute these ads) want there to be as many advertisers as possible in the ad networks that they join, since this should increase the price of advertising, the number of ads served, and the accuracy of user targeting. If advertisers attract content providers, which in turn attract more advertisers, then we’ve just described network effects! More participants bringing in more revenue also help the firm benefit from scale economies—offering a better return on investment from its ad technology and infrastructure. No wonder Google’s been on such a tear—the firm’s loaded with assets for competitive advantage!

Google’s Ad Reach Gets Bigger

While Google has the largest network specializing in distributing text ads, it had been a laggard in graphical display ads (sometimes called image ads). That changed in 2008, with the firm’s $3.1 billion acquisition of display ad network and targeting company DoubleClick. Now in terms of the number of users reached, Google controls both the largest text ad network and the largest display ad network.L. Baker, “Google Now Controls 69% of Online Advertising Market,” Search Engine Journal, March 31, 2008.

Key Takeaways

  • Google also serves ads through non-Google partner sites that join its ad network. These partners distribute ads for Google in exchange for a percentage of the take.
  • AdSense ads are targeted based on keywords that Google detects inside the content of a Web site.
  • AdSense and similar online ad networks provide advertisers with access to the long tail of niche Web sites.
  • Ad networks handle advertiser recruitment, ad serving, and revenue collection, opening up revenue earning possibilities to even the smallest publishers.

Questions and Exercises

  1. On a percentage basis, how important is AdSense to Google’s revenues?
  2. Why do ad networks appeal to advertisers? Why do they appeal to content providers? What functions are assumed by the firm overseeing the ad network?
  3. What factors determine the appeal of an ad network to advertisers and content providers? Which of these factors are potentially sources of competitive advantage?
  4. Do dominant ad networks enjoy strong network effects? Are there also strong network effects that drive consumers to search? Why or why not?
  5. How difficult is it for a Web site to join an ad network? What does this imply about ad network switching costs? Does it have to exclusively choose one network over another? Does ad network membership prevent a firm from selling its own online advertising, too?
  6. What is the content adjacency problem? Why does it occur? What classifications of Web sites might be particularly susceptible to the content adjacency problem? What can advertisers do to minimize the likelihood that a content adjacency problem will occur?

14.6 More Ad Formats and Payment Schemes

Learning Objectives

After studying this section you should be able to do the following:

  1. Know the different formats and media types that Web ads can be displayed in.
  2. Know the different ways ads are sold.
  3. Know that games can be an ad channel under the correct conditions.

Online ads aren’t just about text ads billed on a CPC basis. Ads running through Google AdSense, through its DoubleClick subsidiary, or on most competitor networks can be displayed in several formats and media types, and can be billed in different ways. The specific ad formats supported depend on the ad network but can include the following: image (or display) ads, such as horizontally oriented banners, smaller rectangular buttons, and vertically oriented “skyscraper” ads; rich media ads, which can include animation, audio, or video; and interstitials, ads that run before a user arrives at a Web site’s contents. The Interactive Advertising Bureau (IAB), a nonprofit industry trade group that evaluates and recommends interactive advertising standards and practices (and also conducts research, education, and legislative lobbying), sets common standards for display ads so that a single creative (the design and content of the advertisement) can run unmodified across multiple ad networks and Web sites.See the Interactive Advertising Bureau Ad Unit Guidelines for details.

And there are lots of other ways ads are sold besides cost-per-click. Most graphical display ads are sold according to the number of times the ad appears (the impression). Ad rates are quoted in CPM, meaning cost per thousand impressions (the M representing the Roman numeral for one thousand). Display ads sold on a CPM basis are often used as part of branding campaigns targeted more at creating awareness than generating click-throughs. Such techniques often work best for promoting products like soft drinks, toothpaste, or movies.

Cost-per-action (CPA) ads pay whenever a user clicks through and performs a specified action, such as signing up for a service, requesting material, or making a purchase. Affiliate programs are a form of cost-per-action, where program sponsors (e.g., Amazon.com, iTunes) pay referring Web sites a percentage of revenue earned from the referral. Amazon runs the world’s largest affiliate program, and referring sites can earn 4 percent to 15 percent of sales generated from these click-throughs. Purists might not consider affiliate programs advertising (rather than text or banner ads, Amazon’s affiliates offer links and product descriptions that point back to Amazon’s Web site), but these programs can be important tools in a firm’s promotional arsenal.
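The arithmetic behind these billing schemes is straightforward. The rates below are hypothetical, chosen only to echo figures in this section (the 6 percent affiliate share, for example, falls within Amazon’s 4 to 15 percent range).

```python
# Back-of-the-envelope math for the billing schemes in this section.
# All rates and volumes are hypothetical; CPM prices per thousand impressions.

def cpm_cost(impressions, rate_per_thousand):
    """Branding campaigns: pay per thousand impressions."""
    return impressions / 1000 * rate_per_thousand

def cpc_cost(clicks, cost_per_click):
    """Pay-per-click: pay only when the ad is clicked."""
    return clicks * cost_per_click

def affiliate_payout(sale_amount, revenue_share):
    """Affiliate programs: pay a percentage of referred revenue."""
    return sale_amount * revenue_share

print(round(cpm_cost(500_000, 2.50), 2))        # 500,000 impressions at a $2.50 CPM
print(round(cpc_cost(1_000, 0.60), 2))          # 1,000 clicks at $0.60 each
print(round(affiliate_payout(120.00, 0.06), 2)) # 6% share on a $120 referred sale
```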

And rather than buying targeted ads, a firm might sometimes opt to become an exclusive advertiser on a site. For example, a firm could buy access to all ads served on a site’s main page; it could secure exclusive access to a region of the page (such as the topmost banner ad); or it may pay to sponsor a particular portion or activity on a Web site (say a parenting forum, or a “click-to-print” button). Such deals can be billed based on a flat rate, CPM, CPC, or any combination of metrics.

Ads in Games?

As consumers spend more time in video games, it’s only natural that these products become ad channels, too. Finding a sensitive mix that introduces ads without eroding the game experience can be a challenge. Advertising can work in racing or other sports games (in 2008 the Obama campaign famously ran virtual billboards in EA’s Burnout Paradise), but ads make less sense for games set in the past, future, or on other worlds. Branding ads often work best, since click-throughs are typically not something you want disrupting your gaming experience.

Advertisers have also explored sponsorships of Web-based and mobile games. Sponsorships often work best with casual games, such as those offered on Yahoo! Games or EA’s Pogo. Firms have also created online mini games (so-called advergames) for longer term, immersive brand engagement (e.g., Mini Cooper’s Slide Parking and Stride Gum’s Chew Challenge). Others have tried a sort of virtual product placement integrated into experiences. A version of The Sims, for example, included virtual replicas of real-world inventory from IKEA and H&M.

Figure 14.11 Obama Campaign’s Virtual Billboard in EA’s Burnout Paradise

In-game ad-serving technology also lacks the widely accepted standards of Web-based ads, so it’s unlikely that ads designed for a Wii sports game could translate into a PS3 first-person shooter. Also, one of the largest in-game ad networks, Massive, is owned by Microsoft. That’s good if you want to run ads on Xbox, but Microsoft isn’t exactly a firm that Nintendo or Sony want to play nice with.

In-game advertising shows promise, but the medium is considerably more complicated than conventional Web site ads. That complexity lowers relative ROI and will likely continue to constrain growth.

Key Takeaways

  • Web ad formats include, but are not limited to, the following: image (or display) ads (such as horizontally oriented banners, smaller rectangular buttons, and vertically oriented skyscraper ads), rich media ads (which can include animation or video), and interstitials (ads that run before a user arrives at a Web site’s contents).
  • In addition to cost-per-click, ads can be sold based on the number of times the ad appears (impressions), whenever a user performs a specified action such as signing up for a service, requesting material, or making a purchase (cost-per-action), or on an exclusive basis which may be billed at a flat rate.
  • In-game advertising shows promise, with successful branding campaigns run as part of sports games, through in-game product placement, or via sponsorship of casual games, or in brand-focused advergames.
  • A lack of standards, concerns regarding compatibility with gameplay, and the cost of developing and distributing games are all stifling the growth of in-game ads.

Questions and Exercises

  1. What is the IAB and why is it necessary?
  2. What are the major ad format categories?
  3. What’s an interstitial? What’s a rich media ad? Have you seen these? Do you think they are effective? Why or why not?
  4. List four major methods for billing online advertising.
  5. Which method is used to bill most graphical advertising? What’s the term used for this method and what does it stand for?
  6. How many impressions are recorded if a single user is served the same ad one thousand times? How many if one thousand users are served the same ad once?
  7. Imagine the two scenarios below. Decide which type of campaign would be best for each: text-based CPC advertising or image ads paid for on a CPM basis. Explain your reasoning.

    1. Netflix is looking to attract new customers by driving traffic to its Web site and increase online subscriptions.
    2. Zara has just opened a new clothing store in major retailing area in your town. The company doesn’t offer online sales; rather, the majority of its sales come from stores.
  8. Which firm runs the world’s largest affiliate program? Why is this form of advertising particularly advantageous to the firm (think about the ROI for this sort of effort)?
  9. Give examples where in-game advertising might work and those where it might be less desirable. List key reasons why in-game advertising has not been as successful as other forms of Internet-distributed ads.

14.7 Customer Profiling and Behavioral Targeting

Learning Objectives

After studying this section you should be able to do the following:

  1. Be familiar with various tracking technologies and how they are used for customer profiling and ad targeting.
  2. Understand why customer profiling is both valuable and controversial.
  3. Recognize steps that organizations can take to help ease consumer and governmental concerns.

Advertisers are willing to pay more for ads that have a greater chance of reaching their target audience, and online firms have a number of targeting tools at their disposal. Much of this targeting occurs whenever you visit a Web site, where a behind-the-scenes software dialogue takes place between Web browser and Web server that can reveal a number of pieces of information, including IP address, the type of browser used, the computer type, its operating system, and unique identifiers called cookies: lines of identifying text, assigned and retrieved by a given Web server and stored by your browser.

And remember, any server that serves you content can leverage these profiling technologies. You might be profiled not just by the Web site that you’re visiting, but also by any ad networks that serve ads on that site (e.g., Platform-A, DoubleClick, Google AdSense, Microsoft adCenter).

IP addresses are leveraged extensively in customer profiling. An IP address not only helps with geolocation, it can also indicate a browser’s employer or university, which can be further matched with information such as firm size or industry. IBM has used IP targeting to tailor its college recruiting banner ads to specific schools, for example, “There Is Life After Boston College, Click Here to See Why.” That campaign garnered click-through rates ranging from 5 to 30 percent,M. Moss, “These Web Sites Know Who You Are,” ZDNet UK, October 13, 1999. compared to average rates that are currently well below 1 percent for untargeted banner ads. DoubleClick once even served a banner that included a personal message for an executive at then-client Modem Media. The ad, reading “Congratulations on the twins, John Nardone,” was served across hundreds of sites, but was only visible from computers on the Modem Media corporate network.M. Moss, “These Web Sites Know Who You Are,” ZDNet UK, October 13, 1999.

The ability to identify a surfer’s computer, browser, or operating system can also be used to target tech ads. For example, Google might pitch its Chrome browser to users detected running Internet Explorer, Firefox, or Safari; while Apple could target those “I’m a Mac” ads just to Windows users.
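Operating system and browser detection of this sort is typically done by inspecting the User-Agent string the browser sends with each request. Here is a very rough sketch (real user-agent parsers handle many more cases; note that Chrome’s string also contains “Safari,” so the order of checks matters):

```python
def detect_platform(user_agent):
    """Crude User-Agent sniffing sketch; real parsers are far more robust."""
    ua = user_agent.lower()
    if "windows" in ua:
        os_name = "Windows"
    elif "mac os x" in ua or "macintosh" in ua:
        os_name = "macOS"
    else:
        os_name = "other"
    # Check Chrome before Safari: Chrome's User-Agent also contains "Safari".
    if "firefox" in ua:
        browser = "Firefox"
    elif "chrome" in ua:
        browser = "Chrome"
    elif "safari" in ua:
        browser = "Safari"
    else:
        browser = "other"
    return os_name, browser

print(detect_platform("Mozilla/5.0 (Windows NT 10.0) Gecko Firefox/115.0"))
```

An ad server using a check like this could show Windows users an “I’m a Mac” spot, or pitch Chrome to anyone not already running it.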

But perhaps the greatest degree of personalization and targeting comes from cookies. Visit a Web site for the first time, and in most cases, a behind-the-scenes dialogue takes place that goes something like this:

Server: Have I seen you before?

Browser: No.

Server: Then take this unique string of numbers and letters (called a cookie). I’ll use it to recognize you from now on.

The cookie is just a line of identifying text assigned and retrieved by a given Web server and stored on your computer by your browser. Upon accepting this cookie your browser has been tagged, like an animal. As you surf around the firm’s Web site, that cookie can be used to build a profile associated with your activities. If you’re on a portal like Yahoo! you might type in your zip code, enter stocks that you’d like to track, and identify the sports teams you’d like to see scores for. The next time you return to the Web site, your browser responds to the server’s “Have I seen you before?” question with the equivalent of “Yes, you know me,” and it presents the cookie that the site gave you earlier. The site can then match this cookie against your browsing profile, showing you the weather, stock quotes, sports scores, and other info that it thinks you’re interested in.
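The exchange above can be sketched in code. The following is a minimal, illustrative simulation (not any real server’s implementation): the server hands out a random identifier on first contact, and on return visits it matches the presented cookie against a stored profile.

```python
import secrets

# In-memory profile store keyed by cookie value (illustrative sketch only).
profiles = {}

def handle_request(cookie_from_browser=None):
    """Simulate the server's 'Have I seen you before?' exchange."""
    if cookie_from_browser is None or cookie_from_browser not in profiles:
        # First visit: assign a fresh identifier via a Set-Cookie header.
        new_id = secrets.token_hex(16)
        profiles[new_id] = {"visits": 1}
        return {"Set-Cookie": f"uid={new_id}"}, profiles[new_id]
    # Return visit: the browser presented its cookie, so look up the profile.
    profiles[cookie_from_browser]["visits"] += 1
    return {}, profiles[cookie_from_browser]

headers, profile = handle_request()            # first visit: cookie assigned
uid = headers["Set-Cookie"].split("=", 1)[1]
_, profile = handle_request(uid)               # return visit: recognized
print(profile["visits"])                       # prints 2
```

In a real exchange the identifier travels in the HTTP `Set-Cookie` response header and comes back in the browser’s `Cookie` request header; the server-side profile lookup works essentially as sketched.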

Cookies are used for lots of purposes. Retail Web sites like Amazon use cookies to pay attention to what you’ve shopped for and bought, tailoring Web sites to display products that the firm suspects you’ll be most interested in. Sites also use cookies to keep track of what you put in an online “shopping cart,” so if you quit browsing before making a purchase, these items will reappear the next time you visit. And many Web sites also use cookies as part of a “remember me” feature, storing user IDs and passwords. Beware this last one! If you check the “remember me” box on a public Web browser, the next person who uses that browser is potentially using your cookie, and can log in as you!

An organization can’t read cookies that it did not give you, so one firm’s Web site can’t tell which cookies other sites have assigned to your browser. But you can see all of the cookies in your browser. Take a look and you’ll almost certainly see cookies from dozens of Web sites that you’ve never visited. These are third-party cookies (sometimes called tracking cookies), and they are usually served by ad networks or other customer profiling firms that use them to identify users and record behavior across multiple Web sites.

Figure 14.12

The Preferences setting in most Web browsers allows you to see its cookies. This browser has received cookies from several ad networks, media sites, and the University of Minnesota Carlson School of Management.

By serving and tracking cookies in ads shown across partner sites, ad networks can build detailed browsing profiles that include sites visited, specific pages viewed, duration of visit, and the types of ads you’ve seen and responded to. And that surfing might give an advertising network a better guess at demographics like gender, age, marital status, and more. Visit a new parent site and expect to see diaper ads in the future, even when you’re surfing for news or sports scores!
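The cross-site profile building described above can be sketched as follows. Each time the ad network serves an ad on any of its partner sites, it logs the visit against the same cookie identifier; the site names and identifier here are purely illustrative:

```python
# Sketch: how a single ad-network cookie accumulates a cross-site profile.
# The network sees the same cookie ID no matter which partner site you visit.
network_profiles = {}

def serve_ad(cookie_id, publisher_site, page):
    """Record a page view against the cookie's profile, then serve an ad."""
    profile = network_profiles.setdefault(cookie_id, [])
    profile.append((publisher_site, page))
    return profile

serve_ad("abc123", "news-site.example", "/politics")
serve_ad("abc123", "sports-site.example", "/scores")
print(network_profiles["abc123"])  # one profile spanning two unrelated sites
```

This is why a visit to a new-parent site can follow you to a sports page: both pages carry ads from the same network, and both visits land in the same profile.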

But What If I Don’t Want a Cookie!

If all of this creeps you out, remember that you’re in control. The most popular Web browsers allow you to block all cookies, block just third-party cookies, purge your cookie file, or even ask for your approval before accepting a cookie. Of course, if you block cookies, you block any benefits that come along with them, and some Web site features may require cookies to work properly. Also note that while deleting a cookie breaks a link between your browser and that Web site, if you supply identifying information in the future (say by logging into an old profile), the site might be able to assign your old profile data to the new cookie.

While the Internet offers targeting technologies that go way beyond traditional television, print, and radio offerings, none of these techniques is perfect. Since users are regularly assigned different IP addresses as they connect and disconnect from various physical and Wi-Fi networks, IP targeting can’t reliably identify individual users. Cookies also have their weaknesses. They’re stored by browsers and associated with a log-in account profile on that computer. That means that if several people use the same browser on the same computer without logging on to that machine as separate users, then all their Web surfing activity may be mixed into the same cookie profile. (One solution is to create different log-in accounts on that computer. Your PC will then keep separate cookies for each account.) Some users might also use different browsers on the same machine, or use different computers. Unless a firm has a way to match up these different cookies with a single user account or other user-identifying information, a site may be working with multiple, incomplete profiles.

Key Takeaways

  • The communication between Web browser and Web server can identify IP address, the type of browser used, the computer type, its operating system, time and date of access, and duration of Web page visit, and can read and assign unique identifiers, called cookies—all of which can be used in customer profiling and ad targeting.
  • An IP address not only helps with geolocation; it can also be matched against other databases to identify the organization providing the user with Internet access (such as a firm or university), that organization’s industry, size, and related statistics.
  • A cookie is a unique line of identifying text, assigned and retrieved by a given Web server and stored on a computer by the browser, that can be used to build a profile associated with your Web activities.
  • The most popular Web browsers allow you to block all cookies, block just third-party cookies, purge your cookie file, or even ask for your approval before accepting a cookie.

Questions and Exercises

  1. Give examples of how the ability to identify a surfer’s computer, browser, or operating system can be used to target tech ads.
  2. Describe how IBM targeted ad delivery for its college recruiting efforts. What technologies were used? What was the impact on click-through rates?
  3. What is a cookie? How are cookies used? Is a cookie a computer program? Which firms can read the cookies in your Web browser?
  4. Does a cookie accurately identify a user? Why or why not?
  5. What is the danger of checking the “remember me” box on a public Web browser?
  6. What’s a third-party cookie? What kinds of firms might use these? How are they used?
  7. How can users restrict cookie use on their Web browsers? What is the downside of blocking cookies?
  8. Work with a faculty member and join the Google Online Marketing Challenge (held each spring). Google offers ad credits for student teams to develop and run online ad campaigns for real clients and offers prizes for winning teams. Some of the experiences earned in the Google Challenge can translate to other ad networks as well; and firsthand client experience has helped many students secure jobs, internships, and even start their own businesses.

14.8 Profiling and Privacy

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the privacy concerns that arise as a result of using third-party or tracking cookies to build user profiles.
  2. Be aware of the negative consequences that could result from the misuse of third-party or tracking cookies.
  3. Know the steps Google has taken to demonstrate its sensitivity to privacy issues.
  4. Know the kinds of user information that Google stores, and the steps Google takes to protect the privacy of that information.

While AdSense has been wildly successful, contextual advertising has its limits. For example, what kind of useful targeting can firms really do based on the text of a news item on North Korean nuclear testing?R. Singel, “Online Behavioral Targeting Targeted by Feds, Critics,” Wired News, June 3, 2009. So in March 2009, Google announced what it calls “interest-based ads.” Google AdSense would now issue a third-party cookie and would track browsing activity across AdSense partner sites, and Google-owned YouTube (the firm had not previously used tracking cookies on its AdSense network). AdSense would build a profile, initially identifying users within thirty broad categories and six hundred subcategories. Says one Google project manager, “We’re looking to make ads even more interesting.”R. Hof, “Behavioral Targeting: Google Pulls Out the Stops,” BusinessWeek, March 11, 2009.

Of course, there’s a financial incentive to do this too. Ads deemed more interesting should garner more clicks, meaning more potential customer leads for advertisers, more revenue for Web sites that run AdSense, and more money for Google.

But while targeting can benefit Web surfers, users will resist if they feel that they are being mistreated, exploited, or put at risk. Negative backlash might also result in a change in legislation. The U.S. Federal Trade Commission has already called for more transparency and user control in online advertising and for requesting user consent (opt-in: a program, typically a marketing effort, that requires customer consent, in contrast to opt-out programs, which enroll all customers by default) when collecting sensitive data.R. Singel, “Online Behavioral Targeting Targeted by Feds, Critics,” Wired News, June 3, 2009. Mishandled user privacy could curtail targeting opportunities, limiting growth across the online advertising field. And with less ad support, many of the Internet’s free services could suffer.

Google’s roll-out of interest-based ads shows the firm’s sensitivity to these issues. First, while major rivals have all linked query history to ad targeting, Google steadfastly refuses to do this. Other sites often link registration data (including user-submitted demographics such as gender and age) with tracking cookies, but Google avoids this practice as well.

Figure 14.13

Here’s an example of one user’s interests, as tracked by Google’s “Interest-based Ads” and displayed in the firm’s “Ad Preferences Manager.”

Google has also placed significant control in the hands of users, with options at program launch that were notably more robust than those of its competitors.S. Hansell, “A Guide to Google’s New Privacy Controls,” New York Times, March 12, 2009. Each interest-based ad is accompanied by an “Ads by Google” link that will bring users to a page describing Google advertising and which provides access to the company’s “Ads Preferences Manager.” This tool allows surfers to see any of the hundreds of potential categorizations that Google has assigned to that browser’s tracking cookie. Users can remove categorizations, and even add interests if they want to improve ad targeting. Some topics are too sensitive to track, and the technology avoids profiling race, religion, sexual orientation, health, political or trade union affiliation, and certain financial categories.R. Mitchell, “What Google Knows about You,” Computerworld, May 11, 2009.

Google also allows users to install a cookie that opts them out of interest-based tracking. And since browser cookies can expire or be deleted, the firm has gone a step further, offering a browser plug-in (a small computer program that extends the feature set or capabilities of another application) that will remain permanent, even if a user’s opt-out cookie is purged.

Google, Privacy Advocates, and the Law

Google’s moves are meant to demonstrate transparency in its ad targeting technology, and the firm’s policies may help raise the collective privacy bar for the industry. While privacy advocates have praised Google’s efforts to put more control in the hands of users, many continue to voice concern over what they see as the increasing amount of information that the firm houses.M. Helft, “BITS; Google Lets Users See a Bit of Selves,” New York Times, November 9, 2009. For an avid user, Google could conceivably be holding e-mail (Gmail), photos (Picasa), a Web surfing profile (AdSense and DoubleClick), medical records (Google Health), location (Google Latitude), appointments (Google Calendar), transcripts of phone messages (Google Voice), work files (Google Docs), and more.

Google insists that reports portraying it as a data-hoarding Big Brother are inaccurate. The firm is adamant that user data exists in silos that aren’t federated (linked) in any way, nor are employees permitted access to multiple data archives without extensive clearance and monitoring. Data is not sold to third parties. Activities in Gmail, Docs, or most other services isn’t added to targeting profiles. And any targeting is fully disclosed, with users empowered to opt out at all levels.R. Mitchell, “What Google Knows about You,” Computerworld, May 11, 2009. But critics counter that corporate intentions and data use policies (articulated in a Web site’s Terms of Service) can change over time, and that a firm’s good behavior today is no guarantee of good behavior in the future.R. Mitchell, “What Google Knows about You,” Computerworld, May 11, 2009.

Google does enjoy a lot of user goodwill, and it is widely recognized for its unofficial motto “Don’t Be Evil.” However, some worry that even though Google might not be evil, it could still make a mistake, and that despite its best intentions, a security breach or employee error could leave data dangerously or embarrassingly exposed.

Such gaffes and oversights have happened. A March 2009 system flaw inadvertently shared some Google Docs with contacts who were never granted access to them.J. Kincaid, “Google Privacy Blunder Shares Your Docs without Permission,” TechCrunch, March 7, 2009. And when the firm introduced its Google Buzz social networking service in early 2010, many users were horrified that their most frequently used Gmail contacts were automatically added to Buzz, allowing others to see whom they were communicating with. As one report explained, “Suddenly, journalists’ clandestine contacts were exposed, secret affairs became dramatically less secret, and stalkers obtained a new tool to harass their victims. Oops.”A. Gold, “Keep Your Buzz to Yourself: Google Misjudged Its Users’ Right to Privacy,” The Harvard Crimson, February 22, 2010. Eleven congressmen subsequently asked the U.S. Federal Trade Commission to investigate Google Buzz for possible breaches of consumer privacy.G. Gross, “Lawmakers Ask for FTC Investigation of Google Buzz,” PCWorld, March 29, 2010.

Privacy advocates also worry that the amount of data stored by Google serves as one-stop shopping for litigators and government investigators. The counter argument points to the fact that Google has continually reflected an aggressive defense of data privacy in court cases. When Viacom sued Google over copyright violations in YouTube, the search giant successfully fought the original subpoena, which had requested user-identifying information.R. Mitchell, “What Google Knows about You,” Computerworld, May 11, 2009. And Google was the only one of the four largest search engines to resist a 2006 Justice Department subpoena for search queries.A. Broache, “Judge: Google Must Give Feds Limited Access to Records,” CNET, March 17, 2006.

Google is increasingly finding itself in precedent-setting cases where the law is vague. Google’s Street View, for example, has been the target of legal action in the United States, Canada, Japan, Greece, and the United Kingdom. Varying legal environments create a challenge to the global rollout of any data-driven initiative.L. Sumagaysay, “Not Everyone Likes the (Google Street) View,” Good Morning Silicon Valley, May 20, 2009.

Ad targeting brings to a head issues of opportunity, privacy, security, risk, and legislation. Google is now taking a more active public relations and lobbying role to prevent misperceptions and to be sure its positions are understood. While the field continues to evolve, Google’s experience will lay the groundwork for the future of personalized technology and provide a case study for other firms that need to strike the right balance between utility and privacy. Despite differences, it seems clear to Google, its advocates, and its detractors that with great power comes great responsibility.

Key Takeaways

  • Possible consequences resulting from the misuse of customer tracking and profiling technologies include user resistance and legislation. Mishandled user privacy could curtail targeting opportunities and limit growth in online advertising. With less ad support, many of the Internet’s free services could suffer.
  • Google has taken several steps to protect user privacy and has thus far refused to link query history or registration data to ad targeting.
  • Google’s “Ads Preferences Manager” allows surfers to see, remove, and add to, any of the categorizations that Google has assigned to that browser’s tracking cookie. The technology also avoids targeting certain sensitive topics.
  • Google allows users to install a cookie or plug-in that opts them out of interest-based tracking.
  • Some privacy advocates have voiced concern over what they see as the increasing amount of information that Google houses.
  • Even the best-intentioned and most competent firms can have a security breach that compromises stored information. Google has suffered privacy breaches from product flaws and poorly planned feature rollouts. Such issues may lead to further investigation, legislation, and regulation.

Questions and Exercises

  1. Gmail uses contextual advertising. The service will scan the contents of e-mail messages and display ads off to the side. Test the “creep out” factor in Gmail—create an account (if you don’t already have one), and send messages to yourself with controversial terms in them. Which ones showed ads? Which ones didn’t?
  2. Google has never built user profiles based on Gmail messages. Ads are served based on a real-time scanning of keywords. Is this enough to make you comfortable with Google’s protection of your own privacy? Why or why not?
  3. List the negative consequences that could result from the misuse of tracking cookies.
  4. What steps has Google taken to give users control over the ads they wish to see?
  5. Which topics does “Ads Preferences Manager” avoid in its targeting system?
  6. Visit Google’s Ad Preferences page. Is Google tracking your interests? Do you think the list of interests is accurate? Browse the categories under the “Ad Interest” button. Would you add any of these categories to your profile? Why or why not? What do you gain or lose by taking advantage of Google’s “Opt Out” option? Visit rival ad networks. Do you have a similar degree of control? More or less?
  7. List the types of information that Google might store for an individual. Do you feel that Google is a fair and reliable steward for this information? Are there Google services or other online efforts that you won’t use due to privacy concerns? Why?
  8. What steps does Google take to protect the privacy of user information?
  9. Google’s “interest-based advertising” was launched as an opt-out effort. What are the pros and cons for Google, users, advertisers, and AdSense partner sites if Google were to switch to an opt-in system? How would these various constituencies be impacted if the government mandated that users explicitly opt in to third-party cookies and other behavior-tracking techniques?
  10. What is Google’s unofficial motto?
  11. What is “Street View”? Where and on what grounds is it being challenged?
  12. Cite two court cases where Google has mounted a vigorous defense of data privacy.
  13. Wired News quoted a representative of privacy watchdog group, The Center for Digital Democracy, who offered a criticism of online advertising. The representative suggested that online firms were trying to learn “everything about individuals and manipulate their weaknesses” and that the federal government should “investigate the role [that online ads] played in convincing people to take out mortgages they should not have.”R. Singel, “Online Behavioral Targeting Targeted by Feds, Critics,” Wired News, June 3, 2009. Do you think online advertising played a significant role in the mortgage crisis? What role do advertisers, ad networks, and content providers have in online advertising oversight? Should this responsibility be any different from oversight in traditional media (television, print, radio)? What guidelines would you suggest?
  14. Even well-intentioned firms can compromise user privacy. How have Google’s missteps compromised user privacy? As a manager, what steps would you take in developing and deploying information systems that might prevent these kinds of problems from occurring?

14.9 Search Engines, Ad Networks, and Fraud

Learning Objectives

After studying this section you should be able to do the following:

  1. Be able to identify various types of online fraud, as well as the techniques and technologies used to perpetrate these crimes.
  2. Understand how firms can detect, prevent, and prosecute fraudsters.

There’s a lot of money to be made online, and this has drawn the attention of criminals and the nefarious. Online fraudsters may attempt to steal from advertisers, harm rivals, or otherwise dishonestly game the system. But bad guys beware—such attempts violate terms-of-service agreements and may lead to prosecution and jail time.

Studying ad-related fraud helps marketers, managers, and technologists understand potential vulnerabilities, as well as the methods used to combat them. This process also builds tech-centric critical thinking, valuation, and risk assessment skills.

Some of the more common types of fraud that are attempted in online advertising include the following:

  • Enriching click fraud—when site operators generate bogus ad clicks to earn PPC income. (Click fraud refers to generating bogus clicks, either for financial gain, called enriching fraud, or to attack rivals by draining their online ad budgets, called depleting fraud.)
  • Enriching impression fraud—when site operators generate false page views (and hence ad impressions) in order to boost their site’s CPM earnings.
  • Depleting click fraud—clicking a rival’s ads to exhaust their PPC advertising budget.
  • Depleting impression fraud—generating bogus impressions to exhaust a rival’s CPM ad budget.
  • Rank-based impression fraud—on sites where ad rank is based on click performance, fraudsters repeatedly search keywords linked to rival ads or access pages where rival ads appear. The goal is to generate impressions without clicks. This process lowers the performance rank (quality score) of a rival’s ads, possibly dropping ads from rank results, and allowing fraudsters to subsequently bid less for the advertising slots previously occupied by rivals.
  • Disbarring fraud—attempting to frame a rival by generating bogus clicks or impressions that appear to be associated with the rival, in hopes that this rival will be banned from an ad network or punished in search engine listings.
  • Link fraud (also known as spamdexing or link farming)—creating a series of bogus Web sites, all linking back to a page, in hopes of increasing that page’s results in organic search.
  • Keyword stuffing—packing a Web site with unrelated keywords (sometimes hidden in fonts that are the same color as a Web site’s background) in hopes of either luring users who wouldn’t normally visit a Web site, or attracting higher-value contextual ads.

Disturbing stuff, but firms are after the bad guys and they’ve put their best geeks on the case. Widespread fraud would tank advertiser ROI and crater the online advertising market, so Google and rivals are diligently working to uncover and prosecute the crooks.

Busting the Bad Guys

On the surface, enriching click fraud seems the easiest to exploit. Just set up a Web site, run PPC ads on the page, and click like crazy. Each click should ring the ad network cash register, and a portion of those funds will be passed on to the perpetrating site owner—ka ching! But remember, each visitor is identified by an IP address, so lots of clicks from a single IP make the bad guys easy to spot.

So organized crime tried to raise the bar, running so-called click farms (recruited networks of users engaged in click fraud, spreading clicks across many IP addresses to make the fraud more difficult to detect). The Times of India uncovered one such effort where Indian housewives were receiving up to twenty-five cents for each ad click made on fraudster-run Web sites.N. Vidyasagar, “India’s Secret Army of Online Ad ‘Clickers,’” Times of India, May 3, 2004. But an unusually large number of clicks from Indian IP addresses foiled these schemes as well.

Fraudsters then moved on to use zombie networks (sometimes called “clickbots” or “bot nets”)—hordes of surreptitiously infiltrated computers, linked and controlled by rogue software.C. Mann, “How Click Fraud Could Swallow the Internet,” Wired, January 2006. To create zombie networks, hackers exploit security holes, spread viruses, or use so-called phishing techniques to trick users into installing software that will lie dormant, awaiting commands from a central location. The controlling machine then sends out tasks to each zombie, instructing it to visit Web sites and click on ads in a way that mimics real traffic. Zombie bot nets can be massive. Dutch authorities once took down a gang that controlled some 1.5 million machines.T. Sanders, “Dutch Botnet Gang Facing Jail,” IT News Australia, January 18, 2007; and N. Daswani and M. Stoppleman, “The Anatomy of Clickbot” (paper, Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, April 11–13, 2007).

Scary, but this is where scale, expertise, and experience come in. The more activity an ad network can monitor, the greater the chance that it can uncover patterns that are anomalous. Higher click-through rates than comparable sites? Caught. Too many visits to a new or obscure site? Caught. Clicks that don’t fit standard surfing patterns for geography, time, and day? Caught.
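The pattern checks above can be sketched as a toy anomaly filter. The thresholds and data shapes here are invented for illustration; real ad networks weigh many more signals (geography, time of day, surfing patterns) across vastly more traffic:

```python
from collections import Counter

def flag_suspicious(click_log, impressions, baseline_ctr=0.005):
    """Flag a site whose clicks look anomalous (toy sketch, invented thresholds).

    click_log: list of (ip_address, ad_id) tuples for the site.
    impressions: total ad impressions served on the site.
    baseline_ctr: assumed click-through rate for comparable sites.
    """
    reasons = []
    ctr = len(click_log) / max(impressions, 1)
    if ctr > 10 * baseline_ctr:
        reasons.append("click-through rate far above comparable sites")
    ips = Counter(ip for ip, _ in click_log)
    if ips and ips.most_common(1)[0][1] > 0.5 * len(click_log):
        reasons.append("clicks concentrated on a single IP address")
    return reasons

# A site with 60 clicks on 1,000 impressions, all from one IP: caught twice over.
print(flag_suspicious([("1.2.3.4", "ad1")] * 60, 1000))
```

The larger the network, the better the baselines: with more comparable sites to measure against, anomalies like these stand out more sharply, which is the scale advantage described above.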

Sometimes the goal isn’t theft, but sabotage. Google’s Ad Traffic Quality Team backtracked through unusual patterns to uncover a protest effort targeted at Japanese credit card firms. Ad clicks were eventually traced to an incendiary blogger who incited readers to search for the Japanese word kiyashinku (meaning cashing credit, or credit cards), and to click the credit card firm ads that show up, depleting firm search marketing budgets. Sneaky, but uncovered and shut down, without harm to the advertisers.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008).

Search firm and ad network software can use data patterns and other signals to ferret out most other types of fraud, too, including rank-based impression fraud, spamdexing, and keyword stuffing. While many have tried to up the stakes with increasingly sophisticated attacks, large ad networks have worked to match them, increasing their anomaly detection capabilities across all types of fraud.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008). Here we see another scale and data-based advantage for Google. Since the firm serves more search results and advertisements than its rivals do, it has vastly more information on online activity. And if it knows more about what’s happening online than any other firm, it’s likely to be first to shut down anyone who tries to take advantage of the system.

Click Fraud: How Bad Is It?

Accounts on the actual rate of click fraud vary widely. Some third-party firms contend that nearly one in five clicks is fraudulent.S. Hamner, “Pay-per-Click Advertisers Combat Costly Fraud,” New York Times, May 12, 2009. But Google adamantly disputes these headline-grabbing numbers, claiming that many such reports are based on site logs that reflect false data from conditions that Google doesn’t charge for (e.g., double counting a double click, or adding up repeated use of the browser back button in a way that looks like multiple clicks have occurred). The firm also offers monitoring, analytics, and reporting tools that can uncover this kind of misperceived discrepancy.

Google contends that all invalid clicks (mistakes and fraud) represent less than 10 percent of all clicks, that the vast majority of these clicks are filtered out, and that Google doesn’t charge advertisers for clicks flagged as mistakes or suspicious.M. Lafsky, “Google and Click Fraud: Behind the Numbers,” New York Times, February 27, 2008. In fact, Google says their screening bar is so high and so accurate that less than 0.02 percent of clicks are reactively classified as invalid and credited back to advertisers.M. Jakobsson and Z. Ramzan, Crimeware: Understanding New Attacks and Defenses (Cupertino, CA: Symantec Press, 2008).

So who’s right? While it’s impossible to identify the intention behind every click, the market ultimately pays for performance. And advertisers are continuing to flock to PPC ad networks (and to Google in particular). While that doesn’t mean that firms can stop being vigilant, it does suggest that for most firms, Google seems to have the problem under control.

Key Takeaways

  • Fraud can undermine the revenue model behind search engines, ad networks, and the ad-based Internet. It also threatens honest competition among rivals that advertise online.
  • There are many forms of online fraud, including enriching fraud (meant to line the pockets of the perpetrators), depleting fraud (meant to waste the ad budgets of rivals), disbarring fraud (meant to frame the innocent as fraudsters), and methods to lower rival ad rank performance or game search engine ranking algorithms.
  • While fraudsters have devised ingenious ways to exploit the system (including click farms and zombie attacks), IP addresses and detailed usage pattern monitoring increasingly reveal bogus activity.
  • Fraud rates are widely disputed. However, it is clear that if widespread fraud were allowed to occur, advertisers would see lower ROI from online ad efforts, and Internet business models would suffer. The continued strength of the online advertising market suggests that while fraud may be impossible to stop completely, most fraud is under control.

Questions and Exercises

  1. Why is it difficult for an unscrupulous individual to pull off enriching click fraud simply by setting up a Web site, running ad network ads, and clicking?
  2. Why did hackers develop zombie networks? What advantage do they offer the criminals? How are they detected? Why do larger ad networks have an advantage in click fraud detection?
  3. How can you prevent zombies from inhabiting your computers? Are you reasonably confident you are “zombie-free?” Why or why not?
  4. What are spamdexing and keyword stuffing? What risks does a legitimate business run if it engages in these practices, and if they are discovered by search engines? What would this mean for the career of the manager who thought he could game the system?
  5. Which types of fraud can be attempted against search advertising? Which are perpetrated over its ad network?
  6. What are the consequences if click fraud were allowed to continue? Does this ultimately help or hurt firms that run ad networks? Why?

14.10 The Battle Unfolds

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the challenges of maintaining growth as a business and industry mature.
  2. Recognize how the businesses of many firms in a variety of industries are beginning to converge.
  3. Critically evaluate the risks and challenges of businesses that Google, Microsoft, and other firms are entering.
  4. Appreciate the magnitude of this impending competition, and recognize the competitive forces that will help distinguish winners from losers.

Google has been growing like gangbusters, but the firm’s twin engines of revenue growth—ads served on search and through its ad networks—will inevitably mature. And it will likely be difficult for Google to find new growth markets that are as lucrative as these. Emerging advertising outlets such as social networks and mobile have lower click-through rates than conventional advertising, suggesting that Google will have to work harder for less money.

For a look at what can happen when maturity hits, check out Microsoft. The House that Gates Built is more profitable than Google, and continues to dominate the incredibly lucrative markets served by Windows and Office. But these markets haven’t grown much for over a decade. In industrialized nations, most Windows and Office purchases come not from growth, but when existing users upgrade or buy new machines. And without substantial year-on-year growth, the stock price doesn’t move.

Figure 14.14 A Comparison of Roughly Five Years of Stock Price Change—Google (GOOG) versus Microsoft (MSFT)

For big firms like Microsoft and Google, pushing stock price north requires not just new markets, but billion-dollar ones. Adding even $100 million in new revenues doesn’t do much for firms bringing in $24 billion and $58 billion a year, respectively. That’s why you see Microsoft swinging for the fences, investing in the uncertain, but potentially gargantuan markets of video games, mobile phone software, cloud computing (see Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”), music and video, and of course, search and everything else that fuels online ad revenue.

Search: Google Rules, but It Ain’t Over

PageRank is by no means the last word in search, and offerings from Google and its rivals continue to evolve. Google supplements PageRank results with news, photos, video, and other categorizations (click the “Show options…” link above your next Google search). Yahoo! is continually refining its search algorithms and presentation (click the little “down” arrow at the top of the firm’s search results for additional categorizations and suggestions). And Microsoft’s third entry into the search market, the “decision engine” Bing, sports nifty tweaks for specific kinds of queries. Restaurant searches in Bing are bundled with ratings stars, product searches show up with reviews and price comparisons, and airline flight searches not only list flight schedules and fares, but also a projection on whether those fares are likely to go up or down. Bing also comes with a one-hundred-million-dollar marketing budget, showing that Microsoft is serious about moving its search market share out of the single digits. And in the weeks following Bing’s mid-2009 introduction, the search engine did deliver Microsoft’s first substantive search engine market share gain in years.

New tools like the Wolfram Alpha “knowledge engine” (and to a lesser extent, Google’s experimental Google Squared service) move beyond Web page rankings and instead aggregate data for comparison, formatting findings in tables and graphs. Web sites are also starting to wrap data in invisible tags that can be recognized by search engines, analysis tools, and other services. If a search engine can tell that a number on a restaurant’s Web site is, for example, a street address, an average entrée price, or the seating capacity, it will be much easier for computer programs to accurately categorize, compare, and present this information. This is what geeks are talking about when they refer to the semantic Web: sites that wrap data in invisible tags so that search engines, analysis tools, and other services can accurately categorize, compare, and present the information they find. All signs point to more innovation, more competition, and an increasingly useful Internet!
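The tagging idea above can be sketched in a few lines. The snippet below uses microdata-style attributes (the restaurant, its details, and the markup shown are all made up for illustration) and a small Python parser to show how a program could tell an address apart from a price once a page is tagged:

```python
from html.parser import HTMLParser

# A hypothetical restaurant page fragment with "invisible" semantic tags.
# The itemprop attributes don't change what a human visitor sees.
html = """
<div itemscope itemtype="https://schema.org/Restaurant">
  <span itemprop="name">Mario's Trattoria</span>
  <span itemprop="streetAddress">42 Elm St</span>
  Average entree: <span itemprop="priceRange">$18</span>
</div>
"""

class MicrodataParser(HTMLParser):
    """Collect itemprop name/value pairs so a program can tell an
    address apart from a price without guessing from context."""
    def __init__(self):
        super().__init__()
        self.current_prop = None
        self.data = {}

    def handle_starttag(self, tag, attrs):
        # Remember which semantic property (if any) the next text belongs to.
        self.current_prop = dict(attrs).get("itemprop")

    def handle_data(self, text):
        if self.current_prop and text.strip():
            self.data[self.current_prop] = text.strip()
            self.current_prop = None

parser = MicrodataParser()
parser.feed(html)
print(parser.data)
```

Untagged pages force search engines to guess whether “42” is an address, a price, or a table count; with the tags, the meaning comes along for free.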

Google and Microsoft are on a collision course. But there’s also an impressive roster of additional firms circling this space, each with the potential to be competitors, collaborators, merger partners, or all of the above. While wounded and shrinking, Yahoo! is still a powerhouse, ranking ahead of Google in some overall traffic statistics. Google’s competition with Apple in the mobile phone business prompted Google CEO Eric Schmidt to resign from Apple’s board of directors. Meanwhile, Google’s three-quarters-of-a-billion-dollar purchase of the leading mobile advertiser AdMob was quickly followed by Apple snapping up number two mobile ad firm Quattro Wireless for $275 million. Add in eBay, Facebook, Twitter, Amazon, Netflix, the video game industry, telecom and mobile carriers, cable firms, and the major media companies, and the next few years have the makings of a big, brutal fight.

Strategic Issues

Google’s scale advantages in search and its network effects advantages in advertising were outlined earlier. The firm also leads in search/ad experience and expertise and continues to offer a network reach that’s unmatched. But the strength of Google’s other competitive resources is less clear.

Within Google’s ad network, there are switching costs for advertisers and for content providers. Google partners have set up accounts and are familiar with the firm’s tools and analytics. Content providers would also need to modify Web sites to replace AdSense or DoubleClick ads with rivals. But choosing Google doesn’t cut out the competition. Many advertisers and content providers participate in multiple ad networks, making it easier to shift business from one firm to another. That likely means that Google will have to retain its partners by offering superior value.

Another vulnerability may exist with search consumers. While Google’s brand is strong, switching costs for search users are incredibly low. Move from Google to Bing and you actually save two letters of typing!

Still, there are no signs that Google’s search leadership is in jeopardy. So far users have been creatures of habit, returning to Google despite heavy marketing by rivals. And in Google’s first decade, no rival has offered technology compelling enough to woo away the googling masses—the firm’s share has only increased. Defeating Google with some sort of technical advantage will be difficult, since Web-based innovation can often be quickly imitated. Google now rolls out over 550 tweaks to its search algorithm annually, with many features mimicking or outdoing innovations from rivals.S. Levy, “Inside the Box,” Wired, March 2010.

The Google Toolbar helps reinforce search habits among those who have it installed, and Google has paid the Mozilla Foundation (the folks behind the Firefox browser) upwards of $66 million a year to serve as its default search option for the open source browser.S. Shankland, “Thanks, Google: Mozilla Revenue Hits $75 Million,” CNET, November 19, 2008. But Google’s track record in expanding reach through distribution deals is mixed. The firm spent nearly $1 billion to have MySpace run AdSense ads, but Google has publicly stated that social network advertising has not been as lucrative as it had hoped (see Chapter 8 “Facebook: Building a Business from the Social Graph”). The firm has also spent nearly $1 billion to have Dell preinstall its computers with the Google browser toolbar and Google desktop search products. But in 2009, Microsoft inked deals that displaced Google on Dell machines, and it also edged Google out in a five-year search contract with Verizon Wireless.N. Wingfield, “Microsoft Wins Key Search Deals,” Wall Street Journal, January 8, 2009.

How Big Is Too Big?

Microsoft could benefit from embedding its Bing search engine into its most popular products (imagine putting Bing in the right-click menu alongside cut, copy, and paste). But with Internet Explorer market share above 65 percent, Office above 80 percent, and Windows at roughly 90 percent,Data source:; and E. Montalbano, “Forrester: Microsoft Office in No Danger from Competitors,” InfoWorld, June 4, 2009. this seems unlikely.

European antitrust officials have already taken action against Redmond’s bundling Windows Media Player and Internet Explorer with Windows. Add in a less favorable antitrust climate in the United States, and tying any of these products to Bing is almost certainly out of bounds. What’s not clear is whether regulators would allow Bing to be bundled with less dominant Microsoft offerings, such as mobile phone software, Xbox, and MSN.

But increasingly, Google is also an antitrust target. Microsoft has itself raised antitrust concerns against Google, unsuccessfully lobbying both U.S. and European authorities to block the firm’s acquisition of DoubleClick.A. Broach, “On Capitol Hill, Google and Microsoft Spar over DoubleClick,” CNET, September 27, 2007; and D. Kawamoto and A. Broach, “EU Extends Review of Google-DoubleClick Merger,” CNET, November 13, 2007. Google was forced to abandon a fall 2008 search advertising partnership with Yahoo! after the Justice Department indicated its intention to block the agreement (Yahoo! and Microsoft have since inked a deal to share search technology and ad sales). The Justice Department is also investigating a Google settlement with the Authors’ Guild, a deal in which critics have suggested that Google scored a near monopoly on certain book scanning, searching, and data serving rights.S. Wildstrom, “Google Book Search and the Dog in the Manger,” BusinessWeek, April 18, 2009. And yet another probe is investigating whether Google colluded with Apple, Yahoo!, and other firms to limit efforts to hire away top talent.E. Buskirk, “Antitrust Probe to Review Hiring Practices at Apple, Google, Yahoo: Report,” Wired News, June 3, 2009.

Of course, being big isn’t enough to violate U.S. antitrust law. Howard Law’s Andrew Gavil says, “You’ve got to be big, and you have to be bad. You have to be both.”S. Lohr and M. Helft, “New Mood in Antitrust May Target Google,” New York Times, May 18, 2009. This may be a difficult case to make against a firm that has a history of being a relentless supporter of open computing standards. And as mentioned earlier, there is little forcing users to stick with Google—the firm must continue to win this market on its own merits. Some suggest regulators may see Google’s search dominance as an unfair advantage in promoting its related properties such as YouTube and Google Maps over those offered by rivalsF. Vogelstein, “Why Is Obama’s Top Antitrust Cop Gunning for Google?” Wired, July 20, 2009.—an advantage not unlike Microsoft’s use of Windows to promote Media Player and Internet Explorer. While Google may escape all of these investigations, increased antitrust scrutiny is a downside that comes along with the advantages of market-dominating scale.

More Ads, More Places, More Formats

Google has been a champion of increased Internet access. But altruism aside, more Net access also means a greater likelihood of ad revenue.

Google’s effort to catalyze Internet use worldwide comes through on multiple fronts. In the United States, Google has supported (with varying degrees of success) efforts to offer free Wi-Fi in San Francisco and Mountain View. In early 2010, Google announced it would offer high-speed, fiber-optic Net access to homes in select U.S. cities. The experimental network would offer competitively priced Internet access of up to 1 gigabit per second—that’s a speed some one hundred times faster than many Americans have access to today. The networks are meant to be open to other service providers, and Google hopes to learn and share insights on how to build high-speed networks more efficiently. Google will also be watching to see how access to ultrahigh-speed networks impacts user behavior and fuels innovation. Globally, Google is also a major backer (along with Liberty Global and HSBC) of the O3b satellite network. O3b stands for “the other three billion” of the world’s population who currently lack Internet access. O3b plans to have sixteen satellites circling the globe, blanketing underserved regions with low-latency (low-delay), high-speed Internet access.O. Malik, “Google Invests in Satellite Broadband Startup,” GigaOM, September 9, 2008. With Moore’s Law dropping computing costs as world income levels rise, Google hopes to empower the currently disenfranchised masses to start surfing. Good for global economies, good for living standards, and good for Google.

Another way Google can lower the cost of surfing is by giving mobile phone software away for free. That’s the thinking behind the firm’s Android offering. With Android, Google provides mobile phone vendors with a Linux-based operating system, supporting tools, standards, and an application marketplace akin to Apple’s App Store. Android itself isn’t ad-supported—there aren’t Google ads embedded in the OS. But the hope is that if handset manufacturers don’t have to write their own software, the cost of wireless mobile devices will go down. And cheaper devices mean that more users will have access to the mobile Internet, adding more ad-serving opportunities for Google and its partner sites.

Developers are now leveraging tailored versions of Android on a wide range of devices, including e-book readers, tablets, televisions, set-top boxes, and automobiles. Google has dabbled in selling ads for television (as well as radio and print), and there may be considerable potential in bringing variants of ad targeting technology, search, and a host of other services across these devices. In 2009, Google also announced the Chrome operating system—a direct challenge to Windows in the netbook PC market. Powered by a combination of open source Linux and Google’s open source Chrome browser, the Chrome OS is specifically designed to provide a lightweight but consistent user interface for applications that otherwise live in the cloud, preferably residing on Google’s server farms (see Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”).

Google has also successfully lobbied the U.S. government to force wireless telecom carriers to be more open, dismantling what are known in the industry as walled gardens: closed networks or single sets of services controlled by one dominant firm. Before Google’s lobbying efforts, mobile carriers could act as gatekeepers, screening out hardware providers and software services from their networks. Now, paying customers of carriers that operate over the recently allocated U.S. wireless spectrum will have access to a choice of hardware and less restrictive access to Web sites and services. And Google hopes this expands its ability to compete without obstruction.


Then there’s Internet video, with Google in the lead here too. It’s tough to imagine any peer-produced video site displacing YouTube. Users go to YouTube because there’s more content, while amateur content providers go there seeking more users (classic two-sided network effects). This critical advantage was the main reason why, in 2006, Google paid $1.65 billion for what was then just a twenty-month-old start-up.

That popularity comes at a price. Even with falling bandwidth and storage costs, at twenty hours of video uploaded to YouTube every minute, the cost to store and serve this content is cripplingly large.E. Nakashima, “YouTube Ordered to Release User Data,” Washington Post, July 4, 2008. Credit Suisse estimates that in 2009, YouTube will bring in roughly $240 million in ad revenue, pitted against $711 million in operating expenses. That’s a shortfall of more than $470 million. Analysts estimate that for YouTube to break even, it would need to achieve an ad CPM of $9.48 on each of the roughly seventy-five billion streams it’ll serve up this year. A tough task. For comparison, Hulu (a site that specializes in offering ad-supported streams of television shows and movies) earns CPM rates of thirty dollars and shares about 70 percent of this with copyright holders. Most user-generated content sports CPM rates south of a buck.B. Wayne, “YouTube Is Doomed,” Silicon Alley Insider, April 9, 2009. Some differ with the Credit Suisse report—RampRate pegs the losses at $174 million. In fact, it may be in Google’s interest to allow others to think of YouTube as more of a money pit than it really is. That perception might keep rivals away longer, allowing the firm to solidify its dominant position while getting the revenue model right. Even as a public company, Google can keep mum about YouTube specifics. Says the firm’s CFO, “We know our cost position, but nobody else does.”“How Can YouTube Survive?” Independent, July 7, 2009.
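The break-even arithmetic behind the $9.48 figure is simple: CPM is ad revenue per thousand impressions, so the required rate is estimated costs divided by the number of thousand-stream blocks served. A quick sanity check using the analysts’ estimates quoted above:

```python
# Sanity-check the Credit Suisse break-even math quoted in the text.
# CPM = ad revenue per thousand streams served.
streams = 75_000_000_000          # ~75 billion streams in 2009 (estimate)
operating_expenses = 711_000_000  # estimated 2009 operating expenses, in dollars
actual_revenue = 240_000_000      # estimated 2009 ad revenue, in dollars

# Break-even CPM: the revenue needed per 1,000 streams to cover costs.
break_even_cpm = operating_expenses / (streams / 1_000)
print(f"Break-even CPM: ${break_even_cpm:.2f}")   # matches the $9.48 in the text

# The gap between estimated revenue and costs:
print(f"Shortfall: ${operating_expenses - actual_revenue:,}")
```

At the sub-$1 CPMs typical of user-generated content, the gulf between the roughly $1 actually earned per thousand streams and the $9.48 needed makes the scale of the challenge plain.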

The explosion of video uploading is also adding to costs as more cell phones become Net-equipped video cameras. YouTube’s mobile uploads were up 400 percent in just the first week following the launch of the video-capturing iPhone 3GS.J. Kincaid, “YouTube Mobile Uploads Up 400% Since iPhone 3GS Launch,” TechCrunch, June 25, 2009. Viewing will also skyrocket as mobile devices and television sets ship with YouTube access, adding to revenue potential. The firm is still experimenting with ad models—these include traditional banner and text ads, plus ads transparently layered across the bottom 20 percent of the screen, preroll commercials that appear before the selected video, and more. Google has both the money and time to invest in nurturing this market, and it continues to be hesitant in saturating the media with ads that may annoy users and constrain adoption.

Apps and Innovation

In 2007 the firm announced a tagline to sum up its intentions: “search, ads, and apps.” Google is king of the first two, but this last item hasn’t matured to the point where it impacts the firm’s financials.

Experimentation and innovation are deeply ingrained in Google’s tech-centric culture, and this has led to a flood of product offerings. Google released more than 360 products in 2008, and another 120 in Q1 2009.M. Shiels, “Google Unveils ‘Smarter Search,’” BBC News, May 13, 2009. It’s also cancelled several along the way, including Jaiku (which couldn’t beat Twitter), Google Video (which was superseded by the YouTube acquisition), and a bunch more you’ve likely not heard of, like Dodgeball, Notebook, Catalog Search, and Mashup Editor.R. Needleman, “Google Killing Jaiku, Dodgeball, Notebook, Other Projects,” CNET, January 14, 2009.

What’s Google Up To?

With all this innovation, it’s tough to stay current with Google’s cutting-edge product portfolio. But the company does offer “beta” releases of some projects, and invites the public to try out and comment on its many experiments. To see some of these efforts in action, visit the Google Labs site; for a current list of more mature offerings, check out Google’s products page.

Google’s “Apps” are mostly Web-based software-as-a-service offerings. Apps include an Office-style suite that sports a word processor, presentation tool, and spreadsheet, all served through a browser. While initially clunky, the products are constantly being refined. The spreadsheet product, for example, has been seeing new releases every two weeks, with features such as graphing and pivot tables inching it closer in capabilities to desktop alternatives.D. Girouard, “Google Inc. Presentation” (Bank of America and Merrill Lynch 2009 Technology Conference, New York, June 4, 2009). And new browser standards, such as HTML 5, will make it even easier for what lives in the browser to mimic what you’re currently using on your desktop, even allowing apps to be used offline when Net access isn’t available. That’ll be critical as long as Internet access is less reliable than your hard drive, but online collaboration is where these products can really excel (no pun intended). Most Google apps allow not only group viewing, but also collaborative editing, common storage, and version control. Google’s collaboration push also includes its wiki-like Google Sites tool, and a new platform called Wave, billed as a sort of next-step evolution beyond e-mail and instant messaging.

Unknown is how much money Google will make off all of this. Consumers and small businesses have free access to these products, with usage for up to fifty users funded by in-app ads. But is there much of a market serving ads to people working on spreadsheets? Enterprises can gain additional, ad-free licenses for a fee. While users have been reluctant to give up Microsoft Office, many have individually migrated to Google’s Web-based e-mail and calendar tools. Google’s enterprise apps group will now do the same thing for organizations, acting as a sort of outsourcer by running e-mail, calendar, and other services for a firm; all while handling upgrades, spam screening, virus protection, backup, and other administrative burdens. Arizona State University, biotech giant Genentech, and auto parts firm Valeo are among the Google partners that have signed on to make the firm’s app offerings available to thousands.S. Coughlin, “Google’s E-mail for Universities,” BBC News, June 11, 2007; Q. Hardy, “Google Muscles Further into Business Software,” Forbes, February 28, 2008; and T. Claburn, “Google’s Cloud Evangelism Converts Enterprise Customers,” InformationWeek, May 13, 2009.

And of course, Microsoft won’t let Google take this market without a fight. Office 10 was announced along with simplified, free, ad-supported, Web-based online versions of Word, Excel, PowerPoint, and OneNote; and Microsoft can also migrate applications like e-mail and calendaring off corporate computers and onto Microsoft’s server farms.

Google’s Global Reach and the Censorship Challenge

In the spring of 2010, Google clashed publicly with the government of China, a nation that many consider to be the world’s most potentially lucrative market. For the previous four years and at the request of the Chinese government, Google had censored results returned from the firm’s Chinese Google.cn domain (e.g., an image search on the term “Tiananmen” showed kite flying on Google.cn, but protestors confronting tanks on Google.com). However, when reports surfaced of Chinese involvement in hacking attempts against Google and at least twenty other U.S. companies and human rights dissidents, the firm began routing traffic outside the country. The days that followed saw access to a variety of Google services blocked within China, restricted by what many call the government’s “Great Firewall of China.”

Speaking for Google, the firm’s deputy counsel Nicole Wong states, “We are fundamentally guided by the belief that more information for our users is ultimately better.” But even outside of China, Google continues to wrestle with the tension between its interest in providing unfettered access to information and the radically divergent laws, regulations, and cultural expectations of host nations. Google has been prompted to block access to its services at some point in at least twenty-five of the one hundred countries the firm operates in.

The kind of restriction varies widely. French, German, and Polish law requires Google to prohibit access to Nazi content. Turkish law requires Google to block access to material critical of the nation’s founder. Content mocking that nation’s king is similarly blocked in Thailand. In India, Google has been prompted to edit forums or remove comments flagged by the government as violating restrictions against speech that threatens public order or is otherwise considered indecent or immoral. At the extreme end of the spectrum, Vietnam, Saudi Arabia, and Iran have aggressively moved to restrict access to wide swaths of Internet content.

Google usually waits for governments to notify it that offensive content must be blocked. This moves the firm from proactive to reactive censorship. Still, this doesn’t isolate the company from legal issues. Italian courts went after YouTube executives after a video showing local teenagers tormenting an autistic child remained online long enough to garner thousands of views.

In the United States, Google’s organic results often reveal content that would widely be viewed as offensive. In the most extreme cases, the firm has run ads alongside these results with the text, “Offensive Search Results: We’re disturbed about these results as well. Please read our note here.”

Other Internet providers have come under similar scrutiny, and technology managers will continue to confront similar ethically charged issues as they consider whether to operate in new markets. But Google’s dominant position puts it at the center of censorship concerns. The threat is ultimately that the world’s chief information gateway might also become “the Web’s main muzzle.”

It’s not until Google’s many initiatives are considered in their entirety that one gets a sense of what the firm has the potential to achieve. It’s possible that increasing numbers of users worldwide will adopt light, cheap netbooks and other devices powered by free Google software (Android, Google’s Chrome browser, and the Chrome OS). Productivity apps, e-mail, calendaring, and collaboration tools will all exist in the cloud, accessible through any browser, with files stored on Google’s servers in a way that minimizes hard drive needs. Google will entertain you, help you find the information you need, help you shop, handle payment (Google Checkout), and more. And the firms you engage online may increasingly turn to Google to replace their existing hardware and software infrastructure with corporate computing platforms like Google App Engine (see Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”). All of this would be based on open standards, but switching costs, scale, and increasing returns from expertise across these efforts could yield enormous advantages.

Studying Google allowed us to learn about search and the infrastructure that powers this critical technology. We’ve studied the business of ads, covering search advertising, ad networks, and ad targeting in a way that blends strategic and technology issues. And we’ve covered the ethical, legal, growth, and competitive challenges that Google and its rivals face. Studying Google in this context should not only help you understand what’s happening today, it should also help you develop critical thinking skills for assessing the opportunities and threats that will emerge across industries as technologies continue to evolve.

Key Takeaways

  • For over a decade, Google’s business has been growing rapidly, but that business is maturing.
  • Slower growth will put pressure on the firm’s stock price, so a firm Google’s size will need to pursue very large, risky, new markets—markets that are also attractive to well-financed rivals, smaller partners, and entrepreneurs.
  • Rivals continue to innovate in search. Competing with technology is extremely difficult, since it is often easy for a firm to mimic the innovations of a pioneer with a substitute offering. Microsoft, with profits to invest in infrastructure, advertising, and technology, may pose Google’s most significant, conventional threat.
  • Although Microsoft has many distribution channels (Windows, Internet Explorer, Office) for its search and other services, European and U.S. regulators will likely continue to prevent the firm from aggressive product and service bundling.
  • Google is investing heavily in methods that promote wider Internet access. These include offering free software to device manufacturers, and several telecommunications and lobbying initiatives meant to lower the cost of getting online. The firm hopes that more users spending more time online will allow it to generate more revenue through ads and perhaps other services.
  • YouTube demonstrates how a firm can create a large and vastly influential business in a short period of time, but that businesses that host and serve large files of end-user content can be costly.
  • Google, Microsoft, and smaller rivals are also migrating applications to the Web, allowing Office-style software to execute within a browser, with portions of this computing experience and storage happening off a user’s computer, “in the cloud” of the Internet. Revenue models for this business are also uncertain.
  • With scale and influence comes increased governmental scrutiny. Google has increasingly become a target of antitrust regulators. The extent of this threat is unclear. Google’s extreme influence is clear. However, the firm’s software is based on open standards; competitors have a choice in ad networks, search engines, and other services; switching costs are relatively low; users and advertisers aren’t locked into exclusive contracts for the firm’s key products and services; and there is little evidence of deliberate, predatory pricing or other “red-flag” activity that usually brings government regulation.

Questions and Exercises

  1. Perform identical queries on both Google and on rival search engines. Try different categories (research for school projects, health, business, sports, entertainment, local information). Which sites do you think give you the better results? Why? Would any of these results cause you to switch to one search engine versus the other?
  2. Investigate new services that attempt to extend the possibilities for leveraging online content. Visit Bing, Google Squared, Wolfram Alpha, and any other such efforts that intrigue you. Assume the role of a manager and use these engines to uncover useful information. Assume your role as a student and see if these tools provide valuable information for this or other classes. Are you likely to use these tools in the future? Why or why not? Under what circumstances are they useful and when do they fall short?
  3. Assume the role of an industry analyst: Consider the variety of firms mentioned in this section that may become competitors or partners. Create a chart listing your thoughts on which firms are likely to collaborate and work together, and which firms are likely to compete. What are the advantages or risks in these collaborations for the partners involved? Do you think any of these firms are “acquisition bait?” Defend your predictions and be prepared to discuss them with your class.
  4. Assume the role of an IT manager: to the extent that you can, evaluate online application offerings by Google, Microsoft, and rivals. In your opinion, are these efforts ready for prime time? Why or why not? Would you recommend that a firm choose these applications? Are there particular firms or users that would find these alternatives particularly appealing? Would you ever completely replace desktop offerings with online ones? Why or why not?
  5. Does it make sense for organizations to move their e-mail and calendaring services off their own machines and pay Google, Microsoft, or someone else to run them? Why or why not?
  6. What are Chrome, the Chrome OS, and Android? Are these software products successful in their respective categories? Investigate the state of the market for products that leverage any of these software offerings. Would you say that they are successful? Why or why not? What do you think the outlook is for Chrome, the Chrome OS, and Android? As an IT manager, would you recommend products based on this software? As an investor, do you think it continues to make sense for Google to develop these efforts? Why or why not?
  7. Google’s unofficial motto is “Don’t be evil.” But sometimes it’s challenging for managers to tell what path is “most right” or “least wrong.” Google operates in countries that require the firm to screen and censor results. Short term, this is clearly a limitation on freedom of speech. But long-term, access to the Internet could catalyze economic development and spread information in a way that leads to more democratization. Investigate and consider both of these arguments and be prepared to argue the case either for limiting work in speech-limiting countries, or in working within them as a potential agent of change. What other pressures is a publicly traded firm under to choose one path or the other? Which path would you choose and why?

Chapter 13: Information Security: Barbarians at the Gateway

13.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize that information security breaches are on the rise.
  2. Understand the potentially damaging impact of security breaches.
  3. Recognize that information security must be made a top organizational priority.

Sitting in the parking lot of a Minneapolis Marshalls, a hacker armed with a laptop and a telescope-shaped antenna infiltrated the store’s network via an insecure Wi-Fi base station.Particular thanks goes to my Boston College colleague, Professor Sam Ransbotham, whose advice, guidance, and suggestions were invaluable in creating this chapter. Any errors or omissions are entirely my own. The attack launched what would become a billion-dollar-plus nightmare scenario for TJX, the parent of retail chains that include Marshalls, Home Goods, and T. J. Maxx. Over a period of several months, the hacker and his gang stole at least 45.7 million credit and debit card numbers and pilfered driver’s licenses and other private information from an additional 450,000 customers.R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009.

TJX, at the time a $17.5 billion Fortune 500 firm, was left reeling from the incident. The attack deeply damaged the firm’s reputation. It burdened customers and banking partners with the time and cost of reissuing credit cards. And TJX suffered under settlement costs, payouts from court-imposed restitution, legal fees, and more. The firm estimated that it spent more than $150 million to correct security problems and settle with consumers affected by the breach, and that was just the tip of the iceberg. Estimates peg TJX’s overall losses from this incident at between $1.35 billion and $4.5 billion.A. Matwyshyn, Harboring Data: Information Security, Law, and the Corporation (Palo Alto, CA: Stanford University Press, 2009).

A number of factors led to and amplified the severity of the TJX breach. There was a personnel betrayal: the mastermind was an alleged FBI informant who previously helped bring down a massive credit card theft scheme but then double-crossed the Feds and used insider information to help his gang outsmart the law and carry out subsequent hacks.D. Goldman, “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009. There was a technology lapse: TJX made itself an easy mark by using WEP, a wireless security technology less secure than the stuff many consumers use in their homes—one known for years to be trivially compromised by the kind of “drive-by” hacking initiated by the perpetrators. And there was a procedural gaffe: retailers were in the process of rolling out a security rubric known as the Payment Card Industry Data Security Standard. Despite an industry deadline, however, TJX had requested and received an extension, delaying the rollout of mechanisms that might have discovered and plugged the hole before the hackers got in.G. Anthes, “The Grill: Security Guru Ira Winkler Takes the Hot Seat,” Computerworld, July 28, 2008.

The massive impact of the TJX breach should make it clear that security must be a top organizational priority. Attacks are on the rise. In 2008, more electronic records were breached than in the previous four years combined.R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. While the examples and scenarios presented here are shocking, the good news is that the vast majority of security breaches can be prevented. Let’s be clear from the start: no text can provide an approach that will guarantee that you’ll be 100 percent secure. And that’s not the goal of this chapter. The issues raised in this brief introduction can, however, help make you aware of vulnerabilities; improve your critical thinking regarding current and future security issues; and help you consider whether a firm has technologies, training, policies, and procedures in place to assess risks, lessen the likelihood of damage, and respond in the event of a breach. A constant vigilance regarding security needs to be part of your individual skill set and a key component in your organization’s culture. An awareness of the threats and approaches discussed in this chapter should help reduce your chance of becoming a victim.

As we examine security issues, we’ll first need to understand what’s happening, who’s doing it, and what their motivation is. We’ll then examine how these breaches are happening with a focus on technologies and procedures. Finally, we’ll sum up with what can be done to minimize the risks of being victimized and quell potential damage of a breach for both the individual and the organization.

Key Takeaways

  • Information security is everyone’s business and needs to be made a top organizational priority.
  • Firms suffering a security breach can experience direct financial loss, exposed proprietary information, fines, legal payouts, court costs, damaged reputations, plummeting stock prices, and more.
  • Information security isn’t just a technology problem; a host of personnel and procedural factors can create and amplify a firm’s vulnerability.

Questions and Exercises

  1. As individuals or in groups assigned by your instructor, search online for recent reports on information security breaches. Come to class prepared to discuss the breach, its potential impact, and how it might have been avoided. What should the key takeaways be for managers studying your example?
  2. Think of firms that you’ve done business with online. Search to see if these firms have experienced security breaches in the past. What have you found out? Does this change your attitude about dealing with the firm? Why or why not?
  3. What factors were responsible for the TJX breach? Who was responsible for the breach? How do you think the firm should have responded?

13.2 Why Is This Happening? Who Is Doing It? And What’s Their Motivation?

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the source and motivation of those initiating information security attacks.
  2. Relate examples of various infiltrations in a way that helps raise organizational awareness of threats.

Thieves, vandals, and other bad guys have always existed, but the environment has changed. Today, nearly every organization is online, making any Internet-connected network a potential entry point for the growing worldwide community of computer criminals. Software and hardware solutions are also more complex than ever. Different vendors, each with their own potential weaknesses, provide technology components that may be compromised by misuse, misconfiguration, or mismanagement. Corporations have become data packrats, hoarding information in hopes of turning bits into bucks by licensing databases, targeting advertisements, or cross-selling products. And flatter organizations also mean that lower-level employees may be able to use technology to reach deep into corporate assets—amplifying threats from operator error, a renegade employee, or one compromised by external forces.

There are a lot of bad guys out there, and motivations vary widely, including the following:

  • Account theft and illegal funds transfer
  • Stealing personal or financial data
  • Compromising computing assets for use in other crimes
  • Extortion
  • Espionage
  • Cyberwarfare
  • Terrorism
  • Pranksters
  • Protest hacking (hacktivism)
  • Revenge (disgruntled employees)

Criminals have stolen more than $100 million from U.S. banks in the first three quarters of 2009, and they did it “without drawing a gun or passing a note to a teller.”S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009. While some steal cash for their own use, others resell their hacking take to others. There is a thriving cybercrime underworld market in which data harvestersCybercriminals who infiltrate systems and collect data for illegal resale. sell to cash-out fraudstersFirms that purchase assets from data harvesters. Actions may include using stolen credit card numbers to purchase goods, creating fake accounts via identity fraud, and more.: criminals who might purchase data from the harvesters in order to buy (then resell) goods using stolen credit cards or create false accounts via identity theft. These collection and resale operations are efficient and sophisticated. Law enforcement has taken down sites like DarkMarket and ShadowCrew, in which card thieves and hacking tool peddlers received eBay-style seller ratings vouching for the “quality” of their wares.R. Singel, “Underground Crime Economy Healthy, Security Group Finds,” Wired, November 24, 2008.

Hackers might also infiltrate computer systems to enlist hardware for subsequent illegal acts. A cybercrook might deliberately hop through several systems to make his path difficult to follow, slowing cross-border legal pursuit or even thwarting prosecution if launched from nations without extradition agreements.

In fact, your computer may be up for rent by cyber thieves right now. BotnetsHordes of surreptitiously infiltrated computers, linked and controlled remotely. Also known as zombie networks. of zombie computers (networks of infiltrated and compromised machines controlled by a central command) are used for all sorts of nefarious activity. This includes sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click fraud efforts or staging what’s known as distributed denial of service (DDoS)An attack where a firm’s computer systems are flooded with thousands of seemingly legitimate requests, the sheer volume of which will slow or shut down the site’s use. DDoS attacks are often performed via botnets. attacks (effectively shutting down Web sites by overwhelming them with a crushing load of seemingly legitimate requests sent simultaneously by thousands of machines). Botnets have been discovered that are capable of sending out 100 billion spam messages a day,K. J. Higgins, “SecureWorks Unveils Research on Spamming Botnets,” DarkReading, April 9, 2008. and botnets as large as 10 million zombies have been identified. Such systems theoretically control more computing power than the world’s fastest supercomputers.B. Krebs, “Storm Worm Dwarfs World’s Top Supercomputer,” Washington Post, August 31, 2007.

Extortionists might leverage botnets or hacked data to demand payment to avoid retribution. Three eastern European gangsters used a botnet and threatened DDoS attacks to extort $4 million from UK sports bookmakers,Trend Micro, “Web Threats Whitepaper,” March 2008. while an extortion plot against the state of Virginia threatened to reveal names, Social Security numbers, and prescription information stolen from a medical records database.S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009. Competition has also lowered the price to inflict such pain. BusinessWeek reports that the cost of renting out ten thousand machines, enough to cripple a site like Twitter, has tumbled to just $200 a day.J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.

Corporate espionage might be performed by insiders, rivals, or even foreign governments. Gary Min, a scientist working for DuPont, was busted when he tried to sell information valued at some $400 million, including R&D documents and secret data on proprietary products.J. Vijayan, “Software Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,” Computerworld, July 10, 2007. Spies also breached the $300 billion U.S. Joint Strike Fighter project, siphoning off terabytes of data on navigation and other electronics systems.S. Gorman, A. Cole, and Y. Dreazen. “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009.

Cyberwarfare has become a legitimate threat, with several attacks demonstrating how devastating technology disruptions by terrorists or a foreign power might be. Brazil has seen hacks that cut off power to millions.

The 60 Minutes news program showed a demonstration by “white hat” hackers that could compromise a key component in an oil refinery, force it to overheat, and cause an explosion. Taking out key components of the vulnerable U.S. power grid may be particularly devastating, as the equipment is expensive, much of it is no longer made in the United States, and some components may take three to four months to replace.S. Kroft, “Cyberwar: Sabotaging the System,” 60 Minutes, November 8, 2009.

“Hacker”: Good or Bad?

The terms hackerA term that, depending on the context, may be applied to either 1) someone who breaks into computer systems, or 2) to a particularly clever programmer. and hackA term that may, depending on the context, refer to either 1) breaking into a computer system, or 2) a particularly clever solution. are widely used, but their meaning is often based on context. When referring to security issues, the media widely refers to hackers as bad guys who try to break into (hack) computer systems. Some geezer geeks object to this use, as the term hack in computer circles originally referred to a clever (often technical) solution and the term hacker referred to a particularly skilled programmer. Expect to see the terms used both positively and negatively.

You might also encounter the terms white hat hackersSomeone who uncovers computer weaknesses without exploiting them. The goal of the white hat hacker is to improve system security. and black hat hackersA computer criminal.. The white hats are the good guys who probe for weaknesses, but don’t exploit them. Instead, they share their knowledge in hopes that the holes they’ve found will be plugged and security will be improved. Many firms hire consultants to conduct “white hat” hacking expeditions on their own assets as part of their auditing and security process. “Black hats” are the bad guys. Some call them “crackers.” There’s even a well-known series of hacker conventions known as the Black Hat conference.

Other threats come from malicious pranksters, like the group that posted seizure-inducing images on Web sites frequented by epilepsy sufferers.M. Schwartz, “The Trolls among Us,” New York Times, August 3, 2008. Others are hacktivistsA protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage., targeting firms, Web sites, or even users as a protest measure. In 2009, Twitter was brought down and Facebook and LiveJournal were hobbled as Russian-sympathizing hacktivists targeted the social networking and blog accounts of the Georgian blogger known as Cyxymu. The silencing of millions of accounts was simply collateral damage in a massive DDoS attack meant to mute this single critic of the Russian government.J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.

And as power and responsibility are concentrated in the hands of a few, revenge-seeking employees can do great damage. The San Francisco city government lost control of a large portion of its own computer network over a ten-day period when a single disgruntled employee refused to divulge critical passwords.J. Vijayan, “After Verdict, Debate Rages in Terry Childs Case,” Computerworld, April 28, 2010.

The bad guys are legion and the good guys often seem outmatched and underresourced. Law enforcement agencies dealing with computer crime are increasingly outnumbered, outskilled, and underfunded. Many agencies are staffed with technically weak personnel who were trained in a prior era’s crime fighting techniques. Governments can rarely match the pay scale and stock bonuses offered by private industry. Organized crime networks now have their own R&D labs and are engaged in sophisticated development efforts to piece together methods to thwart current security measures.

Key Takeaways

  • Computer security threats have moved beyond the curious teen with a PC and are now sourced from a number of motivations, including theft, leveraging compromised computing assets, extortion, espionage, warfare, terrorism, pranks, protest, and revenge.
  • Threats can come from both within the firm as well as from the outside.
  • Cybercriminals operate in an increasingly sophisticated ecosystem where data harvesters and tool peddlers leverage sophisticated online markets to sell to cash-out fraudsters and other crooks.
  • Technical and legal complexity make pursuit and prosecution difficult.
  • Many law enforcement agencies are underfunded, underresourced, and underskilled to deal with the growing hacker threat.

Questions and Exercises

  1. What is a botnet? What sorts of exploits would use a botnet? Why would a botnet be useful to cybercriminals?
  2. Why are threats to the power grid potentially so concerning? What are the implications of power-grid failure and of property damage? Who might execute these kinds of attacks? What are the implications for firms and governments planning for the possibility of cyberwarfare and cyberterror?
  3. Scan the trade press for examples of hacking that apply to the various motivations mentioned in this chapter. What happened to the hacker? Were they caught? What penalties do they face?
  4. Why do cybercriminals execute attacks across national borders? What are the implications for pursuit, prosecution, and law enforcement?
  5. Why do law enforcement agencies struggle to cope with computer crime?
  6. A single rogue employee effectively held the city of San Francisco’s network hostage for ten days. What processes or controls might the city have created that could have prevented this kind of situation from taking place?

13.3 Where Are Vulnerabilities? Understanding the Weaknesses

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize the potential entry points for security compromise.
  2. Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more.
  3. Identify various methods and techniques to thwart infiltration.

Figure 13.1

This diagram shows only some of the potential weaknesses that can compromise the security of an organization’s information systems. Every physical or network “touch point” is a potential vulnerability. Understanding where weaknesses may exist is a vital step toward improved security.

Modern information systems have lots of interrelated components, and if one of these components fails, there might be a way in to the goodies. This creates a large attack surface for potential infiltration and compromise, as well as one that is simply vulnerable to unintentional damage and disruption.

User and Administrator Threats

Bad Apples

While some of the more sensational exploits involve criminal gangs, research firm Gartner estimates that 70 percent of loss-causing security incidents involve insiders.J. Mardesich, “Ensuring the Security of Stored Data,” CIO Strategy Center, 2009. Rogue employees can steal secrets, install malware, or hold a firm hostage. Check processing firm Fidelity National Information Services was betrayed when one of its database administrators lifted personal records on 2.3 million of the firm’s customers and illegally sold them to direct marketers.

And it’s not just firm employees. Many firms hire temporary staffers, contract employees, or outsource key components of their infrastructure. Other firms have been compromised by members of their cleaning or security staff. A contract employee working at Sentry Insurance stole information on 110,000 of the firm’s clients.J. Vijayan, “Software Consultant Who Stole Data on 110,000 People Gets Five-Year Sentence,” Computerworld, July 10, 2007.

Social Engineering

As P. T. Barnum is reported to have said, “There’s a sucker born every minute.” Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as social engineering in security circles. In some ways, crooks have never had easier access to background information that might be used to craft a scam. It’s likely that a directory of a firm’s employees, their titles, and other personal details is online right now via social networks like LinkedIn and Facebook. With just a few moments of searching, a skilled con artist can piece together a convincing and compelling story.

A Sampling of Methods Employed in Social Engineering

  • Impersonating senior management, a current or new end user needing help with access to systems, investigators, or staff (fake uniforms, badges)
  • Identifying a key individual by name or title as a supposed friend or acquaintance
  • Making claims with confidence and authority (“Of course I belong at this White House dinner.”)
  • Baiting someone to add, deny, or clarify information that can help an attacker
  • Using harassment, guilt, or intimidation
  • Using an attractive individual to charm others into gaining information, favors, or access
  • Setting off a series of false alarms that cause the victim to disable alarm systems
  • Answering bogus surveys (e.g., “Win a free trip to Hawaii—just answer three questions about your network.”)

Data aggregator ChoicePoint sold private information to criminals who posed as legitimate clients, compromising the names, addresses, and Social Security numbers of some 145,000 individuals. In this breach, not a single computer was compromised. Employees were simply duped into turning data over to crooks. Gaffes like that can be painful. ChoicePoint paid $15 million in a settlement with the Federal Trade Commission, suffered customer loss, and ended up abandoning once lucrative businesses.G. Anthes, “The Grill: Security Guru Ira Winkler Takes the Hot Seat,” Computerworld, July 28, 2008.

Phishing

PhishingA con executed using technology, typically targeted at acquiring sensitive information or tricking someone into installing malicious software. refers to cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information. The cons are crafty. Many have masqueraded as a security alert from a bank or e-commerce site (“Our Web site has been compromised, click to log in and reset your password.”), a message from an employer, or even a notice from the government (“Click here to update needed information to receive your tax refund transfer.”). Sophisticated con artists will lift logos, mimic standard layouts, and copy official language from legitimate Web sites or prior e-mails. Gartner estimates that these sorts of phishing attacks cost consumers $3.2 billion in 2007.L. Avivah, “Phishing Attacks Escalate, Morph, and Cause Considerable Damage,” Gartner, December 12, 2007.

Other phishing attempts might dupe a user into unwittingly downloading dangerous software (malware) that can do things like record passwords and keystrokes, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet. One attempt masqueraded as a message from a Facebook friend, inviting the recipient to view a video. Victims clicking the link were then told they needed to install an updated version of the Adobe Flash plug-in to view the clip. The plug-in was really a malware program that gave phishers control of the infected user’s computer.B. Krebs, “‘Koobface’ Worm Resurfaces on Facebook, MySpace,” Washington Post, March 2, 2009. Other attempts have populated P2P networks (peer-to-peer file distribution systems such as BitTorrent) with malware-installing files masquerading as video games or other software, movies, songs, and pornography.

So-called spear phishing attacks specifically target a given organization or group of users. In one incident, employees of a medical center received e-mails purportedly from the center itself, indicating that the recipient was being laid off and offering a link to job counseling resources. The link really offered a software payload that recorded and forwarded any keystrokes on the victim’s PC.C. Garretson, “Spam that Delivers a Pink Slip,” NetworkWorld, November 1, 2006. And with this type of phishing, the more you know about a user, the more convincing it is to con them. Phishers using pilfered résumé information crafted targeted and personalized e-mails. The request, seemingly from the job site, advised users to download the “Monster Job Seeker Tool”; this “tool” installed malware that encrypted files on the victim’s PC, leaving a ransom note demanding payment to liberate the victim’s hard disk.T. Wilson, “Trojan On Steals Personal Data,” Forbes, August 20, 2007.

Don’t Take the Bait: Recognizing the “Phish Hooks”

Web browser developers, e-mail providers, search engines, and other firms are actively working to curtail phishing attempts. Many firms create blacklists that block access to harmful Web sites and increasingly robust tools screen for common phishing tactics. But it’s still important to have your guard up. Some exploits may be so new that they haven’t made it into screening systems (so-called zero-day exploits).

Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don’t implicitly trust the “from” address in an e-mail. It’s possible that the e-mail address has been spoofedTerm used in security to refer to forging or disguising the origin or identity. E-mail transmissions and packets that have been altered to seem as if they came from another source are referred to as being “spoofed.” (faked) or that it was sent via a colleague’s compromised account. If unsure, contact the sender or your security staff.

Also know how to read the complete URL to look for tricks. Some firms misspell Web address names (—note the missing period), set up subdomains to trick the eye (—which is hosted at even though a quick glance looks like, or hijack brands by registering a legitimate firm’s name via foreign top-level domains (

A legitimate URL might also appear in a phishing message, but an HTML coding trick might make something that looks like actually link to Hovering your cursor over the URL or an image connected to a link should reveal the actual URL as a tool tip (just don’t click it, or you’ll go to that site).

Figure 13.2

This e-mail message looks like it’s from Bank of America. However, hovering the cursor above the “Continue to Log In” button reveals the URL without clicking through to the site. Note how the actual URL associated with the link is not associated with Bank of America.

Figure 13.3

This image is from a phishing scheme masquerading as an eBay message. The real destination is a compromised .org domain unassociated with eBay, but the phishers have created a directory at this domain named “” in hopes that users will focus on that part of the URL and not recognize they’re really headed to a non-eBay site.

Web 2.0: The Rising Security Threat

Social networks and other Web 2.0 tools are a potential gold mine for crooks seeking to pull off phishing scams. Malware can send messages that seem to come from trusted “friends.” Messages such as status updates and tweets are short, and with limited background information, there is less context to question a post’s validity. Many users leverage or other URL-shortening services that don’t reveal the Web site they link to in their URL, making it easier to hide a malicious link. While the most popular URL-shortening services maintain a blacklist, early victims are threatened by zero-day exploitsAttacks that are so new that they haven’t been clearly identified, and so they haven’t made it into security screening systems.. Criminals have also been using a variety of techniques to spread malware across sites or otherwise make them difficult to track and catch.

Some botnets have even used Twitter to communicate by sending out coded tweets to instruct compromised machines.UnsafeBits, “Botnets Go Public by Tweeting on Twitter,” Technology Review, August 17, 2009. Social media can also be a megaphone for loose lips, enabling a careless user to broadcast proprietary information to the public domain. A 2009 Congressional delegation to Iraq led by House Minority Leader John Boehner was supposed to have been secret. But Rep. Peter Hoekstra tweeted his final arrival into Baghdad for all to see, apparently unable to contain his excitement at receiving BlackBerry service in Iraq. Hoekstra tweeted, “Just landed in Baghdad. I believe it may be first time I’ve had bb service in Iraq. 11th trip here.” You’d think he would have known better. At the time, Hoekstra was a ranking member of the House Intelligence Committee!

Figure 13.4

A member of the House Intelligence Committee uses Twitter and reveals his locale on a secret trip.

Passwords

Many valuable assets are kept secure via just one thin layer of protection—the password. And if you’re like most users, your password system is a mess.F. Manjoo, “Fix Your Terrible, Insecure Passwords in Five Minutes,” Slate, November 12, 2009. With so many destinations asking for passwords, chances are you’re using the same password (or easily guessed variants) in a way that means getting just one “key” would open many “doors.” The typical Web user has 6.5 passwords, each of which is used at four sites, on average.N. Summers, “Building a Better Password,” Newsweek, October 19, 2009. Some sites force users to change passwords regularly, but this often results in insecure compromises. Users make only minor tweaks (e.g., appending the month or year); they write passwords down (in an unlocked drawer or on a Post-it note attached to the monitor); or they save passwords in personal e-mail accounts or on unencrypted hard drives.

The challenge questions offered by many sites to automate password distribution and reset are often pitifully insecure. What’s your mother’s maiden name? What elementary school did you attend? Where were you born? All are pretty easy to guess. One IEEE study found acquaintances could correctly answer colleagues’ secret questions 28 percent of the time, and those who did not know the person still guessed right at a rate of 17 percent. Plus, within three to six months, 16 percent of study participants forgot answers to their own security questions.R. Lemos, “Are Your ‘Secret Questions’ Too Easily Answered?” Technology Review, May 18, 2009. In many cases, answers to these questions can be easily uncovered online. Chances are, if you’ve got an account at a site like,, or Facebook, then some of your secret answers have already been exposed—by you! A Tennessee teen hacked into Sarah Palin’s personal Yahoo! account ( in part by correctly guessing where she met her husband. A similar attack hit staffers at Twitter, resulting in the theft of hundreds of internal documents, including strategy memos, e-mails, and financial forecasts, many of which ended up embarrassingly posted online.N. Summers, “Building a Better Password,” Newsweek, October 19, 2009.

Related to the password problem are issues with system setup and configuration. Many vendors sell software with a common default password. For example, for years, leading database products came with the default account and password combination “scott/tiger.” Any firm not changing default accounts and passwords risks having an open door. Other firms are left vulnerable if users set systems for open access—say turning on file sharing permission for their PC. Programmers, take note: well-designed products come with secure default settings, require users to reset passwords at setup, and also offer strong warnings when security settings are made weaker. But unfortunately, there are a lot of legacy products out there, and not all vendors have the insight to design for out-of-the-box security.
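The default-password problem above lends itself to a simple audit: compare each account against a list of known vendor-shipped defaults. This is an illustrative sketch, not a real audit tool—the helper name and account list are hypothetical, though “scott/tiger” is the database example from the text:

```python
# Vendor-shipped credentials an auditor might check for. "scott/tiger"
# is the long-standing database default mentioned in the text; the
# others are common examples, listed here for illustration.
KNOWN_DEFAULTS = {("scott", "tiger"), ("admin", "admin"), ("root", "root")}

def find_default_accounts(accounts):
    """Return the (user, password) pairs still set to a known default."""
    return [acct for acct in accounts if acct in KNOWN_DEFAULTS]

accounts = [("scott", "tiger"), ("jane", "v8#Qk2pT")]
print(find_default_accounts(accounts))  # [('scott', 'tiger')]
```

A real audit would check hashed credentials against default-password dictionaries rather than plaintext pairs, but the principle—ship-time defaults must never survive into production—is the same.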

Building a Better Password

There’s no simple answer for the password problem. Biometrics (technologies that measure and analyze human body characteristics for identification or authentication, such as fingerprint readers, retina scanners, and voice and face recognition) are often thought of as a solution, but technologies that replace conventionally typed passwords remain rarely used, and PCs that include them are widely viewed as novelties. Says Carnegie Mellon University CyLab fellow Richard Power, “Biometrics never caught on and it never will.”N. Summers, “Building a Better Password,” Newsweek, October 19, 2009.

Other approaches leverage technology that distributes single-use passwords. These might arrive via external devices like an electronic wallet card, key chain fob, or cell phone. Security firm RSA has even built the technology into BlackBerrys: enter a user name and receive a phone message with a temporary password. Even if a system is compromised by keystroke-capturing malware, the password is good for only one session. Lost device? A central command can disable it. This may be a good solution for situations that demand a high level of security, and Wells Fargo and PayPal are among the firms offering these types of services as an option. However, for most consumer applications, slowing down users with a two-tier authentication system would be an impractical mandate.
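Single-use password schemes like these are commonly built on one-time password algorithms such as the time-based approach standardized in RFC 6238. The sketch below is a generic illustration of that technique (not any vendor’s actual product code): it derives a short code from a shared secret and the current time, so each code expires after a brief interval.

```python
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, interval: int = 30, digits: int = 6, at=None) -> str:
    """Derive a time-based one-time password (RFC 6238 style)."""
    counter = int((time.time() if at is None else at) // interval)
    msg = struct.pack(">Q", counter)                 # counter as 8-byte big-endian
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Matches the RFC 6238 SHA-1 test secret at its published test time.
print(totp(b"12345678901234567890", at=59))  # "287082"
```

Because the code changes every 30 seconds, a captured value is useless to an attacker moments later, which is exactly the property the devices described above exploit.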

While you await technical fixes, you can at least work to be part of the solution rather than part of the problem. It’s unlikely you’ve got the memory or discipline to create separate unique passwords for all of your sites, but at least make it a priority to create separate, hard-to-guess passwords for each of your highest priority accounts (e.g., e-mail, financial Web sites, corporate network, and PC). Remember, the integrity of a password shared across Web sites isn’t just up to you. That hot start-up Web service may not have the security resources or experience to protect your special code, and if that Web site’s account is hacked, your user name and password are now in the hands of hackers that can try out those “keys” across the Web’s most popular destinations.

Web sites are increasingly demanding more “secure” passwords, requiring users to create passwords at least eight characters in length that include at least one number and another nonalphabetic character. But beware of using seemingly clever techniques to disguise common words: many commonly available brute-force password-cracking tools run through dictionary guesses of common words or phrases, substituting symbols or numbers for common characters (e.g., “@” for “a,” “+” for “t”). For stronger security, experts often advise basing passwords on a phrase, where each word contributes a character to an acronym. For example, the phrase “My first Cadillac was a real lemon so I bought a Toyota” becomes “M1stCwarlsIbaT.”F. Manjoo, “Fix Your Terrible, Insecure Passwords in Five Minutes,” Slate, November 12, 2009. Be careful to choose an original phrase that’s known only by you and that’s easy for you to remember. Studies have shown that acronym-based passwords using song lyrics, common quotes, or movie lines are still susceptible to dictionary-style hacks that build passwords from pop-culture references (in one test, two of 144 participants made password phrases from an acronym of the Oscar Mayer wiener jingle).N. Summers, “Building a Better Password,” Newsweek, October 19, 2009. Finding the balance between something tough for others to guess yet easy for you to remember will require some thought—but it will make you more secure. Do it now!
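To see why symbol substitution buys so little, consider how a cracking tool can mechanically enumerate every substituted spelling of a dictionary word. The sketch below is a simplified illustration with a tiny, made-up substitution table (real tools use far larger ones); a “disguised” password like “p@$$w0rd” falls out immediately:

```python
import itertools

# Toy substitution table mapping letters to their common disguises.
SUBS = {"a": ["a", "@", "4"], "e": ["e", "3"], "o": ["o", "0"],
        "s": ["s", "$", "5"], "t": ["t", "+", "7"]}

def variants(word):
    """Yield every symbol-substituted spelling of a dictionary word."""
    pools = [SUBS.get(ch, [ch]) for ch in word.lower()]
    for combo in itertools.product(*pools):
        yield "".join(combo)

# "password" has only 54 substituted spellings under this table --
# a cracking tool tries them all in well under a millisecond.
print("p@$$w0rd" in set(variants("password")))  # True
```

An acronym of an original phrase resists this attack because the base string never appears in any dictionary.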

Technology Threats (Client and Server Software, Hardware, and Networking)

Any accessible computing device is a potential target for infiltration by malware. Malware (for malicious software) seeks to compromise a computing system without permission. Client PCs and a firm’s servers are primary targets, but as computing has spread, malware now threatens nearly any connected system running software, including mobile phones, embedded devices, and a firm’s networking equipment.

Some hackers will try to sneak malware onto a system via techniques like phishing. In another high-profile hacking example, infected USB drives were purposely left lying around government offices. Those seemingly abandoned office supplies really contained code that attempted to infiltrate government PCs when inserted by unwitting employees.

Machines are constantly under attack. Microsoft’s Internet Safety Enforcement Team claims that the mean time to infection for an unprotected PC is less than five minutes.J. Markoff, “A Robot Network Seeks to Enlist Your Computer,” New York Times, October 20, 2008. Oftentimes malware attempts to compromise weaknesses in software—either bugs, poor design, or poor configuration.

Years ago, most attacks centered on weaknesses in the operating system, but now malware exploits have expanded to other targets, including browsers, plug-ins, and scripting languages used by software. BusinessWeek reports that Adobe has replaced Microsoft as the primary means by which hackers try to infect or take control of PCs. Even trusted Web sites have become a conduit to deliver malware payloads. More than a dozen sites, including those of the New York Times, USA Today, and Nature, were compromised when seemingly honest advertising clients switched on fake ads that exploit Adobe software.A. Ricadela, “Can Adobe Beat Back the Hackers?” BusinessWeek, November 19, 2009. Some attacks were delivered through Flash animations that direct computers to sites that scan PCs, installing malware payloads through whatever vulnerabilities are discovered. Others circulated via e-mail through PDF triggered payloads deployed when a file was loaded via Acrobat Reader. Adobe is a particularly tempting target, as Flash and Acrobat Reader are now installed on nearly every PC, including Mac and Linux machines.

Malware goes by many names. Here are a few of the more common terms you’re likely to encounter.Portions adapted from G. Perera, “Your Guide to Understanding Malware,” May 17, 2009.

Methods of infection are as follows:

  • Viruses. Programs that infect other software or files. They require an executable (a running program) to spread, attaching to other executables. Viruses can spread via operating systems, programs, or the boot sector or auto-run feature of media such as DVDs or USB drives. Some applications support executable languages (macros) that can also host viruses, which run and spread when a file is opened.
  • Worms. Programs that take advantage of security vulnerability to automatically spread, but unlike viruses, worms do not require an executable. Some worms scan for and install themselves on vulnerable systems with stunning speed (in an extreme example, the SQL Slammer worm infected 90 percent of vulnerable software worldwide within just ten minutes).M. Broersma, “Slammer—the First ‘Warhol’ Worm?” CNET, February 3, 2003.
  • Trojans. Exploits that, like the mythical Trojan horse, try to sneak in by masquerading as something they’re not. The payload is released when the user is duped into downloading and installing the malware cargo, oftentimes via phishing exploits.

While the terms above cover methods for infection, the terms below address the goal of the malware:

  • Botnets or zombie networks. Hordes of surreptitiously infected computers linked and controlled remotely by a central command. Botnets are used in crimes where controlling many difficult-to-identify PCs is useful, such as when perpetrating click fraud, sending spam, registering accounts that use CAPTCHAs, executing “dictionary” password-cracking attempts, or launching denial-of-service attacks. CAPTCHA is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart; CAPTCHAs are the scrambled character images that many sites require before accepting some sort of entry (account setup, ticket buying). They were developed because computers have difficulty discerning letters that are distorted or mixed inside a jumbled graphic, and they are meant to serve as a Turing Test (a test to distinguish whether a task is being performed by a computer or a human).G. Keizer, “Botnet Busts Newest Hotmail CAPTCHA,” Computerworld, February 19, 2009.
  • Malicious adware. Programs installed without full user consent or knowledge that later serve unwanted advertisements.
  • Spyware. Software that surreptitiously monitors user actions or network traffic, or that scans for files.
  • Keylogger. A type of spyware that records user keystrokes. Keyloggers can be software based or hardware based, such as a recording “dongle” plugged in between a keyboard and a PC.
  • Screen capture. Variant of the keylogger approach. This category of software records the pixels that appear on a user’s screen for later playback in hopes of identifying proprietary information.
  • Blended threats. Attacks combining multiple malware or hacking exploits.

All the News Fit to Print (Brought to You by Scam Artists)

In fall 2009, bad guys posing as the telecom firm Vonage signed up to distribute ads through the New York Times Web site. Many firms that display online ads on their Web sites simply create placeholders on their Web pages, with the actual ad content served by the advertisers themselves (see the Google chapter for details). In this particular case, the scam artists posing as Vonage switched off the legitimate-looking ads and switched on code that, according to the New York Times, “took over the browsers of many people visiting the site, as their screens filled with an image that seemed to show a scan for computer viruses. The visitors were then told that they needed to buy antivirus software to fix a problem, but the software was more snake oil than a useful program.”A. Vance, “Times Web Ads Show Security Breach,” New York Times, September 14, 2009. Sites including Fox News, the San Francisco Chronicle, and British tech site The Register have also been hit with ad scams in the past. In the Times case, malware wasn’t distributed directly to user PCs, but by passing through ads from third parties to consumers, the Times became a conduit for a scam. In the same way that manufacturers need to audit their supply chain to ensure that partners aren’t engaged in sweatshop labor or disgraceful pollution, sites that host ads need to audit their partners to ensure they are legitimate and behaving with integrity.

The Virus in Your Pocket

Most mobile phones are really pocket computers, so it’s not surprising that these devices have become malware targets. And there are a lot of pathways to exploit. Malware might infiltrate a smartphone via e-mail, Internet surfing, MMS attachments, or even Bluetooth. The “commwarrior” mobile virus spread to at least eight countries, propagating from a combination of MMS messages and Bluetooth.J. Charney, “Commwarrior Cell Phone Virus Marches On,” CNET, June 5, 2005.

Most smartphones have layers of security to block the spread of malware, so hackers typically hunt for the weakest victims. Easy marks include “jail-broken” iPhones: devices with warranty-voiding modifications in which security restrictions are overridden, allowing phones to be used off network and to install unsanctioned applications. Estimates suggest some 10 percent of iPhones are jail-broken, and early viruses exploiting the compromised devices ranged from a “Rick roll” that replaced the home screen image with a photo of 1980s crooner Rick AstleyS. Steade, “It’s Shameless How They Flirt,” Good Morning Silicon Valley, November 9, 2009. to the more nefarious Ikee.B, which scanned text messages, hunted out banking codes, and forwarded the nabbed data to a server in Lithuania.R. Lemos, “Nasty iPhone Worm Hints at the Future,” Technology Review, November 29, 2009.

The upside? Those smart devices are sometimes crime fighters themselves. A Pittsburgh mugging victim turned on Apple’s “Find My iPhone” feature within its MobileMe service, mapping the perpetrator’s path, then sending the law to bust the bad guys while they ate at a local restaurant.J. Murrell, “The iWitness News Roundup: Crime-fighting iPhone,” Good Morning Silicon Valley, August 31, 2009.

Figure 13.5

A “jail-broken” iPhone gets “Rick rolled” by malware.

Compromising Web Sites

Some exploits directly target poorly designed and programmed Web sites. Consider the SQL injection technique. It zeros in on a sloppy programming practice where software developers don’t validate user input.

It works like this. Imagine that you visit a Web site and are asked to enter your user ID in a field on a Web page (say your user ID is smith). A Web site may be programmed to take the data you enter from the Web page’s user ID field (smith), then add it to a database command (creating the equivalent of a command that says “find the account for ‘smith’”). The database then executes that command.

But Web sites that don’t verify user entries and instead just blindly pass along entered data are vulnerable to attack. Hackers with just a rudimentary knowledge of SQL could type actual code fragments into the user ID field, appending this code to statements executed by the site (see sidebar for a more detailed description). Such modified instructions could instruct the Web site’s database software to drop (delete) tables, insert additional data, return all records in a database, or even redirect users to another Web site that will scan clients for weaknesses, then launch further attacks. Security expert Bruce Schneier noted a particularly ghastly SQL injection vulnerability in the publicly facing database for the Oklahoma Department of Corrections, where “anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender.”B. Schneier, “Oklahoma Data Leak,” Schneier on Security, April 18, 2008.

Not trusting user input is a cardinal rule of programming, and most well-trained programmers know to validate user input. But there’s a lot of sloppy code out there, which hackers are all too eager to exploit. IBM identifies SQL injection as the fastest growing security threat, with over half a million attack attempts recorded each day.A. Wittmann, “The Fastest-Growing Security Threat,” InformationWeek, November 9, 2009. Some vulnerable systems started life as quickly developed proofs of concepts, and programmers never went back to add the needed code to validate input and block these exploits. Other Web sites may have been designed by poorly trained developers who have moved on to other projects, by staff that have since left the firm, or where development was outsourced to another firm. As such, many firms don’t even know if they suffer from this vulnerability.

SQL injection and other application weaknesses are particularly problematic because there’s not a commercial software patch or easily deployed piece of security software that can protect a firm. Instead, firms have to meticulously examine the integrity of their Web sites to see if they are vulnerable.While some tools exist to automate testing, this is by no means as easy a fix as installing a commercial software patch or virus protection software.

How SQL Injection Works

For those who want to get into some of the geekier details of a SQL injection attack, consider a Web site that executes the code below to verify that an entered user ID is in a database table of usernames. The code executed by the Web site might look something like this:

"SELECT * FROM users WHERE userName = '" + userID + "';"

The statement above tells the database to SELECT (find and return) all columns (that’s what the “*” means) from a table named users where the database’s userName field equals the text you just entered in the userID field. If the Web site’s visitor entered smith, that text is added to the statement above, and it’s executed as:

SELECT * FROM users WHERE userName = 'smith';

No problem. But now imagine a hacker gets sneaky and, instead of just typing smith into the Web site’s userID field, also adds some additional SQL code like this:

smith'; DELETE FROM users WHERE 't' = 't

If the code above is entered into the userID field, the Web site adds it to its own programming, creating a statement that is executed as:

SELECT * FROM users WHERE userName = 'smith'; DELETE FROM users WHERE 't' = 't';

The semicolons separate SQL statements. That second statement says to delete all data in the users table for records where ‘t’ = ‘t’ (this last part, ‘t’ = ‘t’, is always true, so all records will be deleted). Yikes! In this case, someone entering the kind of code you’d learn in the first chapter of SQL for Dummies could annihilate a site’s entire user ID file using one of the site’s own Web pages as the attack vehicle.B. Schneier, “Oklahoma Data Leak,” Schneier on Security, April 18, 2008.

Related programming exploits go by names such as cross-site scripting attacks and HTTP header injection. We’ll spare you the technical details, but what this means for both the manager and the programmer is that all systems must be designed and tested with security in mind. This includes testing new applications, existing and legacy applications, partner offerings, and SaaS (software as a service) applications—everything. Visa and MasterCard are among the firms requiring partners to rigorously apply testing standards. Firms that aren’t testing their applications will find they’re locked out of business; if caught with unacceptable breaches, such firms may be forced to pay big fines and absorb any costs associated with their weak practices.Knowledge@Wharton, “Information Security: Why Cybercriminals Are Smiling,” August 19, 2009.

Push-Button Hacking

Not only is the list of technical vulnerabilities well known, but hackers have also created tools to make it easy for the criminally inclined to automate attacks. Chapter 14 “Google: Search, Online Advertising, and Beyond” outlines how Web sites can interrogate a system to find out more about the software and hardware used by visitors. Hacking toolkits can do the same thing. While you won’t find this sort of software for sale on Amazon, a casual surfing of the online underworld (not recommended or advocated) will surface scores of tools that probe systems for the latest vulnerabilities, then launch appropriate attacks. In one example, a $700 toolkit (MPack v. 86) was used to infiltrate a host of Italian Web sites, launching Trojans that infected 15,000 users in just a six-day period.Trend Micro, “Web Threats Whitepaper,” March 2008. As an industry executive in BusinessWeek has stated, “The barrier of entry is becoming so low that literally anyone can carry out these attacks.”J. Schectman, “Computer Hacking Made Easy,” BusinessWeek, August 13, 2009.

Network Threats

The network itself may also be a source of compromise. Recall that the TJX hack happened when a Wi-Fi access point was left open and undetected. A hacker just drove up and performed the digital equivalent of crawling through an open window. The problem is made more challenging since wireless access points are so inexpensive and easy to install. For less than $100, a user (well intentioned or not) could plug in to an access point that could provide entry for anyone. If a firm doesn’t regularly monitor its premises, its network, and its network traffic, it may fall victim.

Other troubling exploits have targeted the very underpinnings of the Internet itself. This is the case with so-called DNS cache poisoning. The DNS, or domain name service, is a collection of software that maps a human-readable Internet address, like a site’s domain name, to the numeric IP address computers use to locate it (see Chapter 12 “A Manager’s Guide to the Internet and Telecommunications” for more detail). DNS cache poisoning exploits can redirect this mapping, and the consequences are huge. Imagine thinking that you’re visiting your bank’s Web site, but instead your network’s DNS server has been poisoned so that you really visit a carefully crafted replica that hackers use to steal your log-in credentials and drain your bank account. A DNS cache poisoning attack launched against one of China’s largest ISPs redirected users to sites that launched malware exploits, targeting weaknesses in RealPlayer, Adobe Flash, and Microsoft’s ActiveX technology, commonly used in browsers.J. London, “China Netcom Falls Prey to DNS Cache Poisoning,” Computerworld, August 22, 2008.
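The name-to-address mapping DNS performs is easy to observe. The sketch below asks the operating system’s resolver to translate a host name into an IP address; cache poisoning works by corrupting exactly this answer so that a trusted name points at an attacker’s machine:

```python
import socket

# Ask the local resolver to map a name to an IPv4 address.
# "localhost" resolves locally, without any network traffic.
ip = socket.gethostbyname("localhost")
print(ip)  # typically 127.0.0.1
```

A poisoned cache would return the same kind of answer, just pointing somewhere malicious, which is why the user sees nothing amiss.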

Physical Threats

A firm doesn’t just have to watch out for insiders or compromised software and hardware; a host of other physical threats can grease the skids to fraud, theft, and damage. Most large firms have disaster-recovery plans in place. These often include provisions to back up systems and data to off-site locales, to protect operations and provide a fallback in case of disaster. Such plans increasingly take into account the potential impact of physical security threats, such as terrorism or vandalism, as well.

Anything valuable that reaches the trash in a recoverable state is also a potential security breach. Hackers and spies sometimes practice dumpster diving, combing through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack. This might include hunting for discarded passwords written on Post-it notes, recovering unshredded printed user account listings, scanning e-mails or program printouts for system clues, recovering tape backups, resurrecting files from discarded hard drives, and more.

Other compromises might take place via shoulder surfing: simply looking over someone’s shoulder to glean a password or see other proprietary information that might be displayed on a worker’s screen.

Firms might also fall victim to various forms of eavesdropping, such as efforts to listen in on or record conversations, transmissions, or keystrokes. A device hidden inside a package might sit in a mailroom or a worker’s physical inbox, scanning for open wireless connections, or recording and forwarding conversations.J. Robertson, “Hackers Mull Physical Attacks on a Networked World,” San Francisco Chronicle, August 8, 2008. Other forms of eavesdropping can be accomplished via compromised wireless or other network connections; malware keylogger or screen capture programs; hardware devices such as replacement keyboards with keyloggers embedded inside; microphones that capture the slightly unique and identifiable sound of each key being pressed; programs that turn on the built-in microphones or cameras now standard on many PCs; or even James Bond-style devices that use Van Eck techniques to read monitors from afar by detecting their electromagnetic emissions.

The Encryption Prescription

During a routine physical transfer of backup media, Bank of America lost tapes containing the private information—including Social Security and credit card numbers—of hundreds of thousands of customers.J. Mardesich, “Ensuring the Security of Stored Data,” CIO Strategy Center, 2009. This was potentially devastating fodder for identity thieves. But who cares if someone steals your files if they still can’t read the data? That’s the goal of encryption!

Encryption scrambles data using a code or formula, known as a cipher, making it essentially unreadable to any program that doesn’t have the descrambling password, known as a key. Simply put, the larger the key, the more difficult it is for a brute-force attack (one that exhausts all possible password or key combinations) to crack the code. When well implemented, encryption can be the equivalent of a rock-solid vault. To date, the largest known brute-force demonstration hacks, launched by grids of simultaneous code-cracking computers working in unison, haven’t come close to breaking the type of encryption most browsers use when communicating with banks and shopping sites. The problem occurs when data is nabbed before encryption or after decryption, or, in rare cases, if the encrypting key itself is compromised.
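The arithmetic behind “larger keys are harder to crack” is stark: each added bit doubles the search space. A back-of-the-envelope sketch, assuming a hypothetical attacker who can test one billion keys per second:

```python
# Each extra key bit doubles the work a brute-force attacker faces.
ATTEMPTS_PER_SECOND = 1_000_000_000   # hypothetical attacker speed
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

for bits in (40, 56, 128):
    keyspace = 2 ** bits
    years = keyspace / ATTEMPTS_PER_SECOND / SECONDS_PER_YEAR
    print(f"{bits}-bit key: {keyspace:.2e} keys, ~{years:.2e} years to exhaust")
```

At this rate a 40-bit keyspace falls in under twenty minutes, while a 128-bit keyspace (a size common in browser encryption) would take on the order of 10^22 years to exhaust.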

Extremely sensitive data—trade secrets, passwords, credit card numbers, and employee and customer information—should be encrypted before being sent or stored.J. Mardesich, “Ensuring the Security of Stored Data,” CIO Strategy Center, 2009. Deploying encryption dramatically lowers the potential damage from lost or stolen laptops, or from hardware recovered from dumpster diving. It is vital for any laptops carrying sensitive information.

Encryption is also employed in virtual private network (VPN) technology, which scrambles data passed across a network. Public wireless connections pose significant security threats—they may be set up by hackers that pose as service providers, while really launching attacks on or monitoring the transmissions of unwitting users. The use of VPN software can make any passed-through packets unreadable. Contact your firm or school to find out how to set up VPN software.

In the Bank of America example above, the bank was burned. It couldn’t verify that the lost tapes were encrypted, so it had to notify customers and incur the cost associated with assuming data had been breached.J. Mardesich, “Ensuring the Security of Stored Data,” CIO Strategy Center, 2009.

Encryption is not without its downsides. Key management is a potentially costly procedural challenge for most firms. If your keys aren’t secure, it’s the equivalent of leaving the keys to a safe out in public. Encryption also requires additional processing to scramble and descramble data—drawing more power and slowing computing tasks. Moore’s Law will speed things along, but it also puts more computing power in the hands of attackers. With hacking threats on the rise, expect to see laws and compliance requirements that mandate encrypted data, standardize encryption regimes, and simplify management.

How Do Web Sites Encrypt Transmissions?

Most Web sites that deal with financial transactions (e.g., banks, online stores) secure transmissions using a method called public key encryption. The system works with two keys: a public key and a private key. The public key can “lock” or encrypt data, but it can’t unlock it; that can only be performed by the private key (and the private key cannot be reverse engineered from the public key). So a Web site that wants you to transmit secure information will send you a public key; you use this to lock the data, and no one who intercepts that transmission can break in without the private key. If the Web site does its job, it will keep the private key out of reach of all potentially prying eyes.
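The lock/unlock asymmetry can be demonstrated with a toy version of RSA, one well-known public key algorithm. The numbers below are absurdly small (real keys run to hundreds of digits), so this is purely an illustration of the idea, not usable cryptography:

```python
# Toy RSA: anyone may encrypt with the public pair (e, n);
# only the holder of d can decrypt.
p, q = 61, 53                 # two (tiny) secret primes
n = p * q                     # public modulus: 3233
phi = (p - 1) * (q - 1)       # 3120
e = 17                        # public exponent
d = pow(e, -1, phi)           # private exponent: 2753 (modular inverse, Python 3.8+)

message = 65
ciphertext = pow(message, e, n)    # lock with the public key
recovered = pow(ciphertext, d, n)  # unlock with the private key
print(recovered == message)        # True
```

Deriving d from e requires factoring n into p and q, which is what makes recovering the private key from the public one computationally infeasible at real key sizes.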

Wondering if a Web site’s transmissions are encrypted? Look at the Web address. If it begins with “https” instead of “http,” it should be secure. Also check that the padlock icon in the corner of your Web browser is closed (locked). Finally, you can double-click the padlock to bring up a verification of the Web site’s identity, vouched for by a trusted third-party firm, known as a certificate authority, that provides authentication services in public key encryption schemes. If this matches the URL and names the firm you expect, you can be reasonably sure you’re communicating over an encrypted connection with the firm you intend to do business with.

Figure 13.6

In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site’s name matches the URL. The verifying certificate authority is the firm VeriSign.
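The “look for https” advice is easy to automate; a link checker, for example, might flag any URL that won’t use an encrypted connection. A small sketch (the function name is ours, invented for illustration):

```python
from urllib.parse import urlparse

def looks_encrypted(url: str) -> bool:
    """First-pass check from the text: an "https" scheme means the
    browser will attempt a TLS-encrypted connection."""
    return urlparse(url).scheme == "https"

print(looks_encrypted("https://www.bankofamerica.com/"))  # True
print(looks_encrypted("http://example.com/login"))        # False: credentials would travel in the clear
```

Note this checks only the scheme; the certificate inspection described above is still needed to confirm who is on the other end of the connection.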

Key Takeaways

  • An organization’s information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.
  • Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.
  • While dangerous, a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.
  • Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information.
  • Most users employ inefficient and insecure password systems; however, techniques were offered to improve one’s individual password regime.
  • Viruses, worms, and Trojans are types of infecting malware. Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.
  • Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.
  • SQL injection and related techniques show the perils of poor programming. Software developers must design for security from the start—considering potential security weaknesses, and methods that improve end-user security (e.g., in areas such as installation and configuration).
  • Encryption can render a firm’s data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization’s electronic assets.

Questions and Exercises

  1. Consider your own personal password regime and correct any weaknesses. Share any additional password management tips and techniques with your class.
  2. Why is it a bad idea to use variants of existing passwords when registering for new Web sites?
  3. Relate an example of social engineering that you’ve experienced or heard of. How might the victim have avoided being compromised?
  4. Have you ever seen phishing exploits? Have you fallen for one? Why did you take the bait, or what alerted you to the scam? How can you identify phishing scams?
  5. Have you or has anyone you know fallen victim to malware? Relate the experience—how do you suppose it happened? What damage was done? What, if anything, could be done to recover from the situation?
  6. Why are social media sites such a threat to information security? Give various potential scenarios where social media use might create personal or organizational security compromises.
  7. Some users regularly update their passwords by adding a number (say month or year) to their code. Why is this bad practice?
  8. What kind of features should a programmer build into systems in order to design for security? Think about the products that you use. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security design? How?
  9. Why are SQL injection attacks more difficult to address than the latest virus threat?
  10. How should individuals and firms leverage encryption?
  11. Investigate how you might use a VPN if traveling with your laptop. Be prepared to share your findings with your class and your instructor.

13.4 Taking Action

Learning Objectives

After studying this section you should be able to do the following:

  1. Identify critical steps to improve your individual and organizational information security.
  2. Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure.
  3. Recognize the major information security issues that organizations face, as well as the resources, methods, and approaches that can help make firms more secure.

Taking Action as a User

The weakest link in security is often a careless user, so don’t make yourself an easy mark. Once you get a sense of threats, you understand the kinds of precautions you need to take. Security considerations then become more common sense than high tech. Here’s a brief list of major issues to consider:

  • Surf smart. Think before you click—question links, enclosures, download requests, and the integrity of Web sites that you visit. Avoid suspicious e-mail attachments and Internet downloads. Be on guard for phishing and other attempts to con you into letting in malware. Verify anything that looks suspicious before acting. Avoid using public machines (libraries, coffee shops) when accessing sites that contain your financial data or other confidential information.
  • Stay vigilant. Social engineering con artists and rogue insiders are out there. An appropriate level of questioning applies not only to computer use, but also to personal interactions, whether in person, on the phone, or electronically.
  • Stay updated. Turn on software update features for your operating system and any application you use (browsers, applications, plug-ins, and applets), and manually check for updates when needed. Malware toolkits specifically scan for older, vulnerable systems, so working with updated programs that address prior concerns reduces your attack surface.
  • Stay armed. Install a full suite of security software. Many vendors offer a combination of products that provide antivirus software that blocks infection, personal firewalls that repel unwanted intrusion, malware scanners that seek out bad code that might already be nesting on your PC, antiphishing software that identifies if you’re visiting questionable Web sites, and more. Such tools are increasingly being built into operating systems, browsers, and are deployed at the ISP or service provider (e-mail firm, social network) level. But every consumer should make it a priority to understand the state of the art for personal protection. In the way that you regularly balance your investment portfolio to account for economic shifts, or take your car in for an oil change to keep it in top running condition, make it a priority to periodically scan the major trade press or end-user computing sites for reviews and commentary on the latest tools and techniques for protecting yourself (and your firm).
  • Be settings smart. Don’t turn on risky settings like unrestricted folder sharing that may act as an invitation for hackers to drop off malware payloads. Secure home networks with password protection and a firewall. Encrypt hard drives—especially on laptops or other devices that might be lost or stolen. Register mobile devices for location identification or remote wiping. Don’t click the “Remember me” or “Save password” settings on public machines, or any device that might be shared or accessed by others. Similarly, if your machine might be used by others, turn off browser settings that auto-fill fields with prior entries—otherwise you make it easy for someone to use that machine to track your entries and impersonate you. And when using public hotspots, be sure to turn on your VPN software to encrypt transmission and hide from network eavesdroppers.
  • Be password savvy. Change the default password on any new products that you install. Update your passwords regularly. Using guidelines outlined earlier, choose passwords that are tough to guess, but easy for you (and only you) to remember. Federate your passwords so that you’re not using the same access codes for your most secure sites. Never save passwords in nonsecured files or e-mail, and never write them down in easily accessed locations.
  • Be disposal smart. Shred personal documents. Wipe hard drives with an industrial strength software tool before recycling, donating, or throwing away—remember in many cases “deleted” files can still be recovered. Destroy media such as CDs and DVDs that may contain sensitive information. Erase USB drives when they are no longer needed.
  • Back up. The most likely threat to your data doesn’t come from hackers; it comes from hardware failure.C. Taylor, “The Tech Catastrophe You’re Ignoring,” Fortune, October 26, 2009. Yet most users still don’t regularly back up their systems. This is another do-it-now priority. Cheap, plug-in hard drives work with most modern operating systems to provide continual backups, allowing for quick rollback to earlier versions if you’ve accidentally ruined some vital work. And services like EMC’s Mozy provide monthly, unlimited backup over the Internet for less than what you probably spent on your last lunch (a fire, theft, or similar event could also result in the loss of any backups stored on-site, but Internet backup services can provide off-site storage and access if disaster strikes).
  • Check with your administrator. All organizations that help you connect to the Internet—your ISP, firm, or school—should have security pages. Many provide free security software tools. Use them as resources. Remember—it’s in their interest to keep you safe, too!
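The password advice above has a server-side counterpart: systems should never store passwords in plain text, but instead keep a slow, salted hash that can verify a log-in without ever revealing the original password. Below is a minimal sketch using only Python’s standard library; the function names and iteration count are illustrative, not a production recommendation.

```python
import hashlib
import secrets

def hash_password(password, salt=None):
    """Derive a slow, salted hash suitable for storage (never store plaintext)."""
    salt = salt or secrets.token_bytes(16)  # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, stored)
```

Because each user gets a random salt, two users with the same password end up with different stored hashes, which blunts precomputed “rainbow table” attacks against a stolen password file.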

Taking Action as an Organization

Frameworks, Standards, and Compliance

Developing organizational security is a daunting task. You’re in an arms race with adversaries that are tenacious and constantly on the lookout for new exploits. Fortunately, no firm is starting from scratch—others have gone before you and many have worked together to create published best practices.

There are several frameworks, but perhaps the best known of these efforts comes from the International Organization for Standardization (ISO) and is broadly referred to as ISO27k or the ISO 27000 series. According to the ISO, this evolving set of standards provides “a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.”

Firms may also face compliance requirements—legal or professionally binding steps that must be taken. Failure to do so could result in fines, sanctions, and other punitive measures. At the federal level, examples include HIPAA (the Health Insurance Portability and Accountability Act), which regulates health data; the Gramm-Leach-Bliley Act, which regulates financial data; and the Children’s Online Privacy Protection Act, which regulates data collection on minors. U.S. government agencies must also comply with FISMA (the Federal Information Security Management Act), and there are several initiatives at other levels of government. By 2009, over thirty states had passed some form of data breach law, while multinationals face a growing number of statutes throughout the world. Your legal team and trade associations can help you understand your domestic and international obligations. Fortunately, there are often frameworks and guidelines to assist in compliance. For example, the ISO standards include subsets targeted at the telecommunications and health care industries, and major credit card firms have created the PCI (payment card industry) standards. And there are skilled consulting professionals who can help bring firms up to speed in these areas, and help expand their organizational radar as new issues develop.

Here is a word of warning on frameworks and standards: compliance does not equal security. Outsourcing portions of security efforts without a complete, organizational commitment to being secure can also be dangerous. Some organizations simply approach compliance as a necessary evil: a sort of checklist that can reduce the likelihood of a lawsuit or other punitive measure.M. Davis, “What Will It Take?” InformationWeek, November 23, 2009. While you want to make sure you’re doing everything in your power not to get sued, this isn’t the goal. The goal is taking all appropriate measures to ensure that your firm is secure for your customers, employees, shareholders, and others. Frameworks help shape your thinking and expose things you should do, but security doesn’t stop there—this is a constant, evolving process that needs to pervade the organization from the CEO suite and board, down to frontline workers and potentially out to customers and partners. And be aware of the security issues associated with any mergers and acquisitions. Bringing in new firms, employees, technologies, and procedures means reassessing the security environment for all players involved.

The Heartland Breach

On inauguration day 2009, credit card processor Heartland announced that it had experienced what was one of the largest security breaches in history. The Princeton, New Jersey-based firm was, at the time, the nation’s fifth largest payments processor. Its business was responsible for handling the transfer of funds and information between retailers and cardholders’ financial institutions. That made Heartland a treasure trove for criminals; infiltrating it was like breaking into Fort Knox.

It’s been estimated that as many as 100 million cards issued by more than 650 financial services companies may have been compromised during the Heartland breach. Said the firm’s CEO, this was “the worst thing that can happen to a payments company and it happened to us.”R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. Wall Street noticed. The firm’s stock tanked—within a month, its market capitalization had plummeted over 75 percent, dropping over half a billion dollars in value.T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009.

The Heartland case provides a cautionary warning against thinking that security ends with compliance. Heartland had in fact passed multiple audits, including one conducted the month before the infiltration began. Still, at least thirteen pieces of malware were uncovered on the firm’s servers. Compliance does not equal security: Heartland was compliant, yet it was not secure. Compliance is not the goal; security is.

Since the breach, the firm’s executives have championed industry efforts to expand security practices, including encrypting card information at the point it is swiped and keeping it secure through settlement. Such “cradle-to-grave” encryption can help create an environment where even compromised networking equipment or intercepting relay systems wouldn’t be able to grab codes.T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009; R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009. Recognize that security is a continual process; it is never done, and firms need to pursue it with tenacity and commitment.

Education, Audit, and Enforcement

Security is as much about people, process, and policy as it is about technology.

From a people perspective, the security function requires multiple levels of expertise. Operations employees are involved in the day-to-day monitoring of existing systems. A group’s R&D function is involved in understanding emerging threats and reviewing, selecting, and implementing updated security techniques. A team must also work on broader governance issues. These efforts should include representatives from specialized security and broader technology and infrastructure functions. It should also include representatives from general counsel, audit, public relations, and human resources. What this means is that even if you’re a nontechnical staffer, you may be brought in to help a firm deal with security issues.

Processes and policies will include education and awareness—this is also everyone’s business. As the Vice President of Product Development at security firm Symantec puts it, “We do products really well, but the next step is education. We can’t keep the Internet safe with antivirus software alone.”D. Goldman, “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009. Companies should approach information security as a part of their “collective corporate responsibility…regardless of whether regulation requires them to do so.”Knowledge@Wharton, “Information Security: Why Cybercriminals Are Smiling,” August 19, 2009.

For a lesson in how important education is, look no further than the head of the CIA. Former U.S. Director of Intelligence John Deutch engaged in shockingly loose behavior with digital secrets, including keeping a daily journal of classified information—some 1,000+ pages—on memory cards he’d transport in his shirt pocket. He also downloaded and stored Pentagon information, including details of covert operations, at home on computers that his family used for routine Internet access.N. Lewis, “Investigation Of Ex-Chief Of the C.I.A. Is Broadened,” New York Times, September 17, 2000.

Employees need to know a firm’s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations. Policies without eyes (audit) and teeth (enforcement) won’t be taken seriously. Audits include real-time monitoring of usage (e.g., who’s accessing what, from where, how, and why; sound the alarm if an anomaly is detected), announced audits, and surprise spot checks. This function might also stage white hat demonstration attacks—attempts to hunt for and expose weaknesses, hopefully before hackers find them. Frameworks offer guidelines on auditing, but a recent survey found most organizations don’t document enforcement procedures in their information security policies, that more than one-third do not audit or monitor user compliance with security policies, and that only 48 percent annually measure and review the effectiveness of security policies.A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009).

A firm’s technology development and deployment processes must also integrate with the security team to ensure that from the start, applications, databases, and other systems are implemented with security in mind. The security team has specialized skills, monitors the latest threats, and can advise on the precautions necessary to be sure systems aren’t compromised during installation, development, testing, and deployment.

What Needs to Be Protected and How Much Is Enough?

A worldwide study by PricewaterhouseCoopers and Chief Security Officer magazine revealed that most firms don’t even know what they need to protect. Only 33 percent of executives responded that their organizations kept accurate inventory of the locations and jurisdictions where data was stored, and only 24 percent kept inventory of all third parties using their customer data.A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009). What this means is that most firms don’t even have an accurate read on where their valuables are kept, let alone how to protect them.

So information security should start with an inventory-style audit and risk assessment, in which specific technologies map back to specific business risks. What do we need to protect? What are we afraid might happen? And how do we protect it? Security is an economic problem, involving attack likelihood, costs, and prevention benefits. These are complex trade-offs that must consider losses from theft of resources, systems damage, data loss, disclosure of proprietary information, recovery, downtime, stock price declines, legal fees, and government and compliance penalties, as well as intangibles such as a damaged firm reputation, loss of customer and partner confidence, industry damage, the strengthening of adversaries, and the encouragement of future attacks.
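One common back-of-the-envelope way to frame these trade-offs (a standard risk-management formula, not one given in this chapter) is annualized loss expectancy: the expected yearly loss from a threat equals the cost of a single incident times how often such incidents are expected per year. A sketch, with all figures illustrative:

```python
def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """ALE = SLE x ARO: expected yearly loss from a given threat."""
    return single_loss_expectancy * annual_rate_of_occurrence

def worth_investing(countermeasure_cost, ale_before, ale_after):
    """A countermeasure is economically justified if it saves more than it costs."""
    return (ale_before - ale_after) > countermeasure_cost

# Hypothetical: a stolen unencrypted laptop costs $50,000 per incident,
# and a firm expects 0.2 such incidents a year (one every five years).
ale = annualized_loss_expectancy(50_000, 0.2)  # expected yearly loss: $10,000
```

If full-disk encryption costing $3,000 a year cut that expected loss to $1,000, the $9,000 in avoided loss would justify the spend; the same math shows why a donut shop shouldn’t buy military-grade defenses.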

While many firms skimp on security, firms also don’t want to misspend, targeting exploits that aren’t likely, while underinvesting in easily prevented methods to thwart common infiltration techniques. Hacker conventions like DefCon can show some really wild exploits. But it’s up to the firm to assess how vulnerable it is to these various risks. The local donut shop has far different needs than a military installation, law enforcement agency, financial institution, or firm housing other high-value electronic assets. A skilled risk assessment team will consider these vulnerabilities and what sort of countermeasure investments should take place.

Economic decisions usually drive hacker behavior, too. While in some cases attacks are based on vendetta or personal reasons, in most cases exploit economics largely boils down to

Adversary ROI = Asset value to adversary – Adversary cost.

An adversary’s costs include not only the resources, knowledge, and technology required for the exploit, but also the risk of getting caught. Making things tough to get at and lobbying for legislation that imposes severe penalties on crooks can help raise adversary costs and lower your likelihood of becoming a victim.
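The formula above can be made slightly more concrete by folding the risk of getting caught into the adversary’s cost as an expected penalty. A hypothetical sketch (all names and figures are made up for illustration):

```python
def adversary_roi(asset_value, exploit_cost, capture_probability, penalty):
    """Adversary ROI = asset value - (direct exploit cost + expected penalty)."""
    expected_cost = exploit_cost + capture_probability * penalty
    return asset_value - expected_cost
```

With no chance of capture, a $100,000 payoff against a $10,000 exploit is attractive; raise the odds of capture to fifty percent against a $500,000 penalty and the expected return turns sharply negative, which is exactly the deterrent effect the text describes.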

Technology’s Role

Technical solutions often involve industrial strength variants of the previously discussed issues individuals can employ, so your awareness is already high. Additionally, an organization’s approach will often leverage multiple layers of protection and incorporate a wide variety of protective measures.

Patch. Firms must be especially vigilant in paying attention to security bulletins and installing software updates that plug existing holes (often referred to as patches). Firms that don’t plug known problems will be vulnerable to trivial and automated attacks. Unfortunately, many firms aren’t updating all components of their systems with consistent attention. With operating systems automating security update installations, hackers have moved on to application targets. But a major study recently found that organizations took at least twice as long to patch application vulnerabilities as they took to patch operating system holes.S. Wildstrom, “Massive Study of Net Vulnerabilities: They’re Not Where You Think They Are,” BusinessWeek, September 14, 2009. And remember, software isn’t limited to conventional PCs and servers. Embedded systems abound, and connected, yet unpatched devices are vulnerable. Malware has infected everything from unprotected ATM machinesP. Lilly, “Hackers Targeting Windows XP-Based ATM Machines,” Maximum PC, June 4, 2009. to restaurant point-of-sale systemsR. McMillan, “Restaurants Sue Vendors after Point-of-Sale Hack,” CIO, December 1, 2009. to fighter plane navigation systems.C. Matyszczyk, “French Planes Grounded by Windows Worm,” CNET, February 8, 2009.
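A first step toward consistent patching is simply knowing what’s out of date. The toy inventory check below (component names and version numbers are made up) also shows why versions must be compared numerically: as plain strings, "2.4.9" sorts after "2.4.10", which would hide an unpatched system.

```python
def parse_version(text):
    """Turn '2.4.10' into the tuple (2, 4, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def unpatched(inventory, latest_versions):
    """Return the components running something older than the latest release."""
    return [name for name, installed in inventory.items()
            if parse_version(installed) < parse_version(latest_versions[name])]
```

In practice a real patch-management tool would pull the “latest” column from vendor security bulletins rather than a hand-maintained dictionary, but the comparison logic is the same.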

As an example of unpatched vulnerabilities, consider the DNS cache poisoning exploit described earlier in this chapter. The discovery of this weakness was one of the biggest security stories the year it was discovered, and security experts saw this as a major threat. Teams of programmers worldwide raced to provide fixes for the most widely used versions of DNS software. Yet several months after patches were available, roughly one quarter of all DNS servers were still unpatched and exposed.IBM, X-Force Threat Report: 2008 Year in Review, January 2009.

To be fair, not all firms delay patches out of negligence. Some organizations have legitimate concerns about testing whether the patch will break their system or whether the new technology contains a change that will cause problems down the road.For example, the DNS security patch mentioned was incompatible with the firewall software deployed at some firms. And there have been cases where patches themselves have caused problems. Finally, many software updates require that systems be taken down. Firms may have uptime requirements that make immediate patching difficult. But ultimately, unpatched systems are an open door for infiltration.

Lock down hardware. Firms vary widely in the security regimes that govern technology use from purchase through disposal. While some large firms such as Kraft are allowing employees to select their own hardware (Mac or PC, desktop or notebook, iPhone or BlackBerry),N. Wingfield, “It’s a Free Country…So Why Can’t I Pick the Technology I Use in the Office?” Wall Street Journal, November 15, 2009. others issue standard systems that prevent all unapproved software installation and force file saving to hardened, backed-up, scanned, and monitored servers. Firms in especially sensitive industries such as financial services may regularly reimage the hard drive of end-user PCs, completely replacing all the bits on a user’s hard drive with a pristine, current version—effectively wiping out malware that might have previously sneaked onto a user’s PC. Other lock-down methods might disable the boot capability of removable media (a common method for spreading viruses via inserted discs or USB drives), prevent Wi-Fi use or require VPN encryption before allowing any network transmissions, and more. The cloud helps here, too. (See Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”.) Employers can also require workers to run all of their corporate applications inside a remote desktop where the actual executing hardware and software is elsewhere (likely hosted as a virtual machine session on the organization’s servers), and the user is simply served an image of what is executing remotely. This seals the virtual PC off in a way that can be thoroughly monitored, updated, backed up, and locked down by the firm.

In the case of Kraft, executives worried that the firm’s previously restrictive technology policies prevented employees from staying in step with trends. Employees opting into the system must sign an agreement promising they’ll follow mandated security procedures. Still, financial services firms, law offices, health care providers, and others may need to maintain stricter control, for legal and industry compliance reasons.

Lock down the network. Network monitoring is a critical part of security, and a host of technical tools can help.

Firms employ firewalls (systems that act as controls for network traffic, blocking unauthorized traffic while permitting acceptable use) to examine traffic as it enters and leaves the network, potentially blocking certain types of access while permitting approved communication. Intrusion detection systems (systems that monitor network use for potential hacking attempts; such systems may take preventive action to block, isolate, or identify attempted infiltration, and raise further alarms to warn security personnel) specifically look for unauthorized behavior, sounding the alarm and potentially taking action if something seems amiss. Some firms deploy honeypots (seemingly tempting but bogus targets meant to draw hacking attempts) to distract attackers. If attackers take honeypot bait, firms may gain an opportunity to recognize the hackers’ exploits, identify the IP addresses of intrusion, and take action to block further attacks and alert authorities; they can also share what they learn with partners and law enforcement.

Many firms also deploy blacklists (programs that deny the entry or exit of specific IP addresses, products, Internet domains, and other communications). While blacklists block known bad guys, whitelists are even more restrictive: they permit communication only with approved entities or in an approved manner.
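The difference between the two policies can be sketched in a few lines using Python’s standard ipaddress module. The address ranges below are reserved documentation addresses, used purely for illustration:

```python
import ipaddress

BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]   # known-bad range (example)
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]  # approved partners only

def blacklist_allows(source):
    """Blacklist policy: permit everything except known bad actors."""
    addr = ipaddress.ip_address(source)
    return not any(addr in net for net in BLACKLIST)

def whitelist_allows(source):
    """Whitelist policy: deny everything except approved entities."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in WHITELIST)
```

Note the asymmetry: an address no one has ever seen before sails through the blacklist but is stopped cold by the whitelist, which is why whitelisting is described as the more restrictive posture.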

These technologies can be applied to network technology, specific applications, screening for certain kinds of apps, malware signatures, and hunting for anomalous patterns. The last is important, as recent malware has become polymorphic, meaning different versions are created and deployed in a way that slightly alters their signature, a sort of electronic fingerprint often used to recognize malicious code. Anomaly hunting also helps with zero-day exploits, and in situations where whitelisted Web sites themselves become compromised.
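A toy example shows both how signature matching works and why polymorphism defeats it: changing even a single byte of a payload changes its fingerprint entirely. (The “signature” below is just the hash of a stand-in string, not real malware.)

```python
import hashlib

KNOWN_BAD_SIGNATURES = {
    # SHA-256 fingerprints of known malware samples (illustrative value)
    hashlib.sha256(b"evil payload v1").hexdigest(),
}

def matches_known_signature(file_bytes):
    """Exact-match scanning: fast and precise, but blind to altered variants."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SIGNATURES
```

This is why the text pairs signature scanning with anomaly detection: a polymorphic variant slips past the exact-match check, but its behavior on the network may still stand out.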

Many technical solutions, ranging from network monitoring and response to e-mail screening, are migrating to “the cloud.” This can be a good thing—if network monitoring software immediately shares news of a certain type of attack, defenses might be pushed out to all clients of a firm (the more users, the “smarter” the system can potentially become—again we see the power of network effects in action).

Lock down partners. Insist partner firms are compliant, and audit them to ensure this is the case. This includes technology providers and contract firms, as well as value chain participants such as suppliers and distributors. Anyone who touches your network is a potential point of weakness. Many firms will build security expectations and commitments into performance guarantees known as service level agreements (SLAs).

Lock down systems. Audit for SQL injection and other application exploits. The security team must constantly scan exploits and then probe its systems to see if it’s susceptible, advising and enforcing action if problems are uncovered. This kind of auditing should occur with all of a firm’s partners.
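To see what auditors look for when probing for SQL injection, compare a query built by pasting user input directly into SQL with a parameterized query, where the driver treats input strictly as data. A self-contained sketch using Python’s built-in sqlite3 module (the table and credentials are made up):

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")

def login_unsafe(name, password):
    # DANGEROUS: attacker-supplied text becomes part of the SQL statement.
    query = ("SELECT * FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchall()

def login_safe(name, password):
    # Parameterized query: placeholders keep input from being parsed as SQL.
    return conn.execute(
        "SELECT * FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchall()
```

Feeding the classic payload `' OR '1'='1` as the password makes the unsafe query’s WHERE clause true for every row, logging the attacker in without credentials; the parameterized version simply searches for that odd string as a literal password and finds nothing.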

Access controls can also compartmentalize data access on a need-to-know basis. Such tools can not only enforce access privileges but also help create and monitor audit trails to verify that systems are not being accessed by unauthorized parties, or in suspicious ways.

Audit trails are used for deterring, identifying, and investigating these cases. Recording, monitoring, and auditing access allows firms to hunt for patterns of abuse. Logs can detail who accessed which assets, when, and from where. Giveaways of nefarious activity may include access from unfamiliar IP addresses or at nonstandard times, accesses that occur at higher than usual volumes, and so on. Automated alerts can put an account on hold or call in a response team for further observation of the anomaly.
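The audit-trail heuristics described above (unfamiliar addresses, nonstandard times) can be sketched as a simple scan over log entries. All names, addresses, and thresholds here are illustrative:

```python
def flag_anomalies(access_log, familiar_ips, business_hours=range(7, 20)):
    """Flag log entries from unfamiliar addresses or outside normal hours."""
    alerts = []
    for user, ip, hour in access_log:
        reasons = []
        if ip not in familiar_ips.get(user, set()):
            reasons.append("unfamiliar IP")
        if hour not in business_hours:
            reasons.append("off-hours access")
        if reasons:
            alerts.append((user, ip, hour, reasons))
    return alerts
```

A real monitoring system would score rather than hard-flag (a salesperson traveling abroad trips the “unfamiliar IP” rule legitimately), which is why the text describes alerts that put an account on hold or summon a response team for a closer look rather than blocking outright.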

Single-sign-on tools can help firms offer employees one very strong password that works across applications, is changed frequently (or managed via hardware cards or mobile phone log-in), and can be altered by password management staff.
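The “hardware cards or mobile phone log-in” mentioned above typically rely on a time-based one-time password (TOTP, standardized in RFC 6238): the device and the server share a secret, and each derives a short code from the current time, so a stolen code expires within seconds. A standard-library sketch:

```python
import hashlib
import hmac
import struct
import time

def totp(secret, at_time=None, digits=6, step=30):
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)                      # 30-second time window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

With the RFC 6238 test secret (the ASCII bytes "12345678901234567890") and a clock reading of 59 seconds, this produces the specification’s published eight-digit value 94287082, which is a handy sanity check for any implementation.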

Multiple administrators should jointly control key systems. Major configuration changes might require approval of multiple staffers, as well as the automatic notification of concerned personnel. And firms should employ a recovery mechanism to regain control in the event that key administrators are incapacitated or uncooperative. This balances security needs with an ability to respond in the event of a crisis. Such a system was not in place in the earlier described case of the rogue IT staffer who held the city of San Francisco’s networks hostage by refusing to give up vital passwords.

Have failure and recovery plans. While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. If a compromise has taken place, what needs to be done? Do stolen assets need to be devalued (e.g., accounts terminated, new accounts issued)? What should be done to notify customers and partners, educate them, and advise them through any necessary responses? Who should work with law enforcement and with the media? Do off-site backups or redundant systems need to be activated? Can systems be reliably restored without risking further damage?

Best practices are beginning to emerge. While postevent triage is beyond the scope of our introduction, the good news is that firms are now sharing data on breaches. Given the potential negative consequences of a breach, organizations once rarely admitted they’d been compromised. But now many are obligated to do so. And the broad awareness of infiltration both reduces organizational stigma in coming forward, and allows firms and technology providers to share knowledge on the techniques used by cybercrooks.

Information security is a complex, continually changing, and vitally important domain. The exploits covered in this chapter seem daunting, and new exploits constantly emerge. But your thinking on key issues should now be broader. Hopefully you’ve now embedded security thinking in your managerial DNA, and you are better prepared to be a savvy system user and a proactive participant working for your firm’s security. Stay safe!

Key Takeaways

  • End users can engage in several steps to improve the information security of themselves and their organizations. These include surfing smart, staying vigilant, updating software and products, using a comprehensive security suite, managing settings and passwords responsibly, backing up, properly disposing of sensitive assets, and seeking education.
  • Frameworks such as ISO27k can provide a road map to help organizations plan and implement an effective security regime.
  • Many organizations are bound by security compliance commitments and will face fines and retribution if they fail to meet these commitments.
  • Using frameworks and achieving compliance are not equal to security. Security is a continual process that must be constantly addressed and deeply ingrained in an organization’s culture.
  • Security is about trade-offs—economic and intangible. Firms need to understand their assets and risks in order to best allocate resources and address needs.
  • Information security is not simply a technical fix. Education, audit, and enforcement regarding firm policies are critical. The security team is broadly skilled and constantly working to identify and incorporate new technologies and methods into their organizations. Involvement and commitment are essential from the boardroom to frontline workers, and out to customers and partners.

Questions and Exercises

  1. Visit the security page for your ISP, school, or employer. What techniques do they advocate that we’ve discussed here? Are there any additional techniques mentioned and discussed? What additional provisions do they offer (tools, services) to help keep you informed and secure?
  2. What sorts of security regimes are in use at your university, and at firms you’ve worked or interned for? If you don’t have experience with this, ask a friend or relative for their professional experiences. Do you consider these measures to be too restrictive, too lax, or about right?
  3. While we’ve discussed the risks in having security that is too lax, what risk does a firm run if its security mechanisms are especially strict? What might a firm give up? What are the consequences of strict end-user security provisions?
  4. What risks does a firm face by leaving software unpatched? What risks does it face if it deploys patches as soon as they emerge? How should a firm reconcile these risks?
  5. What methods do firms use to ensure the integrity of their software, their hardware, their networks, and their partners?
  6. An organization’s password management system represents “the keys to the city.” Describe personnel issues that a firm should be concerned with regarding password administration. How might it address these concerns?

Chapter 12: A Manager’s Guide to the Internet and Telecommunications

12.1 Introduction

There’s all sorts of hidden magic happening whenever you connect to the Internet. But what really makes it possible for you to reach servers halfway around the world in just a fraction of a second? Knowing this is not only flat-out fascinating stuff; it’s also critically important for today’s manager to have at least a working knowledge of how the Internet functions.

That’s because the Internet is a platform of possibilities and a business enabler. Understanding how the Internet and networking works can help you brainstorm new products and services and understand roadblocks that might limit turning your ideas into reality. Marketing professionals who know how the Internet reaches consumers have a better understanding of how technologies can be used to find and target customers. Finance firms that rely on trading speed to move billions in the blink of an eye need to master Internet infrastructure to avoid being swept aside by more nimble market movers. And knowing how the Internet works helps all managers understand where their firms are vulnerable. In most industries today, if your network goes down then you might as well shut your doors and go home; it’s nearly impossible to get anything done if you can’t get online. Managers who know the Net are prepared to take the appropriate steps to secure their firms and keep their organization constantly connected.

12.2 Internet 101: Understanding How the Internet Works

Learning Objectives

After studying this section you should be able to do the following:

  1. Describe how the technologies of the Internet combine to answer these questions: What are you looking for? Where is it? And how do we get there?
  2. Interpret a URL, understand what hosts and domains are, describe how domain registration works, describe cybersquatting, and give examples of conditions that constitute a valid and invalid domain-related trademark dispute.
  3. Describe certain aspects of the Internet infrastructure that are fault-tolerant and support load balancing.
  4. Discuss the role of hosts, domains, IP addresses, and the DNS in making the Internet work.

The Internet is a network of networks—millions of them, actually. If the network at your university, your employer, or in your home has Internet access, it connects to an Internet service provider (ISP)An organization or firm that provides access to the Internet.. Many (but not all) ISPs are big telecommunications companies like Verizon, Comcast, and AT&T. These providers connect to one another, exchanging traffic, and ensuring your messages can get to any other computer that’s online and willing to communicate with you.

The Internet has no center and no one owns it. That’s a good thing. The Internet was designed to be redundant and fault-tolerant—meaning that if one network, connecting wire, or server stops working, everything else should keep on running. Rising from military research and work at educational institutions dating as far back as the 1960s, the Internet really took off in the 1990s, when graphical Web browsing was invented, and much of the Internet’s operating infrastructure was transitioned to be supported by private firms rather than government grants.

Figure 12.1

The Internet is a network of networks, and these networks are connected together. In the diagram above, a campus network is connected to other networks of the Internet via two ISPs: Cogent and Verizon.

Enough history—let’s see how it all works! If you want to communicate with another computer on the Internet then your computer needs to know the answer to three questions: What are you looking for? Where is it? And how do we get there? The computers and software that make up Internet infrastructure can help provide the answers. Let’s look at how it all comes together.

The URL: “What Are You Looking For?”

When you type an address into a Web browser (sometimes called a URLOften used interchangeably with “Web address,” URLs identify resources on the Internet along with the application protocol needed to retrieve them. for uniform resource locator), you’re telling your browser what you’re looking for. Figure 12.2 “Anatomy of a Web Address” describes how to read a typical URL.

Figure 12.2 Anatomy of a Web Address

The URL displayed really says, “Use the Web (http://) to find a host server named ‘www’ in the destination network, look in the ‘tech’ directory, and access the ‘index.html’ file.”

The http:// you see at the start of most Web addresses stands for hypertext transfer protocolApplication transfer protocol that allows Web browsers and Web servers to communicate with each other.. A protocolEnables communication by defining the format of data and rules for exchange. is a set of rules for communication—sort of like grammar and vocabulary in a language like English. The http protocol defines how Web browsers and Web servers communicate and is designed to be independent from the computer’s hardware and operating system. It doesn’t matter if messages come from a PC, a Mac, a huge mainframe, or a pocket-sized smartphone; if a device speaks to another using a common protocol, then it will be heard and understood.

The Internet supports lots of different applications, and many of these applications use their own application transfer protocol to communicate with each other. The server that holds your e-mail uses something called SMTP, or simple mail transfer protocol, to exchange mail with other e-mail servers throughout the world. FTPApplication transfer protocol that is used to copy files from one computer to another., or file transfer protocol, is used for—you guessed it—file transfer. FTP is how most Web developers upload the Web pages, graphics, and other files for their Web sites. Even the Web uses different protocols. When you surf to an online bank or when you’re ready to enter your payment information at the Web site of an Internet retailer, the http at the beginning of your URL will probably change to https (the “s” is for secure). That means that communications between your browser and server will be encrypted for safe transmission. The beauty of the Internet infrastructure is that any savvy entrepreneur can create a new application that rides on top of the Internet.
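To make the anatomy of a Web address concrete, here’s a minimal sketch using Python’s standard urllib.parse module. The URL below is a made-up example (echoing the “tech” directory and “index.html” file from Figure 12.2); any http address decomposes the same way.

```python
# Break a URL into the pieces described in the text:
# the application protocol, the host and domain name, and the path/file.
from urllib.parse import urlparse

url = "http://www.example.com/tech/index.html"
parts = urlparse(url)

print(parts.scheme)  # the application protocol: "http"
print(parts.netloc)  # the host and domain name: "www.example.com"
print(parts.path)    # the path and file name: "/tech/index.html"
```

The same call handles https, ftp, and other application protocols, since the scheme is just the text before the “://”.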

Hosts and Domain Names

The next part of the URL in our diagram holds the host and domain name. Think of the domain name as the name of the network you’re trying to connect to, and think of the host as the computer you’re looking for on that network.

Many domains have lots of different hosts. For example, Yahoo!’s main Web site is served from the host named “www” (at the address www.yahoo.com), but Yahoo! also runs other hosts including those named “finance” (finance.yahoo.com), “sports” (sports.yahoo.com), and “games” (games.yahoo.com).

Host and Domain Names: A Bit More Complex Than That

While it’s useful to think of a host as a single computer, popular Web sites often have several computers that work together to share the load for incoming requests. Assigning several computers to a host name offers load balancingDistributing a computing or networking workload across multiple systems to avoid congestion and slow performance. and fault toleranceThe ability of a system to continue operation even if a component fails., helping ensure that all visits to a popular site won’t overload a single computer, and that Google doesn’t go down if one computer fails.

It’s also possible for a single computer to have several host names. This might be the case if a firm were hosting several Web sites on a single piece of computing hardware.

Some domains are also further broken down into subdomains—many times to represent smaller networks or subgroups within a larger organization. For example, the address www.rhsmith.umd.edu is a University of Maryland address with a host “www” located in the subdomain “rhsmith” for the Robert H. Smith School of Business. International URLs might also include a second-level domain classification scheme. British URLs use this scheme, for example, with the BBC carrying the commercial (.co) designation—www.bbc.co.uk—and the University of Oxford carrying the academic (.ac) designation—www.ox.ac.uk. You can actually go 127 levels deep in assigning subdomains, but that wouldn’t make it easy on those who have to type in a URL that long.

Most Web sites are configured to load a default host, so you can often eliminate the host name if you want to go to the most popular host on a site (the default host is almost always named “www”). Another tip: most browsers will automatically add the “http://” for you, too.

Host and domain names are not case sensitive, so you can use a combination of upper and lower case letters and you’ll still get to your destination.

I Want My Own Domain

You can stake your domain name claim in cyberspace by going through a firm called a domain name registrar. You don’t really buy a domain name; you simply pay a registrar for the right to use that name, with the right renewable over time. While some registrars simply register domain names, others act as Web hosting servicesA firm that provides hardware and services to run the Web sites of others. that are able to run your Web site on their Internet-connected servers for a fee.

Registrars throughout the world are accredited by ICANN (Internet Corporation for Assigned Names and Numbers)Nonprofit organization responsible for managing the Internet’s domain and numbering systems., a nonprofit governance and standards-setting body. Each registrar may be granted the ability to register domain names in one or more of the Net’s generic top-level domains (gTLDs), such as “.com,” “.net,” or “.org.” There are dozens of registrars that can register “.com” domain names, the most popular gTLD.

Some generic top-level domain names, like “.com,” have no restrictions on use, while others limit registration. For example, “.edu” is restricted to U.S.-accredited, postsecondary institutions. ICANN has also announced plans to allow organizations to sponsor their own top-level domains (e.g., “.berlin,” or “.coke”).

There are also separate agencies that handle over 250 different two-character country code top-level domains, or ccTLDs (e.g., “.uk” for the United Kingdom and “.jp” for Japan). Servers or organizations generally don’t need to be housed within a country to use a country code as part of their domain names, leading to a number of creatively named Web sites. The URL-shortening site “bit.ly” uses Libya’s “.ly” top-level domain; many physicians are partial to Moldova’s code (“.md”); and the tiny Pacific island nation of Tuvalu might not have a single broadcast television station, but that doesn’t stop it from licensing its country code to firms that want a “.tv” domain name.K. Maney, “Tuvalu’s Sinking, But Its Domain Is on Solid Ground,” USA Today, April 27, 2004. Recent standards also allow domain names in languages that use non-Latin alphabets such as Arabic and Russian.

Domain name registration is handled on a first-come, first-served basis and all registrars share registration data to ensure that no two firms gain rights to the same name. Start-ups often sport wacky names, partly because so many domains with common words and phrases are already registered to others. While some domain names are held by legitimate businesses, others are registered by investors hoping to resell a name’s rights.

Trade in domain names can be lucrative. For example, the “Insure.com” domain was sold to QuinStreet for $16 million in fall 2009.B. Bosker, “The 11 Most Expensive Domain Names Ever,” The Huffington Post, March 10, 2010. But knowingly registering a domain name to profit from someone else’s firm name or trademark is known as cybersquattingAcquiring a domain name that refers to a firm, individual, product, or trademark, with the goal of exploiting it for financial gain. The practice is illegal in many nations, and ICANN has a dispute resolution mechanism that in some circumstances can strip cybersquatters of registered domains., and that’s illegal. The United States has passed the Anticybersquatting Consumer Protection Act (ACPA), and ICANN has the Domain Name Dispute Resolution Policy that can reach across borders. Try to extort money by holding a domain name that’s identical to (or in some cases, even similar to) a well-known trademark holder and you could be stripped of your domain name and even fined.

Courts and dispute resolution authorities will sometimes allow a domain that uses the trademark of another organization if it is perceived to have legitimate, nonexploitive reasons for doing so. For example, the now defunct site verizonreallysucks.com was registered as a protest against the networking giant and was considered fair use since owners didn’t try to extort money from the telecom giant.D. Streitfeld, “Web Site Feuding Enters Constitutional Domain,” The Washington Post, September 11, 2000. However, the courts allowed the owner of the PETA trademark (the organization People for the Ethical Treatment of Animals) to claim the domain name peta.org from its original registrant, who had been using that domain to host a site called “People Eating Tasty Animals.”D. McCullagh, “Ethical Treatment of PETA Domain,” Wired, August 25, 2001.

Trying to predict how authorities will rule can be difficult. The musician Sting’s name was thought to be too generic to deserve the rights to sting.com, but Madonna was able to take back her domain name (for the record, Sting now owns sting.com).R. Konrad and E. Hansen, “Madonna.com Embroiled in Domain Ownership Spat,” CNET, August 21, 2000. Apple executive Jonathan Ive was denied the right to reclaim domain names incorporating his own name that had been registered by another party without his consent. The publicity-shy design guru wasn’t considered enough of a public figure to warrant protection.D. Morson, “Apple VP Ive Loses Domain Name Bid,” MacWorld, May 12, 2009. And sometimes disputing parties can come to an agreement outside of court or ICANN’s dispute resolution mechanisms. When Canadian teenager Michael Rowe registered a site for his part-time Web design business, a firm south of the border took notice of his domain name—MikeRoweSoft.com. The two parties eventually settled in a deal that swapped the domain for an Xbox and a trip to the Microsoft Research Tech Fest.M. Kotadia, “MikeRoweSoft Settles for an Xbox,” CNET, January 26, 2004.

Path Name and File Name

Look to the right of the top-level domain and you might see a slash followed by either a path name, a file name, or both. If a Web address has a path and file name, the path maps to a folder location where the file is stored on the server; the file is the name of the file you’re looking for.

Most Web pages end in “.html,” indicating they are in hypertext markup languageLanguage used to compose Web pages.. While http helps browsers and servers communicate, html is the language used to create and format (render) Web pages. A file, however, doesn’t need to be .html; Web servers can deliver just about any type of file: Acrobat documents (.pdf), PowerPoint documents (.ppt or .pptx), Word docs (.doc or .docx), JPEG graphic images (.jpg), and—as we’ll see in Chapter 13 “Information Security: Barbarians at the Gateway (and Just About Everywhere Else)”—even malware programs that attack your PC. At some Web addresses, the file displays content for every visitor, and at others (like amazon.com), a file will contain programs that run on the Web server to generate custom content just for you.

You don’t always type a path or file name as part of a Web address, but there’s always a file lurking behind the scenes. A Web address without a file name will load content from a default page. For example, when you visit “google.com,” Google automatically pulls up a page called “index.html,” a file that contains the Web page that displays the Google logo, the text entry field, the “Google Search” button, and so on. You might not see it, but it’s there.

Butterfingers, beware! Path and file names are case sensitive—a path like “/tech/index.html” is considered to be different from “/tech/Index.html.” Mistype your capital letters after the domain name and you might get a 404 error (the very unfriendly Web server error code that means the document was not found).

IP Addresses and the Domain Name System: “Where Is It? And How Do We Get There?”

The IP Address

If you want to communicate, then you need to have a way for people to find and reach you. Houses and businesses have street addresses, and telephones have phone numbers. Every device connected to the Internet has an identifying address, too—it’s called an IP (Internet protocol) address.

A device gets its IP addressA value used to identify a device that is connected to the Internet. IP addresses are usually expressed as four numbers (from 0 to 255), separated by periods. from whichever organization is currently connecting it to the Internet. Connect using a laptop at your university and your school will assign the laptop’s IP address. Connect at a hotel, and the hotel’s Internet service provider lends your laptop an IP address. Laptops and other end-user machines might get a different IP address each time they connect, but the IP addresses of servers rarely change. It’s OK if you use different IP addresses during different online sessions because services like e-mail and Facebook identify you by your username and password. The IP address simply tells the computers that you’re communicating with where they can find you right now. IP addresses can also be used to identify a user’s physical location, to tailor search results, and to customize advertising. See Chapter 14 “Google: Search, Online Advertising, and Beyond” to learn more.

IP addresses are usually displayed as a string of four numbers between 0 and 255, separated by three periods. Want to know which IP address your smartphone or computer is using? Plenty of Web sites will display it for you; just search for “what is my IP address.”

The Internet Is Almost Full

If you do the math, four combinations of 0 to 255 gives you a little over four billion possible IP addresses. Four billion sounds like a lot, but the number of devices connecting to the Internet is exploding! Internet access is now baked into smartphones, tablets, televisions, DVD players, video game consoles, utility meters, thermostats, appliances, picture frames, and more. Another problem is a big chunk of existing addresses weren’t allocated efficiently, and these can’t be easily reclaimed from the corporations, universities, and other organizations that initially received them. All of this means that we’re running out of IP addresses. Experts differ on when ICANN will have no more numbers to dole out, but most believe that time will come by 2012, if not sooner.M. Ward, “Internet Approaches Addressing Limit,” BBC News, May 11, 2010.

There are some schemes to help delay the impact of this IP address drought. For example, a technique known as NAT (network address translation)A technique often used to conserve IP addresses by mapping devices on a private network to a single Internet-connected device that acts on their behalf. uses a gateway that allows multiple devices to share a single IP address. But NAT slows down Internet access and is complex, cumbersome, and expensive to administer.S. Shankland, “Google Tries to Break IPv6 Logjam by Own Example,” CNET, March 27, 2009.

The only long-term solution is to shift to a new IP scheme. Fortunately, one was developed more than a decade ago. IPv6 increases the possible address space from the 2^32 (4,294,967,296) addresses used in the current system (called IPv4) to a new theoretical limit of 2^128 addresses, which is a really big number—bigger than 34 with 37 zeros after it.
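The arithmetic behind those address counts is easy to verify with a couple of lines of Python:

```python
# IPv4 uses 32-bit addresses; IPv6 uses 128-bit addresses.
ipv4_space = 2 ** 32
ipv6_space = 2 ** 128

print(ipv4_space)            # 4294967296: "a little over four billion"
print(ipv6_space)            # roughly 3.4 x 10^38
print(len(str(ipv6_space)))  # 39 digits: "34" followed by 37 more digits
```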

But not all the news is good. Unfortunately, IPv6 isn’t backward compatible with IPv4, and the transition to the new standard has been painfully slow. This gives us the equivalent of many islands of IPv6 in a sea of IPv4, with translation between the two schemes happening when these networks come together. While most modern hardware and operating systems providers now support IPv6, converting a network to IPv6 currently involves a lot of cost with little short-term benefit.S. Shankland, “Google Tries to Break IPv6 Logjam by Own Example,” CNET, March 27, 2009. Upgrading may take years and is likely to result in rollout problems. David Conrad, a general manager at the Internet Assigned Numbers Authority (IANA), the agency that grants permission to use IP addresses, has said, “I suspect we are actually beyond a reasonable time frame where there won’t be some disruption. It’s just a question of how much.”B. Arnoldy, “IP Address Shortage to Limit Internet Access,” USA Today, August 3, 2007.

Some organizations have stepped up to try to hasten the transition. Google has made most of its services IPv6 accessible, the U.S. government has mandated IPv6 support for most agencies, China has spurred conversion within its borders, and Comcast and Verizon have major IPv6 rollouts under way. While the transition will be slow, when wide-scale deployment does arrive, IPv6 will offer other benefits, including potentially improving the speed, reliability, and security of the Internet.

The DNS: The Internet’s Phonebook

You can actually type an IP address of a Web site into a Web browser and that page will show up. But that doesn’t help users much because four sets of numbers are really hard to remember.

This is where the domain name service (DNS)Internet directory service that allows devices and services to be named and discoverable. The DNS, for example, helps your browser locate the appropriate computers when entering an address like www.yahoo.com. comes in. The domain name service is a distributed database that looks up the host and domain names that you enter and returns the actual IP address for the computer that you want to communicate with. It’s like a big, hierarchical set of phone books capable of finding Web servers, e-mail servers, and more. These “phone books” are called nameservers—and when they work together to create the DNS, they can get you anywhere you need to go online.

Figure 12.3

When your computer needs to find the IP address for a host or domain name, it sends a message to a DNS resolver, which looks up the IP address starting at the root nameserver. Once the lookup has taken place, that IP address can be saved in a holding space called a cache, to speed future lookups.

To get a sense of how the DNS works, let’s imagine that you type www.yahoo.com into a Web browser. Your computer doesn’t know where to find that address, but when your computer connected to the network, it learned where to find a service on the network called a DNS resolver. The DNS resolver can look up host/domain name combinations to find the matching IP address using the “phone book” that is the DNS. The resolver doesn’t know everything, but it does know where to start a lookup that will eventually give you the address you’re looking for. If this is the first time anyone on that network has tried to find “www.yahoo.com,” the resolver will contact one of thirteen identical root nameservers. The root acts as a lookup starting place. It doesn’t have one big list, but it can point you to a nameserver for the next level, which would be one of the “.com” nameservers in our example. The “.com” nameserver can then find one of the yahoo.com nameservers. The yahoo.com nameserver can respond to the resolver with the IP address for www.yahoo.com, and the resolver passes that information back to your computer. Once your computer knows Yahoo!’s IP address, it’s then ready to communicate directly with www.yahoo.com. The yahoo.com nameserver includes IP addresses for all Yahoo!’s public sites: www.yahoo.com, finance.yahoo.com, sports.yahoo.com, games.yahoo.com, and so on.

The system also remembers what it’s done so the next time you need the IP address of a host you’ve already looked up, your computer can pull this out of a storage space called a cacheA temporary storage space used to speed computing tasks., avoiding all those nameserver visits. Caches are periodically cleared and refreshed to ensure that data referenced via the DNS stays accurate.

Distributing IP address lookups this way makes sense. It avoids having one huge, hard-to-maintain, and ever-changing list. Firms add and remove hosts on their own networks just by updating entries in their nameserver. And it allows host IP addresses to change easily, too. Moving your Web server off-site to a hosting provider? Just update your nameserver with the new IP address at the hosting provider, and the world will invisibly find that new IP address on the new network by using the same old, familiar host/domain name combination. The DNS is also fault-tolerant—meaning that if one nameserver goes down, the rest of the service can function. There are exact copies at each level, and the system is smart enough to move on to another nameserver if its first choice isn’t responding.
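The walk from root to top-level domain to domain nameserver, plus the cache, can be sketched as a toy model in Python. To be clear, everything here is invented for illustration (the nameserver names, the example.com domain, the IP address): real resolvers speak the DNS protocol over the network rather than reading Python dictionaries.

```python
# A toy model of hierarchical DNS lookup with caching.
# Each "nameserver" is just a dictionary mapping names to the next hop.
ROOT = {"com": "com-nameserver"}                    # root knows the TLDs
COM = {"example.com": "example-nameserver"}         # ".com" knows the domains
EXAMPLE = {"www.example.com": ""}        # domain knows its hosts
NAMESERVERS = {"com-nameserver": COM, "example-nameserver": EXAMPLE}

cache = {}  # remembers answers so repeat lookups skip the walk

def resolve(host):
    """Walk root -> TLD -> domain nameserver to find host's IP address."""
    if host in cache:                        # answered before? use the cache
        return cache[host]
    tld = host.rsplit(".", 1)[-1]            # "com"
    domain = ".".join(host.split(".")[-2:])  # "example.com"
    tld_ns = NAMESERVERS[ROOT[tld]]          # root points us at ".com"
    domain_ns = NAMESERVERS[tld_ns[domain]]  # ".com" points at the domain
    ip = domain_ns[host]                     # domain nameserver knows the host
    cache[host] = ip                         # save for next time
    return ip

print(resolve("www.example.com"))  # first call walks the hierarchy
print(resolve("www.example.com"))  # second call is answered from the cache
```

Note how updating a host’s IP address only requires changing one entry in the domain’s own “nameserver” dictionary; the root and “.com” levels are untouched, which mirrors why the real DNS scales so well.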

But What If the DNS Gets Hacked?

A hacked DNS would be a disaster! Think about it. If bad guys could change which Web sites load when you type in a host and domain name, they could redirect you to impostor Web sites that look like a bank or e-commerce retailer but are really set up to harvest passwords and credit card data.

This exact scenario played out when the DNS of NET Virtua, a Brazilian Internet service provider, was hacked via a technique called DNS cache poisoning. Cache poisoning exploits a hole in DNS software, redirecting users to sites they didn’t request. The Brazilian DNS hack redirected NET Virtua users wishing to visit the Brazilian bank Bradesco to fraudulent Web sites that attempted to steal passwords and install malware. The hack impacted about 1 percent of the bank’s customers before the attack was discovered.D. Godin, “Cache-Poisoning Attack Snares Top Brazilian Bank,” The Register, April 22, 2009.

The exploit showed the importance of paying attention to security updates. A few months earlier, a group that Wired magazine referred to as “A Secret Geek A-Team”J. Davis, “Secret Geek A-Team Hacks Back, Defends Worldwide Web,” Wired, Nov. 24, 2008. had developed a software update that would have prevented the DNS poisoning exploit used against NET Virtua, but administrators at the Brazilian Internet service provider failed to update their software so the hackers got in. An additional upgrade to a DNS system, known as DNSSEC (domain name service security extensions), promises to further limit the likelihood of cache poisoning, but it may take years for the new standards to be rolled out everywhere.J. Hutchinson, “ICANN, Verisign Place Last Puzzle Pieces in DNSSEC Saga,” NetworkWorld, May 2, 2010.

Key Takeaways

  • The Internet is a network of networks. Internet service providers connect with one another to share traffic, enabling any Internet-connected device to communicate with any other.
  • URLs may list the application protocol, host name, domain name, path name, and file name, in that order. Path and file names are case sensitive.
  • A domain name represents an organization. Hosts are public services offered by that organization. Hosts are often thought of as a single computer, although many computers can operate under a single host name and many hosts can also be run off a single computer.
  • You don’t buy a domain name but can register it, paying for a renewable right to use that domain name. Domains need to be registered within a generic top-level domain such as “.com” or “.org” or within a two-character country code top-level domain such as “.uk,” “.ly,” or “.md.”
  • Registering a domain that uses someone else’s trademark in an attempt to extract financial gain is considered cybersquatting. The United States and other nations have anticybersquatting laws, and ICANN has a dispute resolution system that can overturn domain name claims if a registrant is considered to be cybersquatting.
  • Every device connected to the Internet has an IP address. These addresses are assigned by the organization that connects the user to the Internet. An IP address may be assigned temporarily, for use only during that online session.
  • We’re running out of IP addresses. The current scheme (IPv4) is being replaced by IPv6, a scheme that will give us many more addresses and additional feature benefits but is not backward compatible with the IPv4 standard. Transitioning to IPv6 will be costly and take time.
  • The domain name system is a distributed, fault-tolerant system that uses nameservers to map host/domain name combinations to IP addresses.

Questions and Exercises

  1. Find the Web page for your school’s information systems department. What is the URL that gets you to this page? Label the host name, domain name, path, and file for this URL. Are there additional subdomains? If so, indicate them, as well.
  2. Go to a registrar and see if someone has registered your first or last name as a domain name. If so, what’s hosted at that domain? If not, would you consider registering your name as a domain name? Why or why not?
  3. Investigate cases of domain name disputes. Examine a case that you find especially interesting. Who were the parties involved? How was the issue resolved? Do you agree with the decision?
  4. Describe how the DNS is fault-tolerant and promotes load balancing. Give examples of other types of information systems that might need to be fault-tolerant and offer load balancing. Why?
  5. Research DNS poisoning online. List a case, other than the one mentioned in this chapter, where DNS poisoning took place. Which network was poisoned, who were the victims, and how did hackers exploit the poisoned system? Could this exploit have been stopped? How? Whose responsibility is it to stop these kinds of attacks?
  6. Why is the switch from IPv4 to IPv6 so difficult? What key principles, discussed in prior chapters, are slowing migration to the new standard?

12.3 Getting Where You’re Going

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the layers that make up the Internet—application protocol, transmission control protocol, and Internet protocol—and describe why each is important.
  2. Discuss the benefits of Internet architecture in general and TCP/IP in particular.
  3. Name applications that should use TCP and others that might use UDP.
  4. Understand what a router does and the role these devices play in networking.
  5. Conduct a traceroute and discuss the output, demonstrating how Internet interconnections work in getting messages from point to point.
  6. Understand why mastery of Internet infrastructure is critical to modern finance and be able to discuss the risks in automated trading systems.
  7. Describe VoIP, and contrast circuit versus packet switching, along with organizational benefits and limitations of each.

TCP/IP: The Internet’s Secret Sauce

OK, we know how to read a Web address, we know that every device connected to the Net needs an IP address, and we know that the DNS can look at a Web address and find the IP address of the machine that you want to communicate with. But how does a Web page, an e-mail, or an iTunes download actually get from a remote computer to your desktop?

For our next part of the Internet journey, we’ll learn about two additional protocols: TCP and IP. These protocols are often written as TCP/IP and pronounced by reading all five letters in a row, “T-C-P-I-P” (sometimes they’re also referred to as the Internet protocol suite). TCP and IP are built into any device that a user would use to connect to the Internet—from handhelds to desktops to supercomputers—and together TCP/IP make internetworking happen.

Figure 12.4 TCP/IP in Action

In this example, a server on the left sends a Web page to the user on the right. The application (the Web server) passes the contents of the page to TCP (which is built into the server’s operating system). TCP slices the Web page into packets. Then IP takes over, forwarding packets from router to router across the Internet until it arrives at the user’s PC. Packets sometimes take different routes, and occasionally arrive out of order. TCP running on the receiving system on the right checks that all packets have arrived, requests that damaged or lost packets be resent, puts them in the right order, and sends a perfect, exact copy of the Web page to your browser.

TCP and IP operate below http and the other application transfer protocols mentioned earlier. TCP (transmission control protocol)Works at both ends of most Internet communication to ensure a perfect copy of a message is sent. works its magic at the start and endpoint of the trip—on both your computer and on the destination computer you’re communicating with. Let’s say a Web server wants to send you a large Web page. The Web server application hands the Web page it wants to send to its own version of TCP. TCP then slices up the Web page into smaller chunks of data called packets (or datagrams)A unit of data forwarded by a network. All Internet transmissions—URLs, Web pages, e-mails—are divided into one or more packets.. The packets are like little envelopes containing part of the entire transmission—they’re labeled with a destination address (where it’s going) and a source address (where it came from). Now we’ll leave TCP for a second, because TCP on the Web server then hands those packets off to the second half of our dynamic duo, IP.

It’s the job of IP (Internet protocol)Routing protocol that is in charge of forwarding packets on the Internet. to route the packets to their final destination, and those packets might have to travel over several networks to get to where they’re going. The relay work is done via special computers called routersA computing device that connects networks and exchanges data between them., and these routers speak to each other and to other computers using IP (since routers are connected to the Internet, they have IP addresses, too. Some are even named). Every computer on the Internet is connected to a router, and all routers are connected to at least one (and usually more than one) other router, linking up the networks that make up the Internet.

Routers don’t have perfect, end-to-end information on all points in the Internet, but they do talk to each other all the time, so a router has a pretty good idea of where to send a packet to get it closer to where it needs to end up. This chatter between the routers also keeps the Internet decentralized and fault-tolerant. Even if one path out of a router goes down (a networking cable gets cut, a router breaks, the power to a router goes out), as long as there’s another connection out of that router, then your packet will get forwarded. Networks fail, so good, fault-tolerant network design involves having alternate paths into and out of a network.
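The router chatter described above can be sketched as a graph search: as long as some sequence of working links connects two routers, a packet can get through, even after a link fails. Here’s a minimal Python illustration using breadth-first search over a toy network of hypothetical routers (real routing protocols like BGP and OSPF are far more sophisticated; this only shows the fault-tolerance idea):

```python
from collections import deque

def find_path(links, src, dst):
    """Breadth-first search for any working route from src to dst."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in links.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no route: the destination is unreachable

# A tiny mesh of routers (hypothetical names), each with more than one link out.
links = {
    "A": ["B", "C"], "B": ["A", "D"],
    "C": ["A", "D"], "D": ["B", "C"],
}
assert find_path(links, "A", "D") == ["A", "B", "D"]
links["B"].remove("D")   # a cable between B and D gets cut...
assert find_path(links, "A", "D") == ["A", "C", "D"]  # ...traffic routes around it
```

Note that cutting the B–D link doesn’t strand the packet—the mesh design leaves an alternate path, which is exactly why fault-tolerant networks are built with multiple connections per router.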

Once packets are received by the destination computer (your computer in our example), that machine’s version of TCP kicks in. TCP checks that it has all the packets, makes sure that no packets were damaged or corrupted, requests replacement packets (if needed), and then puts the packets in the correct order, passing a perfect copy of your transmission to the program you’re communicating with (an e-mail server, Web server, etc.).

This progression—application at the source to TCP at the source (slice up the data being sent), to IP (for forwarding among routers), to TCP at the destination (put the transmission back together and make sure it’s perfect), to application at the destination—takes place in both directions, starting at the server for messages coming to you, and starting on your computer when you’re sending messages to another computer.
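To make the slice-and-reassemble idea concrete, here’s a toy sketch in Python. This is not real TCP—sequence numbering, acknowledgments, and checksums are vastly simplified, and the addresses are illustrative—but it shows how labeled packets let a receiver rebuild a perfect copy even when delivery order is scrambled:

```python
import random

MTU = 1500  # bytes per packet payload; a common maximum transmission unit

def to_packets(data: bytes, src: str, dst: str):
    """TCP-style slicing: wrap each chunk with addressing and a sequence number."""
    return [
        {"seq": i, "src": src, "dst": dst, "payload": data[i * MTU:(i + 1) * MTU]}
        for i in range((len(data) + MTU - 1) // MTU)
    ]

def reassemble(packets):
    """Receiver-side TCP: sort by sequence number and rebuild the original bytes."""
    return b"".join(p["payload"] for p in sorted(packets, key=lambda p: p["seq"]))

page = b"<html>" + b"x" * 5000 + b"</html>"
packets = to_packets(page, src="203.0.113.5", dst="192.0.2.9")
random.shuffle(packets)             # IP may deliver packets out of order
assert reassemble(packets) == page  # TCP restores a perfect copy
```

The “envelope” metaphor from the text maps directly onto the dictionary fields: a destination address, a source address, and a sequence number that makes reordering possible.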

UDP: TCP’s Faster, Less Reliable Sibling

TCP is a perfectionist and that’s what you want for Web transmissions, e-mail, and application downloads. But sometimes we’re willing to sacrifice perfection for speed. You’d make this sacrifice for streaming media applications like Windows Media Player, Real Player, Internet voice chat, and video conferencing. Having to wait to make sure each packet is perfectly sent would otherwise lead to awkward pauses that interrupt real-time listening. It’d be better to just grab the packets as they come and play them, even if they have minor errors. Packets are small enough that if one packet doesn’t arrive, you can ignore it and move on to the next without too much quality disruption. A protocol called UDP (user datagram protocol)Protocol that operates instead of TCP in applications where delivery speed is important and quality can be sacrificed. does exactly this, working as a TCP stand-in when you’ve got the need for speed, and are willing to sacrifice quality. If you’ve ever watched a Web video or had a Web-based phone call and the quality got sketchy, it’s probably because there were packet problems, but UDP kept on chugging, making the “get it fast” instead of “get it perfect” trade-off.
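The TCP-versus-UDP trade-off can be shown with a small simulation (no real sockets here—just the delivery logic, with hypothetical packet contents). TCP-style delivery waits for a retransmission of anything lost; UDP-style delivery skips the hole and keeps going:

```python
def tcp_deliver(packets, lost, resend):
    """TCP-style: missing packets are re-requested before delivery."""
    copy = dict(enumerate(packets))
    for i in lost:
        copy[i] = resend(i)          # ask the sender for the lost packet again
    return b"".join(copy[i] for i in sorted(copy))

def udp_deliver(packets, lost):
    """UDP-style: lost packets are simply skipped; playback never stalls."""
    return b"".join(p for i, p in enumerate(packets) if i not in lost)

stream = [b"Hel", b"lo, ", b"wor", b"ld!"]   # packets of some transmission
lost = {1}                                    # the network drops packet 1

assert tcp_deliver(stream, lost, resend=lambda i: stream[i]) == b"Hello, world!"
assert udp_deliver(stream, lost) == b"Helworld!"
```

The TCP result is perfect but arrives only after the round-trip delay of the resend; the UDP result is glitchy (“Helworld!”) but never pauses—exactly the “get it fast” versus “get it perfect” trade-off described above.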

VoIP: When Phone Calls Are Just Another Internet Application

The increasing speed and reliability of the Internet means that applications such as Internet phone calls (referred to as VoIP, or voice over Internet protocolTransmission technologies that enable voice communications (phone calls) to take place over the Internet as well as private packet-switched networks.) are becoming more reliable. That doesn’t just mean that Skype becomes a more viable alternative for consumer landline and mobile phone calls; it’s also good news for many businesses, governments, and nonprofits.

Many large organizations maintain two networks—one for data and another for POTS (plain old telephone service). Maintaining two networks is expensive, and while conventional phone calls are usually of a higher quality than their Internet counterparts, POTS equipment is also inefficient. Old phone systems use a technology called circuit switching. A “circuit” is a dedicated connection between two entities. When you have a POTS phone call, a circuit is open, dedicating a specific amount of capacity between you and the party on the other end. You’re using that “circuit” regardless of whether you’re talking. Pause between words or put someone on hold, and the circuit is still in use. Anyone who has ever tried to make a phone call at a busy time (say, early morning on Mother’s Day or at midnight on New Year’s Eve) and received an “all circuits are busy” recording has experienced congestion on an inefficient circuit-switched phone network.

But unlike circuit-switched counterparts, Internet networks are packet-switched networks, which can be more efficient. Since we can slice conversations up into packets, we can squeeze them into smaller spaces. If there are pauses in a conversation or someone’s on hold, applications don’t hold up the network. And that creates an opportunity to use the network’s available capacity for other users. The trade-off is one that swaps circuit switching’s quality of service (QoS) with packet switching’s efficiency and cost savings. Try to have a VoIP call when there’s too much traffic on a portion of the network and your call quality will drop. But packet switching quality is getting much better. Networking standards are now offering special features, such as “packet prioritization,” that can allow voice packets to gain delivery priority over packets for applications like e-mail, where a slight delay is OK.
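The “packet prioritization” idea mentioned above amounts to a priority queue inside the router: delay-sensitive voice packets jump ahead of packets that can tolerate a wait. Here’s a minimal sketch using Python’s heapq (the traffic classes and priority values are assumptions for illustration; real quality-of-service schemes such as DiffServ are considerably more involved):

```python
import heapq

PRIORITY = {"voice": 0, "video": 1, "email": 2}  # lower number = sent first

def prioritized_send(packets):
    """Drain a router's queue, letting delay-sensitive voice packets jump ahead."""
    queue = []
    for order, (kind, payload) in enumerate(packets):
        # 'order' breaks ties so packets of the same kind stay in arrival order
        heapq.heappush(queue, (PRIORITY[kind], order, payload))
    return [heapq.heappop(queue)[2] for _ in range(len(queue))]

arrivals = [("email", "e1"), ("voice", "v1"), ("email", "e2"), ("voice", "v2")]
assert prioritized_send(arrivals) == ["v1", "v2", "e1", "e2"]
```

Even though the e-mail packets arrived first, both voice packets go out ahead of them—a slight delay for e-mail is unnoticeable, while the same delay would make a VoIP call stutter.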

When voice is digitized, “telephone service” simply becomes another application that sits on top of the Internet, like the Web, e-mail, or FTP. VoIP calls between remote offices can save long distance charges. And when the phone system becomes a computer application, you can do a lot more. Well-implemented VoIP systems allow users’ browsers access to their voice mail inbox, one-click video conferencing and call forwarding, point-and-click conference call setup, and other features, but you’ll still have a phone number, just like with POTS.

What Connects the Routers and Computers?

Routers are connected together, either via cables or wirelessly. A cable connecting a computer in a home or office is probably copper (likely what’s usually called an Ethernet cable), with transmissions sent through the copper via electricity. Long-haul cables, those that carry lots of data over long distances, are usually fiber-optic lines—glass-lined cables that transmit light (light is faster and travels farther distances than electricity, but fiber-optic networking equipment is more expensive than the copper-electricity kind). Wireless transmission can happen via Wi-Fi (for shorter distances), or via cell phone towers or satellites over longer distances. But the beauty of the Internet protocol suite (TCP/IP) is that it doesn’t matter what the actual transmission media are. As long as your routing equipment can connect any two networks, and as long as that equipment “speaks” IP, then you can be part of the Internet.

In reality, your messages likely transfer via lots of different transmission media to get to their final destination. If you use a laptop connected via Wi-Fi, then that wireless connection finds a base station, usually within about three hundred feet. That base station is probably connected to a local area network (LAN) via a copper cable. And your firm or college may connect to fast, long-haul portions of the Internet via fiber-optic cables provided by that firm’s Internet service provider (ISP).

Most big organizations have multiple ISPs for redundancy, providing multiple paths in and out of a network. This is so that if a network connection provided by one firm goes down, say an errant backhoe cuts a cable, other connections can route around the problem (see Figure 12.1).

In the United States (and in most deregulated telecommunications markets), Internet service providers come in all sizes, from smaller regional players to sprawling international firms. When different ISPs connect their networking equipment together to share traffic, it’s called peeringWhen separate ISPs link their networks to swap traffic on the Internet.. Peering usually takes place at neutral sites called Internet exchange points (IXPs), although some firms also have private peering points. Carriers usually don’t charge one another for peering. Instead, “the money is made” in the ISP business by charging the end-points in a network—the customer organizations and end users that an ISP connects to the Internet. Competition among carriers helps keep prices down, quality high, and innovation moving forward.

Finance Has a Need for Speed

When many folks think of Wall Street trading, they think of the open outcry pit at the New York Stock Exchange (NYSE). But human traders are just too slow for many of the most active trading firms. Over half of all U.S. stock trades and a quarter of worldwide currency trades now happen via programs that make trading decisions without any human intervention.H. Timmons, “A London Hedge Fund that Opts for Engineers, Not M.B.A.’s,” New York Times, August 18, 2006. There are many names for this automated, data-driven frontier of finance—algorithmic trading, black-box trading, or high-frequency trading. And while firms specializing in automated, high-frequency trading represent only about 2 percent of the trading firms operating in the United States, they account for about three quarters of all U.S. equity trading volume.R. Iati, “The Real Story of Trading Software Espionage,” Advanced Trading, July 10, 2009.

Programmers lie at the heart of modern finance. “A geek who writes code—those guys are now the valuable guys” says the former head of markets systems at Fidelity Investments, and that rare breed of top programmer can make “tens of millions of dollars” developing these systems.A. Berenson, “Arrest Over Software Illuminates Wall St. Secret,” New York Times, August 23, 2009. Such systems leverage data mining and other model-building techniques to crunch massive volumes of data and discover exploitable market patterns. Models are then run against real-time data and executed the instant a trading opportunity is detected. (For more details on how data is gathered and models are built, see Chapter 11 “The Data Asset: Databases, Business Intelligence, and Competitive Advantage”.)

Winning with these systems means being quick—very quick. Suffer delay (what techies call latency) and you may have missed your opportunity to pounce on a signal or market imperfection. To cut latency, many trading firms are moving their servers out of their own data centers and into colocation facilities. These facilities act as storage places where a firm’s servers get superfast connections as close to the action as possible. And by renting space in a “colo,” a firm gets someone else to manage the electrical and cooling issues, often providing more robust power backup and lower energy costs than a firm might get on its own.

Equinix, a major publicly traded IXP and colocation firm with facilities worldwide, has added a growing number of high-frequency trading firms to a roster of customers that includes e-commerce, Internet, software, and telecom companies. In northern New Jersey alone (the location of many of the servers where “Wall Street” trading takes place), Equinix hosts some eighteen exchanges and trading platforms as well as the NYSE Secure Financial Transaction Infrastructure (SFTI) access node.

Less than a decade ago, eighty milliseconds was acceptably low latency, but now trading firms are pushing below one millisecond into microseconds.I. Schmerken, “High-Frequency Trading Shops Play the Colocation Game,” Advanced Trading, October 5, 2009. So it’s pretty clear that understanding how the Internet works, and how to best exploit it, is of fundamental and strategic importance to those in finance. But also recognize that this kind of automated trading comes with risks. Systems that run on their own can move many billions in the blink of an eye, and the actions of one system may cascade, triggering actions by others.
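A quick back-of-the-envelope calculation shows why colocation matters for latency. Light in fiber travels at roughly two-thirds the speed of light in a vacuum—about 200 kilometers per millisecond—so distance alone sets a hard floor on round-trip time, before any router or software delay. The distances below are illustrative assumptions:

```python
FIBER_KM_PER_MS = 200.0  # light in glass: roughly 2/3 of c, ~200 km per millisecond

def round_trip_ms(km: float) -> float:
    """Best-case propagation delay there and back, ignoring router hops."""
    return 2 * km / FIBER_KM_PER_MS

# Hypothetical distances: a server across the country vs. one in the same colo.
assert round(round_trip_ms(1150), 1) == 11.5   # ~1,150 km away: over 11 ms round-trip
assert round_trip_ms(0.1) < 0.01               # same building: microseconds
```

If competitors are trading in microseconds, a server a thousand kilometers from the exchange has already lost before its packets arrive—hence the rush to rent space “as close to the action as possible.”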

The spring 2010 “Flash Crash” resulted in a nearly 1,000-point freefall in the Dow Jones Industrial Average, its biggest intraday drop ever. Those black boxes can be mysterious—weeks after the May 6th event, experts were still parsing through trading records, trying to unearth how the flash crash happened.E. Daimler and G. Davis, “‘Flash Crash’ Proves Diversity Needed in Market Mechanisms,” Pittsburgh Post-Gazette, May 29, 2010. Regulators and lawmakers recognize they now need to understand technology, telecommunications, and their broader impact on society so that they can create platforms that fuel growth without putting the economy at risk.

Watching the Packet Path via Traceroute

Want to see how packets bounce from router to router as they travel around the Internet? Check out a tool called traceroute. Traceroute repeatedly sends a cluster of three packets starting at the first router connected to a computer, then the next, and so on, building out the path that packets take to their destination.

Traceroute is built into all major desktop operating systems (Windows, Macs, Linux), and several Web sites will run traceroute between distant locations for you.

The message below shows a traceroute performed between Irish firm VistaTEC and Boston College. At first, it looks like a bunch of gibberish, but if we look closely, we can decipher what’s going on.

Figure 12.5

The table above shows ten hops, starting at VistaTEC’s network and ending at Boston College (the table doesn’t say this, but all IP addresses starting with 136.167 are Boston College addresses). The three groups of numbers at the end of each line show the time (in milliseconds) of three packets sent out to test that hop of our journey. These numbers might be interesting for network administrators trying to diagnose speed issues, but we’ll ignore them and focus on how packets get from point to point.

At the start of each line is the name of the computer or router that is relaying packets for that leg of the journey. Sometimes routers are named, and sometimes they’re just IP addresses. When routers are named, we can tell what network a packet is on by looking at the domain name. By looking at the router names to the left of each line in the traceroute above, we see that the first two hops are within VistaTEC’s own network. Hop 3 shows the first router outside that network. It’s at a different firm’s domain, so this must be VistaTEC’s Internet service provider, since it’s the first connection outside VistaTEC’s network.

Sometimes router names suggest their locations (oftentimes they use the same three-character abbreviations you’d see at airports). Look closely at the hosts in hops 3 through 7. The subdomains dub20, lon11, lon01, jfk02, and bos01 suggest the packets are going from Dublin, then east to London, then west to New York City (John F. Kennedy International Airport), then north to Boston. That’s a long way to travel in a fraction of a second!

Hops 4 and 5 are at domains belonging to two different firms (look the names up online and you’ll find that both are ISPs). That suggests that between those hops peering is taking place and traffic is handed off from carrier to carrier.

Hop 8 is still at the second carrier, but it’s not clear who the unnamed router in hop 9 belongs to. We can use the Internet to sleuth that out, too. Search the Internet for the phrase “IP address lookup” and you’ll find a bunch of tools to track down the organization that “owns” an IP address. Using one of those tools, I found that this number is registered to PSI Net, which is now part of Cogent Communications.

Routing paths, ISPs, and peering all revealed via traceroute. You’ve just performed a sort of network “CAT scan” and looked into the veins and arteries that make up a portion of the Internet. Pretty cool!

If you try out traceroute on your own, be aware that not all routers and networks are traceroute friendly. It’s possible that as your trace hits some hops along the way (particularly at the start or end of your journey), three “*” characters will show up at the end of each line instead of the numbers indicating packet speed. This indicates that traceroute has timed out on that hop. Some networks block traceroute because hackers have used the tool to probe a network to figure out how to attack an organization. Most of the time, though, the hops between the source and destination of the traceroute (the steps involving all the ISPs and their routers) are visible.

Traceroute can be a neat way to explore how the Internet works and reinforce the topics we’ve just learned. Search for traceroute tools online or browse the Internet for details on how to use the traceroute command built into your computer.
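One way to reinforce what traceroute output means is to parse it programmatically. The sketch below pulls the hop number, router name, and IP address out of each line, and treats a `* * *` line as a timed-out hop. The sample output and hostnames are invented for illustration (real traceroute output varies somewhat by operating system):

```python
import re

# A hypothetical traceroute excerpt (hostnames invented for illustration).
SAMPLE = """\
 3  ge-1-1.dub20.example-isp.net (192.0.2.10)  1.104 ms  1.098 ms  1.121 ms
 4  so-2-0.lon11.example-isp.net (192.0.2.44)  12.500 ms  12.488 ms  12.519 ms
 5  te-4-2.jfk02.other-carrier.net (198.51.100.7)  80.102 ms  80.090 ms  80.133 ms
 6  * * *"""

HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")

def parse_hops(text):
    """Pull (hop number, router name, IP) from each line; '* * *' means a timeout."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        hops.append((int(m.group(1)), m.group(2), m.group(3)) if m else None)
    return hops

hops = parse_hops(SAMPLE)
assert hops[0] == (3, "ge-1-1.dub20.example-isp.net", "192.0.2.10")
assert hops[3] is None   # hop 6 timed out (a traceroute-unfriendly router)
# A change of domain between hops 4 and 5 hints at a peering hand-off.
assert hops[1][1].split(".", 2)[2] != hops[2][1].split(".", 2)[2]
```

Notice how the domain change between hops 4 and 5 is exactly the kind of clue the walkthrough above used to spot carrier-to-carrier peering.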

There’s Another Internet?

If you’re a student at a large research university, there’s a good chance that your school is part of Internet2. Internet2 is a research network created by a consortium of research, academic, industry, and government organizations. These organizations have collectively set up a high-performance network running at speeds of up to one hundred gigabits per second to support and experiment with demanding applications. Examples include high-quality video conferencing; high-reliability, high-bandwidth imaging for the medical field; and applications that share huge data sets among researchers.

If your university is an Internet2 member and you’re communicating with another computer that’s part of the Internet2 consortium, then your organization’s routers are smart enough to route traffic through the superfast Internet2 backbone. If that’s the case, you’re likely already using Internet2 without even knowing it!

Key Takeaways

  • TCP/IP, or the Internet protocol suite, helps get perfect copies of Internet transmissions from one location to another. TCP works at the ends of a transmission, breaking transmissions up into manageable packets at the start and putting them back together (while checking quality) at the end. IP works in the middle, routing packets to their destination.
  • Routers are special computing devices that forward packets from one location to the next. Routers are typically connected with more than one outbound path, so in case one path becomes unavailable, an alternate path can be used.
  • UDP is a replacement for TCP, used when it makes sense to sacrifice packet quality for delivery speed. It’s often used for media streaming.
  • TCP/IP doesn’t care about the transmission media. This allows networks of different types—copper, fiber, and wireless—to connect to and participate in the Internet.
  • The ability to swap in new applications, protocols, and transmission media gives the network tremendous flexibility.
  • Decentralization, fault tolerance, and redundancy help keep the network open and reliable.
  • VoIP allows voice and phone systems to become an application traveling over the Internet. This is allowing many firms to save money on phone calls and through the elimination of old, inefficient circuit-switched networks. As Internet applications, VoIP phone systems can also have additional features that circuit-switched networks lack. The primary limitation of many VoIP systems is quality of service.
  • Many firms in the finance industry have developed automated trading models that analyze data and execute trades without human intervention. Speeds substantially less than one second may be vital to capitalizing on market opportunities, so firms are increasingly moving equipment into colocation facilities that provide high-speed connectivity to other trading systems.

Questions and Exercises

  1. How can the Internet consist of networks of such physically different transmission media—cable, fiber, and wireless?
  2. What is the difference between TCP and UDP? Why would you use one over the other?
  3. Would you recommend a VoIP phone system to your firm or university? Why or why not? What are the advantages? What are the disadvantages? Can you think of possible concerns or benefits not mentioned in this section? Research these concerns online and share your findings with your instructor.
  4. What are the risks in the kinds of automated trading systems described in this section? Conduct research and find an example of where these systems have caused problems for firms and/or the broader market. What can be done to prevent such problems? Whose responsibility is this?
  5. Search the Internet for a traceroute tool, or look online to figure out how to use the traceroute command built into your PC. Run three or more traceroutes to different firms at different locations around the world. List the number of ISPs that show up in the trace. Circle the areas where peering occurs. Do some of the “hops” time out with “*” values returned? If so, why do you think that happened?
  6. Find out if your school or employer is an Internet2 member. If it is, run traceroutes to schools that are and are not members of Internet2. What differences do you see in the results?

12.4 Last Mile: Faster Speed, Broader Access

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the last-mile problem and be able to discuss the pros and cons of various broadband technologies, including DSL, cable, fiber, and various wireless offerings.
  2. Describe 3G and 4G systems, listing major technologies and their backers.
  3. Understand the issue of Net neutrality and put forth arguments supporting or criticizing the concept.

The Internet backboneHigh-speed data lines provided by many firms all across the world that interconnect and collectively form the core of the Internet. is made of fiber-optic lines that carry data traffic over long distances. Those lines are pretty speedy. In fact, several backbone providers, including AT&T and Verizon, are rolling out infrastructure with 100 Gbps transmission speeds (that’s enough to transmit a two-hour high-definition [HD] movie in about eight seconds).T. Spangler, “Cisco Clarifies 100-Gig AT&T Backbone Claim,” Multichannel News, March 9, 2010; “AT&T Tests 100 Gb Ethernet in Move toward Faster Internet,” SeekingAlpha, March 10, 2010. But when considering overall network speed, remember Amdahl’s LawA system’s speed is determined by its slowest component.: a system’s speed is determined by its slowest component.G. Gilder, Telecosm: How Infinite Bandwidth Will Revolutionize Our World (New York: Free Press, 2000). More often than not, the bottleneck isn’t the backbone but the so-called last mileTechnologies that connect end users to the Internet. The last-mile problem refers to the fact that these connections are usually the slowest part of the network., or the connections that customers use to get online.
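Amdahl’s Law applied to networks boils down to taking the minimum over the links in a path. A short sketch with hypothetical link speeds makes the backbone-versus-last-mile gap vivid:

```python
def end_to_end_gbps(links_gbps):
    """A transfer goes no faster than its slowest link (Amdahl's Law for networks)."""
    return min(links_gbps)

# Hypothetical path: 100 Gbps backbone, 1 Gbps campus LAN, 16 Mbps cable modem.
path = [100.0, 1.0, 0.016]
assert end_to_end_gbps(path) == 0.016  # the last mile is the bottleneck

# At full backbone speed, an 800-gigabit (~100 GB) HD movie takes about 8 seconds...
assert 800 / 100.0 == 8.0
# ...but over the 16 Mbps last mile, the same file takes roughly 14 hours.
assert round(800 / 0.016 / 3600) == 14
```

Eight seconds versus fourteen hours for the same movie, over the same backbone—the difference is entirely in the last mile, which is why the technologies below matter so much.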

High-speed last-mile technologies are often referred to as broadband Internet access (or just broadbandBroadly refers to high-speed Internet connections and is often applied to “last-mile” technologies.). What qualifies as broadband varies. In 2009, the Federal Communications Commission (FCC) redefined broadband as having a minimum speed of 768 Kbps (roughly fourteen times the speed of those old 56 Kbps modems). Other agencies worldwide may have different definitions. But one thing is clear: a new generation of bandwidth-demanding services requires more capacity. As we increasingly consume Internet services like HD streaming, real-time gaming, video conferencing, and music downloads, we are in fact becoming a bunch of voracious, bit-craving gluttons.

With the pivotal role the United States has played in the creation of the Internet, and in pioneering software, hardware, and telecommunications industries, you might expect the United States to lead the world in last-mile broadband access. Not even close. A recent study ranked the United States twenty-sixth in download speeds,S. Lawson, “US Ranks 26th in New Broadband Index,” Computerworld, May 25, 2010. while others have ranked the United States far behind in speed, availability, and price.S. Hansell, “The Broadband Gap: Why Is Theirs Faster?” New York Times, March 10, 2009.

Sounds grim, but help is on the way. A range of technologies and firms are upgrading infrastructure and developing new systems that will increase capacity not just in the United States but also worldwide. Here’s an overview of some of the major technologies that can be used to speed the Internet’s last mile.

Understanding Bandwidth

When folks talk about bandwidthNetwork transmission speeds, typically expressed in some form of bits per second (bps)., they’re referring to data transmission speeds. Bandwidth is often expressed in bits per second, or bps. Prefix letters associated with multiples of bps are the same as the prefixes we mentioned in Chapter 5 “Moore’s Law: Fast, Cheap Computing and What It Means for the Manager” when discussing storage capacity in bytes: Kbps = thousand bits (or kilobits) per second, Mbps = million bits (or megabits) per second, Gbps = billion bits (or gigabits) per second, and Tbps = trillion bits (or terabits) per second.

Remember, there are eight bits in a byte, and one byte is a single character. One megabyte is roughly equivalent to one digital book, forty-five seconds of music, or twenty seconds of medium-quality video.R. Farzad, “The Truth about Bandwidth,” BusinessWeek, February 3, 2010. But you can’t just divide the amount of bytes by eight to estimate how many bits you’ll need to transfer. When a file or other transmission is sliced into packets (usually of no more than about 1,500 bytes), there’s some overhead added. Those packets “wrap” data chunks in an envelope surrounded by source and destination addressing and other important information.

Here are some rough demand requirements for streaming media. For streaming audio like Pandora, you’d need at least 150 Kbps for acceptable regular quality, and at least 300 Kbps for high quality.Pandora, “Frequently Asked Questions,” For streaming video (via Netflix), at a minimum you’d need 1.5 Mbps, but 3.0 Mbps will ensure decent video and audio. For what Netflix calls HD streaming, you’ll need a minimum of 5 Mbps, but would likely want 8 Mbps or more to ensure the highest quality video and audio.LG Knowledge Base, “Bandwidth Needed for Instant Streaming,”
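The bits-versus-bytes arithmetic and the packet-overhead point above are easy to work through in code. The sketch below assumes roughly 40 bytes of IP and TCP headers per 1,500-byte packet, leaving about 1,460 bytes of payload (an approximation; real overhead varies with options and the protocols in use):

```python
MTU_PAYLOAD = 1460   # rough data bytes per 1,500-byte packet after headers (assumption)

def mb_per_hour(kbps: float) -> float:
    """Convert a streaming bit rate (kilobits per second) to megabytes per hour."""
    return kbps * 1000 / 8 * 3600 / 1_000_000

def packets_needed(file_bytes: int) -> int:
    """How many packets a file is sliced into, given per-packet header overhead."""
    return -(-file_bytes // MTU_PAYLOAD)   # ceiling division

# Minimum-quality Netflix streaming at 1.5 Mbps consumes ~675 MB per hour.
assert mb_per_hour(1500) == 675.0
# A 1 MB file becomes 685 packets once header overhead is accounted for.
assert packets_needed(1_000_000) == 685
```

Note the divide-by-eight step: quoted connection speeds are in bits, while files and storage are measured in bytes—confusing the two overstates your capacity by a factor of eight.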

Cable Broadband

Roughly 90 percent of U.S. homes are serviced by a cable provider, each capable of using a thick copper wire to offer broadband access. That wire (called a coaxial cableInsulated copper cable commonly used by cable television providers. or coax) has shielding that reduces electrical interference, allowing cable signals to travel longer distances without degrading and with less chance of interference than conventional telephone equipment.

One potential weakness of cable technology lies in the fact that most residential providers use a system that requires customers to share bandwidth with neighbors. If the guy next door is a BitTorrent-using bandwidth hog, your traffic could suffer.R. Thompson, “DSL Internet vs. Cable Internet,” High Speed Internet Access Guide, March 23, 2010.

Cable is fast and it’s getting faster. Many cable firms are rolling out a new technology called DOCSIS 3.0 that offers speeds up to and exceeding 50 Mbps (previous high-end speeds were about 16 Mbps and often much less than that). Cable firms are also creating so-called fiber-copper hybrids that run higher-speed fiber-optic lines into neighborhoods, then use lower-cost, but still relatively high-speed, copper infrastructure over short distances to homes.S. Hansell, “The Broadband Gap: Why Is Theirs Faster?” New York Times, March 10, 2009. Those are fast networks, but they are also very expensive to build, since cable firms are laying entirely new lines into neighborhoods instead of leveraging the infrastructure that they’ve already got in place.

DSL: Phone Company Copper

Digital subscriber line (DSL)Broadband technology that uses the wires of a local telephone network. technology uses the copper wire the phone company has already run into most homes. Even as customers worldwide are dropping their landline phone numbers, the wires used to provide this infrastructure can still be used for broadband.

DSL speeds vary depending on the technology deployed. Worldwide speeds may range from 7 Mbps to as much as 100 Mbps (albeit over very short distances).S. Hansell, “The Broadband Gap: Why Is Theirs Faster?” New York Times, March 10, 2009. The Achilles heel of the technology lies in the fact that DSL uses standard copper telephone wiring. These lines lack the shielding used by cable, so signals begin to degrade the further you are from the connecting equipment in telephone company offices. Speeds drop off significantly at less than two miles from a central office or DSL hub. If you go four miles out, the technology becomes unusable. Some DSL providers are also using a hybrid fiber-copper system, but as with cable’s copper hybrids, this is expensive to build.

The superspeedy DSL implementations that are popular in Europe and Asia work because foreign cities are densely populated and so many high-value customers can be accessed over short distances. In South Korea, for example, half the population lives in apartments, and most of those customers live in and around Seoul. This density also impacts costs—since so many people live in apartments, foreign carriers run fewer lines to reach customers, digging up less ground or stringing wires across fewer telephone poles. Their U.S. counterparts by contrast need to reach a customer base sprawled across the suburbs, so U.S. firms have much higher infrastructure costs. S. Hansell, “The Broadband Gap: Why Is Theirs Faster?” New York Times, March 10, 2009.

There’s another company with copper, electricity-carrying cables coming into your home—the electrical utility. BPL, or broadband over power line, technology has been available for years. However, there are few deployments because it is considered to be pricier and less practical than alternatives.R. King, “Telecom Companies Scramble for Funding,” BusinessWeek, August 3, 2009.

Fiber: A Light-Filled Glass Pipe to Your Doorstep

Fiber to the home (FTTH)Broadband service provided via light-transmitting fiber-optic cables. is the fastest last-mile technology around. It also works over long distances. Verizon’s FiOS technology boasts 50 Mbps download speeds but has tested network upgrades that increase speeds by over six times that.S. Higginbotham, “Verizon Tests 10 Gbps to the Home. Yeah, You’ll Have to Share,” GigaOM, December 17, 2009. The problem with fiber is that unlike cable or DSL copper, fiber to the home networks weren’t already in place. That means firms had to build their own fiber networks from scratch.

The cost of this build-out can be enormous. Verizon, for example, has spent over $23 billion on its FTTH infrastructure. However, most experts think the upgrade was critical. Verizon has copper into millions of homes, but U.S. DSL is uncompetitive. Verizon’s residential landline business was dying as users switched to mobile phone numbers, and while mobile is growing, Verizon Wireless is a joint venture with the United Kingdom’s Vodafone, not a wholly owned firm. This means it shares wireless unit profits with its partner. With FiOS, Verizon now offers pay television, competing with cable’s core product. It also offers some of the fastest home broadband services anywhere, and it gets to keep everything it earns.

In 2010, Google also announced plans to bring fiber to the home. Google deems its effort an experiment—it’s more interested in learning how developers and users take advantage of ultrahigh-speed fiber to the home (e.g., what kinds of apps are created and used, how usage and time spent online change), rather than becoming a nationwide ISP itself. Google says it will investigate ways to build and operate networks less expensively and plans to share findings with others. The Google network will be “open,” allowing other service providers to use Google’s infrastructure to resell services to consumers. The firm has pledged to bring speeds of 1 Gbps at competitive prices to at least 50,000 and potentially as many as 500,000 homes. Over 1,100 U.S. communities applied to be part of the Google experimental fiber network.M. Ingersoll and J. Kelly, “Think Big with a Gig: Our Experimental Fiber Network,” The Google Blog, February 2, 2010; L. Rao, “The Final Tally: More Than 1100 Cities Apply for Google’s Fiber Network,” TechCrunch, March 27, 2010.


Mobile wireless service from cell phone access providers is delivered via cell towers. While these providers don’t need to build a residential wired infrastructure, they still need to secure space for cell towers, build the towers, connect the towers to a backbone network, and license the wireless spectrumFrequencies used for communication. Most mobile cell phone services have to license spectrum. Some technologies (such as Wi-Fi) use unlicensed public spectrum. (or airwave frequency space) for transmission.

We need more bandwidth for mobile devices, too. AT&T now finds that the top 3 percent of its mobile network users gulp up 40 percent of the network’s capacity (thanks, iPhone users), and network strain will only increase as more people adopt smartphones. These users are streaming Major League Baseball games, exploring the planet with Google Earth, watching YouTube and Netflix, streaming music through Pandora, and more. Get a bunch of iPhone users in a crowded space, like a college football stadium on game day, and the result is a network-choking data traffic jam. AT&T estimates that it’s not uncommon for 80 percent of game-day iPhone users to take out their phones and surf the Web for stats, snap and upload photos, and more. But cell towers often can’t handle the load.R. Farzad, “AT&T’s iPhone Mess,” BusinessWeek, February 3, 2010. If you’ve ever lost coverage in a crowd, you’ve witnessed mobile network congestion firsthand. Building enough capacity to avoid these traffic jams will cost some serious coin. In the midst of customer complaints, AT&T committed to spending $18 billion on network upgrades to address its wireless capacity problem.C. Edwards and O. Kharif, “Sprint’s Bold Play on a 4G Network,” BusinessWeek, March 30, 2010.

Table 12.1 Average Demand Usage by Function

Usage              Demand
Voice Calls        4 MB/hr.
iPhone Browsing    40–60 MB/hr.
Net Radio          60 MB/hr.
YouTube            200–400 MB/hr.

For comparison, conventional mobile phones use an estimated 100 MB/month, iPhones 560 MB/month, and iPads almost 1 GB/month.
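
To see what these per-hour rates mean against a monthly allowance, here is a rough back-of-the-envelope sketch. The per-hour figures are the table's estimates (using midpoints for the ranges); the 5 GB monthly cap is a hypothetical plan limit, not one cited in the text.

```python
# Rough monthly bandwidth math using the table's per-hour estimates.
usage_mb_per_hr = {
    "voice calls": 4,
    "iPhone browsing": 50,   # midpoint of the 40-60 MB/hr. range
    "net radio": 60,
    "YouTube": 300,          # midpoint of the 200-400 MB/hr. range
}

cap_gb = 5  # hypothetical monthly data cap
for activity, rate in usage_mb_per_hr.items():
    hours = cap_gb * 1024 / rate  # hours of use before exhausting the cap
    print(f"{activity}: ~{hours:.0f} hr./month under a {cap_gb} GB cap")
```

The math makes the congestion problem vivid: a month of voice calls barely dents the cap, while a steady YouTube habit burns through it in well under a day of cumulative viewing.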

We’re in the midst of transitioning from third generation (3G) to fourth generation (4G) wireless networks. 3G systems offer access speeds usually less than 2 Mbps (often a lot less).K. German, “On Call: Welcome to 4G,” CNET, March 9, 2010. While variants of 3G wireless might employ an alphabet soup of technologies—EV-DO (evolution data optimized), UMTS (universal mobile telecommunications systems), and HSDPA (high-speed downlink packet access) among them—3G standards can be narrowed down to two camps: those based on the dominant worldwide standard called GSM (global system for mobile communications) and the runner-up standards based on CDMA (code division multiple access). Most of Europe and a good chunk of the rest of the world use GSM. In the United States, AT&T and T-Mobile use GSM-based 3G. Verizon Wireless and Sprint use the CDMA 3G standard. Typically, handsets designed for one network can’t be used on networks supporting the other standard. CDMA has an additional limitation in not being able to use voice and data at the same time.

But 3G is being replaced by high-bandwidth 4G (fourth-generation) mobile networks. 4G technologies also fall into two standards camps: LTE (Long Term Evolution) and WiMAX (Worldwide Interoperability for Microwave Access).

LTE looks like the global winner. In the United States, every major wireless firm except Sprint is betting on LTE. Bandwidth for the service rivals what we’d have considered fast cable just a few years back. Average speeds range from 5 to 12 Mbps for downloads and 2 to 5 Mbps for uploads, although Verizon tests in Boston and Seattle showed download speeds as high as 50 Mbps and upload speeds reaching 25 Mbps.K. German, “On Call: Welcome to 4G,” CNET, March 9, 2010.
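
The practical difference between these speeds is easy to work out. A quick sketch (the 700 MB file size is a hypothetical movie-sized download; the 1 Mbps figure for 3G is a rough stand-in for "usually less than 2 Mbps"; real-world transfers will be slower due to protocol overhead and congestion):

```python
# Idealized time to download a file at various last-mile speeds.
# Note the units: network speeds are in megaBITS per second (Mbps),
# file sizes in megaBYTES (MB) -- hence the factor of 8.
def download_minutes(file_mb, speed_mbps):
    """Transfer time in minutes, ignoring overhead and congestion."""
    return (file_mb * 8) / speed_mbps / 60

file_mb = 700  # hypothetical movie-sized file
for label, mbps in [("3G (~1 Mbps)", 1),
                    ("LTE average (5 Mbps)", 5),
                    ("LTE peak test (50 Mbps)", 50)]:
    print(f"{label}: {download_minutes(file_mb, mbps):.1f} min.")
```

At 3G speeds the download takes well over an hour; at Verizon's tested LTE peak, about two minutes. That gap is the whole argument for the 4G buildout.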

Competing with LTE is WiMAX; don’t confuse it with Wi-Fi. As with other 3G and 4G technologies, WiMAX needs cell towers and operators need to have licensed spectrum from their respective governments (often paying multibillion-dollar fees to do so). Average download and upload speeds should start out at 3–6 Mbps and 1 Mbps, respectively, although this may go much higher.N. Lee, “Sprint’s 4G Plans Explained,” CNET, May 19, 2010.

WiMAX looks like a particularly attractive option for cable firms, offering them an opportunity to get into the mobile phone business and offer a “quadruple play” of services: pay television, broadband Internet, home phone, and mobile. Comcast and Time Warner have both partnered with Clearwire (a firm majority-owned by Sprint) to gain access to WiMAX-based 4G mobile.

4G could also rewrite the landscape for home broadband competition. If speeds increase, it may be possible for PCs, laptops, and set-top boxes (STB) to connect to the Internet wirelessly via 4G, cutting into DSL, cable, and fiber markets.

Satellite Wireless

Wireless systems provided by earth-bound base stations like cell phone towers are referred to as terrestrial wireless, but it is possible to provide telecommunications services via satellite. Early services struggled due to a number of problems. For example, the first residential satellite services were download-only; users still needed a modem or some other connection to send anything from their computer back to the Internet. Many early systems also required large antennas and were quite expensive. Finally, some services were based on satellites in geosynchronous earth orbit (GEO). GEO satellites circle the earth in a fixed, or stationary, orbit above a given spot on the globe, but to do so they must be positioned at a distance that is roughly equivalent to the planet’s circumference. That means signals travel the equivalent of an around-the-world trip to reach the satellite and then the same distance to get to the user. The “last mile” became the last 44,000 miles at best. And if you used a service that also provided satellite upload as well as download, double that to about 88,000 miles. All that distance means higher latency (more delay).G. Ou, “Why Satellite Service Is So Slow,” ZDNet, February 23, 2008.

A firm named O3b Networks thinks it might have solved the challenges that plagued early pioneers. O3b has an impressive list of big-name backers that include HSBC bank, cable magnate John Malone, European aerospace firm SES, and Google.

The name O3b stands for the “Other 3 Billion,” referring to the portion of the world’s population that lacks broadband Internet access, and the firm hopes to provide “fiber-quality” wireless service to more than 150 countries, specifically targeting underserved portions of the developing world. These medium earth orbit satellites will circle closer to the earth to reduce latency (only about 5,000 miles up, less than one-fourth the distance of GEO systems). To maintain the lower orbit, O3b’s satellites orbit faster than the planet spins, but with plans to launch as many as twenty satellites, the system will constantly blanket regions served. If one satellite circles to the other side of the globe, another one will circle around to take its place, ensuring there’s always an O3b “bird” overhead.
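
The latency penalty of orbit altitude follows directly from the speed of light. Here is a rough sketch of propagation delay alone, ignoring processing time and terrestrial hops, using the approximate altitudes given in the text (a full request/response involves four legs: user up to the satellite, down to a ground station, and back again):

```python
# Propagation delay for satellite links. Radio signals travel at
# roughly the speed of light: about 186,000 miles per second.
SPEED_OF_LIGHT_MPS = 186_000  # miles per second

def round_trip_ms(altitude_miles):
    """Four altitude legs: up, down, up, down -- in milliseconds."""
    return (4 * altitude_miles / SPEED_OF_LIGHT_MPS) * 1000

print(f"GEO (~22,000 mi. up): {round_trip_ms(22_000):.0f} ms")
print(f"MEO (~5,000 mi. up):  {round_trip_ms(5_000):.0f} ms")
```

Physics alone puts a GEO round trip near half a second, a delay that makes interactive applications feel sluggish, while O3b's lower orbit cuts propagation delay to roughly a quarter of that.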

Only about 3 percent of the sub-Saharan African population uses the Internet, compared to about 70 percent in the United States. And in the few places that are served, data service can cost as much as one hundred times the rates of comparable systems in the industrialized world.G. Lamb, “O3b Networks: A Far-Out Plan to Deliver the Web,” Christian Science Monitor, September 24, 2008. O3b hopes to change that equation and significantly lower access rates. O3b’s customers will be local telecommunications firms, not end users. The plan is for local firms to buy O3b’s services wholesale and resell them to customers alongside rivals who can do the same, collectively providing more consumer access, higher quality, and lower prices through competition. O3b is a big, bold, and admittedly risky plan, but if it works, its impact could be tremendous.

Wi-Fi and Other Hotspots

Many users access the Internet via Wi-FiA term used to brand wireless local-area networking devices. Devices typically connect to an antenna-equipped base station or hotspot, which is then connected to the Internet. Wi-Fi devices use standards known as IEEE 802.11, and various versions of this standard (e.g., b, g, n) may operate in different frequency bands and have different access ranges. (which stands for wireless fidelity). Computer and mobile devices have Wi-Fi antennas built into their chipsets, but to connect to the Internet, a device needs to be within range of a base station or hotspot. The base station range is usually around three hundred feet (you might get a longer range outdoors and with special equipment, and less range indoors when signals need to pass through solid objects like walls, ceilings, and floors). Wi-Fi base stations used in the home are usually bought by end users, then connected to a cable, DSL, or fiber provider.

A sort of personal mobile phone hotspot is now being used to overcome limitations in cellular service, as well. Mobile providers can be susceptible to poor coverage indoors because the spectrum used by most mobile phone firms doesn’t travel well through solid objects. Cell coverage is also often limited in the United States by a lack of towers, a result of the NIMBY problem (not in my backyard). People don’t want an eighty-foot to four-hundred-foot unsightly tower clouding their local landscape, even if it would give their neighborhood better cell phone coverage.G. Dechter and O. Kharif, “How Craig McCaw Built a 4G Network on the Cheap,” BusinessWeek, May 24, 2010. To overcome reception and availability problems, mobile telecom services firms have begun offering femtocells. These devices are usually smaller than a box of cereal and can sell for $150 or less (some are free with specific service contracts). Plug a femtocell into a high-speed Internet connection like an in-home cable or fiber service and you can get “five-bar” coverage in a roughly 5,000-square-foot footprint.C. Mims, “A Personal Cell Phone Tower,” Technology Review, April 7, 2010. That can be a great solution for someone who has an in-home, high-speed Internet connection but wants reliable phone and mobile data service indoors, too.

Net Neutrality: What’s Fair?

Across the world, battle lines are being drawn regarding the topic of Net neutrality. Net neutrality is the principle that all Internet traffic should be treated equally.M. Honan, “Inside Net Neutrality,” MacWorld, February 12, 2008. Sometimes access providers have wanted to offer varying (some say “discriminatory”) levels of service, depending on the application used and bandwidth consumed. But where regulation stands is currently in flux. In a pivotal U.S. case, the FCC ordered Comcast to stop throttling (blocking or slowing down) subscriber access to the peer-to-peer file sharing service BitTorrent. BitTorrent users can consume a huge amount of bandwidth—the service is often used to transfer large files, both legitimate (like versions of the Linux operating system) and pirated (HD movies). Then in spring 2010, a federal appeals court moved against the FCC’s position, unanimously ruling that the agency did not have the legal authority to dictate terms to Comcast.“What Is Net Neutrality?” The Week, April 7, 2010.

On one side of the debate are Internet service firms, with Google being one of the strongest Net neutrality supporters. In an advocacy paper, Google states, “Just as telephone companies are not permitted to tell consumers who they can call or what they can say, broadband carriers should not be allowed to use their market power to control activity online.”Google, “A Guide to Net Neutrality for Google Users,” 2008. Many Internet firms also worry that if network providers move away from flat-rate pricing toward usage-based (or metered) schemes, this may limit innovation. Says Google’s Vint Cerf (who is considered one of the “fathers of the Internet” for his work on the original Internet protocol suite), “You are less likely to try things out. No one wants a surprise bill at the end of the month.”M. Jesdanun, “As the Internet Turns 40, Barriers Threaten Growth,” Technology Review, August 31, 2009. Metered billing may limit the use of everything from iTunes to Netflix; after all, if you have to pay for per-bit bandwidth consumption as well as for the download service, then it’s as if you’re paying twice.

The counterargument is that if firms are restricted from charging more for their investment in infrastructure and services, then they’ll have little incentive to continue to make the kinds of multibillion-dollar investments that innovations like 4G and fiber networks require. Telecom industry executives have railed against Google, Microsoft, Yahoo! and others, calling them free riders who earn huge profits by piggybacking off ISP networks, all while funneling no profits back to the firms that provide the infrastructure. One Verizon vice president said, “The network builders are spending a fortune constructing and maintaining the networks that Google intends to ride on with nothing but cheap servers.…It is enjoying a free lunch that should, by any rational account, be the lunch of the facilities providers.”A. Mohammed, “Verizon Executive Calls for End to Google’s ‘Free Lunch,’” Washington Post, February 7, 2006. AT&T’s previous CEO has suggested that Google, Yahoo! and other services firms should pay for “preferred access” to the firm’s customers. The CEO of Spain’s Telefonica has also said the firm is considering charging Google and other Internet service firms for network use.I. Lunden, “Broadband Content Bits: Web Drama Investment, PPL Video Store, Telefonica to Charge?” paidContent:UK, February 11, 2010.

ISPs also lament the relentlessly increasing bandwidth demands placed on their networks. Back in 2007, YouTube streamed as much data in three months as the world’s radio, cable, and broadcast television channels combined stream in one year,B. Swanson, “The Coming Exaflood,” Wall Street Journal, January 20, 2007. and YouTube has only continued to grow since then. Should ISPs be required to support the strain of this kind of bandwidth hog? And what if this one application clogs network use for other traffic, such as e-mail or Web surfing? Similarly, shouldn’t firms have the right to prioritize some services to better serve customers? Some network providers argue that services like video chat and streaming audio should get priority over, say, e-mail, which can tolerate slight delays without major impact. In that case, there’s a pretty good argument that providers should be able to discriminate among services. But improving efficiency and throttling usage are two different things.

Internet service firms say they create the demand that makes broadband a viable business; broadband firms say Google and its allies are ungrateful parasites that aren’t sharing the wealth. The battle lines on the Net neutrality frontier continue to be drawn. The eventual outcome will impact consumers and investors, and will likely influence the continued expansion and innovation of the Internet.

Summing Up

Hopefully, this chapter helped reveal the mysteries of the Internet. Knowing how “the cloud” works isn’t just interesting; it can be vital. As we’ve seen, executives in financial services firms consider mastery of the Internet infrastructure critically important to competitive advantage. Media firms find the Internet both threatening and empowering. The advancement of last-mile technologies and the resolution of Net neutrality issues will expose threats and create opportunity. And a manager who knows how the Internet works will be in a better position to make decisions about how to keep the firm and its customers safe and secure, and will be better prepared to brainstorm ideas for winning in a world where access is faster and cheaper, and firms, rivals, partners, and customers are more connected.

Key Takeaways

  • The slowest part of the Internet is typically the last mile, not the backbone. While several technologies can offer broadband service over the last mile, the United States continues to rank below many other nations in terms of access speed, availability, and price.
  • Cable firms and phone companies can leverage existing wiring for cable broadband and DSL service, respectively. Cable services are often criticized for shared bandwidth. DSL’s primary limitation is that it only works within a short distance of telephone office equipment.
  • Fiber to the home can be very fast but very expensive to build.
  • An explosion of high-bandwidth mobile applications is straining 3G networks. 4G systems may alleviate congestion by increasing capacities to near-cable speeds. Femtocells are another technology that can improve service by providing a personal mobile phone hotspot that can plug into in-home broadband access.
  • The two major 3G standards (popularly referred to as GSM and CDMA) will be replaced by two unrelated 4G standards (LTE and WiMAX). GSM has been the dominant 3G technology worldwide. LTE looks like it will be the leading 4G technology.
  • Satellite systems show promise in providing high-speed access to underserved parts of the world, but few satellite broadband providers have been successful so far.
  • Net neutrality is the principle that all Internet traffic should be treated equally. Google and other firms say it is vital to maintain the openness of the Internet. Telecommunications firms say they should be able to limit access to services that overtax their networks, and some have suggested charging Google and other Internet firms for providing access to their customers.

Questions and Exercises

  1. Research online for the latest country rankings for broadband service. Where does the United States currently rank? Why?
  2. Which broadband providers can service your home? Which would you choose? Why?
  3. Research the status of Google’s experimental fiber network. Report updated findings to your class. Why do you suppose Google would run this “experiment”? What other Internet access experiments has the firm been involved in?
  4. Show your understanding of the economics and competitive forces of the telecom industry. Discuss why Verizon chose to go with fiber. Do you think this was a wise decision or not? Why? Feel free to do additional research to back up your argument.
  5. Why have other nations enjoyed faster broadband speeds, greater availability, and lower prices?
  6. The iPhone has been called both a blessing and a curse for AT&T. Why do you suppose this is so?
  7. Investigate the status of mobile wireless offerings (3G and 4G). Which firm would you choose? Why? Which factors are most important in your decision?
  8. Name the two dominant 3G standards. What are the differences between the two? Which firms in your nation support each standard?
  9. Name the two dominant 4G standards. Which firms in your nation will support the respective standards?
  10. Have you ever lost communication access—wirelessly or via wired connection? What caused the loss or outage?
  11. What factors shape the profitability of the mobile wireless provider industry? How do these economics compare with the cable and wire line industry? Who are the major players and which would you invest in? Why?
  12. Last-mile providers often advertise very fast speeds, but users rarely see speeds as high as advertised rates. Search online to find a network speed test and try it from your home, office, mobile device, or dorm. How fast is the network? If you’re able to test from home, what bandwidth rates does your ISP advertise? Does this differ from what you experienced? What could account for this discrepancy?
  13. How can 4G technology help cable firms? Why might it hurt them?
  14. What’s the difference between LEO satellite systems and the type of system used by O3b? What are the pros and cons of these efforts? Conduct some additional research. What is the status of O3b and other satellite broadband efforts?
  15. What advantages could broadband offer to underserved areas of the world? Is Internet access important for economic development? Why or why not?
  16. Does your carrier offer a femtocell? Would you use one? Why or why not?
  17. Be prepared to debate the issue of Net neutrality in class. Prepare positions both supporting and opposing Net neutrality. Which do you support and why?
  18. Investigate the status of Net neutrality laws in your nation and report your findings to your instructor. Do you agree with the stance currently taken by your government? Why or why not?

Chapter 11: The Data Asset: Databases, Business Intelligence, and Competitive Advantage

11.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how increasingly standardized data, access to third-party data sets, cheap, fast computing and easier-to-use software are collectively enabling a new age of decision making.
  2. Be familiar with some of the enterprises that have benefited from data-driven, fact-based decision making.

The planet is awash in data. Cash registers ring up transactions worldwide. Web browsers leave a trail of cookie crumbs nearly everywhere they go. And with radio frequency identification (RFID), inventory can literally announce its presence so that firms can precisely journal every hop their products make along the value chain: “I’m arriving in the warehouse,” “I’m on the store shelf,” “I’m leaving out the front door.”

A study by Gartner Research claims that the amount of data on corporate hard drives doubles every six months,C. Babcock, “Data, Data, Everywhere,” InformationWeek, January 9, 2006. while IDC states that the collective number of those bits already exceeds the number of stars in the universe.L. Mearian, “Digital Universe and Its Impact Bigger Than We Thought,” Computerworld, March 18, 2008. Wal-Mart alone boasts a data volume well over 125 times as large as the entire print collection of the U.S. Library of Congress.Derived by comparing Wal-Mart’s 2.5 petabytes (E. Lai, “Teradata Creates Elite Club for Petabyte-Plus Data Warehouse Customers,” Computerworld, October 18, 2008) to the Library of Congress estimate of 20 TB (D. Gewirtz, “What If Someone Stole the Library of Congress?” May 25, 2009). It’s further noted that the Wal-Mart figure is just for data stored on systems provided by the vendor Teradata. Wal-Mart has many systems outside its Teradata-sourced warehouses, too.

And with this flood of data comes a tidal wave of opportunity. Increasingly standardized corporate data, and access to rich, third-party data sets—all leveraged by cheap, fast computing and easier-to-use software—are collectively enabling a new age of data-driven, fact-based decision making. You’re less likely to hear old-school terms like “decision support systems” used to describe what’s going on here. The phrase of the day is business intelligence (BI)A term combining aspects of reporting, data exploration and ad hoc queries, and sophisticated data modeling and analysis., a catchall term combining aspects of reporting, data exploration and ad hoc queries, and sophisticated data modeling and analysis. Alongside business intelligence in the new managerial lexicon is the phrase analyticsA term describing the extensive use of data, statistical and quantitative analysis, explanatory and predictive models, and fact-based management to drive decisions and actions., a term describing the extensive use of data, statistical and quantitative analysis, explanatory and predictive models, and fact-based management to drive decisions and actions.T. Davenport and J. Harris, Competing on Analytics: The New Science of Winning (Boston: Harvard Business School Press, 2007).

The benefits of all this data and number crunching are very real, indeed. Data leverage lies at the center of competitive advantage we’ve studied in the Zara, Netflix, and Google cases. Data mastery has helped vault Wal-Mart to the top of the Fortune 500 list. It helped Harrah’s Casino Hotels grow to be twice as profitable as similarly sized Caesars, and rich enough to acquire this rival. And data helped Capital One find valuable customers that competitors were ignoring, delivering ten-year financial performance a full ten times greater than the S&P 500. Data-driven decision making is even credited with helping the Red Sox win their first World Series in eighty-three years and with helping the New England Patriots win three Super Bowls in four years. To quote from a BusinessWeek cover story on analytics, “Math Will Rock Your World!”S. Baker, “Math Will Rock Your World,” BusinessWeek, January 23, 2006.

Sounds great, but it can be a tough slog getting an organization to the point where it has a leveragable data asset. In many organizations data lies dormant, spread across inconsistent formats and incompatible systems, unable to be turned into anything of value. Many firms have been shocked at the amount of work and complexity required to pull together an infrastructure that empowers their managers. But not only can this be done; it must be done. Firms that are basing decisions on hunches aren’t managing; they’re gambling. And the days of uninformed managerial dice rolling are over.

While we’ll study technology in this chapter, our focus isn’t as much on the technology itself as it is on what you can do with that technology. Consumer products giant P&G believes in this distinction so thoroughly that the firm renamed its IT function as “Information and Decision Solutions.”J. Soat, “P&G’s CIO Puts IT at Users’ Service,” InformationWeek, December 15, 2007. Solutions drive technology decisions, not the other way around.

In this chapter we’ll study the data asset: how it’s created, how it’s stored, and how it’s accessed and leveraged. We’ll also study many of the firms mentioned above, and more, providing a context for understanding how managers are leveraging data to create winning models, and how those that have failed to realize the power of data have been left in the dust.

Data, Analytics, and Competitive Advantage

Anyone can acquire technology—but data is oftentimes considered a defensible source of competitive advantage. The data a firm can leverage is a true strategic asset when it’s rare, valuable, imperfectly imitable, and lacking in substitutes (see Chapter 2 “Strategy and Technology: Concepts and Frameworks for Understanding What Separates Winners from Losers”).

If more data brings more accurate modeling, moving early to capture this rare asset can be the difference between a dominating firm and an also-ran. But be forewarned, there’s no monopoly on math. Advantages based on capabilities and data that others can acquire will be short-lived. Those advances leveraged by the Red Sox were originally pioneered by the Oakland A’s and are now used by nearly every team in the major leagues.

This doesn’t mean that firms can ignore the importance data can play in lowering costs, increasing customer service, and other ways that boost performance. But differentiation will be key in distinguishing operationally effective data use from those efforts that can yield true strategic positioning.

Key Takeaways

  • The amount of data on corporate hard drives doubles every six months.
  • In many organizations, available data is not exploited to advantage.
  • Data is oftentimes considered a defensible source of competitive advantage; however, advantages based on capabilities and data that others can acquire will be short-lived.

Questions and Exercises

  1. Name and define the terms that are supplanting discussions of decision support systems in the modern IS lexicon.
  2. Is data a source of competitive advantage? Describe situations in which data might be a source for sustainable competitive advantage. When might data not yield sustainable advantage?
  3. Are advantages based on analytics and modeling potentially sustainable? Why or why not?
  4. What role do technology and timing play in realizing advantages from the data asset?

11.2 Data, Information, and Knowledge

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the difference between data and information.
  2. Know the key terms and technologies associated with data organization and management.

DataRaw facts and figures. refers simply to raw facts and figures. Alone it tells you nothing. The real goal is to turn data into informationData presented in a context so that it can answer a question or support decision making.. Data becomes information when it’s presented in a context so that it can answer a question or support decision making. And it’s when this information can be combined with a manager’s knowledgeInsight derived from experience and expertise.—their insight from experience and expertise—that stronger decisions can be made.
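
A tiny illustration of the distinction (the regions and sales figures below are made up): the raw numbers alone are data; summarized in context to answer a manager's question, they become information. The judgment about what to do with the answer still requires a manager's knowledge.

```python
# Data: raw facts and figures -- meaningless on their own.
sales = [
    ("north", "Q1", 120_000), ("north", "Q2", 95_000),
    ("south", "Q1", 80_000),  ("south", "Q2", 140_000),
]

# Information: the same data placed in context to answer a question:
# "Which regions grew from Q1 to Q2?"
totals = {}
for region, quarter, amount in sales:
    totals.setdefault(region, {})[quarter] = amount

for region, q in totals.items():
    trend = "grew" if q["Q2"] > q["Q1"] else "shrank"
    print(f"{region}: {trend} ({q['Q1']} -> {q['Q2']})")
```

Whether a shrinking region reflects a failing product line or a one-time event is where knowledge, the manager's experience and expertise, comes in.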

Trusting Your Data

The ability to look critically at data and assess its validity is a vital managerial skill. When decision makers are presented with wrong data, the results can be disastrous. And these problems can get amplified if bad data is fed to automated systems. As an example, look at the series of man-made and computer-triggered events that brought about a billion-dollar collapse in United Airlines stock.

In the wee hours one Sunday morning in September 2008, a single reader browsing back stories on the Orlando Sentinel’s Web site viewed a 2002 article on the bankruptcy of United Airlines (UAL went bankrupt in 2002, but emerged from bankruptcy four years later). That lone Web surfer’s access of this story during such a low-traffic time was enough for the Sentinel’s Web server to briefly list the article as one of the paper’s “most popular.” Google crawled the site and picked up this “popular” news item, feeding it into Google News.

Early that morning, a worker in a Florida investment firm came across the Google-fed story, assumed United had yet again filed for bankruptcy, then posted a summary on Bloomberg. Investors scanning Bloomberg jumped on what looked like a reputable early warning of another United bankruptcy, dumping UAL stock. Blame the computers again—the rapid plunge from these early trades caused automatic sell systems to kick in (event-triggered, computer-automated trading is responsible for about 30 percent of all stock trades). Once the machines took over, UAL dropped like a rock, falling from twelve to three dollars. That drop represented the vanishing of $1 billion in wealth, and all this because no one checked the date on a news story. Welcome to the new world of paying attention!M. Harvey, “Probe into How Google Mix-Up Caused $1 Billion Run on United,” Times Online, September 12, 2008.

Understanding How Data Is Organized: Key Terms and Technologies

A databaseA single table or a collection of related tables. is simply a list (or more likely, several related lists) of data. Most organizations have several databases—perhaps even hundreds or thousands. And these various databases might be focused on any combination of functional areas (sales, product returns, inventory, payroll), geographical regions, or business units. Firms often create specialized databases for recording transactions, as well as databases that aggregate data from multiple sources in order to support reporting and analysis.

Databases are created, maintained, and manipulated using programs called database management systems (DBMS)Sometimes called “database software”; software for creating, maintaining, and manipulating data., sometimes referred to as database software. DBMS products vary widely in scale and capabilities. They include the single-user, desktop versions of Microsoft Access or FileMaker Pro, Web-based offerings like Intuit QuickBase, and industrial-strength products from Oracle, IBM (DB2), Sybase, Microsoft (SQL Server), and others. Oracle is the world’s largest database software vendor, and database software has meant big bucks for Oracle cofounder and CEO Larry Ellison. Ellison perennially ranks in the Top 10 of the Forbes 400 list of wealthiest Americans.

The acronym SQL (often pronounced “sequel”) also shows up a lot when talking about databases. Structured query language (SQL) is by far the most common language for creating and manipulating databases. You’ll find variants of SQL inhabiting everything from lowly desktop software to high-powered enterprise products. Microsoft’s high-end database is even called SQL Server. And of course there’s also the open source MySQL (whose stewardship now sits with Oracle as part of the firm’s purchase of Sun Microsystems). Given this popularity, if you’re going to learn one language for database use, SQL’s a pretty good choice. And for a little inspiration, visit a job site and search for jobs mentioning SQL. You’ll find page after page of listings, suggesting that while database systems have been good for Ellison, learning more about them might be pretty good for you, too.
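To make this concrete, here’s a minimal sketch of what SQL statements look like, run through Python’s built-in sqlite3 module. The table and column names here are hypothetical, chosen only for illustration:

```python
import sqlite3

# An in-memory database keeps the sketch self-contained.
conn = sqlite3.connect(":memory:")

# CREATE defines a table, INSERT adds records, SELECT queries them.
conn.execute("CREATE TABLE students (student_id INTEGER, last_name TEXT)")
conn.execute("INSERT INTO students VALUES (1, 'Smith')")
conn.execute("INSERT INTO students VALUES (2, 'Jones')")

# Ask the database a question and fetch the answer.
rows = conn.execute(
    "SELECT last_name FROM students WHERE student_id = 2"
).fetchall()
print(rows)  # [('Jones',)]
```

The same three statement types (CREATE, INSERT, SELECT) appear, with minor dialect differences, in everything from desktop databases to enterprise products like Oracle and SQL Server.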

Even if you don’t become a database programmer or a database administrator (DBA, a job title focused on directing, performing, or overseeing activities associated with a database or set of databases: design, creation, implementation, maintenance, backup and recovery, policy setting and enforcement, and security), you’re almost surely going to be called upon to dive in and use a database. You may even be asked to help identify your firm’s data requirements. It’s quite common for nontech employees to work on development teams with technical staff, defining business problems, outlining processes, setting requirements, and determining the kinds of data the firm will need to leverage. Database systems are powerful stuff, and can’t be avoided, so a bit of understanding will serve you well.

Figure 11.1 A Simplified Relational Database for a University Course Registration System

A complete discourse on technical concepts associated with database systems is beyond the scope of our managerial introduction, but here are some key concepts to help get you oriented, and that all managers should know.

  • A table or file refers to a list of data, arranged in columns (fields) and rows (records).
  • A database is either a single table or a collection of related tables. The course registration database above depicts five tables.
  • A column or field defines each category of data that a table can hold (e.g., first name, last name, ID number, date of birth). The “Students” table above shows columns for STUDENT_ID, FIRST_NAME, LAST_NAME, and CAMPUS_ADDR (the “…” symbols above are meant to indicate that in practice there may be more columns or rows than are shown in this simplified diagram).
  • A row or record represents a single instance of whatever the table keeps track of (e.g., student, faculty, course title). In the example above, each row of the “Students” table represents a student, each row of the “Enrollment” table represents the enrollment of a student in a particular course, and each row of the “Course List” table represents a given section of each course offered by the university.
  • A key is the field used to relate tables in a database. Look at how the STUDENT_ID key is used above. There is one unique STUDENT_ID for each student, but the STUDENT_ID may appear many times in the “Enrollment” table, indicating that each student may be enrolled in many classes. The “1” and “M” in the diagram above indicate the one-to-many relationships among the keys in these tables.

Databases organized like the one above, where multiple tables are related based on common keys, are referred to as relational databases. There are many other database formats (sporting names like hierarchical and object-oriented), but relational databases are far and away the most popular. And all SQL databases are relational databases.
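Echoing the course registration example, the sketch below (again using Python’s sqlite3, with simplified table and column names loosely modeled on the diagram) shows how a shared STUDENT_ID key relates tables, and how a query can join them:

```python
import sqlite3

conn = sqlite3.connect(":memory:")

# One row per student; STUDENT_ID is the unique key.
conn.execute(
    "CREATE TABLE students (student_id INTEGER PRIMARY KEY, last_name TEXT)"
)
# One row per enrollment; the same STUDENT_ID may appear many times here,
# capturing the one-to-many relationship shown in the diagram.
conn.execute("CREATE TABLE enrollment (student_id INTEGER, course_id TEXT)")

conn.execute("INSERT INTO students VALUES (100, 'Chen')")
conn.executemany(
    "INSERT INTO enrollment VALUES (?, ?)",
    [(100, "MGMT101"), (100, "ISYS220")],
)

# Relating the tables on the key answers: which courses is Chen taking?
courses = conn.execute(
    "SELECT e.course_id FROM students s "
    "JOIN enrollment e ON s.student_id = e.student_id "
    "WHERE s.last_name = 'Chen' ORDER BY e.course_id"
).fetchall()
print(courses)  # [('ISYS220',), ('MGMT101',)]
```

The JOIN clause is where the “relational” part of relational databases pays off: data stored once, in separate tables, can be recombined on demand through the shared key.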

We’ve just scratched the surface for a very basic introduction. Expect that a formal class in database systems will offer you far more detail and better design principles than are conveyed in the elementary example above. But you’re already well on your way!

Key Takeaways

  • Data includes raw facts that must be turned into information in order to be useful and valuable.
  • Databases are created, maintained, and manipulated using programs called database management systems (DBMS), sometimes referred to as database software.
  • All data fields in the same database have unique names, several data fields make up a data record, multiple data records make up a table or data file, and one or more tables or data files make up a database.
  • Relational databases are the most common database format.

Questions and Exercises

  1. Define the following terms: table, record, field. Provide another name for each term along with your definition.
  2. Answer the following questions using the course registration database system, diagramed above:

    1. Imagine you also want to keep track of student majors. How would you do this? Would you modify an existing table? Would you add new tables? Why or why not?
    2. Why do you suppose the system needs a “Course Title” table?
    3. This database is simplified for our brief introduction. What additional data would you need to keep track of if this were a real course registration system? What changes would you make in the database above to account for these needs?
  3. Research to find additional examples of organizations that made bad decisions based on bad data. Report your examples to your class. What was the end result of the examples you’re citing (e.g., loss, damage, or other outcome)? What could managers have done to prevent problems in the cases that you cited? What role did technology play in the examples that you cite? What role did people or procedural issues play?
  4. Why is an understanding of database terms and technologies important, even for nontechnical managers and staff? Consider factors associated with both system use and system development. What other skills, beyond technology, may be important when engaged in data-driven decision making?

11.3 Where Does Data Come From?

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand various internal and external sources for enterprise data.
  2. Recognize the function and role of data aggregators, the potential for leveraging third-party data, the strategic implications of relying on externally purchased data, and key issues associated with aggregators and firms that leverage externally sourced data.

Organizations can pull together data from a variety of sources. While the examples that follow aren’t meant to be an encyclopedic listing of possibilities, they will give you a sense of the diversity of options available for data gathering.

Transaction Processing Systems

For most organizations that sell directly to their customers, transaction processing systems (TPS), which record business exchanges such as a cash register sale, ATM withdrawal, or product return, represent a fountain of potentially insightful data. Every time a consumer uses a point-of-sale system, an ATM, or a service desk, there’s a transaction (some kind of business exchange) occurring, representing an event that’s likely worth tracking.

The cash register is the data generation workhorse of most physical retailers, and the primary source that feeds data to the TPS. But while TPS can generate a lot of bits, it’s sometimes tough to match this data with a specific customer. For example, if you pay a retailer in cash, you’re likely to remain a mystery to your merchant because your name isn’t attached to your money. Grocers and retailers can tie you to cash transactions if they can convince you to use a loyalty card, a system that provides rewards and usage incentives in exchange for more detailed tracking and recording of customer activity (in addition to enhancing data collection, loyalty cards can represent a significant switching cost). Use one of these cards and you’re in effect giving up information about yourself in exchange for some kind of financial incentive. The explosion in retailer cards is directly related to each firm’s desire to learn more about you and to turn you into a more loyal and satisfied customer.

Some cards provide an instant discount (e.g., the CVS Pharmacy ExtraCare card), while others allow you to build up points over time (Best Buy’s Reward Zone). The latter has the additional benefit of acting as a switching cost. A customer may think “I could get the same thing at Target, but at Best Buy, it’ll increase my existing points balance and soon I’ll get a cash back coupon.”
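A rough sketch of the mechanism, using made-up transaction data: the loyalty card ID attached to each sale is what lets a retailer roll otherwise anonymous register activity up into a per-customer profile.

```python
from collections import defaultdict

# Hypothetical point-of-sale records. Without a loyalty card,
# card_id is None and the sale can't be tied to a shopper.
transactions = [
    {"card_id": "C-001", "item": "coffee", "amount": 4.50},
    {"card_id": None,    "item": "milk",   "amount": 2.25},  # cash, anonymous
    {"card_id": "C-001", "item": "cereal", "amount": 3.75},
]

# Aggregate spending per identified customer; anonymous sales drop out.
spend_by_customer = defaultdict(float)
for t in transactions:
    if t["card_id"] is not None:
        spend_by_customer[t["card_id"]] += t["amount"]

print(dict(spend_by_customer))  # {'C-001': 8.25}
```

Note how the cash sale contributes nothing to the customer profile—exactly the visibility gap loyalty cards are designed to close.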

Tesco: Tracked Transactions, Increased Insights, and Surging Sales

UK grocery giant Tesco, the planet’s third-largest retailer, is envied worldwide for what analysts say is the firm’s unrivaled ability to collect vast amounts of retail data and translate this into sales.K. Capell, “Tesco: ‘Wal-Mart’s Worst Nightmare,’” BusinessWeek, December 29, 2008.

Tesco’s data collection relies heavily on its ClubCard loyalty program, an effort pioneered back in 1995. But Tesco isn’t just a physical retailer. As the world’s largest Internet grocer, the firm gains additional data from Web site visits, too. Remove products from your virtual shopping cart? Tesco can track this. Visited a product comparison page? Tesco watches which product you’ve chosen to go with and which you’ve passed over. Done your research online, then traveled to a store to make a purchase? Tesco sees this, too.

Tesco then mines all this data to understand how consumers respond to factors such as product mix, pricing, marketing campaigns, store layout, and Web design. Consumer-level targeting allows the firm to tailor its marketing messages to specific subgroups, promoting the right offer through the right channel at the right time and the right price. To get a sense of Tesco’s laser-focused targeting possibilities, consider that the firm sends out close to ten million different, targeted offers each quarter.T. Davenport and J. Harris, “Competing with Multichannel Marketing Analytics,” Advertising Age, April 2, 2007. Offer redemption rates are the best in the industry, with some coupons scoring an astronomical 90 percent usage!M. Lowenstein, “Tesco: A Retail Customer Divisibility Champion,” CustomerThink, October 20, 2002.

The firm’s data-driven management is clearly delivering results. In April 2009, while operating in the teeth of a global recession, Tesco posted record corporate profits and the highest earnings ever for a British retailer.K. Capell, “Tesco Hits Record Profit, but Lags in U.S.,” BusinessWeek, April 21, 2009.

Enterprise Software (CRM, SCM, and ERP)

Firms increasingly set up systems to gather additional data beyond conventional purchase transactions or Web site monitoring. CRM or customer relationship management systems are often used to empower employees to track and record data at nearly every point of customer contact. Someone calls for a quote? Brings a return back to a store? Writes a complaint e-mail? A well-designed CRM system can capture all these events for subsequent analysis or for triggering follow-up events.

Enterprise software includes not just CRM systems but also categories that touch every aspect of the value chain, including supply chain management (SCM) and enterprise resource planning (ERP) systems. More importantly, enterprise software tends to be more integrated and standardized than the prior era of proprietary systems that many firms developed themselves. This integration helps in combining data across business units and functions, and in getting that data into a form where it can be turned into information (for more on enterprise systems, see Chapter 9 “Understanding Software: A Primer for Managers”).

Surveys
Sometimes firms supplement operational data with additional input from surveys and focus groups. Oftentimes, direct surveys can tell you what your cash register can’t. Zara store managers informally survey customers in order to help shape designs and product mix. Online grocer FreshDirect (see Chapter 2 “Strategy and Technology: Concepts and Frameworks for Understanding What Separates Winners from Losers”) surveys customers weekly and has used this feedback to drive initiatives from reducing packaging size to including star ratings on produce.R. Braddock, “Lessons of Internet Marketing from FreshDirect,” Wall Street Journal, May 11, 2009. Many CRM products also have survey capabilities that allow for additional data gathering at all points of customer contact.

Can Technology “Cure” U.S. Health Care?

The U.S. health care system is broken. It’s costly, inefficient, and problems seem to be getting worse. Estimates suggest that health care spending makes up a whopping 18 percent of U.S. gross domestic product.J. Zhang, “Recession Likely to Boost Government Outlays on Health Care,” Wall Street Journal, February 24, 2009. U.S. automakers spend more on health care than they do on steel.S. Milligan, “Business Warms to Democratic Leaders,” Boston Globe, May 28, 2009. Even more disturbing, it’s believed that medical errors cause as many as ninety-eight thousand unnecessary deaths in the United States each year, more than motor vehicle accidents, breast cancer, or AIDS.R. Appleton, “Less Independent Doctors Could Mean More Medical Mistakes,” June 14, 2009; and B. Obama, President’s Speech to the American Medical Association, Chicago, IL, June 15, 2009.

For years it’s been claimed that technology has the potential to reduce errors, improve health care quality, and save costs. Now pioneering hospital networks and technology companies are partnering to help tackle cost and quality issues. For a look at possibilities for leveraging data throughout the doctor-patient value chain, consider the “event-driven medicine” system built by Dr. John Halamka and his team at Boston’s Beth Israel Deaconess Medical Center (part of the Harvard Medical School network).

When docs using Halamka’s system encounter a patient with a chronic disease, they generate a decision support “screening sheet.” Each event in the system (an office visit, a lab results report; think the medical equivalent of transactions and customer interactions) updates the patient database. Combine that electronic medical record information with artificial intelligence (software that seeks to reproduce or mimic, perhaps with improvements, human thought, decision making, or brain functions) applied to best practices, and the system can offer recommendations for care, such as, “Patient is past due for an eye exam” or, “Patient should receive pneumovax [a vaccine against infection] this season.”J. Halamka, “IT Spending: When Less Is More,” BusinessWeek, March 2, 2009. The systems don’t replace decision making by doctors and nurses, but they do help to ensure that key issues are on a provider’s radar.

More efficiencies and error checks show up when prescribing drugs. Docs are presented with a list of medications covered by that patient’s insurance, allowing them to choose quality options while controlling costs. Safety issues, guidelines, and best practices are also displayed. When a correct, safe medication in the right dose is selected, the electronic prescription is routed to the patient’s pharmacy of choice. As Halamka puts it, the order goes from “doctor’s brain to patient’s vein” without any of that messy physician handwriting, all while squeezing out layers where errors from human interpretation or data entry might occur.

President Obama believes technology initiatives can save health care as much as $120 billion a year, or roughly two thousand five hundred dollars per family.D. McCullagh, “Q&A: Electronic Health Records and You,” CNET, May 19, 2009. An aggressive number, to be sure. But with such a large target to aim at, it’s no wonder that nearly every major technology company now has a health solutions group. Microsoft and Google even offer competing systems for electronically storing and managing patient health records. If systems like Halamka’s and others realize their promise, big benefits may be just around the corner.

External Sources

Sometimes it makes sense to combine a firm’s data with bits brought in from the outside. Many firms, for example, don’t sell directly to consumers (this includes most drug companies and packaged goods firms). If your firm has partners that sell products for you, then you’ll likely rely heavily on data collected by others.

Data bought from sources available to all might not yield competitive advantage on its own, but it can provide key operational insight for increased efficiency and cost savings. And when combined with a firm’s unique data assets, it may give firms a high-impact edge.

Consider restaurant chain Brinker, a firm that runs seventeen hundred eateries in twenty-seven countries under the Chili’s, On The Border, and Maggiano’s brands. Brinker (whose ticker symbol is EAT) supplements its own data with external feeds on weather, employment statistics, gas prices, and other factors, and uses this in predictive models that help the firm in everything from determining staffing levels to switching around menu items.R. King, “Intelligence Software for Business,” BusinessWeek podcast, February 27, 2009.

In another example, Carnival Cruise Lines combines its own customer data with third-party information tracking household income and other key measures. This data plays a key role in a recession, since it helps the firm target limited marketing dollars on those past customers that are more likely to be able to afford to go on a cruise. So far it’s been a winning approach. For three years in a row, the firm has experienced double-digit increases in bookings by repeat customers.R. King, “Intelligence Software for Business,” BusinessWeek podcast, February 27, 2009.

Who’s Collecting Data about You?

There’s a thriving industry collecting data about you. Buy from a catalog, fill out a warranty card, or have a baby, and there’s a very good chance that this event will be recorded in a database somewhere, added to a growing digital dossier that’s made available for sale to others. If you’ve ever gotten catalogs, coupons, or special offers from firms you’ve never dealt with before, this was almost certainly a direct result of a behind-the-scenes trafficking in the “digital you.”

Firms that trawl for data and package them up for resale are known as data aggregators. They include Acxiom, a $1.3-billion-a-year business that combines public source data on real estate, criminal records, and census reports with private information from credit card applications, warranty card surveys, and magazine subscriptions. The firm holds data profiling some two hundred million Americans.A. Gefter and T. Simonite, “What the Data Miners Are Digging Up about You,” CNET, December 1, 2008.

Or maybe you’ve heard of LexisNexis. Many large universities subscribe to the firm’s electronic newspaper, journal, and magazine databases. But the firm’s parent, Reed Elsevier, is a data sales giant, with divisions packaging criminal records, housing information, and additional data used to uncover corporate fraud and other risks. In February 2008, the firm got even more data rich, acquiring Acxiom competitor ChoicePoint for $4.1 billion. With that kind of money involved, it’s clear that data aggregation is very big business.A. Greenberg, “Companies That Profit from Your Data,” Forbes, May 14, 2008.

The Internet also allows for easy access to data that had been public but otherwise difficult to obtain. For one example, consider home sale prices and home value assessments. While technically in the public record, someone wanting this information previously had to traipse down to their Town Hall and speak to a clerk, who would hand over a printed log book. Not exactly a Google-speed query. Contrast this with a visit to one of the free real estate Web sites that let you pull up a map of your town and instantly peek at how much your neighbors paid for their homes. And they let your neighbors see how much you paid for yours, too.

Computerworld’s Robert Mitchell uncovered a more disturbing issue that arises when public record information is made available online. His New Hampshire municipality had digitized and made available some of his old public documents without obscuring that holy grail for identity thieves: his Social Security number.R. Mitchell, “Why You Should Be Worried about Your Privacy on the Web,” Computerworld, May 11, 2009.

Then there are accuracy concerns. A record incorrectly identifying you as a cat lover is one thing, but being incorrectly named to the terrorist watch list is quite another. During a five-week period airline agents tried to block a particularly high profile U.S. citizen from boarding airplanes on five separate occasions because his name resembled an alias used by a suspected terrorist. That citizen? The late Ted Kennedy, who at the time was the senior U.S. senator from Massachusetts.R. Swarns, “Senator? Terrorist? A Watch List Stops Kennedy at Airport,” New York Times, August 20, 2004.

For the data trade to continue, firms will have to treat customer data as the sacred asset it is. Step over that “creep-out” line, and customers will push back, increasingly pressing for tighter privacy laws. Data aggregator Intelius used to track cell phone customers but backed off in the face of customer outrage and threatened legislation.

Another concern—sometimes data aggregators are just plain sloppy, committing errors that can be costly for the firm and potentially devastating for victimized users. For example, from 2002 to 2003, a hacker stole 1.6 billion records from Acxiom, while in 2005, ChoicePoint accidentally sold records on one hundred forty-five thousand individuals to a cybercrime identity theft ring. The ChoicePoint case resulted in a fifteen-million-dollar fine from the Federal Trade Commission.A. Greenberg, “Companies That Profit from Your Data,” Forbes, May 14, 2008. Just because you can gather data and traffic in bits doesn’t mean that you should. Any data-centric effort should involve input not only from business and technical staff, but from the firm’s legal team as well (for more, see the box “Privacy Regulation: A Moving Target”).

Privacy Regulation: A Moving Target

New methods for tracking and gathering user information appear daily, testing user comfort levels. For example, the firm Umbria uses software to analyze millions of blog and forum posts every day, using sentence structure, word choice, and quirks in punctuation to determine a blogger’s gender, age, interests, and opinions. In 2009, Apple introduced facial recognition software into iPhoto, along with Facebook integration. It’s quite possible that in the future, someone will be able to upload a photo to a service and direct it to find all the accessible photos and video on the Internet that match that person’s features. And while targeting is getting easier, a Carnegie Mellon study showed that it doesn’t take much to find someone with a minimum of data. Simply by knowing gender, birth date, and postal zip code, 87 percent of people in the United States could be pinpointed by name.A. Gefter and T. Simonite, “What the Data Miners Are Digging Up about You,” CNET, December 1, 2008. Another study showed that publicly available data on state and date of birth could be used to predict U.S. Social Security numbers—a potential gateway to identity theft.E. Mills, “Report: Social Security Numbers Can Be Predicted,” CNET, July 6, 2009.
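The re-identification risk behind such findings is easy to demonstrate. In the toy example below (five fabricated records, not real data), anyone whose combination of gender, birth date, and zip code is unique in the dataset can be singled out even though no record carries a name:

```python
from collections import Counter

# Toy population: (gender, birth_date, zip) act as "quasi-identifiers."
people = [
    ("F", "1990-03-14", "02138"),
    ("M", "1990-03-14", "02138"),
    ("F", "1985-07-02", "90210"),
    ("F", "1985-07-02", "90210"),  # shares a combination, so stays hidden
    ("M", "1971-11-30", "60614"),
]

counts = Counter(people)

# A person is re-identifiable if their attribute combination is unique.
unique_share = sum(1 for p in people if counts[p] == 1) / len(people)
print(unique_share)  # 0.6
```

Here three of the five “anonymous” records are unique on just three attributes; scale the same arithmetic up to national population data and you get results like the Carnegie Mellon study’s 87 percent figure.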

Some feel that Moore’s Law, the falling cost of storage, and the increasing reach of the Internet have us on the cusp of a privacy train wreck. And that may inevitably lead to more legislation that restricts data-use possibilities. Noting this, strategists and technologists need to be fully aware of the legal environment their systems face (see Chapter 14 “Google: Search, Online Advertising, and Beyond” for examples and discussion) and consider how such environments may change in the future. Many industries have strict guidelines on what kind of information can be collected and shared.

For example, HIPAA (the U.S. Health Insurance Portability and Accountability Act) includes provisions governing data use and privacy among health care providers, insurers, and employers. The financial industry has strict requirements for recording and sharing communications between firm and client (among many other restrictions). There are laws limiting the kinds of information that can be gathered on younger Web surfers. And there are several laws operating at the state level as well.

International laws also differ from those in the United States. Europe, in particular, has a strict European Privacy Directive. The directive includes provisions that limit data collection, require notice and approval of many types of data collection, and require firms to make data available to customers, with mechanisms for stopping collection efforts and correcting inaccuracies at customer request. Data-dependent efforts plotted for one region may not fully translate to another if the law limits key components of technology use. The constantly changing legal landscape also means that what works today might not be allowed in the future.

Firms beware—the public will almost certainly demand tighter controls if the industry is perceived as behaving recklessly or inappropriately with customer data.

Key Takeaways

  • For organizations that sell directly to their customers, transaction processing systems (TPS) represent a source of potentially useful data.
  • Grocers and retailers can link you to cash transactions if they can convince you to use a loyalty card which, in turn, requires you to give up information about yourself in exchange for some kind of financial incentive such as points or discounts.
  • Enterprise software (CRM, SCM, and ERP) is a source for customer, supply chain, and enterprise data.
  • Survey data can be used to supplement a firm’s operational data.
  • Data obtained from outside sources, when combined with a firm’s internal data assets, can give the firm a competitive edge.
  • Data aggregators are part of a multibillion-dollar industry that provides genuinely helpful data to a wide variety of organizations.
  • Data that can be purchased from aggregators may not in and of itself yield sustainable competitive advantage since others may have access to this data, too. However, when combined with a firm’s proprietary data or integrated with a firm’s proprietary procedures or other assets, third-party data can be a key tool for enhancing organizational performance.
  • Data aggregators can also be quite controversial. Among other things, they represent a big target for identity thieves, are a method for spreading potentially incorrect data, and raise privacy concerns.
  • Firms that mismanage their customer data assets risk lawsuits, brand damage, lower sales, fleeing customers, and can prompt more restrictive legislation.
  • Further raising privacy issues and identity theft concerns, recent studies have shown that in many cases it is possible to pinpoint users through allegedly anonymous data, and to guess Social Security numbers from public data.
  • New methods for tracking and gathering user information are raising privacy issues which possibly will be addressed through legislation that restricts data use.

Questions and Exercises

  1. Why would a firm use a loyalty card? What is the incentive for the firm? What is the incentive for consumers to opt in and use loyalty cards? What kinds of strategic assets can these systems create?
  2. In what ways does Tesco gather data? Can other firms match this effort? What other assets does Tesco leverage that helps the firm remain among top performing retailers worldwide?
  3. Make a list of the kind of data you might give up when using a cash register, a Web site, or a loyalty card, or when calling a firm’s customer support line. How might firms leverage this data to better serve you and improve their performance?
  4. Are you concerned by any of the data-use possibilities that you outlined in prior questions, discussed in this chapter, or that you’ve otherwise read about or encountered? If you are concerned, why? If not, why not? What might firms, governments, and consumers do to better protect consumers?
  5. What are some of the sources data aggregators tap to collect information?
  6. Privacy laws are in a near constant state of flux. Conduct research to identify the current state of privacy law. Has major legislation recently been proposed or approved? What are the implications for firms operating in affected industries? What are the potential benefits to consumers? Do consumers lose anything from this legislation?
  7. Self-regulation is often proposed as an alternative to legislative efforts. What kinds of efforts would provide “teeth” to self-regulation? Are there steps firms could take to make you believe in their ability to self-regulate? Why or why not?
  8. What is HIPAA? What industry does it impact?
  9. How do international privacy laws differ from U.S. privacy laws?

11.4 Data Rich, Information Poor

Learning Objectives

After studying this section you should be able to do the following:

  1. Know and be able to list the reasons why many organizations have data that can’t be converted to actionable information.
  2. Understand why transactional databases can’t always be queried and what needs to be done to facilitate effective data use for analytics and business intelligence.
  3. Recognize key issues surrounding data and privacy legislation.

Despite being awash in data, many organizations are data rich but information poor. A survey by consulting firm Accenture found 57 percent of companies reporting that they didn’t have a beneficial, consistently updated, companywide analytical capability. Among major decisions, only 60 percent were backed by analytics—40 percent were made on intuition and gut instinct.R. King, “Business Intelligence Software’s Time Is Now,” BusinessWeek, March 2, 2009. The big culprit limiting business intelligence (BI) initiatives is getting data into a form where it can be used, analyzed, and turned into information. Here’s a look at some of the factors holding back information advantages.

Incompatible Systems

Just because data is collected doesn’t mean it can be used. This limit is a big problem for large firms saddled with legacy systems: older, outdated information systems that were not designed to share data, aren’t compatible with newer technologies, and aren’t aligned with the firm’s current business needs. Incompatible legacy systems can be a major roadblock to turning data into information, and they can inhibit firm agility, holding back operational and strategic initiatives. The problem can be made worse by mergers and acquisitions, especially if a firm depends on operational systems that are incompatible with its partner’s. And the elimination of incompatible systems isn’t just a technical issue. Firms might be under extended agreements with different vendors or outsourcers, and breaking a contract or invoking an escape clause may be costly. Folks working in M&A (the area of investment banking focused on valuing and facilitating mergers and acquisitions) beware—it’s critical to uncover these hidden costs of technology integration before deciding if a deal makes financial sense.

Legacy Systems: A Prison for Strategic Assets

The experience of one Fortune 100 firm that your author has worked with illustrates how incompatible information systems can actually hold back strategy. This firm was the largest in its category, and sold identical commodity products sourced from its many plants worldwide. Being the biggest should have given the firm scale advantages. But many of the firm’s manufacturing facilities and international locations developed or purchased separate, incompatible systems. Still other plants were added through acquisition, each coming with its own legacy systems.

The plants with different information systems used different part numbers and naming conventions even though they sold identical products. As a result, the firm had no timely information on how much of a particular item was sold to which worldwide customers. The company was essentially operating as a collection of smaller, regional businesses, rather than as the worldwide behemoth that it was.

After the firm developed an information system that standardized data across these plants, it was, for the first time, able to get a single view of worldwide sales. The firm then used this data to approach its biggest customers, negotiating lower prices in exchange for increased commitments in worldwide purchasing. This trade let the firm take share from regional rivals. It also gave the firm the ability to shift manufacturing capacity globally, as currency prices, labor conditions, disaster, and other factors impacted sourcing. The new information system in effect liberated the latent strategic asset of scale, increasing sales by well over a billion and a half dollars in the four years following implementation.

Operational Data Can’t Always Be Queried

Another problem when turning data into information is that most transactional databases aren’t set up to be simultaneously accessed for reporting and analysis. When a customer buys something at a cash register, that action may post a sales record and deduct an item from the firm’s inventory. In most transaction processing systems, requests made to the database can usually be performed pretty quickly—the system adds or modifies the few records involved and it’s done—in and out in a flash.

But if a manager asks a database to analyze historic sales trends showing the most and least profitable products over time, they may be asking a computer to look at thousands of transaction records, comparing results and neatly ordering findings. That’s not a quick in-and-out task, and it may very well require significant processing to fulfill the request. Do this against the very databases you’re using to record your transactions, and you might grind your computers to a halt.
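The contrast can be sketched with a toy example (the table and product names below are hypothetical, not drawn from any real system): posting one sale touches a single row, while a trend query must scan, group, and sort every row in the table.

```python
import sqlite3

# Hypothetical point-of-sale table; schema invented for illustration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE sales (product TEXT, qty INTEGER, price REAL)")

# Transactional work: posting one sale adds a single record—in and out in a flash.
conn.execute("INSERT INTO sales VALUES (?, ?, ?)", ("widget", 2, 9.99))

# Load many more transactions to simulate an operational history.
conn.executemany(
    "INSERT INTO sales VALUES (?, ?, ?)",
    [("gadget", i % 5 + 1, 4.50) for i in range(10_000)],
)

# Analytical work: ranking products by revenue must scan, group,
# and sort *every* row—far more effort than posting one sale.
rows = conn.execute("""
    SELECT product, SUM(qty * price) AS revenue
    FROM sales
    GROUP BY product
    ORDER BY revenue DESC
""").fetchall()
print(rows[0][0])  # the most profitable product
```

Run the analytical query often enough against a live transactional database, and the scans compete with the quick inserts the system was built for—which is exactly why analytics work gets moved to a separate repository.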

Getting data into systems that can support analytics is where data warehouses and data marts come in, the topic of our next section.

Key Takeaways

  • A major factor limiting business intelligence initiatives is getting data into a form where it can be used (i.e., analyzed and turned into information).
  • Legacy systems often limit data utilization because they were not designed to share data, aren’t compatible with newer technologies, and aren’t aligned with the firm’s current business needs.
  • Most transactional databases aren’t set up to be simultaneously accessed for reporting and analysis. In order to run analytics the data must first be ported to a data warehouse or data mart.

Questions and Exercises

  1. How might information systems impact mergers and acquisitions? What are the key issues to consider?
  2. Discuss the possible consequences of a company having multiple plants, each with a different information system using different part numbers and naming conventions for identical products.
  3. Why does it take longer, and require more processing power, to analyze sales trends by region and product, as opposed to posting a sales transaction?

11.5 Data Warehouses and Data Marts

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand what data warehouses and data marts are and the purpose they serve.
  2. Know the issues that need to be addressed in order to design, develop, deploy, and maintain data warehouses and data marts.

Since running analytics against transactional data can bog down a system, and since most organizations need to combine and reformat data from multiple sources, firms typically need to create separate data repositories for their reporting and analytics work—a kind of staging area from which to turn that data into information.

Two terms you’ll hear for these kinds of repositories are data warehouseA set of databases designed to support decision making in an organization. and data martA database or databases focused on addressing the concerns of a specific problem (e.g., increasing customer retention, improving product quality) or business unit (e.g., marketing, engineering).. A data warehouse is a set of databases designed to support decision making in an organization. It is structured for fast online queries and exploration. Data warehouses may aggregate enormous amounts of data from many different operational systems.

A data mart is a database focused on addressing the concerns of a specific problem (e.g., increasing customer retention, improving product quality) or business unit (e.g., marketing, engineering).

Marts and warehouses may contain huge volumes of data. For example, a firm may not need to keep large amounts of historical point-of-sale or transaction data in its operational systems, but it might want past data in its data mart so that managers can hunt for patterns and trends that occur over time.

Figure 11.2

Information systems supporting operations (such as TPS) are typically separate, and “feed” information systems used for analytics (such as data warehouses and data marts).

It’s easy for firms to get seduced by a software vendor’s demonstration showing data at your fingertips, presented in pretty graphs. But as mentioned earlier, getting data in a format that can be used for analytics is hard, complex work. Large data warehouses can cost millions and take years to build. Every dollar spent on technology may lead to five to seven more dollars on consulting and other services.R. King, “Intelligence Software for Business,” BusinessWeek podcast, February 27, 2009.

Most firms will face a trade-off—do we attempt a large-scale integration of the whole firm, or more targeted efforts with quicker payoffs? Firms in fast-moving industries or with particularly complex businesses may struggle to get sweeping projects completed in enough time to reap benefits before business conditions change. Most consultants now advise smaller projects with narrow scope driven by specific business goals.D. Rigby and D. Ledingham, “CRM Done Right,” Harvard Business Review, November 2004; and R. King, “Intelligence Software for Business,” BusinessWeek podcast, February 27, 2009.

Firms can eventually get to a unified data warehouse but it may take time. Even analytics king Wal-Mart is just getting to that point. In 2007, it was reported that Wal-Mart had seven hundred different data marts and hired Hewlett-Packard for help in bringing the systems together to form a more integrated data warehouse.H. Havenstein, “HP Nabs Wal-Mart as Data Warehousing Customer,” Computerworld, August 1, 2007.

The old saying from the movie Field of Dreams, “If you build it, they will come,” doesn’t hold up well for large-scale data analytics projects. This work should start with a clear vision and business-focused objectives. When senior executives can see objectives illustrated with potential payoffs, they’ll be able to champion the effort, and experts agree that having an executive champion is a key success factor. Focusing on business issues will also drive technology choice, with the firm better able to focus on products that best fit its needs.

Once a firm has business goals and hoped-for payoffs clearly defined, it can address the broader issues needed to design, develop, deploy, and maintain its system:Key points adapted from T. Davenport and J. Harris, Competing on Analytics: The New Science of Winning (Boston: Harvard Business School Press, 2007).

  • Data relevance. What data is needed to compete on analytics and to meet our current and future goals?
  • Data sourcing. Can we even get the data we’ll need? Where can this data be obtained from? Is it available via our internal systems? Via third-party data aggregators? Via suppliers or sales partners? Do we need to set up new systems, surveys, and other collection efforts to acquire the data we need?
  • Data quantity. How much data is needed?
  • Data quality. Can our data be trusted as accurate? Is it clean, complete, and reasonably free of errors? How can the data be made more accurate and valuable for analysis? Will we need to ‘scrub,’ calculate, and consolidate data so that it can be used?
  • Data hosting. Where will the systems be housed? What are the hardware and networking requirements for the effort?
  • Data governance. What rules and processes are needed to manage data from its creation through its retirement? Are there operational issues (backup, disaster recovery)? Legal issues? Privacy issues? How should the firm handle security and access?

For some perspective on how difficult this can be, consider that an executive from one of the largest U.S. banks once lamented at how difficult it was to get his systems to do something as simple as properly distinguishing between men and women. The company’s customer-focused data warehouse drew data from thirty-six separate operational systems—bank teller systems, ATMs, student loan reporting systems, car loan systems, mortgage loan systems, and more. Collectively these legacy systems expressed gender in seventeen different ways: “M” or “F”; “m” or “f”; “Male” or “Female”; “MALE” or “FEMALE”; “1” for man, “0” for woman; “0” for man, “1” for woman; and more, plus various codes for “unknown.” The best math in the world is of no help if the values used aren’t any good. There’s a saying in the industry, “garbage in, garbage out.”
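The cleanup such a warehouse team faces can be sketched as a small “scrubbing” routine. The mapping below is a hypothetical illustration of consolidating a few of those legacy gender codes into one canonical value—not the bank’s actual logic.

```python
# Hypothetical consolidation of legacy gender codes into one canonical value.
GENDER_MAP = {
    "M": "male", "m": "male", "Male": "male", "MALE": "male",
    "F": "female", "f": "female", "Female": "female", "FEMALE": "female",
}

def normalize_gender(raw, ones_mean_male=True):
    """Map one legacy system's gender code to a canonical value.

    Numeric codes are ambiguous ("1" meant man in some source systems and
    woman in others), so the caller must say how *this* feed encodes them.
    """
    raw = str(raw).strip()
    if raw in GENDER_MAP:
        return GENDER_MAP[raw]
    if raw in ("0", "1"):
        male_code = "1" if ones_mean_male else "0"
        return "male" if raw == male_code else "female"
    return "unknown"  # anything else: don't guess—garbage in, garbage out

print(normalize_gender("FEMALE"))                    # female
print(normalize_gender("1", ones_mean_male=False))   # female
```

Multiply this by every ambiguous field across thirty-six source systems and the scale of “scrub, calculate, and consolidate” work becomes clear.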

E-discovery: Supporting Legal Inquiries

Data archiving isn’t just for analytics. Sometimes the law requires organizations to dive into their electronic records. E-discoveryThe process of identifying and retrieving relevant electronic information to support litigation efforts. refers to identifying and retrieving relevant electronic information to support litigation efforts. E-discovery is something a firm should account for in its archiving and data storage plans. Unlike analytics that promise a boost to the bottom line, there’s no profit in complying with a judge’s order—it’s just a sunk cost. But organizations can be compelled by court order to scavenge their bits, and the cost to uncover difficult-to-access data can be significant if not planned for in advance.

In one recent example, the Office of Federal Housing Enterprise Oversight (OFHEO) was subpoenaed for documents in litigation involving mortgage firms Fannie Mae and Freddie Mac. Even though the OFHEO wasn’t a party in the lawsuit, the agency had to comply with the search—an effort that cost $6 million, a full 9 percent of its total yearly budget.A. Conry-Murray, “The Pain of E-discovery,” InformationWeek, June 1, 2009.

Key Takeaways

  • Data warehouses and data marts are repositories for large amounts of transactional data awaiting analytics and reporting.
  • Large data warehouses are complex, can cost millions, and take years to build.

Questions and Exercises

  1. List the issues that need to be addressed in order to design, develop, deploy, and maintain data warehouses and data marts.
  2. What is meant by “data relevance”?
  3. What is meant by “data governance”?
  4. What is the difference between a data mart and a data warehouse?
  5. Why are data marts and data warehouses necessary? Why can’t an organization simply query its transactional database?
  6. How can something as simple as customer gender be difficult for a large organization to establish in a data warehouse?

11.6 The Business Intelligence Toolkit

Learning Objectives

After studying this section you should be able to do the following:

  1. Know the tools that are available to turn data into information.
  2. Identify the key areas where businesses leverage data mining.
  3. Understand some of the conditions under which analytical models can fail.
  4. Recognize major categories of artificial intelligence and understand how organizations are leveraging this technology.

So far we’ve discussed where data can come from, and how we can get data into a form where we can use it. But how, exactly, do firms turn that data into information? That’s where the various software tools of business intelligence (BI) and analytics come in. Potential products in the business intelligence toolkit range from simple spreadsheets to ultrasophisticated data mining packages leveraged by teams employing “rocket-science” mathematics.

Query and Reporting Tools

The idea behind query and reporting tools is to present users with a subset of requested data, selected, sorted, ordered, calculated, and compared, as needed. Managers use these tools to see and explore what’s happening inside their organizations.

Canned reportsReports that provide regular summaries of information in a predetermined format. provide regular summaries of information in a predetermined format. They’re often developed by information systems staff and formats can be difficult to alter. By contrast, ad hoc reporting toolsTools that put users in control so that they can create custom reports on an as-needed basis by selecting fields, ranges, summary conditions, and other parameters. allow users to dive in and create custom reports on the fly, selecting fields, ranges, and other parameters as needed. DashboardsA heads-up display of critical indicators that allow managers to get a graphical glance at key performance metrics. provide a sort of heads-up display of critical indicators, letting managers get a graphical glance at key performance metrics. Some tools may allow data to be exported into spreadsheets. Yes, even the lowly spreadsheet can be a powerful tool for modeling “what if” scenarios and creating additional reports (of course be careful: if data can be easily exported, then it can potentially leave the firm dangerously exposed, raising privacy, security, legal, and competitive concerns).

Figure 11.3 The Federal IT Dashboard

The Federal IT dashboard offers federal agencies, and the general public, information about the government’s IT investments.

A subcategory of reporting tools is referred to as online analytical processing (OLAP)A method of querying and reporting that takes data from standard relational databases, calculates and summarizes the data, and then stores the data in a special database called a data cube. (pronounced “oh-lap”). Data used in OLAP reporting is usually sourced from standard relational databases, but it’s calculated and summarized in advance, across multiple dimensions, with the data stored in a special database called a data cubeA special database used to store data in OLAP reporting.. This extra setup step makes OLAP fast (sometimes one thousand times faster than performing comparable queries against conventional relational databases). Given this kind of speed boost, it’s not surprising that data cubes for OLAP access are often part of a firm’s data mart and data warehouse efforts.

A manager using an OLAP tool can quickly explore and compare data across multiple factors such as time, geography, product lines, and so on. In fact, OLAP users often talk about how they can “slice and dice” their data, “drilling down” inside the data to uncover new insights. And while conventional reports are usually presented as a summarized list of information, OLAP results look more like a spreadsheet, with the various dimensions of analysis in rows and columns, with summary values at the intersection.

Figure 11.4

This OLAP report compares multiple dimensions. Company is along the vertical axis, and product is along the horizontal axis. Many OLAP tools can also present graphs of multidimensional data.
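A minimal sketch of this kind of cross-tab, with company on rows and product on columns and summary values at each intersection, might look like the following (company and product names are invented for illustration):

```python
from collections import defaultdict

# Hypothetical fact records of the kind a data cube would precompute:
# (company, product, units sold). All names and numbers are made up.
facts = [
    ("Acme", "Widgets", 120), ("Acme", "Gadgets", 80),
    ("Bsco", "Widgets", 45),  ("Bsco", "Gadgets", 200),
    ("Acme", "Widgets", 30),
]

# "Slice and dice": aggregate into a cross-tab—one summary cell per
# company/product intersection, as in a spreadsheet-style OLAP report.
cube = defaultdict(lambda: defaultdict(int))
for company, product, units in facts:
    cube[company][product] += units

print(cube["Acme"]["Widgets"])  # 150 — the summary value at that intersection
```

Real OLAP engines do this precomputation across many dimensions at once and store the results in a data cube, which is what makes subsequent queries so fast.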

Public Sector Reporting Tools in Action: Fighting Crime and Fighting Waste

Access to ad hoc query and reporting tools can empower all sorts of workers. Consider what analytics tools have done for the police force in Richmond, Virginia. The city provides department investigators with access to data from internal sources such as 911 logs and police reports, and combines this with outside data including neighborhood demographics, payday schedules, weather reports, traffic patterns, sports events, and more.

Experienced officers dive into this data, exploring when and where crimes occur. These insights help the department decide how to allocate its limited policing assets to achieve the biggest impact. While IT staffers put the system together, the tools are actually used by officers with expertise in fighting street crime—the kinds of users with the knowledge to hunt down trends and interpret the causes behind the data. And it seems this data helps make smart cops even smarter—the system is credited with delivering a single-year crime-rate reduction of 20 percent.S. Lohr, “Reaping Results: Data-Mining Goes Mainstream,” New York Times, May 20, 2007.

As it turns out, what works for cops also works for bureaucrats. When administrators for Albuquerque were given access to ad hoc reporting systems, they uncovered all sorts of anomalies, prompting cuts in excess spending on everything from cell phone usage to unnecessarily scheduled overtime. And once again, BI performed for the public sector. The Albuquerque system delivered the equivalent of $2 million in savings in just the first three weeks it was used.R. Mulcahy, “ABC: An Introduction to Business Intelligence,” CIO, March 6, 2007.

Data Mining

While reporting tools can help users explore data, modern data sets can be so large that it might be impossible for humans to spot underlying trends. That’s where data mining can help. Data miningThe process of using computers to identify hidden patterns in, and to build models from, large data sets. is the process of using computers to identify hidden patterns and to build models from large data sets.

Some of the key areas where businesses are leveraging data mining include the following:

  • Customer segmentation—figuring out which customers are likely to be the most valuable to a firm.
  • Marketing and promotion targeting—identifying which customers will respond to which offers at which price at what time.
  • Market basket analysis—determining which products customers buy together, and how an organization can use this information to cross-sell more products or services.
  • Collaborative filtering—personalizing an individual customer’s experience based on the trends and preferences identified across similar customers.
  • Customer churn—determining which customers are likely to leave, and what tactics can help the firm avoid unwanted defections.
  • Fraud detection—uncovering patterns consistent with criminal activity.
  • Financial modeling—building trading systems to capitalize on historical trends.
  • Hiring and promotion—identifying characteristics consistent with employee success in the firm’s various roles.

For data mining to work, two critical conditions need to be present: (1) the organization must have clean, consistent data, and (2) the events in that data should reflect current and future trends. The recent financial crisis provides lessons on what can happen when either of these conditions isn’t met.

First, let’s look at problems with using bad data. A report in the New York Times has suggested that in the period leading up to the 2008 financial crisis, some banking executives deliberately deceived risk management systems in order to skew capital-on-hand requirements. This deception let firms load up on risky debt, while carrying less cash for covering losses.S. Hansell, “How Wall Street Lied to Its Computers,” New York Times, September 18, 2008. Deceive your systems with bad data and your models are worthless. In this case, wrong estimates from bad data left firms grossly overexposed to risk. When debt defaults occurred, several banks failed, and we entered the worst financial crisis since the Great Depression.

Now consider the problem of historical consistency: Computer-driven investment models can be very effective when the market behaves as it has in the past. But models are blind when faced with the equivalent of the “hundred-year flood” (sometimes called black swans): events so extreme and unusual that they never showed up in the data used to build the model.

We saw this in the late 1990s with the collapse of the investment firm Long Term Capital Management. LTCM was started by Nobel Prize–winning economists, but when an unexpected Russian debt crisis caused the markets to move in ways not anticipated by its models, the firm lost 90 percent of its value in less than two months. The problem was so bad that the Fed had to step in to supervise the firm’s multibillion-dollar bailout. Fast forward a decade to the banking collapse of 2008, and we again see computer-driven trading funds plummet in the face of another unexpected event—the burst of the housing bubble.P. Wahba, “Buffeted ‘Quants’ Are Still in Demand,” Reuters, December 22, 2008.

Data mining presents a host of other perils, as well. It’s possible to over-engineerBuild a model with so many variables that the solution arrived at might only work on the subset of data you’ve used to create it. a model, building it with so many variables that the solution arrived at might only work on the subset of data you’ve used to create it. You might also be looking at a random but meaningless statistical fluke. In demonstrating how flukes occur, one quantitative investment manager uncovered a correlation that at first glance appeared to be a statistically strong predictor of historical prices in the S&P 500 stock index. That predictor? Butter production in Bangladesh.P. Coy, “He Who Mines Data May Strike Fool’s Gold,” BusinessWeek, June 16, 1997. Sometimes durable and useful patterns just aren’t in your data.

One way to test to see if you’re looking at a random occurrence in the numbers is to divide your data, building your model with one portion of the data, and using another portion to verify your results. This is the approach Netflix has used to test results achieved by teams in the Netflix Prize, the firm’s million-dollar contest for improving the predictive accuracy of its movie recommendation engine (see Chapter 4 “Netflix: The Making of an E-commerce Giant and the Uncertain Future of Atoms to Bits”).
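A minimal sketch of this split-and-verify approach, using entirely synthetic data (the “model” here is a deliberately trivial slope estimate, invented for illustration):

```python
import random

# Synthetic data with a genuine underlying pattern: y is roughly 2x plus noise.
random.seed(42)
data = [(x, 2 * x + random.gauss(0, 0.5)) for x in range(1, 201)]

# Split: build the model on one portion, hold the other back for verification.
random.shuffle(data)
train, holdout = data[:100], data[100:]

# Trivial "model": estimate the slope from the training portion alone.
slope = sum(y for x, y in train) / sum(x for x, y in train)

# Verify: does the same slope describe the data the model never saw?
holdout_slope = sum(y for x, y in holdout) / sum(x for x, y in holdout)
print(abs(slope - holdout_slope) < 0.1)  # a durable pattern generalizes
```

A butter-production-in-Bangladesh fluke would fail this check: a relationship fitted to one half of the data would fall apart on the half it never saw.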

Finally, sometimes a pattern is uncovered but determining the best choice for a response is less clear. As an example, let’s return to the data-mining wizards at Tesco. An analysis of product sales data showed several money-losing products, including a type of bread known as “milk loaf.” Drop those products, right? Not so fast. Further analysis showed milk loaf was a “destination product” for a loyal group of high-value customers, and that these customers would shop elsewhere if milk loaf disappeared from Tesco shelves. The firm kept the bread as a loss-leader and retained those valuable milk loaf fans.B. Helm, “Getting Inside the Customer’s Mind,” BusinessWeek, September 11, 2008. Data miner, beware—first findings don’t always reveal an optimal course of action.

This last example underscores the importance of recruiting a data mining and business analytics team that possesses three critical skills: information technology (for understanding how to pull together data, and for selecting analysis tools), statistics (for building models and interpreting the strength and validity of results), and business knowledge (for helping set system goals, requirements, and offering deeper insight into what the data really says about the firm’s operating environment). Miss one of these key functions and your team could make some major mistakes.

While we’ve focused on tools in our discussion above, many experts suggest that business intelligence is really an organizational process as much as it is a set of technologies. Having the right team is critical in moving the firm from goal setting through execution and results.

Artificial Intelligence

Data mining has its roots in a branch of computer science known as artificial intelligence (or AI). The goal of AI is to create computer programs that are able to mimic or improve upon functions of the human brain. Data mining can leverage neural networksAn AI system that examines data and hunts down and exposes patterns, in order to build models to exploit findings. or other advanced algorithms and statistical techniques to hunt down and expose patterns, and build models to exploit findings.

Expert systemsAI systems that leverage rules or examples to perform a task in a way that mimics applied human expertise. are AI systems that leverage rules or examples to perform a task in a way that mimics applied human expertise. Expert systems are used in tasks ranging from medical diagnoses to product configuration.

Genetic algorithmsModel building techniques where computers examine many potential solutions to a problem, iteratively modifying (mutating) various mathematical models, and comparing the mutated models to search for a best alternative. are model building techniques where computers examine many potential solutions to a problem, iteratively modifying (mutating) various mathematical models, and comparing the mutated models to search for a best alternative. Genetic algorithms have been used to build everything from financial trading models to handling complex airport scheduling, to designing parts for the international space station.Adapted from J. Kahn, “It’s Alive,” Wired, March 2002; O. Port, “Thinking Machines,” BusinessWeek, August 7, 2000; and L. McKay, “Decisions, Decisions,” CRM Magazine, May 1, 2009.
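A bare-bones sketch of the iterate-mutate-compare loop can make the idea concrete. Everything below (the fitness function, population size, and mutation step) is invented for illustration; real genetic algorithms add crossover between candidates and far richer model representations.

```python
import random

# Toy problem: evolve a population of candidate numbers toward the
# maximum of a fitness function. The peak sits at x = 3.14.
random.seed(1)

def fitness(x):
    return -(x - 3.14) ** 2  # higher is better; best possible is x = 3.14

population = [random.uniform(-10, 10) for _ in range(30)]
for generation in range(100):
    # Compare and select: keep the fittest half of the population.
    population.sort(key=fitness, reverse=True)
    survivors = population[:15]
    # Mutate: each survivor spawns a slightly perturbed copy.
    children = [x + random.gauss(0, 0.1) for x in survivors]
    population = survivors + children

best = max(population, key=fitness)
print(round(best, 2))
```

Because the fittest candidates always survive intact while their mutated offspring explore nearby alternatives, the population steadily climbs toward the optimum without anyone solving the problem analytically.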

While AI is not a single technology, and not directly related to data creation, various forms of AI can show up as part of analytics products, CRM tools, transaction processing systems, and other information systems.

Key Takeaways

  • Canned and ad hoc reports, digital dashboards, and OLAP are all used to transform data into information.
  • OLAP reporting leverages data cubes, which take data from standard relational databases, calculating and summarizing data for superfast reporting access. OLAP tools can present results through multidimensional graphs, or via spreadsheet-style cross-tab reports.
  • Modern data sets can be so large that it might be impossible for humans to spot underlying trends without the use of data mining tools.
  • Businesses are using data mining to address issues in several key areas including customer segmentation, marketing and promotion targeting, collaborative filtering, and so on.
  • Models influenced by bad data, missing or incomplete historical data, and over-engineering are prone to yield bad results.
  • One way to test to see if you’re looking at a random occurrence in your data is to divide your data, building your model with one portion of the data, and using another portion to verify your results.
  • Analytics may not always provide the total solution for a problem. Sometimes a pattern is uncovered, but determining the best choice for a response is less clear.
  • A competent business analytics team should possess three critical skills: information technology, statistics, and business knowledge.

Questions and Exercises

  1. What are some of the tools used to convert data into information?
  2. What is the difference between a canned report and an ad hoc report?
  3. How do reports created by OLAP differ from most conventional reports?
  4. List the key areas where businesses are leveraging data mining.
  5. What is market basket analysis?
  6. What is customer churn?
  7. For data mining to work, what two critical data-related conditions must be present?
  8. Discuss occurrences of model failure caused by missing or incomplete historical data.
  9. Discuss Tesco’s response to their discovery that “milk loaf” was a money-losing product.
  10. List the three critical skills a competent business analytics team should possess.
  11. Do any of the products that you use leverage artificial intelligence? What kinds of AI might be used in Netflix’s movie recommendation system, Apple’s iTunes Genius playlist builder, or Amazon’s Web site personalization? What kind of AI might help a physician make a diagnosis or help an engineer configure a complicated product in the field?

11.7 Data Asset in Action: Technology and the Rise of Wal-Mart

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how Wal-Mart has leveraged information technology to become the world’s largest retailer.
  2. Be aware of the challenges that face Wal-Mart in the years ahead.

Wal-Mart demonstrates how a physical product retailer can create and leverage a data asset to achieve world-class supply chain efficiencies targeted primarily at driving down costs.

Wal-Mart isn’t just the largest retailer in the world; over the past several years it has popped in and out of the top spot on the Fortune 500 list—meaning that the firm has had revenues greater than any firm in the United States. Wal-Mart is so big that in three months it sells more than number two U.S. retailer Home Depot sells in an entire year.From 2006 through 2009, Wal-Mart has appeared as either number one or number two in the Fortune 100 rankings.

At that size, it’s clear that Wal-Mart’s key source of competitive advantage is scale. But firms don’t turn into giants overnight. Wal-Mart grew in large part by leveraging information systems to an extent never before seen in the retail industry. Technology tightly coordinates the Wal-Mart value chain from tip to tail, while these systems also deliver a mineable data asset that’s unmatched in U.S. retail. To get a sense of the firm’s overall efficiencies, at the end of the prior decade a McKinsey study found that Wal-Mart was responsible for some 12 percent of the productivity gains in the entire U.S. economy.C. Fishman, “The Wal-Mart You Don’t Know,” Fast Company, December 19, 2007. The firm’s capacity as a systems innovator is so respected that many senior Wal-Mart IT executives have been snatched up for top roles at Dell, HP, Amazon, and Microsoft. And lest one think that innovation is the province of only those located in the technology hubs of Silicon Valley, Boston, and Seattle, remember that Wal-Mart is headquartered in Bentonville, Arkansas.

A Data-Driven Value Chain

The Wal-Mart efficiency dance starts with a proprietary system called Retail Link, a system originally developed in 1991 and continually refined ever since. Each time an item is scanned by a Wal-Mart cash register, Retail Link not only records the sale, it also automatically triggers inventory reordering, scheduling, and delivery. This process keeps shelves stocked, while keeping inventories at a minimum. An AMR report ranked Wal-Mart as having the seventh-best supply chain in the country (the only other retailer in the top twenty was Tesco, at number fifteen).T. Friscia, K. O’Marah, D. Hofman, and J. Souza, “The AMR Research Supply Chain Top 25 for 2009,” AMR Research, May 28, 2009. The firm’s annual inventory turnover ratioThe ratio of a company’s annual sales to its inventory. of 8.5 means that Wal-Mart sells the equivalent of its entire inventory roughly every six weeks (by comparison, Target’s turnover ratio is 6.4, Sears’ is 3.4, and the average for U.S. retail is less than 2).Twelve-month figures from midyear 2009, via Forbes and Reuters.
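The turnover arithmetic can be checked directly. The ratios below are the ones quoted in the text; the calculation simply assumes a 365-day year.

```python
# Convert an annual inventory turnover ratio into the implied time it takes
# to sell the equivalent of the entire inventory, assuming a 365-day year.
DAYS_PER_YEAR = 365

def weeks_to_turn_inventory(turnover_ratio):
    """Weeks needed to sell through one full inventory's worth of goods."""
    return DAYS_PER_YEAR / turnover_ratio / 7

print(round(weeks_to_turn_inventory(8.5), 1))  # Wal-Mart: about 6 weeks
print(round(weeks_to_turn_inventory(6.4), 1))  # Target
print(round(weeks_to_turn_inventory(3.4), 1))  # Sears
```

Faster turnover means less capital tied up in goods sitting on shelves—one concrete way Retail Link’s automated reordering translates into cost advantage.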

Back-office scanners keep track of inventory as supplier shipments come in. Suppliers are rated based on timeliness of deliveries, and you’ve got to be quick to work with Wal-Mart. In order to avoid a tractor-trailer traffic jam in store parking lots, deliveries are choreographed to arrive at intervals less than ten minutes apart. When Levi’s began selling at Wal-Mart, the firm had to guarantee it could replenish shelves every two days—no prior retailer had required anything shorter than a five-day window from Levi’s.C. Fishman, “The Wal-Mart You Don’t Know,” Fast Company, December 19, 2007.

Wal-Mart has been a catalyst for technology adoption among its suppliers. The firm is currently leading an adoption effort that requires partners to leverage RFID technology to track and coordinate inventories. While the rollout has been slow, a recent P&G trial showed RFID boosted sales nearly 20 percent by ensuring that inventory was on shelves and located where it should be.D. Joseph, “Supermarket Strategies: What’s New at the Grocer,” BusinessWeek, June 8, 2009.

Data Mining Prowess

Wal-Mart also mines its mother lode of data to get its product mix right under all sorts of varying environmental conditions, protecting the firm from “a retailer’s twin nightmares: too much inventory, or not enough.”C. Hays, “What Wal-Mart Knows about Customer Habits,” New York Times, November 14, 2004. For example, the firm’s data mining efforts informed buyers that customers stock up on certain products in the days leading up to predicted hurricanes. Bumping up prestorm supplies of batteries and bottled water was a no-brainer, but the firm also learned that Pop-Tarts sales spike sevenfold before storms hit, and that beer is the top prestorm seller. This insight has led to truckloads full of six-packs and toaster pastries streaming into Gulf Coast states whenever word of a big storm surfaces.C. Hays, “What Wal-Mart Knows about Customer Habits,” New York Times, November 14, 2004.

Data mining also helps the firm tighten operational forecasts, helping to predict things like how many cashiers are needed at a given store at various times of day throughout the year. Data drives the organization, with mined reports forming the basis of weekly sales meetings, as well as executive strategy sessions.

Sharing Data, Keeping Secrets

While Wal-Mart is demanding of its suppliers, it shares data with them, too. Data can help firms become more efficient so that Wal-Mart can keep dropping prices, and data can help suppliers uncover patterns that help them sell more. P&G’s Gillette unit, for example, claims to have mined Wal-Mart data to develop promotions that increased sales as much as 19 percent. More than seventeen thousand suppliers are given access to their products’ Wal-Mart performance across metrics that include daily sales, shipments, returns, purchase orders, invoices, claims, and forecasts. And these suppliers collectively interrogate Wal-Mart data warehouses to the tune of twenty-one million queries a year.K. Evans-Correia, “Dillman Replaced as Wal-Mart CIO,” SearchCIO, April 6, 2006.

While Wal-Mart shares sales data with relevant suppliers, the firm otherwise fiercely guards this asset. Many retailers pool their data by sharing it with information brokers like Information Resources and ACNielsen. This sharing allows smaller firms to gain more comprehensive insight on market behavior. But Wal-Mart stopped sharing data with these agencies years ago. The firm’s scale is so big that the additional data provided by brokers wasn’t adding much value, and it no longer made sense to allow competitors access to what was happening in its own huge chunk of retail sales.

Other aspects of the firm’s technology remain under wraps, too. Wal-Mart custom builds large portions of its information systems to keep competitors off its trail. As for infrastructure secrets, the Wal-Mart Data Center in McDonald County, Missouri, was considered so off limits that the county assessor was required to sign a nondisclosure statement before being allowed on-site to estimate property value.M. McCoy, “Wal-Mart’s Data Center Remains Mystery,” Joplin Globe, May 28, 2006.

Challenges Abound

But despite success, challenges continue. While Wal-Mart grew dramatically throughout the 1990s, the firm’s U.S. business has largely matured. And as a mature business it faces a problem not unlike the example of Microsoft discussed at the end of Chapter 14 “Google: Search, Online Advertising, and Beyond”; Wal-Mart needs to find huge markets or dramatic cost savings in order to boost profits and continue to move its stock price higher.

The firm’s aggressiveness and sheer size also increasingly make Wal-Mart a target for criticism. Those low prices come at a price, and the firm has faced accusations of subpar wages and remains a magnet for union activists. Others have identified poor labor conditions at some of the firm’s contract manufacturers. Suppliers that compete for Wal-Mart’s business are often faced with a catch-22. If they bypass Wal-Mart they miss out on the largest single chunk of world retail sales. But if they sell to Wal-Mart, the firm may demand prices so aggressively low that suppliers end up cannibalizing their own sales at other retailers. Still more criticism comes from local citizen groups that have accused Wal-Mart of ruining the market for mom-and-pop stores.C. Fishman, “The Wal-Mart You Don’t Know,” Fast Company, December 19, 2007.

While some might see Wal-Mart as invincibly standing at the summit of world retail, it’s important to note that other megaretailers have fallen from grace. In the 1920s and 1930s, the A&P grocery chain controlled 80 percent of U.S. grocery sales, at its peak operating five times the number of stores that Wal-Mart has today. But market conditions changed, and the government stepped in to draft antipredatory pricing laws when it felt A&P’s parent was too aggressive.

For all of Wal-Mart’s data brilliance, historical data offers little insight on how to adapt to more radical changes in the retail landscape. The firm’s data warehouse wasn’t able to foretell the rise of Target and other up-market discounters. And yet another major battle is brewing, as Tesco methodically attempts to take its globally honed expertise to U.S. shores. Savvy managers recognize that data use is a vital tool, but not the only tool in management’s strategic arsenal.

Key Takeaways

  • Wal-Mart demonstrates how a physical product retailer can create and leverage a data asset to achieve world-class value chain efficiencies.
  • Wal-Mart uses data mining in numerous ways, from demand forecasting to predicting the number of cashiers needed at a store at a particular time.
  • To help suppliers become more efficient, and as a result lower prices, Wal-Mart shares data with them.
  • Despite its success, Wal-Mart is a mature business that needs to find huge markets or dramatic cost savings in order to boost profits and continue to move its stock price higher. The firm’s success also makes it a high-impact target for criticism and activism. And the firm’s data assets could not predict impactful industry trends such as the rise of Target and other upscale discounters.

Questions and Exercises

  1. List the functions performed by Retail Link. What is its benefit to Wal-Mart?
  2. Which supplier metrics does Retail Link gather and report? How is this valuable to Wal-Mart and suppliers?
  3. Name the technology Wal-Mart requires partners to use to track and coordinate inventory. Do you know of other uses for this technology?
  4. What steps has Wal-Mart taken to protect its data from competitors?
  5. List the criticisms leveled at Wal-Mart. Do you think these critiques are valid or not? What can Wal-Mart do to counteract this criticism? Should it take these steps? Why or why not?

11.8 Data Asset in Action: Harrah’s Solid Gold CRM for the Service Sector

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how Harrah’s has used IT to move from an also-ran chain of casinos to become the largest gaming company based on revenue.
  2. Name some of the technology innovations that Harrah’s is using to help it gather more data, and help push service quality and marketing program success.

Harrah’s Entertainment provides an example of exceptional data asset leverage in the service sector, focusing on how this technology enables world-class service through customer relationship management.

Gary Loveman is a sort of management major trifecta. The CEO of Harrah’s Entertainment is a former operations professor who has leveraged information technology to create what may be the most effective marketing organization in the service industry. If you ever needed an incentive to motivate you for cross-disciplinary thinking, Loveman provides it.

Harrah’s has leveraged its data-powered prowess to move from an also-ran chain of casinos to become the largest gaming company by revenue. The firm operates some fifty-three casinos, employing more than eighty-five thousand workers on five continents. Brands include Harrah’s, Caesars Palace, Bally’s, Horseshoe, and Paris Las Vegas. Under Loveman, Harrah’s has aggressively swallowed competitors, the firm’s $9.4 billion buyout of Caesars Entertainment being its largest deal to date.

Collecting Data

Data drives the firm. Harrah’s collects customer data on just about everything you might do at their properties—gamble, eat, grab a drink, attend a show, stay in a room. The data’s then used to track your preferences and to size up whether you’re the kind of customer that’s worth pursuing. Prove your worth, and the firm will surround you with top-tier service and develop a targeted marketing campaign to keep wooing you back.V. Magnini, E. Honeycutt, and S. Hodge, “Data Mining for Hotel Firms: Use and Limitations,” Cornell Hotel and Restaurant Administration Quarterly, April 2003.

The ace in the firm’s data collection hole is its Total Rewards loyalty card system. Launched over a decade ago, the system is constantly being enhanced by an IT staff of seven hundred, with an annual budget in excess of $100 million.P. Swabey, “Nothing Left to Chance,” Information Age, January 18, 2007. Total Rewards is an opt-inProgram (typically a marketing effort) that requires customer consent. This program is contrasted with opt-out programs, which enroll all customers by default. loyalty program, but customers consider the incentives to be so good that the card is used by some 80 percent of Harrah’s patrons, collecting data on over forty-four million customers.M. Wagner, “Harrah’s Places Its Bet On IT,” InformationWeek, September 16, 2008; and L. Haugsted, “Better Take Care of Big Spenders; Harrah’s Chief Offers Advice to Cablers,” Multichannel News, July 30, 2007.

Customers signing up for the card provide Harrah’s with demographic information such as gender, age, and address. Visitors then present the card for various transactions. Slide it into a slot machine, show it to the restaurant hostess, present it to the parking valet, share your account number with a telephone reservation specialist—every contact point is an opportunity to collect data. Between three hundred thousand and one million customers come through Harrah’s doors daily, adding to the firm’s data stash and keeping that asset fresh.N. Hoover, “Chief of the Year: Harrah’s CIO Tim Stanley,” Information Week Research and Reports, 2007.

Who Are the Most Valuable Customers?

All that data is heavily and relentlessly mined. Customer relationship management should include an assessment to determine which customers are worth having a relationship with. And because Harrah’s has so much detailed historical data, the firm can make fairly accurate projections of customer lifetime value (CLV)The present value of the likely future income stream generated by an individual purchaser.. CLV represents the present value of the likely future income stream generated by an individual purchaser.“Which Customers Are Worth Keeping and Which Ones Aren’t? Managerial Uses of CLV,” Knowledge@Wharton, July 30, 2003. Once you know this, you can get a sense of how much you should spend to keep that customer coming back. You can size customers up against their peer group, and if they fall below expectations, you can develop strategies to improve their spending.
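
CLV is a standard present-value calculation. Here is a minimal sketch of the idea; the spend, retention, and discount figures are hypothetical illustrations, not Harrah's actual model:

```python
# Customer lifetime value (CLV): the present value of the expected
# future income stream from one customer. Each year's expected profit
# is thinned by the odds the customer is still active, then discounted
# back to today's dollars.
def customer_lifetime_value(annual_profit, retention_rate, discount_rate, years):
    clv = 0.0
    for t in range(1, years + 1):
        survival = retention_rate ** t                   # still a customer in year t?
        clv += annual_profit * survival / (1 + discount_rate) ** t
    return clv

# Hypothetical regular: $500/year in expected profit, 80% annual
# retention, a 10% discount rate, over a ten-year horizon.
print(f"${customer_lifetime_value(500, 0.80, 0.10, 10):,.2f}")
```

Knowing that this hypothetical customer is worth roughly $1,300 in today's dollars tells you the ceiling on what it makes sense to spend wooing them back.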

The firm tracks over ninety demographic segments, and each responds differently to different marketing approaches. Identifying segments and figuring out how to deal with each involves an iterative model of mining the data to identify patterns, creating a hypothesis (customers in group X will respond to a free steak dinner; group Y will want ten dollars in casino chips), then testing that hypothesis against a control group, turning again to analytics to statistically verify the outcome.
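
The test-and-control loop described above can be sketched as a simple two-proportion z-test. The offer, group sizes, and response counts below are hypothetical:

```python
import math

# Two-proportion z-test: did the treatment group (got the offer)
# respond at a meaningfully higher rate than the control group?
def two_proportion_z(conv_a, n_a, conv_b, n_b):
    p_a, p_b = conv_a / n_a, conv_b / n_b
    p_pool = (conv_a + conv_b) / (n_a + n_b)             # pooled response rate
    se = math.sqrt(p_pool * (1 - p_pool) * (1 / n_a + 1 / n_b))
    return (p_a - p_b) / se

# Hypothetical experiment: of 1,000 customers offered a free steak
# dinner, 180 returned; of a 1,000-person control group, 140 returned.
z = two_proportion_z(180, 1000, 140, 1000)
print(f"z = {z:.2f}")  # |z| > 1.96 would be significant at the 5% level
```

Here z works out to about 2.44, so the uplift would clear the conventional 5 percent significance bar, which is exactly the kind of statistical verification the iterative loop above relies on.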

The firm runs hundreds of these small, controlled experiments each year. Loveman says that when marketers suggest new initiatives, “I ask, did we test it first? And if I find out that we just whole-hogged, went after something without testing it, I’ll kill ’em. No matter how clever they think it is, we test it.”J. Nickell, “Welcome to Harrah’s,” Business 2.0, April 2002. The former ops professor is known to often quote quality guru W. Edwards Deming, saying, “In God we trust; all others must bring data.”

When Harrah’s began diving into the data, they uncovered patterns that defied the conventional wisdom in the gaming industry. Big money didn’t come from European princes, Hong Kong shipping heirs, or the Ocean’s 11 crowd—it came from locals. The less than 30 percent of customers who spent between one hundred and five hundred dollars per visit accounted for over 80 percent of revenues and nearly 100 percent of profits.P. Swabey, “Nothing Left to Chance,” Information Age, January 18, 2007.

The data also showed that the firm’s most important customers weren’t the families that many Vegas competitors were trying to woo with Disneyland-style theme casinos—it was Grandma! Harrah’s focuses on customers forty-five years and older: twenty-somethings have no money, while thirty-somethings have kids and are too busy. To the premiddle-aged crowd, Loveman says, “God bless you, but we don’t need you.”L. Haugsted, “Better Take Care of Big Spenders; Harrah’s Chief Offers Advice to Cablers,” Multichannel News, July 30, 2007.

Data-Driven Service: Get Close (but Not Too Close) to Your Customers

The names for reward levels on the Total Rewards card convey increasing customer value—Gold, Platinum, and Diamond. Spend more money at Harrah’s and you’ll enjoy shorter lines, discounts, free items, and more. And if Harrah’s systems determine you’re a high-value customer, expect white-glove treatment. The firm will lavish you with attention, using technology to try to anticipate your every need. Customers notice the extra treatment that top-tier Total Rewards members receive and actively work to improve their status.

To illustrate this, Loveman points to the obituary of an Asheville, North Carolina, woman who frequented a casino Harrah’s operates on a nearby Cherokee reservation. “Her obituary was published in the Asheville paper and indicated that at the time of her death, she had several grandchildren, she sang in the Baptist choir and she was a holder of the Harrah’s Diamond Total Rewards card.” Quipped Loveman, “When your loyalty card is listed in someone’s obituary, I would maintain you have traction.”G. Loveman, Speech and Comments, Chief Executive Club of Boston College, January 2005; emphasis added.

The degree of customer service pushed through the system is astonishing. Upon check-in, a Harrah’s customer who enjoys fine dining may find his or her table is reserved, along with tickets for a show afterward. Others may get suggestions or special offers throughout their stay, pushed via text message to their mobile device.M. Wagner, “Harrah’s Places Its Bet On IT,” InformationWeek, September 16, 2008. The firm even tracks gamblers to see if they’re suffering unusual losses, and Harrah’s will dispatch service people to intervene with a feel-good offer: “Having a bad day? Here’s a free buffet coupon.”T. Davenport and J. Harris, Competing on Analytics: The New Science of Winning (Boston: Harvard Business School Press, 2007).

The firm’s CRM effort monitors any customer behavior changes. If a customer who usually spends a few hundred a month hasn’t shown up in a while, the firm’s systems trigger follow-up contact methods such as sending a letter with a promotion offer, or having a rep make a phone call inviting them back.G. Loveman, Speech and Comments, Chief Executive Club of Boston College, January 2005.
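
The trigger logic described here can be sketched as a simple rule. The thresholds and follow-up actions below are illustrative guesses, not Harrah's actual business rules:

```python
from datetime import date

# Sketch of a lapsed-customer trigger: if a regular patron has been
# quiet far longer than their typical gap between visits, queue an
# outreach action. Thresholds and actions are hypothetical.
def outreach_action(last_visit, typical_gap_days, today):
    days_quiet = (today - last_visit).days
    if days_quiet > 3 * typical_gap_days:
        return "phone call from a rep"       # strongest follow-up
    if days_quiet > 2 * typical_gap_days:
        return "mail a promotion offer"
    return None                              # behavior looks normal

# A monthly visitor who hasn't shown up in three months gets a call.
print(outreach_action(date(2009, 3, 1), 30, today=date(2009, 6, 1)))
```

Running a rule like this nightly over the whole customer base is how a system, rather than a salesperson's memory, notices who has gone missing.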

Customers come back to Harrah’s because they feel that those casinos treat them better than the competition. And Harrah’s laser-like focus on service quality and customer satisfaction is embedded into its information systems and operational procedures. Employees are measured on metrics that include speed and friendliness and are compensated based on guest satisfaction ratings. Hourly workers are notoriously difficult to motivate: they tend to be high-turnover, low-wage earners. But at Harrah’s, incentive bonuses depend on an entire location’s ratings. That encourages strong performers to share tips to bring the new guy up to speed. The process effectively changed the corporate culture at Harrah’s from an every-property-for-itself mentality to a collaborative, customer-focused enterprise.V. Magnini, E. Honeycutt, and S. Hodge, “Data Mining for Hotel Firms: Use and Limitations,” Cornell Hotel and Restaurant Administration Quarterly, April 2003.

While Harrah’s is committed to learning how to make your customer experience better, the firm is also keenly sensitive to respecting consumer data. The firm has never sold or given away any of its bits to third parties. And the firm admits that some of its efforts to track customers have misfired, requiring special attention to find the sometimes subtle line between helpful and “too helpful.” For example, the firm’s CIO has mentioned that customers found it “creepy and Big Brother-ish” when employees tried to greet them by name and talk with them about their past business history at Harrah’s, so the firm backed off.M. Wagner, “Harrah’s Places Its Bet On IT,” InformationWeek, September 16, 2008.

Innovation

Harrah’s is constantly tinkering with new innovations that help it gather more data and help push service quality and marketing program success. When the introduction of gaming in Pennsylvania threatened to divert lucrative New York City gamblers from Harrah’s Atlantic City properties, the firm launched an interactive billboard in New York’s Times Square, allowing passers-by to operate a virtual slot machine using text messages from their cell phones. Players dialing into the video billboard not only control the display, they receive text message offers promoting Harrah’s sites in Atlantic City.“Future Tense: The Global CMO,” Economist Intelligence Unit, September 2008.

At Harrah’s, tech experiments abound. RFID-enabled poker chips and under-table RFID readers allow pit bosses to track and rate game play far better than they could before. The firm is experimenting with using RFID-embedded bracelets for poolside purchases and Total Rewards tracking for when customers aren’t carrying their wallets. The firm has also incorporated drink ordering into gaming machines—why make customers get up to quench their thirst? A break in gambling is a halt in revenue.

The firm was also one of the first to sign on to use Microsoft’s Surface technology—a sort of touch-screen and sensor-equipped tabletop. Customers at these tables can play bowling and group pinball games and even pay for drinks using cards that the tables will automatically identify. Tech even helps Harrah’s fight card counters and crooks, with facial recognition software scanning casino patrons to spot the bad guys.S. Lohr, “Reaping Results: Data-Mining Goes Mainstream,” New York Times, May 20, 2007.

Strategy

A walk around Vegas during Harrah’s ascendancy would find rivals with bigger, fancier casinos. Says Loveman, “We had to compete with the kind of place that God would build if he had the money.…The only thing we had was data.”P. Swabey, “Nothing Left to Chance,” Information Age, January 18, 2007.

That data advantage creates intelligence for a high-quality and highly personal customer experience. Data gives the firm a service differentiation edge. The loyalty program also represents a switching cost. And these assets are leveraged across a firm that has gained so much scale that it’s now the largest player in its industry, giving it the ability to cross-sell customers on a variety of properties—Vegas vacations, riverboat gambling, locally focused reservation properties, and more.

Harrah’s chief marketing officer, David Norton, points out that when Total Rewards started, Harrah’s was earning about thirty-six cents on every dollar customers spent gaming—the rest went to competitors. A climb to forty cents would be considered monstrous. By 2005 that number had climbed to forty-five cents, making Harrah’s the biggest monster in the industry.E. Lundquist, “Harrah’s Bets Big on IT,” eWeek, July 20, 2005. Some of the firm’s technology investments have paid back tenfold in just two years—bringing in hundreds of millions of dollars.P. Swabey, “Nothing Left to Chance,” Information Age, January 18, 2007.

The firm’s technology has been pretty tough for others to match, too. Harrah’s holds several patents covering key business methods and technologies used in its systems. After being acquired by Harrah’s, employees of Caesars lamented that they had, for years, unsuccessfully attempted to replicate Harrah’s systems without violating the firm’s intellectual property.N. Hoover, “Chief of the Year: Harrah’s CIO Tim Stanley,” Information Week Research and Reports, 2007.

Challenges

Harrah’s efforts to gather data, extract information, and turn this into real profits are unparalleled, but they’re not a cure-all. Broader events can often derail even the best strategy. Gaming is a discretionary spending item, and when the economy tanks, gambling is one of the first things consumers will cut. Harrah’s has not been immune to the world financial crisis and experienced a loss in 2008.

Also note that if you look up Harrah’s stock symbol you won’t find it. The firm was taken privateThe process by which a publicly held company has its outstanding shares purchased by an individual or by a small group of individuals who wish to obtain complete ownership and control. in January 2008, when buyout firms Apollo Management and TPG Capital paid $30.7 billion for all of the firm’s shares. At that time Loveman signed a five-year deal to remain on as CEO, and he’s spoken positively about the benefits of being private—primarily that with the distraction of quarterly earnings off the table, he’s been able to focus on the long-term viability and health of the business.A. Knightly, “Harrah’s Boss Speaks,” Las Vegas Review-Journal, June 14, 2009.

But the firm also holds $24 billion in debt from expansion projects and the buyout, all at a time when economic conditions have not been favorable to leveraged firms.P. Lattman, “A Buyout-Shop Breather,” Wall Street Journal, May 30, 2009. A brilliantly successful firm that developed best-in-class customer relationship management is now in a position many consider risky, thanks to debt assumed as part of an overly optimistic buyout struck at precisely the time the economy went into a terrible funk. Harrah’s awesome risk-reducing, profit-pushing analytics failed to offer any insight on the wisdom (or risk) of the debt and private equity deals.

Key Takeaways

  • Harrah’s Entertainment provides an example of exceptional data asset leverage in the service sector, focusing on how this technology enables world-class service through customer relationship management.
  • Harrah’s uses its Total Rewards loyalty card system to collect customer data on just about everything you might do at their properties—gamble, eat, drink, see a show, stay in a room, and so on.
  • Individual customers signing up for the Total Rewards loyalty card provide Harrah’s with demographic information such as gender, age, and address, which is combined with transactional data as the card is used.
  • Data mining also provides information about ninety-plus customer demographic segments, each of which responds differently to different marketing approaches.
  • If Harrah’s systems determine you’re a high-value customer, you can expect a higher level of perks and service.
  • Harrah’s CRM effort monitors any customer behavior changes.
  • Harrah’s uses its information systems and operating procedures to measure employees based on metrics that include speed and friendliness, and compensates them based on guest satisfaction ratings.

Questions and Exercises

  1. What types of customer data does Harrah’s gather?
  2. How is the data that Harrah’s collects used?
  3. Describe Harrah’s most valuable customers. Approximately what percentage of profits does this broad group deliver to the firm?
  4. List the services a Rewards Card cardholder might expect.
  5. What happens when a good, regular customer stops showing up?
  6. Describe how Harrah’s treats customer data.
  7. List some of the technology innovations that Harrah’s is using to help it gather more data, and help push service quality and marketing program success.
  8. How does Harrah’s Total Rewards loyalty card system represent a switching cost?
  9. What is customer lifetime value? Do you think this is an easier metric to calculate at Harrah’s or Wal-Mart? Why?
  10. How did intellectual property protection benefit Harrah’s?
  11. Discuss the challenges Harrah’s may have to confront in the near future.
  12. Describe the role that testing plays in Harrah’s marketing initiatives. What advantage does testing provide the firm? What’s the CEO’s attitude toward testing? Do you agree with this level of commitment? Why or why not?

Chapter 10: Software in Flux: Partly Cloudy and Sometimes Free

10.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how low marginal costs, network effects, and switching costs have combined to help create a huge and important industry.
  2. Recognize that the software industry is undergoing significant and broadly impactful change brought about by several increasingly adopted technologies including open source software, cloud computing, and software-as-a-service.

For many, software has been a magnificent business. It is the two-hundred-billion-dollar-per-year juggernautD. Kirkpatrick, “How the Open Source World Plans to Smack Down Microsoft and Oracle, and…,” Fortune, February 23, 2004. that placed Microsoft’s Bill Gates and Oracle’s Larry Ellison among the wealthiest people in the world. Once a successful software product has been written, the economics for a category-leading offering are among the best you’ll find in any industry. Unlike physical products assembled from raw materials, the marginal costThe cost of producing one more unit of a product. to produce an additional copy of a software product is effectively zero. Just duplicate; no additional input required. That quality leads to businesses that can gush cash. Microsoft generates one and a half billion dollars a month from Windows and Office alone.F. Vogelstein, “Rebuilding Microsoft,” Wired, October 2006. Network effects and switching costs can also offer a leading software firm a degree of customer preference and lock-in that can establish the firm as a standard and, in many cases, create winner-take-all (or at least winner-take-most) markets.
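
The near-zero marginal cost point is easy to make concrete. With a fixed development cost F and a marginal cost m per copy, the average cost per unit is F/n + m; for software, m is roughly zero, so average cost collapses as volume grows. A sketch with hypothetical dollar figures:

```python
# With fixed development cost F and marginal cost m per copy, average
# cost per unit is F/n + m. Software's m is ~0, so average cost
# collapses toward zero as copies sold (n) grows.
def average_cost(fixed_cost, marginal_cost, units):
    return fixed_cost / units + marginal_cost

# Hypothetical $100M development budget, ~$0 to duplicate a copy.
for units in (1_000_000, 10_000_000, 100_000_000):
    print(f"{units:>11,} copies -> ${average_cost(100e6, 0.0, units):,.2f} per copy")
```

Each tenfold jump in volume cuts per-copy cost tenfold, which is why a category leader's extra sales translate almost entirely into profit.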

But as great as the business has been, the fundamental model powering the software industry is under assault. Open source software (OSS)Software that is free and where anyone can look at and potentially modify the code. offerings—free alternatives where anyone can look at and potentially modify a program’s code—pose a direct challenge to the assets and advantages cultivated by market leaders. Giants shudder—“How can we compete with free?” while others wonder, “How can we make money and fuel innovation on free?” And if free software wasn’t enough of a shock, the way firms and users think about software is also changing. A set of services referred to as cloud computingReplacing computing resources—either an organization’s or individual’s hardware or software—with services provided over the Internet. is making it more common for a firm to move software out of its own IS shop so that it is run on someone else’s hardware. In one variant of this approach known as software as a service (SaaS)A form of cloud computing where a firm subscribes to third-party software and receives a service that is delivered online., users access a vendor’s software over the Internet, usually by simply starting up a Web browser. With SaaS, you don’t need to own the program or install it on your own computer. Hardware clouds let firms take their software and run it on someone else’s hardware—freeing them from the burden of buying, managing, and maintaining the physical computing that programs need. Another software technology called virtualizationA type of software that allows a single computer (or cluster of connected computers) to function as if it were several different computers, each running its own operating system and software. Virtualization software underpins most cloud computing efforts, and can make computing more efficient, cost-effective, and scalable. can make a single computer behave like many separate machines. This function helps consolidate computing resources and creates additional savings and efficiencies.

These transitions are important. They mean that smaller firms have access to the kinds of burly, sophisticated computing power that only giants had access to in the past. Start-ups can scale quickly and get up and running with less investment capital. Existing firms can leverage these technologies to reduce costs. Got tech firms in your investment portfolio? Understanding what’s at work here can inform decisions you make on which stocks to buy or sell. If you make tech decisions for your firm or make recommendations for others, these trends may point to which firms have strong growth and sustainability ahead, or which may be facing troubled times.

Key Takeaways

  • The software business is attractive due to near-zero marginal costs and an opportunity to establish a standard—creating the competitive advantages of network effects and switching costs.
  • New trends in the software industry, including open source software (OSS), hardware clouds, software as a service (SaaS), and virtualization are creating challenges and opportunity across tech markets. Understanding the impact of these developments can help a manager make better technology choices and investment decisions.

Questions and Exercises

  1. What major trends, outlined in the section above, are reshaping how we think about software? What industries and firms are potentially impacted by these changes? Why do managers, investors, and technology buyers care about these changes?
  2. Which organizations might benefit from these trends? Which might be threatened? Why?
  3. What are marginal costs? Are there other industries that have cost economics similar to the software industry?
  4. Investigate the revenues and net income of major software players: Microsoft, Google, Oracle, Red Hat, and Salesforce.com. Which firms have higher revenues? Net income? Which have better margins? What do the trends in OSS, SaaS, and cloud computing suggest for these and similar firms?
  5. How might the rise of OSS, SaaS, and cloud computing impact hardware sales? How might it impact entrepreneurship and smaller businesses?

10.2 Open Source

Learning Objectives

After studying this section you should be able to do the following:

  1. Define open source software and understand how it differs from conventional offerings.
  2. Provide examples of open source software and how firms might leverage this technology.

Who would have thought a twenty-one-year-old from Finland could start a revolution that continues to threaten the Microsoft Windows empire? But Linus Torvalds did just that. During a marathon six-month coding session, Torvalds created the first version of Linux,D. Diamond, “The Good-Hearted Wizard—Linus Torvalds,” Virtual Finland, January 2008. marshalling open source revolutionaries like no one before him. Instead of selling his operating system, Torvalds gave it away. Now morphed and modified into scores of versions by hundreds of programmers, Linux (an open source software operating system) can be found just about everywhere, and most folks credit Linux as being the most significant product in the OSS arsenal. Today Linux powers everything from cell phones to stock exchanges, set-top boxes to supercomputers. You’ll find the OS on 30 percent of the servers in corporate America,Sarah Lacy, “Open Warfare in Open Source,” BusinessWeek, August 21, 2006. and supporting most Web servers (including those at Google, Amazon, and Facebook). Linux forms the core of the TiVo operating system, it underpins Google’s Android and Chrome OS offerings, and it has even gone interplanetary. Linux has been used to power the Phoenix Lander and to control the Spirit and Opportunity Mars rovers.J. Brockmeier, “NASA Using Linux,” Unix Review, March 2004; and S. Barrett, “Linux on Mars,” Science News, Space News, Technology News, June 6, 2008. Yes, Linux is even on Mars!

How Do You Pronounce Linux?

Most English speakers in the know pronounce Linux in a way that rhymes with “cynics.” You can easily search online to hear video and audio clips of Linus (whose name is actually pronounced “Lean-us” in Finnish) pronouncing the name of his OS. In deference to Linus, some geeks prefer something that sounds more like “lean-ooks.” Just don’t call it “line-ucks,” or the tech-savvy will think you’re an open source n00b (written with two zeros, pronounced “newb”: geek slang, or leet speak, for an uninformed or unskilled person)! Oh yeah, and while we’re on the topic of operating system pronunciation, the Macintosh operating system OS X is pronounced “oh es ten.”

Figure 10.1 Tux, the Linux Mascot

Open source software (OSS) is often described as free. While most OSS can be downloaded for free over the Internet, it’s also “free” as in liberated. The source code for OSS products is openly shared. Anyone can look at the source code, change it, and even redistribute it, provided the modified software continues to remain open and free.A list of criteria defining open source software can be found at the Open Source Initiative’s Web site. This openness is in stark contrast to the practice of conventional software firms, who treat their intellectual property as closely guarded secrets and almost never provide the source code for their commercial software products. At times, many software industry execs have been downright hostile toward OSS. The former president of SAP once referred to the open source movement as “socialism,” while Microsoft’s Steve Ballmer has called Linux a “cancer.”J. Fortt, “Why Larry Loves Linux (and He’s Not Alone),” Fortune, December 19, 2007.

But while execs at some firms see OSS as a threat undermining the lifeblood of their economic model, other big-name technology companies are now solidly behind the open source movement. The old notion of open source being fueled by the contributions of loners tooling away for the glory of contributing to better code is now largely inaccurate. The vast majority of people who work on efforts like Linux are now paid to do so by commercially motivated employers.D. Woods, “The Commercial Bear Hug of Open Source,” Forbes, August 18, 2008. Nearly every major hardware firm has paid staff contributing to open source projects, and most firms also work together to fund foundations that set standards and coordinate the release of product revisions and improvements. Such coordination is critical—helping, for example, to ensure that various versions of Linux work alike. Sun Microsystems claims to have eleven thousand engineers contributing to OSS.C. Preimesberger, “Sun’s ‘Open’-Door Policy,” eWeek, April 21, 2008. Guido van Rossum, the inventor of the open source Python programming language, works for Google where he continues to coordinate development. IBM programmers work on several open source projects, including Linux. The firm has even deeded a commercially developed programming tool (including an IDE) to the Eclipse foundation, where it’s now embraced and supported by dozens of firms.

Turn on the LAMP—It’s Free!

Figure 10.2

Open source is big on the Web. In fact, you’ll often hear Web programmers and open source advocates refer to the LAMP stack. LAMP is an acronym that stands for the Linux operating system, the Apache Web server software, the MySQL database, and any of several programming languages that start with the letter “P” (e.g., Perl, Python, or PHP). From Facebook to YouTube, you’ll find LAMP software powering many of the sites you visit each day.
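To make the division of labor concrete, here’s a minimal sketch of the job the “P” layer does: pull data out of the database and hand back HTML for the Web server to deliver. It uses Python (one of LAMP’s “P” languages) with the built-in sqlite3 module standing in for MySQL, since both speak the same basic SQL; the table, column names, and data below are invented for illustration.

```python
import sqlite3

# Stand-in for MySQL: Python's built-in sqlite3 speaks the same basic SQL.
# In a real LAMP deployment, a MySQL driver would connect to the database
# server instead. Table, columns, and data are invented for illustration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE videos (title TEXT, views INTEGER)")
conn.execute("INSERT INTO videos VALUES ('Keyboard Cat', 50000000)")

def render_page(db):
    """The 'P' layer: query the database, return HTML for Apache to serve."""
    rows = db.execute("SELECT title, views FROM videos ORDER BY views DESC")
    items = "".join(f"<li>{title}: {views:,} views</li>" for title, views in rows)
    return f"<html><body><ul>{items}</ul></body></html>"

print(render_page(conn))
```

In a production stack, Apache would invoke code like `render_page` on each request; the database and Web server each run as separate open source components.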

Key Takeaways

  • OSS is not only available for free but also makes source code available for review and modification (the Open Source Initiative’s Web site lists the criteria that define an open source software product).
  • While open source alternatives are threatening to conventional software firms, some of the largest technology companies now support OSS initiatives and work to coordinate standards, product improvements, and official releases.
  • The flagship OSS product is the Linux operating system, now available on all scales of computing devices from cell phones to supercomputers.
  • The LAMP stack of open source products is used to power many of the Internet’s most popular Web sites. Linux can be found on 30 percent of corporate servers, supports most Web servers, and is integral to TiVo and Android-based cell phones.
  • The majority of persons who work on open source projects are paid by commercially motivated employers.

Questions and Exercises

  1. Who developed Linux?
  2. Who develops it today?
  3. List the components of the LAMP stack. Which commercial products do these components compete with (investigate online, if necessary)?
  4. Why do commercial firms contribute to open source consortia and foundations?
  5. Free doesn’t always win. Why might a firm turn down free software in favor of a commercial alternative?

10.3 Why Open Source?

Learning Objectives

After studying this section you should be able to do the following:

  1. Know the primary reasons firms choose to use OSS.
  2. Understand how OSS can beneficially impact industry and government.

There are many reasons why firms choose open source products over commercial alternatives:

Cost—Free alternatives to costly commercial code can be a tremendous motivator, particularly since conventional software often requires customers to pay for every copy used and to pay more for software that runs on increasingly powerful hardware. Big Lots stores lowered costs by as much as $10 million by finding viable OSSM. Castelluccio, “Enterprise Open Source Adoption,” Strategic Finance, November 2008. to serve their system needs. Online broker E*TRADE estimates that its switch to open source helped save over $13 million a year.R. King, “Cost-Conscious Companies Turn to Open-Source Software,” BusinessWeek, December 1, 2008. And Amazon claimed in SEC filings that the switch to open source was a key contributor to nearly $20 million in tech savings.S. Shankland, M. Kane, and R. Lemos, “How Linux Saved Amazon Millions,” CNET, October 30, 2001. Firms like TiVo, which use OSS in their own products, avoid the cost of either developing their own operating system or licensing similar software from a vendor like Microsoft.

Reliability—There’s a saying in the open source community, “Given enough eyeballs, all bugs are shallow.”E. Raymond, The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary (Sebastopol, CA: O’Reilly, 1999). What this means is that the more people who look at a program’s code, the greater the likelihood that an error will be caught and corrected. The open source community harnesses the power of legions of geeks who are constantly trawling OSS products, looking to squash bugs and improve product quality. And studies have shown that popular OSS products outperform their proprietary commercial competitors in quality.J. Ljungberg, “Open Source Movements as a Model for Organizing,” European Journal of Information Systems 9, no. 4 (December 2000): 208–16. In one study, Carnegie Mellon University’s Cylab estimated Linux code to be less buggy than commercial alternatives by a factor of two hundred!M. Castelluccio, “Enterprise Open Source Adoption,” Strategic Finance, November 2008.

Security—OSS advocates also argue that by allowing “many eyes” to examine the code, the security vulnerabilities of open source products come to light more quickly and can be addressed with greater speed and reliability.D. Wheeler, Secure Programming for Linux and Unix, 2003. High-profile hacking contests have frequently demonstrated the strength of OSS products. In one well-publicized 2008 event, laptops running Windows and Macintosh were both hacked (the latter in just two minutes), while a laptop running Linux remained uncompromised.R. McMillan, “Gone in Two Minutes,” InfoWorld, March 27, 2008. Government agencies and the military often appreciate the opportunity to scrutinize open source efforts to verify system integrity (a particularly sensitive issue among foreign governments leery of legislation like the USA PATRIOT Act of 2001).S. Lohr, “Microsoft to Give Governments Access to Code,” New York Times, January 15, 2003. Many OSS vendors offer security-focused (sometimes called “hardened”) versions of their products, built with particularly strong security features. These can include systems that monitor the integrity of an OSS distribution, checking file size and other indicators to be sure that code has not been modified and redistributed by bad guys who’ve added a back door, malicious routines, or other vulnerabilities.
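The integrity checks just described boil down to comparing a download against indicators the project publishes. Here’s a minimal Python sketch using a cryptographic hash (a stronger indicator than file size alone); the function names are our own, and a real project’s published digest would come from its download page, so everything below is illustrative rather than any vendor’s actual tooling.

```python
import hashlib

def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so even huge distribution images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            digest.update(chunk)
    return digest.hexdigest()

def verify(path, published_digest):
    """Return True if the download matches the project's published checksum."""
    return sha256_of(path) == published_digest
```

If even one byte of the distribution has been tampered with, the computed digest changes completely and `verify` returns False.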

Scalability—Many major OSS efforts can run on everything from cheap commodity hardware to high-end supercomputing. Scalability (the ability to handle increasing workloads or to be easily expanded to manage workload increases; systems that aren’t scalable often require significant rewrites or the purchase or development of entirely new systems) allows a firm to grow from start-up to blue chip without having to significantly rewrite its code, potentially saving big on software development costs. Not only can many forms of OSS be migrated to more powerful hardware, packages like Linux have also been optimized to balance a server’s workload among a large number of machines working in tandem. Brokerage firm E*TRADE claims that usage spikes following 2008 U.S. Federal Reserve moves flooded the firm’s systems, creating the highest utilization levels in five years. But E*TRADE credits its scalable open source systems for maintaining performance while competitors’ systems struggled.R. King, “Cost-Conscious Companies Turn to Open-Source Software,” BusinessWeek, December 1, 2008.
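The idea of balancing workload among many machines working in tandem can be sketched in a few lines. This toy Python round-robin dispatcher only illustrates the core concept; real Linux-based balancers add health checks, weighting, and session affinity, and the server names below are invented.

```python
from itertools import cycle

class RoundRobinBalancer:
    """Toy load balancer: hand each incoming request to the next server in turn.

    Illustrative only. Production balancers also track server health and load;
    this shows just the core idea of spreading work across machines.
    """

    def __init__(self, servers):
        self._servers = cycle(servers)  # endless rotation over the server pool

    def route(self, request):
        server = next(self._servers)
        return f"{request} -> {server}"

balancer = RoundRobinBalancer(["web01", "web02", "web03"])
for req in ["GET /quotes", "GET /trade", "GET /portfolio", "GET /quotes"]:
    print(balancer.route(req))
```

Adding capacity under this scheme means adding another server name to the pool, not rewriting the application, which is the essence of scaling out on commodity hardware.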

Agility and Time to Market—Vendors who use OSS as part of product offerings may be able to skip whole segments of the software development process, allowing new products to reach the market faster than if the entire software system had to be developed from scratch, in-house. Motorola has claimed that customizing products built on OSS has helped speed time-to-market for the firm’s mobile phones, while the team behind the Zimbra e-mail and calendar effort built their first product in just a few months by using some forty blocks of free code.R. Guth, “Virtual Piecework: Trolling the Web for Free Labor, Software Upstarts Are a New Force,” Wall Street Journal, November 13, 2006.

Key Takeaways

  • The most widely cited benefits of using OSS include low cost; increased reliability; improved security and auditing; system scalability; and helping a firm improve its time to market.
  • Free OSS has resulted in cost savings for many large companies in several industries.
  • OSS often has fewer bugs than its commercial counterparts due to the large number of persons who have looked at the code.
  • The huge exposure to scrutiny by developers and other people helps to strengthen the security of OSS.
  • “Hardened” versions of OSS products often include systems that monitor the integrity of an OSS distribution, checking file size and other indicators to be sure that code has not been modified and redistributed by bad guys who have added a back door, malicious routines, or other vulnerabilities.
  • OSS can be easily migrated to more powerful computers as circumstances dictate, and also can balance workload by distributing work over a number of machines.
  • Vendors who use OSS as part of product offerings may be able to skip whole segments of the software development process, allowing new products to reach the market faster.

Questions and Exercises

  1. What advantages does OSS offer TiVo? What alternatives to OSS might the firm consider and why do you suppose the firm decided on OSS?
  2. What’s meant by the phrase, “Given enough eyeballs, all bugs are shallow”? Provide evidence that the insight behind this phrase is an accurate one.
  3. How has OSS benefited E*TRADE? Amazon? Motorola? Zimbra? What benefits were achieved in each of these examples?
  4. Describe how OSS provides a firm with scalability. What does this mean, and why does this appeal to a firm? What issues might a firm face if chosen systems aren’t scalable?
  5. The Web site NetCraft is one of many that provide a tool to see the kind of operating system and Web server software that a given site is running. Visit NetCraft or a similar site and enter the address of some of your favorite Web sites. How many run open source products (e.g., the Linux OS or Apache Web server)? Do some sites show their software as “unknown”? Why might a site be reluctant to broadcast the kind of software that it uses?

10.4 Examples of Open Source Software

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize that just about every type of commercial product has an open source equivalent.
  2. Be able to list commercial products and their open source competitors.

Just about every type of commercial product has an open source equivalent; popular open source hosting sites list over two hundred thirty thousand such products! Many of these products come with the installation tools, support utilities, and full documentation that make them difficult to distinguish from traditional commercial efforts.D. Woods, “The Commercial Bear Hug of Open Source,” Forbes, August 18, 2008. In addition to the LAMP products, some major examples include the following:

  • Firefox—a Web browser that competes with Internet Explorer
  • OpenOffice—a competitor to Microsoft Office
  • Gimp—a graphic tool with features found in Photoshop
  • Alfresco—collaboration software that competes with Microsoft Sharepoint and EMC’s Documentum
  • Marketcetera—an enterprise trading platform for hedge fund managers that competes with FlexTrade and Portware
  • Zimbra—open source e-mail and calendar software that competes with Microsoft Outlook and its server-side counterparts
  • MySQL, Ingres, and EnterpriseDB—open source database software packages that each go head-to-head with commercial products from Oracle, Microsoft, Sybase, and IBM
  • SugarCRM—customer relationship management software that competes with commercial offerings such as Siebel
  • Asterisk—an open source implementation for running a PBX corporate telephony system that competes with offerings from Nortel and Cisco, among others
  • FreeBSD and Sun’s OpenSolaris—open source versions of the Unix operating system

Key Takeaways

  • There are thousands of open source products available, covering nearly every software category. Many have a sophistication that rivals commercial software products.
  • Not all open source products are contenders. Less popular open source products are not likely to attract the community of users and contributors necessary to help these products improve over time (again we see network effects are a key to success—this time in determining the quality of an OSS effort).
  • Just about every type of commercial product has an open source equivalent.

Questions and Exercises

  1. Visit a major open source software directory. Make a brief list of commercial product categories that an individual or enterprise might use. Are there open source alternatives for these categories? Are well-known firms leveraging these OSS offerings? Which commercial firms do they compete with?
  2. Are the OSS efforts you identified above provided by commercial firms, nonprofit organizations, or private individuals? Does this make a difference in your willingness to adopt a particular product? Why or why not? What other factors influence your adoption decision?
  3. Download a popular, end-user version of an OSS tool that competes with a desktop application that you own, or that you’ve used (hint: choose something that’s a smaller file or easy to install). What do you think of the OSS offering compared to the commercial product? Will you continue to use the OSS product? Why or why not?

10.5 Why Give It Away? The Business of Open Source

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the disproportional impact OSS has on the IT market.
  2. Understand how vendors make money on open source.
  3. Know what SQL and MySQL are.

Open source is a sixty-billion-dollar industry,M. Asay, “Open Source Is a $60 Billion Industry,” CNET, May 15, 2008. but it has a disproportionate impact on the trillion-dollar IT market. By lowering the cost of computing, open source efforts make more computing options accessible to smaller firms. More reliable, secure computing also lowers costs for all users. OSS also diverts funds that firms would otherwise spend on fixed costs, like operating systems and databases, so that these funds can be spent on innovation or other more competitive initiatives. Think about Google, a firm that some estimate has over 1.4 million servers. Imagine the costs if it had to license software for each of those boxes!
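To see why those server counts matter, here’s a quick back-of-envelope calculation in Python. The server estimate comes from the text above; the per-server license fee is a purely hypothetical figure chosen for illustration, not any vendor’s actual price.

```python
# Back-of-envelope sketch of the licensing math hinted at above.
# The server count comes from the text; the per-server license fee is a
# purely hypothetical illustration, not any real vendor's price.
servers = 1_400_000
hypothetical_license_per_server = 1_000  # dollars, assumed for illustration

commercial_cost = servers * hypothetical_license_per_server
print(f"Licensing at ${hypothetical_license_per_server:,}/server: "
      f"${commercial_cost:,}")  # prints $1,400,000,000
```

Even at modest assumed per-server prices, the bill runs into the billions, which is why OSS frees up so much cash for innovation at scale.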

Commercial interest in OSS has sparked an acquisition binge. Red Hat bought open source application server firm JBoss for $350 million. Novell snapped up SUSE Linux for $210 million. And Sun plunked down over $1 billion for open source database provider MySQL.A. Greenberg, “Sun Snaps Up Database Firm, MySQL,” Forbes, January 16, 2008. And with Oracle’s acquisition of Sun, one of the world’s largest commercial software firms has zeroed in on one of the deepest portfolios of open source products.

But how do vendors make money on open source? One way is by selling support and consulting services. While not exactly Microsoft money, Red Hat, the largest purely OSS firm, reported half a billion dollars in revenue in 2008. The firm had two and a half million paid subscriptions offering access to software updates and support services.A. Greenberg, “Sun Snaps Up Database Firm, MySQL,” Forbes, January 16, 2008. Oracle, a firm that sells commercial ERP and database products, provides Linux for free, selling high-margin Linux support contracts for as much as five hundred thousand dollars.J. Fortt, “Why Larry Loves Linux (and He’s Not Alone),” Fortune, December 19, 2007. The added benefit for Oracle? Weaning customers away from Microsoft—a firm that sells many products that compete head-to-head with Oracle’s offerings. Service also represents the most important part of IBM’s business. The firm now makes more from services than from selling hardware and software.J. Robertson, “IBM Sees Better-Than-Expected 2009 Profit, Earns US$4.4 Billion in Q4,” Associated Press, January 20, 2009, And every dollar saved on buying someone else’s software product means more money IBM customers can spend on IBM computers and services. Sun Microsystems was a leader in OSS, even before the Oracle acquisition bid. The firm has used OSS to drive advanced hardware sales, but the firm also sells proprietary products that augment its open source efforts. These products include special optimization, configuration management, and performance tools that can tweak OSS code to work its best.C. Preimesberger, “Sun’s ‘Open’-Door Policy,” eWeek, April 21, 2008.

Here’s where we also can relate the industry’s evolution to what we’ve learned about standards competition in our earlier chapters. In the pre-Linux days, nearly every major hardware manufacturer made its own, incompatible version of the Unix operating system. These fractured, incompatible markets were each so small that they had difficulty attracting third-party vendors to write application software. Now, much to Microsoft’s dismay, all major hardware firms run Linux. That means there’s a large, unified market that attracts software developers who might otherwise write for Windows.

To keep standards unified, several Linux-supporting hardware and software firms also back the Linux Foundation, the nonprofit effort where Linus Torvalds serves as a fellow, helping to oversee Linux’s evolution. Sharing development expenses in OSS has been likened to going in on a pizza together. Everyone wants a pizza with the same ingredients. The pizza doesn’t make you smarter or better. So why not share the cost of a bigger pie instead of buying by the slice?S. Cohen, “Open Source: The Model Is Broken,” BusinessWeek, December 1, 2008. With OSS, hardware firms spend less money than they would in the brutal, head-to-head competition where each once offered a “me too” operating system that was incompatible with rivals but offered little differentiation. Hardware firms now find their technical talent can be deployed in other value-added services mentioned above: developing commercial software add-ons, offering consulting services, and enhancing hardware offerings.

Linux on the Desktop?

While Linux is a major player in enterprise software, mobile phones, and consumer electronics, the Linux OS can only be found on a tiny fraction of desktop computers. There are several reasons for this. Some suggest Linux simply isn’t as easy to install and use as Windows or the Mac OS. This complexity can raise the total cost of ownership (TCO) of Linux desktops (TCO refers to all of the costs associated with the design, development, testing, implementation, documentation, training, and maintenance of a software system), with additional end-user support offsetting any gains from free software. The small number of desktop users also dissuades third-party firms from porting popular desktop applications over to Linux. For consumers in most industrialized nations, the added complexity and limited desktop application availability of desktop Linux just isn’t worth the one to two hundred dollars saved by giving up Windows.

But in developing nations where incomes are lower, the cost of Windows can be daunting. Consider the OLPC, Nicholas Negroponte’s “one-hundred-dollar” laptop. An additional one hundred dollars for Windows would double the target cost for the nonprofit’s machines. It is not surprising that the first OLPC laptops ran Linux. Microsoft recognizes that if a whole generation of first-time computer users grows up without Windows, they may favor open source alternatives years later when starting their own businesses. As a result, Microsoft has begun offering low-cost versions of Windows (in some cases for as little as seven dollars) in nations where populations have much lower incomes. Microsoft has even offered a version of Windows to the backers of the OLPC. While Microsoft won’t make much money on these efforts, the low cost versions will serve to entrench Microsoft products as standards in emerging markets, staving off open source rivals and positioning the firm to raise prices years later when income levels rise.

MySQL: Turning a Ten-Billion-Dollars-a-Year Business into a One-Billion-Dollar One

Finland is not the only Scandinavian country to spawn an open source powerhouse. Uppsala, Sweden’s MySQL (pronounced “my sequel”) is the “M” in the LAMP stack, and is used by organizations as diverse as FedEx, Lufthansa, NASA, Sony, UPS, and YouTube.

The “SQL” in the name stands for the structured query language, a language for creating and manipulating databases that serves as a standard method for organizing and accessing data. SQL is by far the most common database standard in use today, supported by many commercial and open source products, including commercial database offerings from Oracle, Microsoft, and Sybase. Even Linux-loving IBM uses SQL in its own lucrative DB2 commercial database product. Since all of these databases are based on the same standard, switching costs are lower, so migrating from a commercial product to MySQL’s open source alternative is relatively easy. And that spells trouble for commercial firms. Granted, the commercial efforts offer some bells and whistles that MySQL doesn’t yet have, but those extras aren’t necessary in a lot of standard database use. Some organizations, impressed with MySQL’s capabilities, are mandating its use on all new development efforts, attempting to cordon off proprietary products in legacy code that is maintained but not expanded.
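The portability that lowers switching costs is easy to demonstrate. The following Python sketch runs standard SQL against the built-in sqlite3 module; essentially the same CREATE, INSERT, and SELECT statements would run on MySQL or a commercial database, with mainly the connection setup and driver details (such as parameter placeholders) differing. The schema and data are invented.

```python
import sqlite3

# Standard SQL like the statements below is largely portable across MySQL,
# Oracle, and SQLite; that shared standard is what keeps switching costs low.
# The schema and data here are invented for illustration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE shipments (carrier TEXT, weight_kg REAL)")
conn.executemany("INSERT INTO shipments VALUES (?, ?)",
                 [("FedEx", 2.5), ("UPS", 1.0), ("FedEx", 4.0)])

# A portable aggregate query: total shipment weight per carrier.
rows = conn.execute(
    "SELECT carrier, SUM(weight_kg) FROM shipments "
    "GROUP BY carrier ORDER BY carrier"
).fetchall()
print(rows)  # prints [('FedEx', 6.5), ('UPS', 1.0)]
```

Because the query language, not the product, is the standard, an organization can move this workload from a commercial database to MySQL mostly by changing the connection line, which is exactly the dynamic the paragraph above describes.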

Savings from using MySQL can be huge. The Web site PriceGrabber pays less than ten thousand dollars in support for MySQL compared to one hundred thousand to two hundred thousand dollars for a comparable Oracle effort. Lycos Europe switched from Oracle to MySQL and slashed costs from one hundred twenty thousand dollars a year to seven thousand dollars. And the travel reservation firm Sabre used open source products such as MySQL to slash ticket purchase processing costs by 80 percent.D. Lyons, “Cheapware,” Forbes, September 6, 2004.

MySQL does make money, just not as much as its commercial rivals. While you can download a version of MySQL over the Net, the flagship product also sells for four hundred ninety-five dollars per server computer compared to a list price for Oracle that can climb as high as one hundred sixty thousand dollars. Of the roughly eleven million copies of MySQL in use, the company only gets paid for about one in a thousand.A. Ricadela, “The Worth of Open Source? Open Question,” BusinessWeek, June 26, 2007. Firms pay for what’s free for one of two reasons: (1) for MySQL service, and (2) for the right to incorporate MySQL’s code into their own products.D. Kirkpatrick, “How the Open Source World Plans to Smack Down Microsoft and Oracle, and…,” Fortune, February 23, 2004. Amazon, Facebook, Gap, NBC, and Sabre pay MySQL for support; Cisco, Ericsson, HP, and Symantec pay for the rights to the code.A. Ricadela, “The Worth of Open Source? Open Question,” BusinessWeek, June 26, 2007. Top-level round-the-clock support for MySQL for up to fifty servers is fifty thousand dollars a year, still a fraction of the cost for commercial alternatives. Founder Marten Mickos has stated an explicit goal of the firm is “turning the $10-billion-a-year database business into a $1 billion one.”D. Kirkpatrick, “How the Open Source World Plans to Smack Down Microsoft and Oracle, and…,” Fortune, February 23, 2004.
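The arithmetic behind that one-in-a-thousand figure helps explain why service revenue matters so much. Here is a quick sketch using only the numbers quoted above; it deliberately ignores support-contract revenue.

```python
# Rough arithmetic from the figures quoted in the text: roughly eleven
# million copies in use, about one in a thousand paid, at $495 per server.
# Support-contract revenue is ignored, which is exactly the point:
# license sales alone would be modest for an OSS vendor.
copies_in_use = 11_000_000
price_per_server = 495  # dollars

paid_copies = copies_in_use // 1000  # about one in a thousand pays
license_revenue = paid_copies * price_per_server
print(f"~{paid_copies:,} paid copies -> ~${license_revenue:,} in license sales")
```

A few million dollars in license sales is tiny next to the ten-billion-dollar database market, which is why support subscriptions and code-licensing deals carry so much of the business model.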

When Sun Microsystems spent over $1 billion to buy Mickos’ MySQL in 2008, Sun CEO Jonathan Schwartz called the purchase the “most important acquisition in the company’s history.”S. Shankland, “Google’s Open-Source Android Now Actually Open,” CNET, October 21, 2008. Sun hoped the cheap database software could make the firm’s hardware offerings seem more attractive. And it looked like Sun was good for MySQL, with the product’s revenues growing 55 percent in the year after the acquisition.M. Asay, “Open-Source Database Market Shows Muscles,” CNET, February 3, 2009.

But here’s where it gets complicated. Sun also had a lucrative business selling hardware to support commercial ERP and database software from Oracle. That put Sun and partner Oracle in a relationship where they were both competitors and collaborators (the “coopetition” or “frenemies” phenomenon mentioned in Chapter 6 “Understanding Network Effects”). Then in spring 2009, Oracle announced it was buying Sun. Oracle CEO Larry Ellison said that acquiring the Java language was the crown jewel of the purchase, but industry watchers have raised several questions. Will the firm continue to nurture MySQL and other open source products, even as this software poses a threat to its bread-and-butter database products? Will the development community continue to back MySQL as the de facto standard for open source SQL databases, or will they migrate to an alternative? Or will Oracle find the right mix of free and fee-based products and services that allow MySQL to thrive while Oracle continues to grow? The implications are serious for investors, as well as firms that have made commitments to Sun, Oracle, and MySQL products. The complexity of this environment further demonstrates why technologists need business savvy and market monitoring skills and why business folks need to understand the implications of technology and tech-industry developments.

Legal Risks and Open Source Software: A Hidden and Complex Challenge

Open source software isn’t without its risks. Competing reports cite certain open source products as being difficult to install and maintain (suggesting potentially higher total cost of ownership, or TCO). Adopters of OSS without support contracts may lament having to rely on an uncertain community of volunteers to support their problems and provide innovative upgrades. Another major concern is legal exposure. Firms adopting OSS may be at risk if they distribute code and aren’t aware of the licensing implications. Some commercial software firms have pressed legal action against the users of open source products when there is a perceived violation of software patents or other unauthorized use of their proprietary code.

For example, in 2007 Microsoft suggested that Linux and other open source software efforts violated some two hundred thirty-five of its patents.A. Ricadela, “Microsoft Wants to ‘Kill’ Open Source,” BusinessWeek, May 15, 2007. The firm then began collecting payments and gaining access to the patent portfolios of companies that use the open source Linux operating system in their products, including Fuji, Samsung, and Xerox. Microsoft also cut a deal with Linux vendor Novell in which both firms pledged not to sue each other’s customers for potential patent infringements.

Also complicating issues are the varying open source license agreements (these go by various names, such as GPL and the Apache License), each with slightly different legal provisions—many of which have evolved over time. Keeping legal with so many licensing standards can be a challenge, especially for firms that want to bundle open source code into their own products.Sarah Lacy, “Open Warfare in Open Source,” BusinessWeek, August 21, 2006. An entire industry has sprouted up to help firms navigate the minefield of open source legal licenses. Chief among these are products, such as those offered by the firm Black Duck, which analyze the composition of software source code and report on any areas of concern so that firms can honor any legal obligations associated with their offerings. Keeping legal requires effort and attention, even in an environment where products are allegedly “free.” This also shows that even corporate lawyers had best geek-up if they want to prove they’re capable of navigating a twenty-first-century legal environment.

Key Takeaways

  • Business models for firms in the open source industry are varied, and can include selling services, licensing OSS for incorporation into commercial products, and using OSS to fuel hardware sales.
  • Many firms are trying to use OSS markets to drive a wedge between competitors and their customers.
  • Linux has been very successful on mobile devices and consumer electronics, as well as on high-end, server-class computers and above. But it has not been as successful on the desktop. The small user base for desktop Linux makes the platform less attractive for desktop software developers. Incompatibility with Windows applications, switching costs, and other network effects–related issues all suggest that desktop Linux has an uphill climb in more mature markets.
  • MySQL is the dominant open source database software product. Adoption of the SQL standard eases some issues with migrating from commercial products to MySQL.
  • OSS also has several drawbacks and challenges that limit its appeal. These include complexity of some products and a higher total cost of ownership for some products, concern about the ability of a product’s development community to provide support or product improvement, and legal and licensing concerns.

Questions and Exercises

  1. Describe the impact of OSS on the IT market.
  2. Show your understanding of the commercial OSS market. How do Red Hat, Oracle, Oracle’s Sun division, and IBM make money via open source?
  3. Visit Which open source products does this organization develop? Investigate how development of these efforts is financed. How does this organization differ from the ones mentioned above?
  4. What is the Linux Foundation? Why is it necessary? Which firms are members, underwriting foundation efforts?
  5. List the reasons why Linux is installed on only a very small fraction of desktop computers. Are there particular categories of products or users who might see Linux as more appealing than conventional operating systems? Do you think Linux’s share of the desktop market will increase? Why or why not?
  6. How is Microsoft combating the threat of open source software and other free tools that compete with its commercial products?
  7. What is the dominant open source database software product? Which firms use this product? Why?
  8. Which firm developed the leading OSS database product? Do you think it’s more or less likely that a firm would switch to an OSS database instead of an OSS office suite or desktop alternative? Why or why not?
  9. How has stewardship of the leading OSS database effort changed in recent years? Who oversees the effort today? What questions does this raise for the product’s future? Although this book is updated regularly, current events continue to change after publication of this chapter. Investigate the current status of this effort—reaction of the developer community, continued reception of the product—and be prepared to share your findings with your class.
  10. List some of the risks associated with using OSS. Give examples of firms that might pass on OSS software, and explain why.

10.6 Cloud Computing: Hype or Hope?

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the concept of cloud computing.
  2. Identify the two major categories of cloud computing.

Oracle Chairman Larry Ellison, lamenting the buzzword-chasing character of the tech sector, once complained that the computer industry is more fashion-focused than even the women’s clothing business.D. Farber, “Oracle’s Ellison Nails Cloud Computing,” CNET, September 26, 2008. Ellison has a point: when a technology term becomes fashionable, the industry hype machine shifts into overdrive. The technology attracts press attention and customer interest, and vendor marketing teams scramble to label their products and services as part of that innovation. Recently, few tech trends have been more fashionable than cloud computing.

As with Web 2.0, nailing down an exact definition for cloud computing is tough. In fact, it’s been quite a spectacle watching industry execs struggle to clarify the concept. HP’s chief strategy officer “politely refused” when asked by BusinessWeek to define the term cloud computing.S. Hamm, “Cloud Computing: Eyes on the Skies,” BusinessWeek, April 24, 2008. Richard Stallman, founder of the Free Software Foundation, said of cloud computing, “It’s worse than stupidity. It’s a marketing hype campaign.”L. McKay, “30,000-Foot Views of the Cloud,” Customer Relationship Management, January 2009. And Larry Ellison, always ready with a sound bite, offered up this priceless quip: “Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane.”D. Lyons, “A Mostly Cloudy Computing Forecast,” Washington Post, November 4, 2008. Insane, maybe, but also big bucks. By year-end 2008, the various businesses that fall under the rubric of cloud computing had already accounted for an estimated thirty-six-billion-dollar market. That represents a whopping 13 percent of global software sales!M. Liedtke, “Cloud Computing: Pie in the Sky Concept or the Next Big Breakthrough on Tech Horizon?” Associated Press Newswires, December 21, 2008.

When folks talk about cloud computing they’re really talking about replacing computing resources—either an organization’s or an individual’s hardware or software—with services provided over the Internet. The name actually comes from the popular industry convention of drawing the Internet or other computer network as a big cloud.

Cloud computing encompasses a bunch of different efforts. We’ll concentrate on describing, providing examples, and analyzing the managerial implications of two separate categories of cloud computing: (1) software as a service (SaaS), where a firm subscribes to a third-party software-replacing service that is delivered online, and (2) models often referred to as utility computing, platform as a service, or infrastructure as a service, where an organization develops its own systems but runs them over the Internet on a service provider’s hardware. A later section on virtualization will discuss how some organizations are developing their own private clouds: pools of computing resources that reside inside an organization and that can be served up for specific tasks as need arises.

The benefits and risks of SaaS and the utility computing-style efforts are very similar, but understanding the nuances of each effort can help you figure out if and when the cloud makes sense for your organization. The evolution of cloud computing also has huge implications across the industry: from the financial future of hardware and software firms, to cost structure and innovativeness of adopting organizations, to the skill sets likely to be most valued by employers.

Key Takeaways

  • Cloud computing is difficult to define. Managers and techies use the term cloud computing to describe computing services provided over a network, most often commercial services provided over the Internet by a third party that can replace or offload tasks that would otherwise run on a user or organization’s existing hardware or software.
  • Software as a service (SaaS) refers to a third-party software-replacing service that is delivered online.
  • Hardware cloud computing services replace hardware that a firm might otherwise purchase.
  • Estimated to be a thirty-six-billion-dollar industry, cloud computing is reshaping software, hardware, and service markets, and is impacting competitive dynamics across industries.

Questions and Exercises

  1. Identify and contrast the two categories of cloud computing.
  2. Define cloud computing.

10.7 The Software Cloud: Why Buy When You Can Rent?

Learning Objectives

After studying this section you should be able to do the following:

  1. Know how firms using SaaS products can dramatically lower several costs associated with their information systems.
  2. Know how SaaS vendors earn their money.
  3. Be able to list the benefits to users that accrue from using SaaS.
  4. Be able to list the benefits to vendors from deploying SaaS.

If open source isn’t enough of a threat to firms that sell packaged software, a new generation of products, collectively known as SaaS, claims that you can now get the bulk of your computing done through your Web browser. Don’t install software—let someone else run it for you and deliver the results over the Internet.

Software as a service (SaaS) refers to software that is made available by a third party online. You might also see the terms ASP (application service provider) or HSV (hosted software vendor) used to identify this type of offering. SaaS is potentially a very big deal. Firms using SaaS products can dramatically lower several costs associated with the care and feeding of their information systems, including software licenses, server hardware, system maintenance, and IT staff. Most SaaS firms earn money via a usage-based pricing model akin to a monthly subscription. Some offer free services that are supported by advertising, while others promote the sale of upgraded or premium versions for additional fees.

Make no mistake, SaaS is yet another direct assault on traditional software firms. The most iconic SaaS firm is Salesforce.com, an enterprise customer relationship management (CRM) provider. This “un-software” company even sports a logo featuring the word “software” crossed out, Ghostbusters-style.J. Hempel, “Salesforce Hits Its Stride,” Fortune, March 2, 2009.

Figure 10.3

The antisoftware message is evident in the logo of SaaS leader Salesforce.com.

Other enterprise-focused SaaS firms compete directly with the biggest names in software. Some of these upstarts are even backed by leading enterprise software executives. Examples include NetSuite (funded in part by Oracle’s Larry Ellison—the guy’s all over this chapter), which offers a comprehensive SaaS ERP suite; and Workday (launched by founders of PeopleSoft), which has SaaS offerings for managing human resources. Several traditional software firms have countered start-ups by offering SaaS efforts of their own. IBM offers a SaaS version of its Cognos business intelligence products, Oracle offers CRM On Demand, and SAP’s Business ByDesign includes a full suite of enterprise SaaS offerings. Even Microsoft has gone SaaS, with a variety of Web-based services that include CRM, Web meeting tools, collaboration, e-mail, and calendaring.

SaaS is also taking on desktop applications. Intuit has online versions of its QuickBooks, TurboTax, and Quicken finance software. Adobe has an online version of Photoshop. Google and Zoho offer office suites that compete with desktop alternatives, prompting Microsoft’s own introduction of an online version of Office. And if you store photos on Flickr or Picasa instead of your PC’s hard drive, then you’re using SaaS, too.

Figure 10.4

A look at Zoho’s home page shows the diversity of both desktop and enterprise offerings from this SaaS upstart. Note that the firm makes its services available through browsers, phones, and even Facebook.

The Benefits of SaaS

Firms can potentially save big using SaaS. Organizations that adopt SaaS forgo the large upfront costs of buying and installing software packages. For large enterprises, the cost to license, install, and configure products like ERP and CRM systems can easily run into the hundreds of thousands or even millions of dollars. And these costs are rarely a one-time fee. Additional costs like annual maintenance contracts have also been rising as rivals fail or get bought up. Less competition among traditional firms recently allowed Oracle and SAP to raise maintenance fees to as much as 20 percent.Sarah Lacy, “On-Demand Computing: A Brutal Slog,” BusinessWeek, July 18, 2008.

Firms that adopt SaaS don’t just save on software and hardware, either. There’s also the added cost for the IT staff needed to run these systems. Forrester Research estimates that SaaS can bring cost savings of 25 to 60 percent if all these costs are factored in.J. Quittner, “How SaaS Helps Cut Small Business Costs,” BusinessWeek, December 5, 2008.

There are also accounting and corporate finance implications for SaaS. Firms that adopt software as a service never actually buy a system’s software and hardware, so these systems become a variable operating expense. This flexibility helps mitigate the financial risks associated with making a large capital investment in information systems. For example, if a firm pays sixty-five dollars per month per user for its CRM software, it can reduce payments during a slow season with a smaller staff, or pay more during heavy months when a firm might employ temporary workers. At these rates, SaaS not only looks good to large firms, it makes very sophisticated technology available to smaller firms that otherwise wouldn’t be able to afford expensive systems, let alone the IT staff and hardware required to run them.
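
The shift from a fixed capital expense to a variable operating expense can be made concrete with a little arithmetic. The sketch below uses the sixty-five-dollar-per-user monthly rate from the example above; the headcount figures are purely hypothetical:

```python
# Illustrative only: shows how SaaS spending tracks staffing levels.
# The $65 rate comes from the example in the text; headcounts are made up.

SAAS_RATE = 65  # dollars per user per month

def saas_annual_cost(monthly_headcounts):
    """Total yearly SaaS spend, given the number of users in each month."""
    return sum(SAAS_RATE * users for users in monthly_headcounts)

# A seasonal firm: 10 core users most of the year, 25 during a busy quarter.
headcounts = [10] * 9 + [25] * 3
print(saas_annual_cost(headcounts))  # spend rises and falls with staffing
```

Because the bill shrinks automatically in slow months, there is no idle, already-purchased capacity sitting on the books.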

In addition to cost benefits, SaaS offerings also provide the advantage of being highly scalable. This feature is important because many organizations operate in environments prone to wide variance in usage. Some firms might expect systems to be particularly busy during tax time or the period around quarterly financial reporting deadlines, while others might have their heaviest system loads around a holiday season. A music label might see spikes when an artist drops a new album. Using conventional software, an organization would have to buy enough computing capacity to ensure that it could handle its heaviest anticipated workload. But sometimes these loads are difficult to predict, and if the difference between high workloads and average use is great, a lot of that expensive computer hardware will spend most of its time doing nothing. In SaaS, however, the vendor is responsible for ensuring that systems meet demand fluctuation. Vendors frequently sign a service level agreement (SLA) with their customers to ensure a guaranteed uptime and define their ability to meet demand spikes. An SLA is a negotiated agreement between the customer and the vendor that may specify the levels of availability, serviceability, performance, operation, or other commitment requirements.
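
An SLA’s uptime guarantee translates directly into the downtime a customer should expect to tolerate. The percentages below are common industry figures used for illustration; they are assumptions, not numbers stated in this chapter:

```python
# Convert an SLA uptime guarantee into the downtime it permits per year.
# The sample percentages are typical industry figures (an assumption here).

HOURS_PER_YEAR = 365 * 24  # 8,760 hours

def allowed_downtime_hours(uptime_pct):
    """Hours per year a vendor may be down while still meeting the SLA."""
    return HOURS_PER_YEAR * (1 - uptime_pct / 100)

for pct in (99.0, 99.9, 99.99):
    print(f"{pct}% uptime permits {allowed_downtime_hours(pct):.2f} hours of downtime per year")
```

A jump from 99 percent to 99.9 percent sounds small, but it cuts permitted downtime roughly tenfold, which is why managers should read SLA percentages carefully.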

When looking at the benefits of SaaS, also consider the potential for higher quality and service levels. SaaS firms benefit from economies of scale that not only lower software and hardware costs, but also potentially boost quality. The volume of customers and diversity of their experiences means that an established SaaS vendor is most likely an expert in dealing with all sorts of critical computing issues. SaaS firms handle backups, instantly deploy upgrades and bug fixes, and deal with the continual burden of security maintenance—all costly tasks that must be performed regularly and with care, although each offers little strategic value to firms that perform these functions themselves in-house. The breadth of a SaaS vendor’s customer base typically pushes the firm to evaluate and address new technologies as they emerge, like quickly offering accessibility from mobile platforms like the BlackBerry and iPhone. For all but the savviest of IT shops, an established SaaS vendor can likely leverage its scale and experience to provide better, cheaper, more reliable standard information systems than individual companies typically can.

Software developers who choose to operate as SaaS providers also realize benefits. While a packaged software company like SAP must support multiple versions of its software to accommodate operating systems like Windows, Linux, and various flavors of Unix, a SaaS provider develops, tests, deploys, and supports just one version of the software executing on its own servers.

An argument might also be made that SaaS vendors are more attuned to customer needs. Since SaaS firms run a customer’s systems on their own hardware, they have a tighter feedback loop in understanding how products are used (and why they fail)—potentially accelerating their ability to enhance their offerings. And once made, enhancements or fixes are immediately available to customers the next time they log in.

SaaS applications also impact distribution costs and capacity. As much as 30 percent of the price of traditional desktop software is tied to the cost of distribution—pressing CD-ROMs, packaging them in boxes, and shipping them to retail outlets.M. Drummond, “The End of Software as We Know It,” Fortune, November 19, 2001. Going direct to consumers can cut out the middleman, so vendors can charge less or capture profits that they might otherwise share with a store or other distributor. Going direct also means that SaaS applications are available anywhere someone has an Internet connection, making them truly global applications. This feature has allowed many SaaS firms to address highly specialized markets, sometimes called vertical niches or vertical markets: products and services designed to target a specific industry (e.g., pharmaceutical, legal, apparel retail). The Internet allows a company writing specialized legal software, for example, or a custom package for the pharmaceutical industry, to have a national deployment footprint from day one. Vendors of desktop applications that go SaaS benefit from this kind of distribution, too.

Finally, SaaS allows a vendor to counter the vexing and costly problem of software piracy. It’s just about impossible to make an executable, illegal copy of a subscription service that runs on a SaaS provider’s hardware.

Gaming in Flux: Is There a Future in Free?

PC game makers are in a particularly tough spot. Development costs are growing as games become more sophisticated. But profits are plummeting as firms face rampant piracy, a growing market for used game sales, and lower sales from rental options from firms like Blockbuster and GameFly. To combat these trends, Electronic Arts (EA) has begun to experiment with a radical alternative to PC game sales—give the base version of the product away for free and make money by selling additional features.

The firm started with the Korean version of its popular FIFA soccer game. Koreans are crazy for the world’s most popular sport; their nation even cohosted the World Cup in 2002. But piracy was killing EA’s sales in Korea. To combat the problem, EA created a free, online version of FIFA that let fans pay for additional features and upgrades, such as new uniforms for their virtual teams, or performance-enhancing add-ons. Each enhancement costs only about one dollar and fifty cents, but the move to a model based on these so-called microtransactions (small payments, typically for products or services purchased online) has brought in big earnings. Gaming firms, news, music, and other media efforts have all experimented with microtransactions, albeit with varying degrees of success. During the first two years that the microtransaction-based Korean FIFA game was available, EA raked in roughly $1 million a month. The two-year, twenty-four-million-dollar take was twice the sales record for EA’s original FIFA game.
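
The FIFA Online figures above are easy to sanity-check. Note that the twelve-million-dollar prior sales record is inferred here from the “twice the record” claim, not stated directly in the text:

```python
# Quick check of the Korean FIFA Online figures cited above.
monthly_take = 1_000_000    # "roughly $1 million a month"
months = 24                 # the first two years
prior_record = 12_000_000   # inferred: half of the two-year take

total = monthly_take * months
print(total)                 # the twenty-four-million-dollar take
print(total / prior_record)  # how many times the old record this represents
```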

Asian markets have been particularly receptive to microtransactions—this revenue model makes up a whopping 50 percent of the region’s gaming revenues. But whether this model can spread to other parts of the world remains to be seen. The firm’s first free, microtransaction offering outside of Korea leverages EA’s popular Battlefield franchise. Battlefield Heroes sports lower quality, more cartoon-like graphics than EA’s conventional Battlefield offerings, but it will be offered free online. Lest someone think they can rise to the top of player rankings by buying the best military hardware for their virtual armies, EA offers a sophisticated matching engine, pitting players with similar abilities and add-ons against one another.J. Schenker, “EA Leaps into Free Video Games,” BusinessWeek, January 22, 2008.

Players of the first versions of Battlefield Heroes and FIFA Online needed to download software to their PC. But the start-up World Golf Tour shows how increasingly sophisticated games can execute within a browser, SaaS-style. WGT doesn’t have quite the graphics sophistication of the dominant desktop golf game (EA’s Tiger Woods PGA Golf), but the free, ad-supported offering is surprisingly detailed. Buddies can meet up online for a virtual foursome, played on high-resolution representations of the world’s elite courses stitched together from fly-over photographs taken as part of game development. World Golf Tour is ad-supported. The firm hopes that advertisers will covet access to the high-income office workers likely to favor a quick virtual golf game to break up their workday. Zynga’s FarmVille, an app game for Facebook, combines both models. Free online, but offering added features purchased in micropayment-sized chunks, FarmVille made half a million dollars in three days, just by selling five-dollar virtual sweet potatoes.D. MacMillan, P. Burrows, and S. Ante, “Inside the App Economy,” BusinessWeek, October 22, 2009. FIFA Online, Battlefield Heroes, World Golf Tour, and FarmVille all show that the conventional models of gaming software are just as much in flux as those facing business and productivity packages.

Key Takeaways

  • SaaS firms may offer their clients several benefits including the following:

    • lower costs by eliminating or reducing software, hardware, maintenance, and staff expenses
    • financial risk mitigation since start-up costs are so low
    • potentially faster deployment times compared with installed packaged software or systems developed in-house
    • costs that are a variable operating expense rather than a large, fixed capital expense
    • scalable systems that make it easier for firms to ramp up during periods of unexpectedly high system use
    • higher quality and service levels through instantly available upgrades, vendor scale economies, and expertise gained across its entire client base
    • remote access and availability—most SaaS offerings are accessed through any Web browser, and often even by phone or other mobile device
  • Vendors of SaaS products benefit from the following:

    • limiting development to a single platform, instead of having to create versions for different operating systems
    • tighter feedback loop with clients, helping fuel innovation and responsiveness
    • ability to instantly deploy bug fixes and product enhancements to all users
    • lower distribution costs
    • accessibility to anyone with an Internet connection
    • greatly reduced risk of software piracy
  • Microtransactions and ad-supported gaming present alternatives to conventional purchased video games. Firms leveraging these models potentially benefit from a host of SaaS advantages, including direct-to-consumer distribution, instant upgrades, continued revenue streams rather than one-time purchase payments, and a method for combating piracy.

Questions and Exercises

  1. Firms that buy conventional enterprise software spend money buying software and hardware. What additional and ongoing expenses are required as part of the “care and feeding” of enterprise applications?
  2. In what ways can firms using SaaS products dramatically lower costs associated with their information systems?
  3. How do SaaS vendors earn their money?
  4. Give examples of enterprise-focused SaaS vendors and their products. Visit the Web sites of the firms that offer these services. Which firms are listed as clients? Does there appear to be a particular type of firm that uses its services, or are client firms broadly represented?
  5. Give examples of desktop-focused SaaS vendors and their products. If some of these are free, try them out and compare them to desktop alternatives you may have used. Be prepared to share your experiences with your class.
  6. List the cost-related benefits to users that accrue from using SaaS.
  7. List the benefits other than cost-related that accrue to users from using SaaS.
  8. List the benefits realized by vendors that offer SaaS services instead of conventional software.
  9. Microtransactions have been tried in many contexts, but have often failed. Can you think of contexts where microtransactions don’t work well? Are there contexts where you have paid (or would be willing to pay) for products and services via microtransactions? What do you suppose are the major barriers to the broader acceptance of microtransactions? Do struggles have more to do with technology, consumer attitudes, or both?
  10. Search online to find free and microtransaction-based games. What do you think of these efforts? What kind of gamers do these efforts appeal to? See if you can investigate whether there are examples of particularly successful offerings, or efforts that have failed. What’s the reason behind the success or failure of the efforts that you’ve investigated?

10.8 SaaS: Not without Risks

Learning Objective

After studying this section you should be able to do the following:

  1. Be able to list and appreciate the risks associated with SaaS.

As with any technology, we recognize there is rarely a silver bullet that solves all problems. A successful manager is able to see through industry hype and weigh the benefits of a technology against its weaknesses and limitations. And there are still several major concerns surrounding SaaS.

The largest concerns involve the tremendous dependence a firm develops with its SaaS vendor. Having all of your eggs in one basket can leave a firm particularly vulnerable. If a traditional software company goes out of business, in most cases its customers can still go on using its products. But if your SaaS vendor goes under, you’re hosed. They’ve got all your data, and even if a firm could get its data out, most organizations don’t have the hardware, software, staff, or expertise to quickly absorb an abandoned function.

Beware with whom you partner. Any hot technology is likely to attract a lot of start-ups, and most of these start-ups are unlikely to survive. In just a single year, the leading trade association found the number of SaaS vendors dropped from seven hundred members to four hundred fifty.M. Drummond, “The End of Software as We Know It,” Fortune, November 19, 2001. One of the early efforts to collapse was Pandesic, a joint venture between SAP and Intel—two large firms that might have otherwise instilled confidence among prospective customers. In another example, Danish SaaS firm “IT Factory” was declared “Denmark’s Best IT Company 2008” by Computerworld, only to follow the award one week later with a bankruptcy declaration.R. Wauters, “The Extraordinary Rise and Fall of Denmark’s IT Factory,” TechCrunch, December 2, 2008. Indeed, despite the benefits, the costs of operating as a SaaS vendor can be daunting. NetSuite’s founder claimed it “takes ten years and $100 million to do right”Sarah Lacy, “On-Demand Computing: A Brutal Slog,” BusinessWeek, July 18, 2008.—maybe that’s why the firm still wasn’t profitable, even a year and a half after going public.

Firms that buy and install packaged software usually have the option of sticking with the old stuff as long as it works, but organizations adopting SaaS may find they are forced into adopting new versions. This fact is important because any radical changes in a SaaS system’s user interface or system functionality might result in unforeseen training costs, or increase the chance that a user might make an error.

Keep in mind that SaaS systems are also reliant on a network connection. If a firm’s link to the Internet goes down, its link to its SaaS vendor is also severed. Relying on an Internet connection also means that data is transferred to and from a SaaS firm at Internet speeds, rather than at the potentially higher speeds of a firm’s internal network. Solutions to many of these issues are evolving as Internet speeds become faster and Internet service providers become more reliable. There are also several programs that allow for offline use of data that is typically stored in SaaS systems, including Google Gears and Adobe AIR. With these products a user can download a subset of data to use offline (say, on a plane flight or in another location without access), and then sync the data when the connection is restored. Ultimately, though, SaaS users have a much higher level of dependence on their Internet connections.
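
The offline pattern these tools support (queue work locally while disconnected, then sync when the link returns) can be sketched in a few lines. This is a simplified illustration of the general technique only, not the actual Google Gears or Adobe AIR API:

```python
# Minimal sketch of the offline-capable SaaS client pattern described above:
# buffer changes while disconnected, then replay them when the link returns.
# Class and method names are hypothetical; this is not the Gears or AIR API.

class OfflineClient:
    def __init__(self):
        self.online = True
        self.pending = []      # changes made while disconnected
        self.server_data = {}  # stand-in for the SaaS vendor's copy

    def save(self, key, value):
        if self.online:
            self.server_data[key] = value      # normal online write
        else:
            self.pending.append((key, value))  # buffer locally instead

    def reconnect(self):
        """Replay buffered changes once the connection is restored."""
        self.online = True
        for key, value in self.pending:
            self.server_data[key] = value
        self.pending.clear()

client = OfflineClient()
client.save("doc1", "draft")   # written straight to the server
client.online = False          # the plane takes off...
client.save("doc2", "edits")   # buffered locally while offline
client.reconnect()             # ...and everything syncs on landing
print(client.server_data)      # both documents now reside on the server
```

Real offline frameworks must also resolve conflicts when the same record changes in both places, a complication this sketch ignores.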

And although a SaaS firm may have more security expertise than your organization, that doesn’t mean that security issues can be ignored. Any time a firm allows employees to access a corporation’s systems and data assets from a remote location, it is potentially vulnerable to abuse and infiltration. Some firms may simply be uncomfortable with critical data assets existing outside their own network. There may also be contractual or legal issues preventing data from being housed remotely, especially if a SaaS vendor’s systems are in another country operating under different laws and regulations. “We’re very bound by regulators in terms of client data and country-of-origin issues, so it’s very difficult to use the cloud,” says Rupert Brown, a chief architect at Merrill Lynch.G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.

SaaS systems are often accused of being less flexible than their installed software counterparts—mostly due to the more robust configuration and programming options available in traditional software packages. It is true that many SaaS vendors have improved system customization options and integration with standard software packages. And at times a lack of complexity can be a blessing—fewer choices can mean less training, faster start-up time, and lower costs associated with system use. But firms with unique needs may find SaaS restrictive.

SaaS offerings usually work well when the bulk of computing happens at the server end of a distributed system because the kind of user interface you can create in a browser isn’t as sophisticated as what you can do with a separate, custom-developed desktop program. A comparison of the first few iterations of the Web-based Google office suite, which offers word processing, presentation software, and a spreadsheet, reveals a much more limited feature set than Microsoft’s Office desktop software. The bonus, of course, is that an online office suite is accessible anywhere and makes sharing documents a snap. Again, an understanding of trade-offs is key.

Here’s another challenge for a firm and its IT staff: SaaS means a greater consumerization of technology. Employees, at their own initiative, can set up a wiki at Socialtext or Google Sites, start blogging on WordPress, or subscribe to a SaaS offering like Salesforce.com, all without corporate oversight and approval. This work can result in employees operating outside established firm guidelines and procedures, potentially introducing operational inconsistencies or even legal and security concerns.

The consumerization of corporate technology isn’t all bad. Employee creativity can blossom with increased access to new technologies, costs might be lower than homegrown solutions, and staff could introduce the firm to new tools that might not otherwise be on the radar of the firm’s IS Department. But all this creates an environment that requires a deeper level of engagement between a firm’s technical staff and the groups it serves than any prior generation of technology workers has needed. Those working in an organization’s information systems group must be sure to conduct regular meetings with representative groups of employees across the firm to understand their pain points and assess their changing technology needs. Non-IT managers should regularly reach out to IT to ensure that their needs are on the tech staff’s agenda. Organizations with internal IT-staff R&D functions that scan new technologies and critically examine their relevance and potential impact on the firm can help guide an organization through the promise and peril of new technologies. Now more than ever, IT managers must be deeply knowledgeable about business areas, broadly aware of new technologies, and able to bridge the tech and business worlds. Similarly, any manager looking to advance his or her organization has to regularly consider the impact of new technologies.

Key Takeaways

The risks associated with SaaS include the following:

  • dependence on a single vendor
  • concern about the long-term viability of partner firms
  • possible forced migration to new versions, incurring unforeseen training costs and shifts in operating procedures
  • reliance on a network connection, which may be slower, less stable, and less secure
  • data assets stored off-site, with the potential for security and legal concerns
  • limited configuration, customization, and system integration options compared to packaged software or alternatives developed in-house
  • user interfaces of Web-based software that are often less sophisticated and lack the richness of most desktop alternatives
  • ease of adoption, which may lead to pockets of unauthorized IT being used throughout an organization

Questions and Exercises

  1. Consider the following two firms: a consulting start-up and a defense contractor. Leverage what you know about SaaS to advise whether each might consider SaaS efforts for CRM or other enterprise functions. Why or why not?
  2. Think of firms you’ve worked for, or firms you would like to work for. Do SaaS offerings make sense for these firms? Make a case for or against using certain categories of SaaS.
  3. What factors would you consider when evaluating a SaaS vendor? Which firms are more appealing to you and why?
  4. Discuss problems that may arise because SaaS solutions rely on Internet connections. Discuss the advantages of through-the-browser access.
  5. Evaluate trial versions of desktop SaaS offerings (offered by Adobe, Google, Microsoft, Zoho, or others). Do you agree that the interfaces of Web-based versions are not as robust as desktop rivals? Are they good enough for you? For most users?

10.9 The Hardware Cloud: Utility Computing and Its Cousins

Learning Objectives

After studying this section you should be able to do the following:

  1. Distinguish between SaaS and hardware clouds.
  2. Provide examples of firms and uses of hardware clouds.
  3. Understand the concepts of cloud computing, cloudbursting, and black swan events.
  4. Understand the challenges and economics involved in shifting computing hardware to the cloud.

While SaaS provides the software and hardware to replace an internal information system, sometimes a firm develops its own custom software but wants to pay someone else to run it. That’s where hardware clouds, utility computing, and related technologies come in. In this model, a firm replaces computing hardware that it might otherwise run on-site with a service provided by a third party online. While the term utility computing was fashionable a few years back (and old-timers claim it shares a lineage with terms like hosted computing or even time sharing), most in the industry have begun referring to this as an aspect of cloud computing, often called hardware clouds (a cloud computing model in which a service provider makes computing resources such as hardware and storage, along with infrastructure management, available to a customer on an as-needed basis; the provider typically charges for specific resource usage rather than a flat rate). Computing hardware used in this scenario exists “in the cloud,” meaning somewhere on the Internet. The costs of systems operated in this manner look more like a utility bill—you pay only for the amount of processing, storage, and telecommunications used. Tech research firm Gartner has estimated that 80 percent of corporate tech spending goes toward data center maintenance.J. Rayport, “Cloud Computing Is No Pipe Dream,” BusinessWeek, December 9, 2008. Hardware-focused cloud computing provides a way for firms to chip away at these costs.
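The utility-bill pricing model can be made concrete with a minimal sketch. All rates and usage figures below are invented for illustration; they are not any vendor's actual prices:

```python
# Hypothetical metered pricing: pay only for what you use.
# All rates and usage figures are invented for illustration.
RATES = {
    "cpu_hours": 0.10,          # dollars per CPU-hour of processing
    "storage_gb_months": 0.25,  # dollars per gigabyte stored per month
    "transfer_gb": 0.15,        # dollars per gigabyte transferred
}

def utility_bill(usage):
    """Sum metered charges; idle capacity costs nothing."""
    return sum(RATES[item] * amount for item, amount in usage.items())

# A quiet month and a busy month produce very different bills,
# unlike the fixed cost of owning hardware that sits idle.
light = utility_bill({"cpu_hours": 50, "storage_gb_months": 20, "transfer_gb": 10})
heavy = utility_bill({"cpu_hours": 5000, "storage_gb_months": 200, "transfer_gb": 400})
```

The point of the sketch is the shape of the cost curve: a quiet month costs almost nothing, while heavy use is billed in proportion, with no fixed charge for idle capacity.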

Major players are spending billions building out huge data centers to take all kinds of computing out of the corporate data center and place it in the cloud. Efforts include Sun’s grid, IBM’s Cloud Labs, Amazon’s EC2 (Elastic Compute Cloud), Google’s App Engine, Microsoft’s Azure, and Salesforce.com’s While cloud vendors typically host your software on their systems, many of these vendors also offer additional tools to help in creating and hosting apps in the cloud. Salesforce.com offers, which includes not only a hardware cloud but also several cloud-supporting tools, including a programming environment (IDE) to write applications specifically tailored for Web-based delivery. Google’s App Engine offers developers a database product called Big Table, while Amazon offers one called SimpleDB. Traditional software firms like Oracle are also making their products available to developers through various cloud initiatives.

Still other cloud computing efforts focus on providing a virtual replacement for operational hardware like storage and backup solutions. These include the cloud-based backup efforts like EMC’s Mozy, and corporate storage services like Amazon’s Simple Storage Solution (S3). Even efforts like Apple’s MobileMe and Microsoft’s Live Mesh that sync user data across devices (phone, multiple desktops) are considered part of the cloud craze. The common theme in all of this is leveraging computing delivered over the Internet to satisfy the computing needs of both users and organizations.

Clouds in Action: A Snapshot of Diverse Efforts

Large established organizations, small firms, and start-ups are all embracing the cloud. The examples below illustrate the wide range of these efforts.

Journalists refer to the New York Times as “The Old Gray Lady,” but it turns out that the venerable paper is a cloud-pioneering whippersnapper. When the Times decided to make roughly one hundred fifty years of newspaper archives (over fifteen million articles) available over the Internet, it realized that the process of converting scans into searchable PDFs would require more computing power than the firm had available.J. Rayport, “Cloud Computing Is No Pipe Dream,” BusinessWeek, December 9, 2008. To solve the challenge, a Times IT staffer simply broke out a credit card and signed up for Amazon’s EC2 cloud computing and S3 cloud storage services. The Times then started uploading terabytes of information to Amazon, along with a chunk of code to execute the conversion. While anyone can sign up for services online without speaking to a rep, someone from Amazon eventually contacted the Times to check in after noticing the massive volume of data coming into its systems. Using one hundred of Amazon’s Linux servers, the Times completed the job in just twenty-four hours. In fact, a coding error in the initial batch forced the paper to rerun the job. Even the blunder was cheap—just two hundred forty dollars in extra processing costs. Says a member of the Times IT group: “It would have taken a month at our facilities, since we only had a few spare PCs.…It was cheap experimentation, and the learning curve isn’t steep.”G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.
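The numbers in the Times story line up with simple arithmetic. The ten-cents-per-instance-hour rate below is an assumed approximation of early EC2 small-instance pricing, not a figure from this passage:

```python
# Back-of-the-envelope check on the Times conversion job.
# The $0.10-per-instance-hour rate is an assumed approximation of
# early EC2 small-instance pricing, not a figure from the article.
servers = 100
hours = 24
rate_per_instance_hour = 0.10

run_cost = servers * hours * rate_per_instance_hour  # roughly $240 per run
```

That works out to about $240 per run, which matches the quoted cost of rerunning the job after the coding error.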

NASDAQ also uses Amazon’s cloud as part of its Market Replay system. The exchange uses Amazon to make terabytes of data available on demand, and uploads an additional thirty to eighty gigabytes every day. Market Replay allows access through an Adobe AIR interface to pull together historical market conditions in the ten-minute period surrounding a trade’s execution. This allows NASDAQ to produce a snapshot of information for regulators or customers who question a trade. Says the exchange’s VP of Product Development, “The fact that we’re able to keep so much data online indefinitely means the brokers can quickly answer a question without having to pull data out of old tapes and CD backups.”P. Grossman, “Cloud Computing Begins to Gain Traction on Wall Street,” Wall Street and Technology, January 6, 2009. NASDAQ isn’t the only major financial organization leveraging someone else’s cloud. Others include Merrill Lynch, which uses IBM’s Blue Cloud servers to build and evaluate risk analysis programs; and Morgan Stanley, which relies on Salesforce.com for recruiting applications.

The offering from Sun Microsystems is essentially a grid computer in the clouds (see Chapter 5 “Moore’s Law: Fast, Cheap Computing and What It Means for the Manager”). Since grid computers break a task up and spread it across multiple processors, the Sun service is best for problems that can be easily divided into smaller mini jobs that can be processed simultaneously by the army of processors in Sun’s grid. The firm’s cloud is particularly useful for performing large-scale image and data tasks. Infosolve, a data management firm, uses the Sun cloud to scrub massive data sets, at times harnessing thousands of processors to comb through client records and correct inconsistent entries.
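The "divide into mini jobs" pattern behind the grid can be sketched in a few lines of Python. The record format and the scrubbing rule are invented for illustration; a real job like Infosolve's would be far larger and would run the chunks in parallel across the grid's processors:

```python
# A toy version of the grid pattern described above: divide a large
# data-scrubbing task into independent mini jobs that could each be
# handed to a separate processor. The record format and the "scrub"
# rule are invented for illustration.
def scrub(record):
    """Mini job: normalize one client record."""
    return {"name": record["name"].strip().title(),
            "state": record["state"].strip().upper()}

def split_into_minijobs(records, chunk_size):
    """Carve the full data set into independently processable chunks."""
    return [records[i:i + chunk_size] for i in range(0, len(records), chunk_size)]

# On a real grid, each chunk would run simultaneously on its own
# processor; here the chunks are processed serially to keep it simple.
dirty = [{"name": " ada lovelace ", "state": "ma "},
         {"name": "alan turing", "state": " ny"},
         {"name": "grace hopper ", "state": "va"}]
jobs = split_into_minijobs(dirty, chunk_size=2)
clean = [scrub(r) for job in jobs for r in job]
```

Because each record is cleaned independently, the chunks have no shared state, which is exactly what makes a workload "easily divided" in the sense the paragraph describes.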

IBM Cloud Labs, which counts Elizabeth Arden and the U.S. Golf Association among its customers, offers several services, including so-called cloudbursting (the use of cloud computing to provide excess capacity during periods of spiking demand; cloudbursting is a scalability solution usually provided as an overflow service, kicking in as needed). In a cloudbursting scenario, a firm’s data center running at maximum capacity can seamlessly shift part of the workload to IBM’s cloud, with any spikes in system use metered, utility style. Cloudbursting is appealing because forecasting demand is difficult and can’t account for ultrarare, high-impact events, sometimes called black swans (unpredicted but highly impactful events; the phrase entered the managerial lexicon from the 2007 book of the same name by Nassim Taleb). Planning to account for usage spikes explains why the servers at many conventional corporate IS shops run at only 10 to 20 percent capacity.J. Parkinson, “Green Data Centers Tackle LEED Certification,” January 18, 2007. While the Cloud Labs cloudbursting service is particularly appealing for firms that already have a heavy reliance on IBM hardware in-house, it is possible to build these systems using the hardware clouds of other vendors, too.

Salesforce.com’s cloud is especially tuned to help firms create and deploy custom Web applications. The firm makes it possible to piece together projects using premade Web services that provide software building blocks for features like calendaring and scheduling. The integration with the firm’s SaaS CRM effort, and with third-party products like Google Maps, allows enterprise mash-ups that can combine services from different vendors into a single application that’s run on Salesforce.com’s hardware. The platform even includes tools to help deploy Facebook applications.
Intuitive Surgical used to create and host a custom application to gather clinical trial data for the firm’s surgical robots. An IS manager at Intuitive noted, “We could build it using just their tools, so in essence, there was no programming.”G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008. Other users include Jobscience, which used to launch its online recruiting site; and Harrah’s Entertainment, which uses applications to manage room reservations, air travel programs, and player relations.
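The cloudbursting arrangement described above amounts to a simple overflow rule: serve demand in-house up to the data center's capacity, and meter only the excess that spills into the cloud. The capacity and per-request rate below are invented numbers:

```python
# Sketch of the cloudbursting decision: serve demand in-house up to
# the data center's capacity, and meter only the overflow that
# spills into the cloud. Capacity and rate are invented numbers.
LOCAL_CAPACITY = 1000  # requests per hour the in-house center can handle
CLOUD_RATE = 0.002     # hypothetical dollars per overflow request

def route(demand):
    """Return (local_load, cloud_load, metered_cost) for one hour."""
    local = min(demand, LOCAL_CAPACITY)
    burst = max(0, demand - LOCAL_CAPACITY)
    return local, burst, burst * CLOUD_RATE

normal = route(800)   # a typical hour: nothing bursts to the cloud
spike = route(5000)   # a black-swan spike: only the excess is billed
```

This is why cloudbursting appeals to firms facing unpredictable demand: in a normal hour the cloud costs nothing, and during a spike the firm pays only for the overflow instead of owning idle capacity year-round.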

These efforts compete with a host of other initiatives, including Google’s App Engine and Microsoft’s Azure Services Platform, hosting firms like Rackspace, and cloud-specific upstarts like GoGrid.

Challenges Remain

Hardware clouds and SaaS share similar benefits and risks, and as our discussion of SaaS showed, cloud efforts aren’t for everyone. Some additional examples illustrate the challenges in shifting computing hardware to the cloud.

For all the hype about cloud computing, it doesn’t work in all situations. From an architectural standpoint, most large organizations run a hodgepodge of systems that include both packaged applications and custom code written in-house. Installing a complex set of systems on someone else’s hardware can be a brutal challenge and in many cases is just about impossible. For that reason we can expect most cloud computing efforts to focus on new software development projects rather than on porting existing software. Even for efforts that can be custom-built and cloud-deployed, other roadblocks remain. For example, some firms face stringent regulatory compliance issues. To quote one tech industry executive, “How do you demonstrate what you are doing is in compliance when it is done outside?”G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.

Firms considering cloud computing need to do a thorough financial analysis, comparing the capital and other costs of owning and operating their own systems over time against the variable costs over the same period for moving portions to the cloud. For high-volume, low-maintenance systems, the numbers may show that it makes sense to buy rather than rent. Cloud costs can seem super cheap at first. Sun’s early cloud effort offered a flat fee of one dollar per CPU per hour. Amazon’s cloud storage rates were twenty-five cents per gigabyte per month. But users often also pay for the number of accesses and the number of data transfers.C. Preimesberger, “Sun’s ‘Open’-Door Policy,” eWeek, April 21, 2008. A quarter a gigabyte a month may seem like a small amount, but system maintenance costs often include the need to clean up old files or put them on tape. If unlimited data is stored in the cloud, these costs can add up.
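The rent-versus-buy analysis recommended above can be roughed out in a few lines. The ownership figures below are invented; the one-dollar-per-CPU-hour rental rate echoes Sun's early flat fee mentioned in the text, and a real analysis would add the access and transfer fees, staffing, power, and real estate:

```python
# Rough rent-vs-buy comparison of the kind recommended above.
# Ownership figures are invented; the $1-per-CPU-hour rental rate
# echoes Sun's early flat fee mentioned in the text.
def own_cost(servers, price_each, annual_upkeep, years):
    """Capital cost of buying servers plus yearly operating costs."""
    return servers * price_each + annual_upkeep * years

def rent_cost(cpu_hours_per_year, rate_per_cpu_hour, years):
    """Variable cost of renting the same capacity from a cloud."""
    return cpu_hours_per_year * rate_per_cpu_hour * years

# Ten servers kept busy around the clock for three years: a
# high-volume, steady workload where buying can beat renting.
steady_own = own_cost(servers=10, price_each=5000, annual_upkeep=8000, years=3)
steady_rent = rent_cost(cpu_hours_per_year=10 * 24 * 365, rate_per_cpu_hour=1.0, years=3)
```

With these invented numbers, owning costs $74,000 over three years while renting the same always-on capacity costs $262,800, illustrating the section's point that steady, high-volume workloads can favor buying. A spiky or short-lived workload, billed only for hours actually used, would flip the comparison.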

Firms should enter the cloud cautiously, particularly where mission-critical systems are concerned. When one of the three centers supporting Amazon’s cloud briefly went dark in 2008, start-ups relying on the service, including Twitter and SmugMug, reported outages. Apple’s MobileMe, a cloud-based product for synchronizing data across computers and mobile devices, struggled for months after its introduction when the cloud repeatedly went down. Vendors with multiple data centers that are able to operate with fault-tolerant provisioning (capable of continuing operation even if a component fails), keeping a firm’s efforts at more than one location to account for any operating interruptions, will appeal to firms with stricter uptime requirements.
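Fault-tolerant provisioning of the kind described above amounts to keeping capacity in more than one region and failing over when one goes dark. A toy sketch, with invented region names and request labels:

```python
# Toy sketch of fault-tolerant provisioning: keep capacity in more
# than one location and fail over when a region goes dark. Region
# names and the request label are invented for illustration.
def serve(request, regions, is_up):
    """Return a response from the first healthy region in the list."""
    for region in regions:
        if is_up(region):
            return f"served {request} from {region}"
    raise RuntimeError("all regions down")

# One region down? Shift traffic to the next.
status = {"oregon": False, "north-carolina": True}
result = serve("req-1", ["oregon", "north-carolina"], lambda r: status[r])
```

A single-region deployment, like the early MobileMe, has no second branch to fall back on; the appeal of multi-data-center vendors is precisely that the loop above has somewhere else to go.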

Key Takeaways

  • It’s estimated that 80 percent of corporate tech spending goes toward data center maintenance. Hardware-focused cloud computing initiatives from third party firms help tackle this cost by allowing firms to run their own software on the hardware of the provider.
  • Amazon, EMC, Google, IBM, Microsoft, Oracle/Sun, Rackspace, and Salesforce.com are among firms offering platforms to run custom software projects. Some offer additional tools and services, including support for cloud-based software development, hosting, application integration, and backup.
  • Users of cloud computing run the gamut of industries, including publishing (the New York Times), finance (NASDAQ), and cosmetics and skin care (Elizabeth Arden).
  • Benefits and risks are similar to those discussed in SaaS efforts. Benefits include the use of the cloud for handling large batch jobs or limited-time tasks, offloading expensive computing tasks, and cloudbursting efforts that handle system overflow when an organization needs more capacity.
  • Most legacy systems can’t be easily migrated to the cloud, meaning most efforts will be new efforts or those launched by younger firms.
  • Cloud (utility) computing doesn’t work in situations where complex legacy systems have to be ported, or where there may be regulatory compliance issues.
  • Some firms may still find TCO and pricing economics favor buying over renting—scale sometimes suggests an organization is better off keeping efforts in-house.

Questions and Exercises

  1. What are hardware clouds? What kinds of services are described by this term? What are other names for this phenomenon? How does this differ from SaaS?
  2. Which firms are the leading providers of hardware clouds? How are clients using these efforts?
  3. List the circumstances where hardware clouds work best and where they work poorly.
  4. Research cloud-based alternatives for backing up your hard drive. Which are the best-reviewed products or services? Why? Do you or would you use such a service? Why or why not?
  5. Can you think of “black swan” events that have caused computing services to become less reliable? Describe the events and their consequences for computing services. Suggest a method and vendor for helping firms overcome the sorts of events that you encountered.

10.10 Clouds and Tech Industry Impact

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how cloud computing’s impact across industries is proving to be broad and significant.
  2. Know the effects of cloud computing on high-end server sales and the influence on the trend shifting from hardware sales to service.
  3. Know the effects of cloud computing on innovation and the influence on the changes in the desired skills mix and job outlook for IS workers.
  4. Know that by lowering the cost to access powerful systems and software, cloud computing can decrease barriers to entry.
  5. Understand the importance, size, and metrics of server farms.

Although still a relatively recent phenomenon, cloud computing’s impact across industries is already proving to be broad and significant.

Cloud computing is affecting the competitive dynamics of the hardware, software, and consulting industries. In the past, firms seeking to increase computing capacity invested heavily in expensive, high-margin server hardware, creating a huge market for computer manufacturers. But now hardware firms find these markets may be threatened by the cloud. The shift from hardware to services is evident in IBM’s quarterly numbers. The firm recently reported its overall earnings were up 12 percent, even though hardware sales were off by 20 percent.J. Fortt, “Goodbye, PC (and Mac). Hello, Services,” Fortune, February 4, 2009. What made up the difference? The growth of Big Blue’s services business. IBM is particularly well positioned to take advantage of the shift to services because it employs more technology consultants than any other firm in the world, while most of its competitors are forced to partner to offer something comparable. Consulting firm Capgemini’s partnership to offer cloud services through Amazon is one such example.

The shift to cloud computing also alters the margin structure for many in the computing industry. While Moore’s Law has made servers cheap, deploying SaaS and operating a commercial cloud is still very expensive—much more so than simply making additional copies of conventional, packaged software. Microsoft surprised Wall Street when it announced it would need to pour at least $2 billion more than analysts expected into the year’s capital spending on server farms (massive networks of computer servers running software to coordinate their collective use; server farms provide the infrastructure backbone to SaaS and hardware cloud efforts, as well as many large-scale Internet services). The firm’s stock—among the world’s most widely held—sank 11 percent in a day.S. Mehta, “Behold the Server Farm,” Fortune, July 28, 2006. As a result, many portfolio managers started paying closer attention to the business implications of the cloud.

Cloud computing can accelerate innovation and therefore changes the desired skills mix and job outlook for IS workers. If cloud computing customers spend less on expensive infrastructure investments, they potentially have more money to reinvest in strategic efforts and innovation. IT careers may change, too. Demand for nonstrategic skills like hardware operations and maintenance are likely to decrease. Organizations will need more business-focused technologists who intimately understand a firm’s competitive environment, and can create systems that add value and differentiate the firm from its competition.J. Fortt, “Tech Execs Get Sexy,” Fortune, February 12, 2009. While these tech jobs require more business training, they’re also likely to be more durable and less likely to be outsourced to a third party with a limited understanding of the firm.

By lowering the cost to access powerful systems and software, barriers to entry also decrease. Firms need to think about the strategic advantages they can create, even as technology is easily duplicated. This trend means the potential for more new entrants across industries, and since start-ups can do more with less, it’s also influencing entrepreneurship and venture capital. The CTO of SlideShare, a start-up that launched using Amazon’s S3 storage cloud, offers a presentation on his firm’s site labeled “Using S3 to Avoid VC.” Similarly, the CEO of online payments start-up Zuora claims to have saved between half a million and $1 million by using cloud computing: “We have no servers, we run the entire business in the cloud.”E. Ackerman, “Forecast for Computing: Cloudy,” San Jose Mercury News, December 23, 2008. And the sophistication of these tools lowers development time. Enterprise firm Apttus claims it was able to perform the equivalent of six months of development in a couple of weekends by using cloud services. The firm scored its first million-dollar deal in three months, and was break-even in nine months, a ramp-up time that would have been unheard of had it needed to plan, purchase, and deploy its own data center, and create from scratch the Web services that were provided by its cloud vendor.J. Rayport, “Cloud Computing Is No Pipe Dream,” BusinessWeek, December 9, 2008.

So What’s It Take to Run This Thing?

In the countryside surrounding the Columbia River in the Pacific Northwest, potato farms are yielding to server farms. Turns out the area is tailor made for creating the kinds of massive data installations that form the building blocks of cloud computing. The land is cheap, the region’s hydroelectric power costs a fraction of Silicon Valley rates, and the area is served by ultrafast fiber-optic connections. Even the area’s mild temperatures cut cooling costs.

Most major players in cloud computing have server farms in the region, each with thousands of processors humming away simultaneously. Microsoft’s Quincy, Washington, facility is as big as ten American football fields and has nearly six hundred miles of wiring, 1.5 metric tons of battery backup, and three miles of chiller piping to keep things cool. Storage is big enough to store 6.75 trillion photos. Just a short drive away, Yahoo has two facilities on fifty acres, including one that runs at a zero carbon footprint. Google has a thirty-acre site sprawled across former farmland in The Dalles, Oregon. The Google site includes two massive buildings, with a third on the way. And in Boardman, Oregon, Amazon has a three building petabyte palace that sports its own ten-megawatt electrical substation.R. Katz, “Tech Titans Building Boom,” IEEE Spectrum 46, no. 2 (February 1, 2009): 40–43.

While U.S. activity has been particularly intense in the Pacific Northwest, server farms that support cloud computing are popping up from Shanghai to São Paulo. Not only does a diverse infrastructure offer a degree of fault tolerance and disaster recovery (Oregon down? Shift to North Carolina), but the myriad of national laws and industry-specific regulatory environments may also require some firms to keep data within a specific country or region. To meet the challenge, cloud vendors are racing to deploy infrastructure worldwide and allowing customers to select regional availability zones for their cloud computing needs.

The build-out race has become so intense that many firms have developed rapid-deployment server farm modules that are preconfigured and packed inside shipping containers. Some of these units contain as many as three thousand servers each. Just drop the containers on-site, link to power, water, and telecom, and presto—you’ve got yourself a data center. More than two hundred containers can be used on a single site. One Microsoft VP claimed the configuration has cut the time to open a data center to just a few days, claiming Microsoft’s San Antonio facility was operational in less time than it took a local western wear firm to deliver her custom-made cowboy boots!P. Burrows, “Microsoft to Google: Get Off of My Cloud,” BusinessWeek, November 21, 2008. Microsoft’s Dublin-based fourth generation data center will be built entirely of containers—no walls or roof—using the outside air for much of the cooling.T. Vanderbilt, “Data Center Overload,” New York Times, June 8, 2009.

Figure 10.5

This Sun server-packed container is designed for rapid data center deployment.

While firms are buying less hardware, cloud vendors have turned out to be the computing industry’s best customers. Amazon has spent well over $2 billion on its cloud infrastructure. Google reportedly has 1.4 million servers operating across three dozen data centers.R. Katz, “Tech Titans Building Boom,” IEEE Spectrum 46, no. 2 (February 1, 2009): 40–43. Demonstrating it won’t be outdone, Microsoft plans to build as many as twenty server farms, at costs of up to $1 billion each.P. Burrows, “Microsoft to Google: Get Off of My Cloud,” BusinessWeek, November 21, 2008. Look for the clouds to pop up in unexpected places. Microsoft has scouted locations in Siberia, while Google has applied to patent a method for floating data centers on an offshore platform powered by wave motions.R. Katz, “Tech Titans Building Boom,” IEEE Spectrum 46, no. 2 (February 1, 2009): 40–43.

Key Takeaways

  • Cloud computing’s impact across industries is proving to be broad and significant.
  • Clouds can lower barriers to entry in an industry, making it easier for start-ups to launch and smaller firms to leverage the backing of powerful technology.
  • Clouds may also lower the amount of capital a firm needs to launch a business, shifting power away from venture firms in those industries that had previously needed more VC money.
  • Clouds can shift resources out of capital spending and into profitability and innovation.
  • Hardware and software sales may drop as cloud use increases, while service revenues will increase.
  • Cloud computing can accelerate innovation and therefore changes the desired skills mix and job outlook for IS workers. Tech skills in data center operations, support, and maintenance may shrink as a smaller number of vendors consolidate these functions.
  • Demand continues to spike for business-savvy technologists. Tech managers will need even stronger business skills and will focus an increasing percentage of their time on strategic efforts. These latter jobs are tougher to outsource, since they involve an intimate knowledge of the firm, its industry, and its operations.
  • The market for expensive, high-margin server hardware is threatened by companies moving applications to the cloud instead of investing in hardware.
  • Server farms require plenty of cheap land, low cost power, ultrafast fiber-optic connections, and benefit from mild climates.
  • Sun, Microsoft, IBM, and HP have all developed rapid-deployment server farm modules that are preconfigured and packed inside shipping containers.

Questions and Exercises

  1. Describe the change in IBM’s revenue stream resulting from the shift to the cloud.
  2. Why is IBM particularly well positioned to take advantage of the shift to services?
  3. Describe the shift in skill sets required for IT workers that is likely to result from the widespread adoption of cloud computing.
  4. Why do certain entry barriers decrease as a result of cloud computing? What is the effect of lower entry barriers on new entrants, entrepreneurship, and venture capital? On existing competitors?
  5. What factors make the Columbia River region of the Pacific Northwest an ideal location for server farms?
  6. What is the estimated number of computers operated by Google?
  7. Why did Microsoft’s shift to cloud computing create an unexpected shock among stock analysts who cover the firm? What does this tell you about the importance of technology understanding among finance and investment professionals?
  8. Why do cloud computing vendors build regional server farms instead of one mega site?
  9. Why would a firm build a container-based data center?

10.11 Virtualization: Software That Makes One Computer Act Like Many

Learning Objectives

After studying this section you should be able to do the following:

  1. Know what virtualization software is and its impact on cloud computing.
  2. Be able to list the benefits to a firm from using virtualization.

The reduced costs and increased power of commodity hardware are not the only contributors to the explosion of cloud computing. The availability of increasingly sophisticated software tools has also had an impact. Perhaps the most important software tool in the cloud computing toolbox is virtualization (a type of software that allows a single computer, or a cluster of connected computers, to function as if it were several different computers, each running its own operating system and software; virtualization underpins most cloud computing efforts and can make computing more efficient, cost-effective, and scalable). Think of virtualization as a kind of operating system for operating systems. A server running virtualization software can create smaller compartments in memory that each behave as a separate computer with its own operating system and resources. The most sophisticated of these tools also allow firms to combine servers into a huge pool of computing resources that can be allocated as needed.D. Lyons, “A Mostly Cloudy Computing Forecast,” Washington Post, November 4, 2008.

Virtualization can generate huge savings. Some studies have shown that on average, conventional data centers run at 15 percent or less of their maximum capacity. Data centers using virtualization software have increased utilization to 80 percent or more.R. Katz, “Tech Titans Building Boom,” IEEE Spectrum 46, no. 2 (February 1, 2009): 40–43. This increased efficiency means cost savings in hardware, staff, and real estate. Plus it reduces a firm’s IT-based energy consumption, cutting costs, lowering its carbon footprint, and boosting “green cred.”K. Castro, “The Virtues of Virtualization,” BusinessWeek, December 3, 2007. Using virtualization, firms can buy and maintain fewer servers, each running at a greater capacity. They can also power down servers until rising demand requires them to come online.
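The utilization figures above translate directly into server counts. A quick calculation with an invented workload shows why the consolidation savings are so large:

```python
import math

# How many hosts does a workload need at a given utilization level?
# Capacity and workload units are invented; the 15 percent and
# 80 percent utilization figures come from the passage above.
def hosts_needed(workload_units, capacity_per_host, utilization):
    return math.ceil(workload_units / (capacity_per_host * utilization))

before = hosts_needed(workload_units=120, capacity_per_host=10, utilization=0.15)  # conventional center
after = hosts_needed(workload_units=120, capacity_per_host=10, utilization=0.80)   # virtualized center
```

With these invented numbers, the same workload drops from eighty hosts to fifteen, and every retired host means less hardware to buy, power, cool, and house.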

While virtualization is a key software building block that makes public cloud computing happen, it can also be used in-house to reduce an organization’s hardware needs, and even to create a firm’s own private cloud of scalable assets. Bechtel, BT, Merrill Lynch, and Morgan Stanley are among the firms with large private clouds enabled by virtualization.J. Brodkin, “Private Clouds Bring IT Mgmt. Challenges,” NetworkWorld, December 15, 2008. Another kind of virtualization, virtual desktops, allows a server to run what amounts to a copy of a PC—OS, applications, and all—and simply deliver an image of what’s executing to a PC or other connected device. Since a single server can run dozens of these PC instances, firms can scale, back up, secure, and upgrade systems far more easily than if they had to maintain each individual PC. One game start-up hopes to remove the high-powered game console hardware attached to your television and instead put the console in the cloud, delivering games to your TV as they execute remotely on superfast server hardware. Virtualization can even live on your desktop. Anyone who’s ever run Windows in a window on Mac OS X is using virtualization software; these tools inhabit a chunk of your Mac’s memory for running Windows and actually fool this foreign OS into thinking that it’s on a PC.

Interest in virtualization has exploded in recent years. VMware, the virtualization software division of storage firm EMC, was the biggest IPO of 2007. But its niche is getting crowded. Microsoft has entered the market, building virtualization into its server offerings. Dell bought a virtualization software firm for $1.54 billion. And there’s even an open source virtualization product called Xen.K. Castro, “The Virtues of Virtualization,” BusinessWeek, December 3, 2007.

Key Takeaways

  • Virtualization software allows one computing device to function as many. The most sophisticated products also make it easy for organizations to scale computing requirements across several servers.
  • Virtualization software can lower a firm’s hardware needs, save energy, and boost scalability.
  • Data center virtualization software is at the heart of many so-called private clouds and scalable corporate data centers, as well as the sorts of public efforts described earlier.
  • Virtualization also works on the desktop, allowing multiple operating systems (Mac OS X, Linux, Windows) to run simultaneously on the same platform.
  • Virtualization software can increase data center utilization to 80 percent or more.
  • While virtualization is used to make public cloud computing happen, it can also be used in-house to create a firm’s own private cloud.
  • A number of companies, including Microsoft and Dell, have entered the growing virtualization market.

Questions and Exercises

  1. List the benefits to a firm from using virtualization.
  2. What is the average utilization rate for conventional data centers?
  3. List companies that have virtualization-enabled private clouds.
  4. Give an example of desktop virtualization.
  5. Name three companies that are players in the virtualization software industry.

10.12 Make, Buy, or Rent

Learning Objectives

After studying this section you should be able to do the following:

  1. Know the options managers have when determining how to satisfy the software needs of their companies.
  2. Know the factors that must be considered when making the make, buy, or rent decision.

So now you realize managers have a whole host of options when seeking to fulfill the software needs of their firms. An organization can purchase packaged software from a vendor, use open source offerings, leverage SaaS or another type of cloud computing, outsource development or other IT functions to another firm either domestically or abroad, or develop all or part of the effort in-house. When presented with all of these options, making decisions about technologies and systems can seem pretty daunting.

First, realize that for most firms, technology decisions are not binary options for the whole organization in all situations. Few businesses will opt for an IT configuration that is 100 percent in-house, packaged, or SaaS. Being aware of the parameters to consider can help a firm make better, more informed decisions. It’s also important to keep in mind that these decisions need to be continuously reevaluated as markets and business needs change. What follows is a summary of some of the key variables to consider.

Competitive AdvantageDo we rely on unique processes, procedures, or technologies that create vital, differentiating competitive advantage? If so, then these functions aren’t a good candidate to outsource or replace with a packaged software offering. Amazon.com had originally used recommendation software provided by a third party, and Netflix and Dell both considered third-party software to manage inventory fulfillment. But in all three cases, these firms felt that mastery of these functions was too critical to competitive advantage, so each firm developed proprietary systems tailored to its own circumstances.

SecurityAre there unacceptable risks associated with using the packaged software, OSS, cloud solution, or an outsourcing vendor? Are we convinced that the prospective solution is sufficiently secure and reliable? Can we trust the prospective vendor with our code, our data, our procedures, and our way of doing business? Are there noncompete provisions for vendor staff that may be privy to our secrets? For off-site work, are there sufficient policies in place for on-site auditing? If the answer to any of these questions is no, outsourcing might not be a viable option.

Legal and ComplianceIs our firm prohibited outright from using certain technologies? Are there specific legal and compliance requirements related to deploying our products or services? Even a technology as innocuous as instant messaging may need to be deployed in such a way that it complies with laws requiring firms to record and reproduce the electronic equivalent of a paper trail. For example, SEC Rule 17a-4 requires broker dealers to retain client communications for a minimum of three years. HIPAA laws governing health care providers state that electronic communications must also be captured and stored.D. Shapiro, “Instant Messaging and Compliance Issues: What You Need to Know,” SearchCIO, May 17, 2004. While tech has gained a seat in the boardroom, legal also deserves a seat in systems planning meetings.

Skill, Expertise, and Available LaborCan we build it? The firm may have skilled technologists, but they may not be sufficiently experienced with a new technology. Even if they are skilled, managers must consider the costs of allocating staff away from existing projects for this effort.

CostIs this a cost-effective choice for our firm? A host of factors must be considered when evaluating the cost of an IT decision. The costs to build, host, maintain, and support an ongoing effort involve labor (software development, quality assurance, ongoing support, training, and maintenance), consulting, security, operations, licensing, energy, and real estate. Any analysis of costs should consider not only the aggregate spending required over the lifetime of the effort but also whether these factors might vary over time.
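To see why cost factors must be evaluated over the lifetime of an effort rather than at a single point in time, consider a simple build-versus-rent comparison. All of the dollar figures below are hypothetical, and a real analysis would include discounting, maintenance spikes, and the other cost categories listed above.

```python
# Hypothetical sketch: lifetime cost of building in-house vs. renting SaaS.
# All dollar figures are invented for illustration only.

def lifetime_cost(upfront: float, annual: float, years: int) -> float:
    """Total spend over the life of the effort (ignoring discounting)."""
    return upfront + annual * years

# Build: big upfront development cost, lower ongoing support cost.
# Rent:  no upfront cost, but a recurring per-year subscription.
build = {y: lifetime_cost(500_000, 60_000, y) for y in (1, 3, 5)}
rent = {y: lifetime_cost(0, 180_000, y) for y in (1, 3, 5)}

for y in (1, 3, 5):
    cheaper = "rent" if rent[y] < build[y] else "build"
    print(y, cheaper)  # rent wins early; build wins over a longer horizon
```

With these invented numbers, renting looks cheaper in years one and three, but building is cheaper by year five—exactly the kind of crossover that a snapshot analysis would miss.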

TimeDo we have time to build, test, and deploy the system?

Vendor IssuesIs the vendor reputable and in a sound financial position? Can the vendor guarantee the service levels and reliability we need? What provisions are in place in case the vendor fails or is acquired? Is the vendor certified via the Carnegie Mellon Software Engineering Institute or other standards organizations in a way that conveys quality, trust, and reliability?

The list above is a starter. It should also be clear that these metrics are sometimes quite tough to estimate. Welcome to the challenges of being a manager! At times an environment in flux can make an executive feel like he or she is working on a surfboard, constantly being buffeted about by unexpected currents and waves. Hopefully the issues outlined in this chapter will give you the surfing skills you need for a safe ride that avoids the organizational equivalent of a wipeout.

Key Takeaways

  • The make, buy, or rent decision may apply on a case-by-case basis that might be evaluated by firm, division, project or project component. Firm and industry dynamics may change in a way that causes firms to reassess earlier decisions, or to alter the direction of new initiatives.
  • Factors that managers should consider when making a make, buy, or rent decision include the following: competitive advantage, security, legal and compliance issues, the organization’s skill and available labor, cost, time, and vendor issues.
  • Factors must be evaluated over the lifetime of a project, not at a single point in time.
  • Managers have numerous options available when determining how to satisfy the software needs of their companies: purchase packaged software from a vendor, use OSS, use SaaS or utility computing, outsource development, or develop all or part of the effort in-house.
  • If a company relies on unique processes, procedures, or technologies that create vital, differentiating, competitive advantages, the functions probably aren’t a good candidate to outsource.

Questions and Exercises

  1. What are the options available to managers when seeking to meet the software needs of their companies?
  2. What are the factors that must be considered when making the make, buy, or rent decision?
  3. What are some security-related questions that must be asked when making the make, buy, or rent decision?
  4. What are some vendor-related questions that must be asked when making the make, buy, or rent decision?
  5. What are some of the factors that must be considered when evaluating the cost of an IT decision?
  6. Why must factors be evaluated over the lifetime of a project, not at a single point in time?

Chapter 9: Understanding Software: A Primer for Managers

9.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize the importance of software and its implications for the firm and strategic decision making.
  2. Understand that software is everywhere; not just in computers, but also cell phones, cars, cameras, and many other technologies.
  3. Know what software is and be able to differentiate it from hardware.
  4. List the major classifications of software and give examples of each.

We know computing hardwareThe physical components of information technology, which can include the computer itself plus peripherals such as storage devices, input devices like the mouse and keyboard, output devices like monitors and printers, networking equipment, and so on. is getting faster and cheaper, creating all sorts of exciting and disruptive opportunities for the savvy manager. But what’s really going on inside the box? It’s softwareA computer program or a collection of programs. It is a precise set of instructions that tells hardware what to do. that makes the magic of computing happen. Without software, your PC would be a heap of silicon wrapped in wires encased in plastic and metal. But it’s the instructions—the software code—that enable a computer to do something wonderful, driving the limitless possibilities of information technology.

Software is everywhere. An inexpensive cell phone has about one million lines of code, while the average car contains nearly one hundred million.R. Charette, “Why Software Fails,” IEEE Spectrum, September 2005. In this chapter we’ll take a peek inside the chips to understand what software is. A lot of terms are associated with software: operating systems, applications, enterprise software, distributed systems, and more. We’ll define these terms up front, and put them in a managerial context. A follow-up chapter, Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”, will focus on changes impacting the software business, including open source software, software as a service (SaaS), and cloud computing. These changes are creating an environment radically different from the software industry that existed in prior decades—confronting managers with a whole new set of opportunities and challenges.

Managers who understand software can better understand the possibilities and impact of technology. They can make better decisions regarding the strategic value of IT and the potential for technology-driven savings. They can appreciate the challenges, costs, security vulnerabilities, legal and compliance issues, and limitations involved in developing and deploying technology solutions. In the next two chapters we will closely examine the software industry and discuss trends, developments and economics—all of which influence decisions managers make about products to select, firms to partner with, and firms to invest in.

What Is Software?

When we refer to computer hardware (sometimes just hardware), we’re talking about the physical components of information technology—the equipment that you can physically touch, including computers, storage devices, networking equipment, and other peripherals.

Software refers to a computer program or collection of programs—sets of instructions that tell the hardware what to do. Software gets your computer to behave like a Web browser or word processor, makes your iPod play music and video, and enables your bank’s ATM to spit out cash.

It’s when we start to talk about the categories of software that most people’s eyes glaze over. To most folks, software is a big, incomprehensible alphabet soup of acronyms and geeky phrases: OS, VB, SAP, SQL, to name just a few.

Don’t be intimidated. The basics are actually pretty easy to understand. But it’s not soup; it’s more of a layer cake. Think about computer hardware as being at the bottom of the layer cake. The next layer is the operating systemThe software that controls the computer hardware and establishes standards for developing and executing applications., the collection of programs that control the hardware. Windows, Mac OS X, and Linux are operating systems. On top of that layer are applicationsIncludes desktop applications, enterprise software, utilities, and other programs that perform specific tasks for users and organizations.—these can range from end-user programs like those in Office, to the complex set of programs that manage a business’s inventory, payroll, and accounting. At the top of the cake are users.

Figure 9.1 The Hardware/Software Layer Cake

The flexibility of these layers gives computers the customization options that managers and businesses demand. Understanding how the layers relate to each other helps you make better decisions on what options are important to your unique business needs, can influence what you buy, and may have implications for everything from competitiveness to cost overruns to security breaches. What follows is a manager’s guide to the main software categories with an emphasis on why each is important.
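For readers who would like to see the layer cake in action, the short sketch below (written in Python, though any language would do) shows application code asking the operating system to store and retrieve data, with the OS handling the hardware underneath.

```python
# The layer cake in miniature: application code (this script) asks the
# operating system, via Python's standard library, to touch the hardware.
# The same application code runs unchanged on Windows, Mac OS X, or Linux
# because each OS exposes equivalent services behind the same calls.

import os
import tempfile

# Application layer: "save the user's work" to a scratch file.
path = os.path.join(tempfile.gettempdir(), "layer_cake_demo.txt")
with open(path, "w") as f:        # OS layer: file system service
    f.write("saved by the OS\n")  # hardware layer: bytes reach the disk

with open(path) as f:             # OS layer again: read it back
    print(f.read().strip())       # prints: saved by the OS
os.remove(path)                   # OS releases the hardware resource
```

Notice that the application never names a disk, a driver, or a display—the operating system hides all of that, which is precisely the point of the middle layer of the cake.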

Key Takeaways

  • Software refers to a computer program or collection of programs. It enables computing devices to perform tasks.
  • You can think of software as being part of a layer cake, with hardware at the bottom; the operating system controlling the hardware and establishing standards, the applications executing one layer up, and the users at the top.
  • How these layers relate to one another has managerial implications in many areas, including the flexibility in meeting business demand, costs, legal issues and security.
  • Software is everywhere—not just in computers, but also in cell phones, cars, cameras, and many other technologies.

Questions and Exercises

  1. Explain the difference between hardware and software.
  2. Why should a manager care about software and how software works? What critical organizational and competitive factors can software influence?
  3. What role has software played in your decision to select certain products? Has this influenced why you favored one product or service over another?
  4. Find the Fortune 500 list online. Which firm is the highest ranked software firm? While the Fortune 500 ranks firms according to revenue, what’s this firm’s profitability rank? What does this discrepancy tell you about the economics of software development? Why is the software business so attractive to entrepreneurs?
  5. Refer to earlier chapters (and particularly to Chapter 2 “Strategy and Technology: Concepts and Frameworks for Understanding What Separates Winners from Losers”): Which resources for competitive advantage might top software firms be able to leverage to ensure their continued dominance? Give examples of firms that have leveraged these assets, and why they are so strong.

9.2 Operating Systems

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand what an operating system is and why computing devices require operating systems.
  2. Appreciate how embedded systems extend Moore’s Law, allowing firms to create “smarter” products and services

Computing hardware needs to be controlled, and that’s the role of the operating system. The operating system (sometimes called the “OS”) provides a common set of controls for managing computer hardware, making it easier for users to interact with computers and for programmers to write application software. Just about every computing device has an operating system—desktops and laptops, enterprise-class server computers, your mobile phone. Even specialty devices like iPods, video game consoles, and television set top boxes run some form of OS.

Some firms, like Apple and Nintendo, develop their own proprietary OS for their own hardware. Microsoft sells operating systems to everyone from Dell to the ATM manufacturer Diebold (listen for the familiar Windows error beep on some cash machines). And there are a host of specialty firms, such as Wind River (purchased by Intel), that help firms develop operating systems for all sorts of devices that don’t necessarily look like a PC, including cars, video editing systems, and fighter jet control panels.

Anyone who has used both a PC and a Mac and has noticed differences across these platforms can get a sense of the breadth of what an operating system does. Even for programs that are otherwise identical for these two systems (like the Firefox browser), subtle differences are visible. Screen elements like menus, scroll bars, and window borders look different on the Mac than they do in Windows. So do the dialogue boxes that show up when you print or save.

These items look and behave differently because each of these functions touches the hardware, and the team that developed Microsoft Windows created a system distinctly different from the one built by their Macintosh counterparts at Apple. User interface (UI)The mechanism through which users interact with a computing device. The UI includes elements of the graphical user interface (or GUI, pronounced “gooey”), such as windows, scroll bars, buttons, menus, and dialogue boxes; and can also include other forms of interaction, such as touch screens, motion sensing controllers, or tactile devices used by the visually impaired. items like scroll bars and menus are displayed on the hardware of the computer display. Files are saved to the hardware of a hard drive or other storage device. Most operating systems also include control panels, desktop file management, and other support programs to work directly with hardware elements like storage devices, displays, printers, and networking equipment. The Macintosh Finder and the Windows Explorer are examples of components of these operating systems. The consistent look, feel, and functionality that operating systems enforce across various programs help make it easier for users to learn new software, which reduces training costs and operator error. See Figure 9.2 for similarities and differences.

Figure 9.2

Differences between the Windows and Mac operating systems are evident throughout the user interface, particularly when a program interacts with hardware.

Operating systems are also designed to give programmers a common set of commands to consistently interact with the hardware. These commands make a programmer’s job easier by reducing program complexity and making it faster to write software while minimizing the possibility of errors in code. Consider what an OS does for the Wii game developer. Nintendo’s Wii OS provides Wii programmers with a set of common standards to use to access the Wiimote, play sounds, draw graphics, save files, and more. Without this, games would be a lot more difficult to write, would likely look less consistent, be less reliable, cost more to develop, and fewer titles would be available.

Similarly, when Apple provided developers with a common set of robust, easy-to-use standards for the iPhone and (via the App Store) an easy way for users to install these applications on top of the iPhone/iPod touch OS, software development boomed, and the iPhone became, hands down, the most versatile mobile computing device available.The iPhone and iPod touch OS is derived from Apple’s Mac OS X operating system. In Apple’s case, some fifty thousand apps became available through the App Store in less than a year. A good OS and software development platform can catalyze network effects (see Chapter 6 “Understanding Network Effects”). While the OS seems geeky, its effective design has very strategic business implications!

Figure 9.3 Operating System Market Share for Desktop, Server, and Mobile Phones

Firmware and Embedded Systems

Most personal computers have an operating system installed on their hard drives. This system allows the OS to be replaced or upgraded easily. But many smaller, special-purpose computing devices have their operating systems installed on nonvolatile memory, often on read-only memory (ROM) chips. Control programs stored on chips are sometimes referred to as firmwareSoftware stored on nonvolatile memory chips (as opposed to being stored on devices such as hard drives or removable discs). Despite the seemingly permanent nature of firmware, many products allow for firmware to be upgraded online or by connecting to another device.. The OS in an iPod, mobile phone, or your TV’s set-top box is most likely stored as firmware. Your PC also has a tiny bit of firmware that allows it to do very basic functions like start-up (boot) and begin loading its operating system from disk.

Another term you might hear is embedded systemsSpecial-purpose software designed and included inside physical products (often on firmware). Embedded systems help make devices “smarter,” sharing usage information, helping diagnose problems, indicating maintenance schedules, providing alerts, or enabling devices to take orders from other systems.. As computing gets cheaper, special-purpose technology is increasingly becoming embedded into all sorts of devices like cars, picture frames, aircraft engines, photocopiers, and heating and air conditioning systems. The software programs that make up embedded systems are often stored as firmware too.

Moore’s Law (see Chapter 5 “Moore’s Law: Fast, Cheap Computing and What It Means for the Manager”) enables embedded systems, and these systems can create real strategic value. The Otis Elevator Company, a division of United Technologies, uses embedded systems in its products to warn its service centers when the firm’s elevators, escalators, and moving walkways need maintenance or repair. This warning provides Otis with several key benefits:

  1. Since products automatically contact Otis when they need attention, these systems generate a lucrative service business for the firm and make it more difficult for third parties to offer a competing business servicing Otis products.
  2. Products contact service technicians to perform maintenance based on exact needs (e.g., lubricant is low, or a part has been used enough to be replaced) rather than guessed schedules, which makes service more cost-effective, products less likely to break down, and customers happier.
  3. Any product failures are immediately detected, with embedded systems typically dispatching technicians before a client’s phone call.
  4. The data is fed back to Otis’s R&D group, providing information on reliability and failure so that engineers can use this info to design better products.

Collectively, software embedded on tiny chips yields very big benefits, for years helping Otis remain at the top of its industry.
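As a rough illustration of the kind of logic an Otis-style embedded system might run, consider the sketch below. The sensor names and thresholds are invented, and real firmware would likely be written in a language like C, but the “phone home when service is needed” idea is the same.

```python
# Hypothetical sketch of an embedded maintenance rule: the device monitors
# its own sensors and decides when to request service. All field names and
# thresholds are invented for illustration.

def service_alerts(readings: dict) -> list:
    """Return the maintenance alerts implied by current sensor readings."""
    alerts = []
    if readings["lubricant_level"] < 0.20:  # lubricant running low
        alerts.append("schedule lubrication")
    if readings["door_cycles"] >= 100_000:  # part nearing end of life
        alerts.append("replace door rollers")
    if readings["motor_temp_c"] > 90:       # failure in progress
        alerts.append("dispatch technician now")
    return alerts

print(service_alerts({"lubricant_level": 0.15,
                      "door_cycles": 120_000,
                      "motor_temp_c": 72}))
# → ['schedule lubrication', 'replace door rollers']
```

The business value described above comes from rules like these running on the device itself: service is triggered by actual wear rather than guessed schedules, and failures are reported before a customer ever calls.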

Key Takeaways

  • The operating system (OS) controls a computer’s hardware and provides a common set of commands for writing programs.
  • Most computing devices (enterprise-class server computers, PCs, phones, set-top boxes, video games, cars, the Mars Rover) have an operating system.
  • Some products use operating systems provided by commercial firms, while others develop their own operating system. Others may leverage open source alternatives (see Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”).
  • Embedded systems are special-purpose computer systems designed to perform one or a few dedicated functions, and are frequently built into conventional products like cars, air conditioners, and elevators.
  • Embedded systems can make products and services more efficient, more reliable, more functional, and can enable entire new businesses and create or reinforce resources for competitive advantage.

Questions and Exercises

  1. What does an operating system do? Why do you need an operating system? How do operating systems make a programmer’s job easier? How do operating systems make life easier for end users?
  2. How has the market for desktop, server, and mobile operating systems changed in recent years? Do certain products seem to be gaining traction? Why do you think this is the case?
  3. What kinds of operating systems are used in the devices that you own? On your personal computer? Your mobile phone? The set-top box on top of your television? Are there other operating systems that you come into contact with? If you can’t tell which operating system is in each of these devices, see if you can search the Internet to find out.
  4. For your list in the prior question (and to the extent that you can), diagram the hardware/software “layer cake” for these devices.
  5. For this same list, do you think each device’s manufacturer wrote all of the software that you use on these devices? Can you add or modify software to all of these devices? Why or why not? What would the implications be for cost, security, complexity, reliability, updates and upgrades, and the appeal of each device?
  6. Some ATMs run Windows. Why would an ATM manufacturer choose to build its systems using Windows? Why might it want to avoid this? Are there other non-PC devices you’ve encountered that were running some form of Windows?
  7. What are embedded systems? When might firms want to install software on chips instead of on a hard drive?
  8. It’s important to understand how technology impacts a firm’s strategy and competitive environment. Consider the description of Otis Elevator’s use of embedded systems. Which parts of the value chain does this impact? How? Consider the “five forces”: How does the system impact the firm’s competitive environment? Are these systems a source of competitive advantage? If not, explain why not. If they are, what kinds of resources for competitive advantage can these kinds of embedded systems create?
  9. Can you think of other firms that can or do leverage embedded systems? Provide examples and list the kinds of benefits these might offer firms and consumers.
  10. Research the Americans with Disabilities Act of 1990 (or investigate if your nation has a similar law), and the implications of this legislation for software developers and Web site operators. Have firms been successfully sued when their software or Web sites could not be accessed by users with physical challenges? What sorts of issues should developers consider when making their products more accessible? What practices might they avoid?

9.3 Application Software

Learning Objectives

After studying this section you should be able to do the following:

  1. Appreciate the difference between desktop and enterprise software.
  2. List the categories of enterprise software.
  3. Understand what an ERP (enterprise resource planning) software package is.
  4. Recognize the relationship of the DBMS (database system) to the other enterprise software systems.
  5. Recognize both the risks and rewards of installing packaged enterprise systems.

Operating systems are designed to create a platformProducts and services that allow for the development and integration of software products and other complementary goods. Windows, the iPhone, the Wii, and the standards that allow users to create Facebook apps are all platforms. so that programmers can write additional applications, allowing the computer to do even more useful things. While operating systems control the hardware, application software (sometimes referred to as software applications, applications, or even just apps) perform the work that users and firms are directly interested in accomplishing. Think of applications as the place where the users or organization’s real work gets done. As we learned in Chapter 6 “Understanding Network Effects”, the more application software that is available for a platform (the more games for a video game console, the more apps for your phone), the more valuable it potentially becomes.

Desktop softwareApplications installed on a personal computer, typically supporting tasks performed by a single user. refers to applications installed on a personal computer—your browser, your Office suite (e.g., word processor, spreadsheet, presentation software), photo editors, and computer games are all desktop software. Enterprise softwareApplications that address the needs of multiple users throughout an organization or work group. refers to applications that address the needs of multiple, simultaneous users in an organization or work group. Most companies run various forms of enterprise software programs to keep track of their inventory, record sales, manage payments to suppliers, cut employee paychecks, and handle other functions.

Some firms write their own enterprise software from scratch, but this can be time consuming and costly. Since many firms have similar procedures for accounting, finance, inventory management, and human resource functions, it often makes sense to buy a software packageA software product offered commercially by a third party. (a software product offered commercially by a third party) to support some of these functions. So-called enterprise resource planning (ERP)A software package that integrates the many functions (accounting, finance, inventory management, human resources, etc.) of a business. software packages serve precisely this purpose. In the same way that Microsoft can sell you a suite of desktop software programs that work together, many companies sell ERP software that coordinates and integrates many of the functions of a business. The leading ERP vendors include the firms SAP and Oracle, although there are many firms that sell ERP software. A company doesn’t have to install all of the modules of an ERP suite, but it might add functions over time—for example, to plug in an accounting program that is able to read data from the firm’s previously installed inventory management system. And although a bit more of a challenge to integrate, a firm can also mix and match components, linking software the firm has written with modules purchased from different enterprise software vendors.

Figure 9.4 ERP in ActionAdapted from G. Edmondson, “Silicon Valley on the Rhine,” BusinessWeek International, November 3, 1997.

An ERP system with multiple modules installed can touch many functions of the business:

  • Sales—A sales rep from Vermont-based SnowboardCo. takes an order for five thousand boards from a French sporting goods chain. The system can verify credit history, apply discounts, calculate price (in euros), and print the order in French.
  • Inventory—While the sales rep is on the phone with his French customer, the system immediately checks product availability, signaling that one thousand boards are ready to be shipped from the firm’s Burlington warehouse; the other four thousand need to be manufactured and can be delivered in two weeks from the firm’s manufacturing facility in Guangzhou.
  • Manufacturing—When the customer confirms the order, the system notifies the Guangzhou factory to ramp up production for the model ordered.
  • Human Resources—High demand across this week’s orders triggers a notice to the Guangzhou hiring manager, notifying her that the firm’s products are a hit and that the flood of orders coming in globally means her factory will have to hire five more workers to keep up.
  • Purchasing—The system keeps track of raw material inventories, too. New orders trigger an automatic order with SnowboardCo’s suppliers, so that raw materials are on hand to meet demand.
  • Order Tracking—The French customer can log in to track her SnowboardCo order. The system shows her other products that are available, using this as an opportunity to cross-sell additional products.
  • Decision Support—Management sees the firm’s European business is booming and plans a marketing blitz for the continent, targeting board models and styles that seem to sell better for the Alps crowd than in the U.S. market.
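The sales and inventory steps above can be sketched in a few lines of Python. This is a toy illustration under stated assumptions, not real ERP code: SnowboardCo, the Burlington warehouse, and the quantities come from the example, while the function names are invented for this sketch.

```python
# Toy sketch of an ERP order flow (hypothetical; real ERP suites
# expose far richer modules and shared data models).

WAREHOUSE_STOCK = {"Burlington": 1000}  # boards currently on hand

def notify_factory(units):
    # In a full ERP, this step would also trigger purchasing (raw
    # materials) and possibly an HR hiring notice if demand spikes.
    print(f"Factory: ramp up production for {units} boards")

def place_order(quantity):
    """Check inventory, then split the order between stock and manufacturing."""
    in_stock = min(quantity, WAREHOUSE_STOCK["Burlington"])
    to_build = quantity - in_stock
    WAREHOUSE_STOCK["Burlington"] -= in_stock  # inventory module updates
    if to_build > 0:
        notify_factory(to_build)               # manufacturing module notified
    return {"ship_now": in_stock, "manufacture": to_build}

result = place_order(5000)
print(result)  # {'ship_now': 1000, 'manufacture': 4000}
```

The point of the sketch is that one order touches several "modules" through shared data, which is exactly what an integrated ERP suite automates at scale.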

Other categories of enterprise software that managers are likely to encounter include the following:

  • customer relationship management (CRM) systems, used to support customer-related sales and marketing activities
  • supply chain management (SCM) systems, which can help a firm manage aspects of its value chain, from the flow of raw materials into the firm through delivery of finished products and services at the point of consumption
  • business intelligence (BI) systems, which use data created by other systems to provide reporting and analysis for organizational decision making

Major ERP vendors are now providing products that extend into these and other categories of enterprise application software, as well.

Most enterprise software works in conjunction with a database management system (DBMS), sometimes referred to as a “database system” or simply database software. The database system stores and retrieves the data that an application creates and uses. Think of this as another layer in our cake analogy. Although the DBMS is itself considered an application, it’s often useful to think of a firm’s database systems as sitting above the operating system, but under the enterprise applications. Many ERP systems and enterprise software programs are configured to share the same database system so that an organization’s different programs can use a common, shared set of data. This arrangement can be hugely valuable for a company’s efficiency. For example, it could allow a separate set of programs that manage an inventory and point-of-sale system to update a single set of data that tells how many products a firm has to sell and how many it has already sold—information that would also be used by the firm’s accounting and finance systems to create reports showing the firm’s sales and profits.
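The shared-database idea can be sketched with Python’s built-in sqlite3 module. Here two toy “applications” (a point of sale and a finance report) read and write one common inventory table; the table, product, and function names are all invented for this sketch.

```python
import sqlite3

# One shared database; two "applications" read and write the same data.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE inventory (product TEXT PRIMARY KEY, on_hand INTEGER)")
db.execute("INSERT INTO inventory VALUES ('snowboard', 50)")

def point_of_sale_sell(product, qty):
    """The POS 'application' records a sale by updating the shared table."""
    db.execute("UPDATE inventory SET on_hand = on_hand - ? WHERE product = ?",
               (qty, product))

def finance_report(product):
    """The finance 'application' reads the very same shared data."""
    (on_hand,) = db.execute(
        "SELECT on_hand FROM inventory WHERE product = ?", (product,)).fetchone()
    return on_hand

point_of_sale_sell("snowboard", 3)
print(finance_report("snowboard"))  # 47
```

Because both functions touch one table, a sale recorded by the point-of-sale code is instantly visible to reporting, with no re-keying and no chance for the two systems’ numbers to drift apart.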

Firms that don’t have common database systems with consistent formats across their enterprise often struggle to efficiently manage their value chain. Common procedures and data formats created by packaged ERP systems and other categories of enterprise software also make it easier for firms to use software to coordinate programs between organizations. This coordination can lead to even more value chain efficiencies. Sell a product? Deduct it from your inventory. When inventory levels get too low, have your computer systems send a message to your supplier’s systems so that they can automatically build and ship replacement product to your firm. In many cases these messages are sent without any human interaction, reducing time and errors. And common database systems also facilitate the use of BI systems that provide critical operational and competitive knowledge and empower decision making. For more on CRM and BI systems, and the empowering role of data, see Chapter 11 “The Data Asset: Databases, Business Intelligence, and Competitive Advantage”.

Figure 9.5

An organization’s database management system can be set up to work with several applications both within and outside the firm.

The Rewards and Risks of Packaged Enterprise Systems

When set up properly, enterprise systems can save millions of dollars and turbocharge organizations. For example, the CIO of office equipment maker Steelcase credited the firm’s ERP with an eighty-million-dollar reduction in operating expenses saved from eliminating redundant processes and making data more usable. The CIO of Colgate-Palmolive also praised the firm’s ERP, saying, “The day we turned the switch on, we dropped two days out of our order-to-delivery cycle.”A. Robinson and D. Dilts, “OR and ERP,” ORMS Today, June 1999. Packaged enterprise systems can streamline processes, make data more usable, and ease the linking of systems with software across the firm and with key business partners. Plus, the software that makes up these systems is often debugged, tested, and documented with an industrial rigor that may be difficult to match with proprietary software developed in-house.

But for all the promise of packaged solutions for standard business functions, enterprise software installations have proven difficult. Standardizing business processes in software that others can buy means that those functions are easy for competitors to match, and the vision of a single monolithic system that delivers up wondrous efficiencies has been difficult for many to achieve. The average large company spends roughly $15 million on ERP software, with some installations running into the hundreds of millions of dollars.C. Rettig, “The Trouble with Enterprise Software,” MIT Sloan Management Review 49, no. 1 (2007): 21–27. And many of these efforts have failed disastrously.

FoxMeyer was once a six-billion-dollar drug distributor, but a failed ERP installation led to a series of losses that bankrupted the firm. The collapse was so rapid and so complete that just a year after launching the system, the carcass of what remained of the firm was sold to a rival for less than $80 million. Hershey Foods blamed a $466 million revenue shortfall on glitches in the firm’s ERP rollout. Among the problems, the botched implementation prevented the candy maker from getting product to stores during the critical period before Halloween. Nike’s first SCM and ERP implementation was labeled a “disaster”; their systems were blamed for over $100 million in lost sales.C. Koch, “Nike Rebounds: How (and Why) Nike Recovered from Its Supply Chain Disaster,” CIO, June 15, 2004. Even tech firms aren’t immune to software implementation blunders. HP once blamed a $160 million loss on problems with its ERP systems.R. Charette, “Why Software Fails,” IEEE Spectrum, September 2005. Manager beware—there are no silver bullets. For insight on the causes of massive software failures, and methods to improve the likelihood of success, see Section 9.6 “Total Cost of Ownership (TCO): Tech Costs Go Way beyond the Price Tag”.

Key Takeaways

  • Application software focuses on the work of a user or an organization.
  • Desktop applications are typically designed for a single user. Enterprise software supports multiple users in an organization or work group.
  • Popular categories of enterprise software include ERP (enterprise resource planning), SCM (supply chain management), CRM (customer relationship management), and BI (business intelligence) software, among many others.
  • These systems are used in conjunction with database management systems, programs that help firms organize, store, retrieve, and maintain data.
  • ERP and other packaged enterprise systems can be challenging and costly to implement, but can help firms create a standard set of procedures and data that can ultimately lower costs and streamline operations.
  • The more application software that is available for a platform, the more valuable that platform becomes.
  • The DBMS stores and retrieves the data used by the other enterprise applications. Different enterprise systems can be configured to share the same database system in order to share common data.
  • Firms that don’t have common database systems with consistent formats across their enterprise often struggle to efficiently manage their value chain, and often lack the flexibility to introduce new ways of doing business. Firms with common database systems and standards often benefit from increased organizational insight and decision-making capabilities.
  • Enterprise systems can cost millions of dollars in software, hardware, development, and consulting fees, and many firms have failed when attempting large-scale enterprise system integration. Simply buying a system does not guarantee its effective deployment and use.
  • When set up properly, enterprise systems can save millions of dollars and turbocharge organizations by streamlining processes, making data more usable, and easing the linking of systems with software across the firm and with key business partners.

Questions and Exercises

  1. What is the difference between desktop and enterprise software?
  2. Who are the two leading ERP vendors?
  3. List the functions of a business that might be impacted by an ERP.
  4. What do the acronyms ERP, CRM, SCM, and BI stand for? Briefly describe what each of these enterprise systems does.
  5. Where in the “layer cake” analogy does the DBMS lie?
  6. Name two companies that have realized multimillion-dollar benefits as a result of installing enterprise systems.
  7. Name two companies that have suffered multimillion-dollar disasters as a result of failed enterprise system installations.
  8. How much does the average large company spend on ERP software?

9.4 Distributed Computing

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the concept of distributed computing and its benefits.
  2. Understand the client-server model of distributed computing.
  3. Know what Web services are and the benefits that Web services bring to firms.
  4. Appreciate the importance of messaging standards and understand how sending messages between machines can speed processes, cut costs, reduce errors, and enable new ways of doing business.

When computers in different locations can communicate with one another, this is often referred to as distributed computing. Distributed computing can yield enormous efficiencies in speed, error reduction, and cost savings and can create entirely new ways of doing business. Designing systems architecture for distributed systems involves many advanced technical topics. Rather than provide an exhaustive decomposition of distributed computing, the examples that follow are meant to help managers understand the bigger ideas behind some of the terms that they are likely to encounter.

Let’s start with the term server. This is a tricky one because it’s frequently used in two ways: (1) in a hardware context a server is a computer that has been configured to support requests from other computers (e.g., Dell sells servers) and (2) in a software context a server is a program that fulfills requests (e.g., the Apache open source Web server). Most of the time, server software resides on server-class hardware, but you can also set up a PC, laptop, or other small computer to run server software, albeit less powerfully. And you can use mainframe or supercomputer-class machines as servers, too.

The World Wide Web, like many other distributed computing services, is what geeks call a client-server system. Client-server refers to two pieces of software: a client that makes a request, and a server that receives and attempts to fulfill the request. In our WWW scenario, the client is the browser (e.g., Internet Explorer, Firefox, Safari). When you type a Web site’s address into the location field of your browser, you’re telling the client to “go find the Web server software at the address provided, and tell the server to return the Web site requested.”
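The client-server exchange can be sketched with Python’s standard library. The server below is a minimal stand-in for Web server software, and the client plays the browser’s role; the reply text and the use of a randomly assigned local port are illustrative choices for this sketch.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The server program: receives a request and attempts to fulfill it.
class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"Hello from the server"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0 = pick any free port
threading.Thread(target=server.serve_forever, daemon=True).start()

# The client program: makes the request (a browser plays this role on the Web).
url = f"http://127.0.0.1:{server.server_port}/"
with urllib.request.urlopen(url) as resp:
    reply = resp.read().decode()
print(reply)  # Hello from the server
server.shutdown()
```

The two halves could just as easily run on machines in different cities; the client only needs the server’s address, which is exactly what typing a URL into a browser provides.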

It is possible to link simple scripting languages to a Web server for performing calculations, accessing databases, or customizing Web sites. But more advanced distributed environments may use a category of software called an application server. The application server (or app server) houses business logic for use (and reuse) by multiple applications in a distributed system. Individual Web services served up by the app server are programmed to perform different tasks: returning a calculation (“sales tax for your order will be $11.58”), accessing a database program (“here are the results you searched for”), or even making a request to another server in another organization (“Visa, please verify this customer’s credit card number for me”).

Figure 9.6

In this multitiered distributed system, client browsers on various machines (desktop, laptop, mobile) access the system through the Web server. The cash register doesn’t use a Web browser, so instead the cash register logic is programmed to directly access the services it needs from the app server. Web services accessed from the app server may be asked to do a variety of functions, including perform calculations, access corporate databases, or even make requests from servers at other firms (for example, to verify a customer’s credit card).

Those little chunks of code that are accessed via the application server are sometimes referred to as Web services. The World Wide Web Consortium defines Web services as software systems designed to support interoperable machine-to-machine interaction over a network.W3C, “Web Services Architecture,” W3C Working Group Note, February 11, 2004. And when computers can talk together (instead of people), this often results in fewer errors, time savings, cost reductions, and can even create whole new ways of doing business! Each Web service defines the standard method for other programs to request it to perform a task and defines the kind of response the calling client can expect back. These standards are referred to as application programming interfaces (APIs)—programming hooks, or guidelines, published by firms that tell other programs how to get a service to perform a task such as sending or receiving data.

Consider the advantages that Web services bring to a firm like Amazon. Using Web services, the firm can allow the same order entry logic to be used by Web browsers, mobile phone applications, or even by third parties who want to access Amazon product information and place orders with the firm (there’s an incentive to funnel sales to Amazon—the firm will give you a cut of any sales that you send Amazon’s way). Organizations that have created a robust set of Web services around their processes and procedures are said to have a service-oriented architecture (SOA). Organizing systems like this, with separate applications in charge of client presentation, business logic, and database, makes systems more flexible. Code can be reused, and each layer can be separately maintained, upgraded, or migrated to new hardware—all with little impact on the others.
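The reuse idea behind SOA can be sketched in a few lines of Python. This is a toy, not Amazon’s actual API: the function name, the prices, and the 6 percent tax rate are invented, and a real service would be reached over a network rather than called as a local function.

```python
# One piece of business logic, reusable by many callers (the SOA idea).
# All names and numbers here are invented for illustration.

def order_total_service(unit_price, quantity, tax_rate=0.06):
    """A stand-in 'web service' computing an order total.

    Callers never see how the total is computed; they only need the
    service's API: what to send in, and what comes back.
    """
    subtotal = unit_price * quantity
    return round(subtotal * (1 + tax_rate), 2)

# Caller 1: the firm's own Web storefront
web_total = order_total_service(193.0, 1)

# Caller 2: a third-party affiliate application using the same API
affiliate_total = order_total_service(193.0, 2)

print(web_total, affiliate_total)  # 204.58 409.16
```

Because both front ends call one service, fixing or upgrading the order logic happens in exactly one place, which is the flexibility benefit the paragraph above describes.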

Web services sound geeky, but here’s a concrete example illustrating their power. Southwest Airlines had a Web site where customers could book flights, but many customers also wanted to rent a car or book a hotel, too. To keep customers on its site, the firm and its hotel and rental car partners created a set of Web services and shared the APIs. Now customers visiting the Southwest site can book a hotel stay and rental car on the same page where they make their flight reservation. This transforms the airline’s site into a full-service travel destination and allows it to compete head-to-head with the likes of Expedia, Travelocity, and Orbitz.J. McCarthy, “The Standards Body Politic,” InfoWorld, May 17, 2002.

Think about why Web services are important from a strategic perspective. By adding hotel and rental car services, Southwest is now able to eliminate the travel agent, along with any fees they might share with the agent. This shortcut allows the firm to capture more profits or pass on savings to customers, securing its position as the first place customers go for low-cost travel. And perhaps most importantly, Southwest can capture key data from visitor travel searches and bookings (something it likely couldn’t do if customers went to a site like Expedia or Travelocity). Data is a hugely valuable asset, and this kind of customer data can be used by Southwest to send out custom e-mail messages and other marketing campaigns to bring customers back to the airline. As geeky as they might at first seem, Web services can be very strategic!

Figure 9.7 Southwest uses Web services to allow car rental and hotel firms to book services through its site, transforming the airline’s site into a full-service online travel agent.

Messaging Standards

Two additional terms you might hear within the context of distributed computing are EDI and XML. EDI (electronic data interchange) is a set of standards for exchanging messages containing formatted data between computer applications. EDI is most often used as a way to send the electronic equivalent of structured documents between different organizations. Using EDI, each element in the electronic document, like a firm name, address, or customer number, is coded so that it can be recognized by the receiving computer program. Eliminating paper documents makes businesses faster and lowers data entry and error costs. One study showed that firms that used EDI decreased their error rates by 82 percent and their cost of producing each document fell by up to 96 percent.“Petroleum Industry Continues to Explore EDI,” National Petroleum News 90, no. 12 (November 1998).

EDI is a very old standard, with roots stretching back to the 1948 Berlin Airlift. While still in use, a new generation of more flexible technologies for specifying data standards is taking its place. Chief among the technologies replacing EDI is the extensible markup language (XML), a tagging language that can be used to identify data fields made available for use by other applications. XML has lots of uses, but in the context of distributed systems, it allows software developers to create a set of standards for common data elements that, like EDI messages, can be sent between different kinds of computers, different applications, and different organizations. XML is often thought of as easier to code than EDI, and it’s more robust because it can be extended—organizations can create formats to represent any kind of data (e.g., a common part number, photos, the complaint field collected by customer support personnel). In fact, most messages sent between Web services are coded in XML (the technology is a key enabler in mashups, discussed in Chapter 7 “Peer Production, Social Media, and Web 2.0”). Many computer programs also use XML as a way to export and import data in a common format that can be used regardless of the kind of computer hardware, operating system, or application program used. And if you design Web sites, you might encounter XML as part of the coding behind the cascading style sheets (CSS) that help maintain a consistent look and feel to the various Web pages in a given site.
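Here is a small sketch of the tagging idea using Python’s built-in XML parser. The order message, its tag names, and the customer and SKU values are invented for illustration; the point is that each data field is wrapped in an identifying tag any receiving program can recognize.

```python
import xml.etree.ElementTree as ET

# A hypothetical XML order message: each field travels inside an
# identifying tag, so the receiving program knows what each value means.
message = """
<order>
  <customer id="FR-2041">Alpine Sports</customer>
  <item sku="SB-500" quantity="5000"/>
  <currency>EUR</currency>
</order>
"""

root = ET.fromstring(message)
customer = root.find("customer").text
quantity = int(root.find("item").get("quantity"))
print(customer, quantity)  # Alpine Sports 5000
```

A receiving firm’s software can pull out exactly the fields it needs by tag name, regardless of what hardware, operating system, or application produced the message.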

Rearden Commerce: A Business Built on Web Services

Web services, APIs, and open standards not only transform businesses, they can create entire new firms that change how we get things done. For a look at the mashed-up, integrated, hyperautomated possibilities that Web services make possible, check out Rearden Commerce, a Foster City, California, firm that is using this technology to become what AMR’s Chief Research Officer referred to as “Travelocity on Steroids.”

Using Rearden, firms can offer their busy employees a sort of Web-based concierge/personal assistant. Rearden offers firms a one-stop shop where employees can not only make the flight, car, and hotel bookings they might do through a travel agent, but can also book dinner reservations, sports and theatre tickets, and arrange for business services like conference calls and package shipping. Rearden doesn’t supply the goods and services it sells. Instead it acts as the middleman in these transactions. A set of open APIs to its Web services allows Rearden’s one hundred and sixty thousand suppliers to send product and service data to Rearden, and to receive booking and sales data from the site.

In this ultimate business mashup, a mobile Rearden user could use her phone to book a flight into a client city, see restaurants within a certain distance of her client’s office, have these locations pop up on a Google map, have listings accompanied by Zagat ratings and cuisine type, book restaurant reservations through Open Table, arrange for a car and driver to meet her at her client’s office at a specific time, and sync up these reservations with her firm’s corporate calendaring systems. If something unexpected comes up, like a flight delay, Rearden will be sure she gets the message. The system will keep track of any cancelled reservation credits, and also records travel reward programs, so Rearden can be used to spend those points in the future.

In order to pull off this effort, the Rearden maestros are skilled not only in technical orchestration, but also in coordinating customer and supplier requirements. As TechCrunch’s Erick Schonfeld put it, “The hard part is not only the technology—which is all about integrating an unruly mess of APIs and Web services—[it also involves] signing commercially binding service level agreements with [now over 160,000] merchants across the world.” For its efforts, Rearden gets to keep between 6 percent and 25 percent of every nontravel dollar spent, depending on the service. The firm also makes money from subscriptions and distribution deals.

The firm’s first customers were large businesses and included ConAgra, GlaxoSmithKline, and Motorola. Rearden’s customers can configure the system around special parameters unique to each firm: to favor a specific airline, benefit from a corporate discount, or to restrict some offerings for approved employees only. Rearden investors include JPMorgan Chase and American Express—both of whom offer Rearden to their employees and customers. Even before the consumer version was available, Rearden had over four thousand corporate customers and two million total users, a user base larger than that of many better-known firms.M. Arrington, “Rearden Commerce: Time for the Adults to Come In and Clean House,” TechCrunch, April 5, 2007; E. Schonfeld, “At Rearden Commerce, Addiction Is Job One,” TechCrunch, May 6, 2008; and M. Arrington, “2008: Rearden Commerce Has a Heck of a Year,” TechCrunch, January 13, 2009. For all the pizzazz, we recognize that, as a start-up, the future of Rearden Commerce remains uncertain; however, the firm’s effective use of Web services illustrates the business possibilities as technologies allow firms to connect with greater ease and efficiency.

Connectivity has made our systems more productive and enables entire new strategies and business models. But these wonderful benefits come at the price of increased risk. When systems are more interconnected, opportunities for infiltration and abuse also increase. Think of it this way—each “connection” opportunity is like adding another door to a building. The more doors that have to be defended, the more difficult security becomes. It should be no surprise that the rise of the Internet and distributed computing has led to an explosion in security losses by organizations worldwide.

Key Takeaways

  • Client-server computing is a method of distributed computing where one program (a client) makes a request to be fulfilled by another program (a server).
  • Server is a tricky term and is sometimes used to refer to hardware. While server-class hardware refers to more powerful computers designed to support multiple users, just about any PC or notebook can be configured to run server software.
  • Web servers serve up Web sites and can perform some scripting.
  • Most firms serve complex business logic from an application server.
  • Isolating a system’s logic in three or more layers (presentation or user interface, business logic, and database) can allow a firm flexibility in maintenance, reusability, and in handling upgrades.
  • Web services allow different applications to communicate with one another. APIs define the method to call a Web service (e.g., to get it to do something), and the kind of response the calling program can expect back.
  • Web services make it easier to link applications as distributed systems, and can make it easier for firms to link their systems across organizations.
  • Popular messaging standards include EDI (older) and XML. Sending messages between machines instead of physical documents can speed processes, drastically cut the cost of transactions, and reduce errors.
  • Distributed computing can yield enormous efficiencies in speed, error reduction, and cost savings and can create entirely new ways of doing business.
  • When computers can communicate with each other (instead of people), this often results in fewer errors, time savings, cost reductions, and can even create whole new ways of doing business.
  • Web services, APIs, and open standards not only transform businesses, they can create entire new firms that change how we get things done.

Questions and Exercises

  1. Differentiate the term “server” used in a hardware context, from “server” used in a software context.
  2. Describe the “client-server” model of distributed computing. Which products that you use would you classify as leveraging client-server computing?
  3. List the advantages that Web services have brought to Amazon.
  4. How has Southwest Airlines utilized Web services to its competitive advantage?
  5. What is Rearden Commerce and which technologies does it employ? Describe Rearden Commerce’s revenue model. Who were Rearden Commerce’s first customers? Who were among its first investors?
  6. What are the security risks associated with connectivity, the Internet, and distributed processing?

9.5 Writing Software

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand, at a managerial level, what programming languages are and how software is developed.
  2. Recognize that an operating system and microprocessor constrain the platform upon which most compiled application software will run.
  3. Understand what Java is and why it is significant.
  4. Know what scripting languages are.

So you’ve got a great idea that you want to express in software—how do you go about creating a program? Programmers write software in a programming language, which provides the standards, syntax, statements, and instructions for writing computer software. While each language has its strengths and weaknesses, most commercial software is written in C++ (pronounced “see plus plus”) or C# (pronounced “see sharp”). Visual Basic (from Microsoft) and Java (from Sun) are also among the more popular of the dozens of programming languages available. Web developers may favor specialty languages like Ruby and Python, while languages like SQL are used in databases.

Most professional programmers use an integrated development environment (IDE) to write their code. The IDE includes a text editor, a debugger for sleuthing out errors, and other useful programming tools. The most popular IDE for Windows is Visual Studio, while Apple offers the Xcode IDE. Most IDEs can support several different programming languages. The IDE will also compile a programmer’s code, turning the higher-level lines of instructions that are readable by humans into lower-level instructions expressed as the patterns of ones and zeros that can be understood and executed by a computer’s microprocessor.

Figure 9.8

Microsoft’s Visual Studio IDE supports desktop, server, mobile, and cloud computing software development.

Look at the side of a box of commercial software and you’re likely to see system requirements that specify the operating system and processor that the software is designed for (e.g., “this software works on computers with Windows 7 and Intel-compatible processors”). Wouldn’t it be great if software could be written once and run everywhere? That’s the idea behind Java—a programming language, initially developed by Sun Microsystems, designed to provide true platform independence (“write once, run anywhere”) for application developers. Without Java, developers have to write and compile software to execute natively on a specific operating system / microprocessor combination (e.g., Windows/Intel, Linux/PowerPC, Mac/Intel, Linux/Intel).

Java programmers don’t write code with specific operating system commands (say, for Windows, Mac OS X, or Linux); instead, they use special Java commands to control their user interface or interact with the display and other hardware. Java programs can run on any computer that has a Java Virtual Machine (JVM), a software layer that interprets Java code so that it can be understood by the operating system and processor of a given computer. Java’s platform independence—the ability for developers to “write once, run everywhere”—is its biggest selling point. Many Web sites execute Java applets to run the animation you might see in advertisements or games. Java has also been deployed on over six billion mobile phones worldwide, and is popular among enterprise programmers who want to be sure their programs can scale from smaller hardware up to high-end supercomputers. As long as the machine receiving the Java code has a JVM, then the Java application should run. However, Java has not been popular for desktop applications. Since Java isn’t optimized to take advantage of interface elements specific to the Mac or Windows, most Java desktop applications look clunky and unnatural. Java code that runs through the JVM interpreter is also slower than code compiled for the native OS and processor that make up a platform.Some offerings have attempted to overcome the speed issues associated with interpreting Java code. Just-in-time compilation stores code in native processor-executable form after each segment is initially interpreted, further helping to speed execution. Other environments allow for Java to be compiled ahead of time so that it can be directly executed by a microprocessor. However, this process eliminates code portability—Java’s key selling point. And developers preparing their code for the JVM actually precompile code into something called Java bytecode, a format that’s less human friendly but more quickly interpreted by JVM software.

Scripting languages are the final category of programming tool that we’ll cover. Scripting languages typically execute within an application. Microsoft offers a scripting language called VBScript (a derivative of Visual Basic) to automate functions in Office. And most browsers and Web servers support JavaScript, a language that helps make the Web more interactive (despite its name, JavaScript is unrelated to Java). Scripting languages are interpreted within their applications, rather than compiled to run directly by a microprocessor; each line of code is converted for execution at run time by a program called an interpreter. This makes them slower than the compiled languages behind most commercial software. But most scripting languages are easy to use, and are employed both by professional programmers and power users.
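Because Python is itself usually run as an interpreted language, it can demonstrate the idea directly: a “script” can arrive as plain text at run time and be handed straight to the interpreter, with no separate compile step. A contrived sketch (the script’s contents are invented for illustration):

```python
# A script arrives as plain text (e.g., typed by a power user to
# automate a task) and is interpreted at run time.
script = """
total = 0
for n in range(1, 6):
    total += n
"""

namespace = {}
exec(script, namespace)   # the interpreter executes the text directly
print(namespace["total"])  # 15
```

A compiled program couldn’t run new instructions like this without first being rebuilt, which is the essential trade-off between the two approaches: flexibility and ease for interpreted scripts, speed for compiled code.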

Key Takeaways

  • Programs are often written in a tool called an IDE, an application that includes an editor (a sort of programmer’s word processor), debugger, and compiler, among other tools.
  • Compiling takes code from the high-level language that humans can understand and converts it into the patterns of ones and zeros representing instructions that microprocessors understand.
  • Popular programming languages include C++, C#, Visual Basic, and Java.
  • Most software is written for a platform—a combination of an operating system and microprocessor.
  • Java is designed to be platform independent. Computers running Java have a separate layer called a Java Virtual Machine that translates (interprets) Java code so that it can be executed on an operating system/processor combination. In theory, Java is “write once, run everywhere,” as opposed to conventional applications that are written for an operating system and compiled for an OS/processor combination.
  • Java is popular on mobile phones, in enterprise computing, and for making Web sites more interactive. Java has never been a successful replacement for desktop applications, largely because user interface differences among the various operating systems are too great to be easily standardized.
  • Scripting languages are interpreted languages, such as VBScript or JavaScript. Many scripting languages execute within an application (such as the Office programs, a Web browser, or a Web server). They are usually easier to program, but are less powerful and execute more slowly than compiled languages.

Questions and Exercises

  1. List popular programming languages.
  2. What’s an IDE? Why do programmers use IDEs? Name IDEs popular for Windows and Mac users.
  3. What is the difference between a compiled programming language and an interpreted programming language?
  4. Name one advantage and one disadvantage of scripting languages.
  5. In addition to computers, on what other technology has Java been deployed? Why do you suppose Java is particularly attractive for these kinds of applications?
  6. What’s a JVM? Why do you need it?
  7. What if a programmer wrote perfect Java code, but there was a bug on the JVM installed on a given computer? What might happen?
  8. Why would developers choose to write applications in Java? Why might they skip Java and choose another programming language?
  9. Why isn’t Java popular for desktop applications?
  10. Go to the Java Web site and click “Do I have Java?” Is Java running on your computer? Which version?

9.6 Total Cost of Ownership (TCO): Tech Costs Go Way beyond the Price Tag

Learning Objectives

After studying this section you should be able to do the following:

  1. List the different cost categories that comprise total cost of ownership.
  2. Understand that once a system is implemented, the costs of maintaining and supporting the system continue.
  3. List the reasons that technology development projects fail and the measures that can be taken to increase the probability of success.

Managers should recognize that there are a whole host of costs that are associated with creating and supporting an organization’s information systems. Of course, there are programming costs for custom software as well as purchase, configuration, and licensing costs for packaged software, but there’s much, much more.

There are costs associated with design and documentation (both for programmers and for users). There are also testing costs. New programs should be tested thoroughly across the various types of hardware the firm uses, and in conjunction with existing software and systems, before being deployed throughout the organization. Any errors that aren’t caught can slow down a business or lead to costly mistakes that could ripple throughout an organization and its partners. Studies have shown that errors not caught before deployment could be one hundred times more costly to correct than if they were detected and corrected beforehand.R. Charette, “Why Software Fails,” IEEE Spectrum, September 2005.

Once a system is “turned on,” the work doesn’t end there. Firms need to constantly engage in a host of activities to support the system that may also include the following:

  • providing training and end user support
  • collecting and relaying comments for system improvements
  • auditing systems to ensure compliance (i.e., that systems operate within required legal constraints and industry and organizational obligations)
  • providing regular backup of critical data
  • planning for redundancy and disaster recovery in case of an outage
  • vigilantly managing the moving target of computer security issues

With so much to do, it’s no wonder that firms spend 70 to 80 percent of their information systems (IS) budgets just to keep their systems running.C. Rettig, “The Trouble with Enterprise Software,” MIT Sloan Management Review 49, no. 1 (2007): 21–27. The price tag and complexity of these tasks can push some managers to think of technology as a cost sink rather than a strategic resource. These costs are often collectively referred to as the total cost of ownership (TCO) of an information system: all of the costs associated with the design, development, testing, implementation, documentation, training, and maintenance of a software system. Understanding TCO is critical when making technology investment decisions. TCO is also a major driving force behind the massive tech industry changes discussed in Chapter 10 “Software in Flux: Partly Cloudy and Sometimes Free”.
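To see why ongoing costs dominate TCO, consider a back-of-the-envelope calculation. All figures below are invented for illustration: a system purchased for $500,000 that incurs $300,000 a year in support, training, and operations costs $2 million over five years, with the ongoing portion making up 75 percent of the total, squarely in the 70 to 80 percent range cited above.

```java
// A toy TCO calculation with hypothetical numbers (nothing here comes from a
// real vendor quote): the purchase price is only one slice of total cost.
public class TcoSketch {
    public static long totalCostOfOwnership(long purchasePrice, long annualSupport,
                                            long annualTraining, long annualOperations,
                                            int years) {
        // Ongoing costs recur every year the system is in service.
        return purchasePrice + (long) years * (annualSupport + annualTraining + annualOperations);
    }

    public static void main(String[] args) {
        long tco = totalCostOfOwnership(500_000, 100_000, 40_000, 160_000, 5);
        // Prints 2000000: the $500K purchase is only 25 percent of five-year TCO.
        System.out.println("Five-year TCO: $" + tco);
    }
}
```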

Why Do Technology Projects Fail?

Even though information systems represent the largest portion of capital spending at most firms, an astonishing one in three technology development projects fail to be successfully deployed.L. Dignan, “Survey: One in 3 IT Projects Fail; Management OK with It,” ZDNet, December 11, 2007. Imagine if a firm lost its investment in one out of every three land purchases, or in one of every three factories it built. These statistics are dismal! Writing in IEEE Spectrum, risk consultant Robert Charette provides a sobering assessment of the cost of software failures, stating, “The yearly tab for failed and troubled software conservatively runs somewhere from $60 to $70 billion in the United States alone. For that money, you could launch the space shuttle one hundred times, build and deploy the entire 24-satellite Global Positioning System, and develop the Boeing 777 from scratch—and still have a few billion left over.”R. Charette, “Why Software Fails,” IEEE Spectrum, September 2005.

Why such a bad track record? Sometimes technology itself is to blame, other times it’s a failure to test systems adequately, and sometimes it’s a breakdown of process and procedures used to set specifications and manage projects. In one example, the multimillion-dollar loss of NASA’s Mars Climate Orbiter was traced back to a laughably simple oversight—Lockheed Martin contractors using English measurements, while the folks at NASA used the metric system.R. Lloyd, “Metric Mishap Caused Loss of NASA Orbiter,” CNN, September 20, 1999. Yes, a $125 million taxpayer investment was lost because a bunch of rocket scientists failed to pay attention to third grade math. When it comes to the success or failure of technical projects, the devil really is in the details.
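A sketch can make the orbiter’s class of bug concrete. The method names and thrust values below are invented for illustration; the point is that a raw number carries no record of its units, so passing it between teams without converting silently corrupts the result.

```java
// Illustrative only -- not NASA's or Lockheed Martin's actual code. One team
// computes thruster impulse in pound-force-seconds; the receiving system
// expects newton-seconds. Skipping the conversion understates the impulse by
// a factor of roughly 4.45, the kind of silent error behind the orbiter loss.
public class UnitMishap {
    static final double NEWTONS_PER_POUND_FORCE = 4.448;

    // Impulse as the sending team computes it, in pound-force-seconds.
    public static double impulsePoundSeconds(double poundsForce, double seconds) {
        return poundsForce * seconds;
    }

    // The conversion the receiving system needed but never got.
    public static double toNewtonSeconds(double poundSeconds) {
        return poundSeconds * NEWTONS_PER_POUND_FORCE;
    }

    public static void main(String[] args) {
        double raw = impulsePoundSeconds(10, 2);  // 20.0 lbf-s
        double converted = toNewtonSeconds(raw);  // what the other team expected
        System.out.println(raw + " lbf-s vs " + converted + " N-s");
    }
}
```

Modern practice guards against exactly this with explicit unit types or conversion layers at every interface between teams, one of the process disciplines the failure factors below point toward.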

Projects rarely fail for just one reason. Project post-mortems often point to a combination of technical, project management, and business decision blunders. The most common factors include the following:List largely based on R. Charette, “Why Software Fails,” IEEE Spectrum, September 2005.

  • Unrealistic or unclear project goals
  • Poor project leadership and weak executive commitment
  • Inaccurate estimates of needed resources
  • Badly defined system requirements and allowing “feature creep” during development
  • Poor reporting of the project’s status
  • Poor communication among customers, developers, and users
  • Use of immature technology
  • Unmanaged risks
  • Inability to handle the project’s complexity
  • Sloppy development and testing practices
  • Poor project management
  • Stakeholder politics
  • Commercial pressures (e.g., leaving inadequate time or encouraging corner-cutting)

Managers need to understand the complexity involved in their technology investments, and that achieving success rarely lies with the strength of the technology alone.

But there is hope. Information systems organizations can work to implement procedures to improve the overall quality of their development practices. One mechanism for quality improvement is capability maturity model integration (CMMI), a process-improvement approach (useful for, but not limited to, software engineering projects) that gauges an organization’s process maturity and capability in areas critical to developing and deploying technology projects, and that provides a carefully chosen set of best practices and guidelines to assist quality and process improvement.R. Kay, “QuickStudy: Capability Maturity Model Integration (CMMI),” Computerworld, January 24, 2005; and Carnegie Mellon Software Engineering Institute, Welcome to CMMI, 2009.

Firms are also well served to leverage established project planning and software development methodologies that outline critical business processes and stages when executing large-scale software development projects. The idea behind these methodologies is straightforward: why reinvent the wheel when there is an opportunity to learn from and follow blueprints used by those who have executed successful efforts? When methodologies are applied to projects that are framed with clear business goals and business metrics, and that engage committed executive leadership, success rates can improve dramatically.A. Shenhar and D. Dvir, Reinventing Project Management: The Diamond Approach to Successful Growth and Innovation (Boston: Harvard Business School Press, 2007).

While software development methodologies are the topic of more advanced technology courses, the savvy manager knows enough to inquire about the development methodologies and quality programs used to support large-scale development projects, and can use these investigations as further input when evaluating whether those overseeing large-scale efforts have what it takes to get the job done.

Key Takeaways

  • The care and feeding of information systems can be complex and expensive. The total cost of ownership of systems can include software development and documentation, or the purchase price and ongoing license and support fees, plus configuration, testing, deployment, maintenance, support, training, compliance auditing, security, backup, and provisions for disaster recovery. These costs are collectively referred to as TCO, or a system’s total cost of ownership.
  • Information systems development projects fail at a startlingly high rate. Failure reasons can stem from any combination of technical, process, and managerial decisions.
  • IS organizations can leverage software development methodologies to improve their systems development procedures, and firms can strive to improve the overall level of procedures used in the organization through models like CMMI. However, it’s also critical to engage committed executive leadership in projects, and to frame projects using business metrics and outcomes to improve the chance of success.
  • System errors that aren’t caught before deployment can slow down a business or lead to costly mistakes that could ripple throughout an organization. Studies have shown that errors not caught before deployment could be 100 times more costly to correct than if they were detected and corrected beforehand.
  • Firms spend 70 to 80 percent of their IS budgets just to keep their systems running.
  • One in three technology development projects fail to be successfully deployed.
  • IS organizations can employ project planning and software development methodologies to implement procedures to improve the overall quality of their development practices.

Questions and Exercises

  1. List the types of total ownership costs associated with creating and supporting an organization’s information systems.
  2. On average, what percent of firms’ IS budgets is spent to keep their systems running?
  3. What are the possible effects of not detecting and fixing major system errors before deployment?
  4. List some of the reasons for the failure of technology development projects.
  5. What is the estimated yearly cost of failed technology development projects?
  6. What was the reason attributed to the loss of NASA’s Mars Climate Orbiter?
  7. What is capability maturity model integration (CMMI) and how is it used to improve the overall quality of a firm’s development practices?
  8. Perform an Internet search for “IBM Rational Portfolio Manager.” How might IBM’s Rational Portfolio Manager software help companies realize more benefit from their IT systems development project expenditures? What competing versions of this product are offered by other organizations?

Chapter 8: Facebook: Building a Business from the Social Graph

8.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Be familiar with Facebook’s origins and rapid rise.
  2. Understand how Facebook’s rapid rise has impacted the firm’s ability to raise venture funding and its founder’s ability to maintain a controlling interest in the firm.

Here’s how much of a Web 2.0 guy Mark Zuckerberg is: during the weeks he spent working on Facebook as a Harvard sophomore, he didn’t have time to study for a course he was taking, “Art in the Time of Augustus,” so he built a Web site containing all of the artwork in class and pinged his classmates to contribute to a communal study guide. Within hours, the wisdom of crowds produced a sort of custom CliffsNotes for the course, and after reviewing the Web-based crib sheet, he aced the test. Turns out he didn’t need to take that exam, anyway. Zuck (that’s what the cool kids call him)For an insider account of Silicon Valley Web 2.0 start-ups, see Sarah Lacy, Once You’re Lucky, Twice You’re Good: The Rebirth of Silicon Valley and the Rise of Web 2.0. (New York: Gotham Books, 2008). dropped out of Harvard later that year.

Zuckerberg is known both as a shy, geeky introvert who eschews parties and as a brash Silicon Valley bad boy. After Facebook’s incorporation, Zuckerberg’s job description was listed as “Founder, Master and Commander [and] Enemy of the State.”T. McGinn, “Online Facebooks Duel over Tangled Web of Authorship,” Harvard Crimson, May 28, 2004. An early business card read “I’m CEO…Bitch.”C. Hoffman, “The Battle for Facebook,” Rolling Stone, June 26, 2008, 9. And let’s not forget that Facebook came out of drunken experiments in his dorm room, one of which was a system for comparing classmates to farm animals (Zuckerberg, threatened with expulsion, later apologized). For one meeting with Sequoia Capital, the venerable Menlo Park venture capital firm that backed Google and YouTube, Zuckerberg showed up in his pajamas.C. Hoffman, “The Battle for Facebook,” Rolling Stone, June 26, 2008.

By the age of twenty-three, Mark Zuckerberg had graced the cover of Newsweek, been profiled on 60 Minutes, and was discussed in the tech world with a reverence previously reserved only for Steve Jobs and the Google guys, Sergey Brin and Larry Page. But Mark Zuckerberg’s star rose much faster than those of any of his predecessors. Just two weeks after Facebook launched, the firm had four thousand users. Ten months later it was up to one million. The growth continued, and the business world took notice. In 2006, Viacom (parent of MTV) saw that its core demographic was spending a ton of time on Facebook and offered to buy the firm for three quarters of a billion dollars. Zuckerberg passed.S. Rosenbush, “Facebook’s on the Block,” BusinessWeek, March 28, 2006. Yahoo! twice offered up a cool billion. Zuck passed both times.

As growth skyrocketed, Facebook built on its stranglehold on the college market (over 85 percent of four-year college students are Facebook members), opening up first to high schoolers, then to everyone. Web hipsters started selling shirts emblazoned with “I Facebooked your Mom!” Even Microsoft wanted some of Facebook’s magic. In 2006, Microsoft temporarily locked up the right to broker all banner ad sales that run on the U.S. version of Facebook, guaranteeing Zuckerberg’s firm $100 million a year through 2011. In 2007, Microsoft came back, buying 1.6 percent of the firm for $240 million.While Microsoft had cut deals to run banner ads worldwide, Facebook dropped banner ads for poor performance in early 2010; see C. McCarthy, “More Social, Please: Facebook Nixes Banner Ads,” CNET, February 5, 2010.

The investment was a shocker. Do the math and a 1.6 percent stake for $240 million values Facebook at $15 billion (more on that later). That meant that a firm that at the time had only five hundred employees, $150 million in revenues, and was helmed by a twenty-three-year-old college dropout in his first “real job,” was more valuable than General Motors. Rupert Murdoch, whose News Corporation owns rival MySpace, engaged in a little trash talk, referring to Facebook as “the flavor of the month.”B. Morrissey, “Murdoch: Facebook Is ‘Flavor of the Month,’” Media Week, June 20, 2008.

Watch your back, Rupert. Or on second thought, watch Zuckerberg’s. By spring 2009, Facebook had more than twice MySpace’s monthly unique visitors worldwide;E. Schonfeld, “Dear Owen, Good Luck with That,” TechCrunch, April 24, 2009. by June, Facebook surpassed MySpace in the United States;“Facebook Dethrones MySpace in the U.S.,” Los Angeles Times, June 16, 2009. by July, Facebook was cash-flow positive (meaning its revenues could cover its operating costs); and by February 2010 (when Facebook turned six), the firm had over four hundred million users, more than doubling in size in less than a year.D. Gage, “Facebook Claims 250 Million Users,” InformationWeek, July 16, 2009. Murdoch, the media titan who stood atop an empire that includes the Wall Street Journal and Fox, had been outmaneuvered by “the kid.”

Why Study Facebook?

Looking at the “flavor of the month” and trying to distinguish the reality from the hype is a critical managerial skill. In Facebook’s case, there are a lot of folks with a vested interest in figuring out where the firm is headed. If you want to work there, are you signing on to a firm where your stock options and 401k contributions are going to be worth something or worthless? If you’re an investor and Facebook goes public (selling stock to the public for the first time, in what’s formally called an initial public stock offering, or IPO), should you short the firm or increase your holdings? (Short selling is an attempt to profit from a falling stock price: short sellers sell shares they don’t own with an obligation of later repayment, hoping to repay the share debt with shares purchased at a lower price and pocket the spread between the initial share price and the repayment price.) Would you invest in or avoid firms that rely on Facebook’s business? Should your firm rush to partner with the firm? Would you extend the firm credit? Offer it better terms to secure its growing business, or worse terms because you think it’s a risky bet? Is this firm the next Google (underestimated at first, and now wildly profitable and influential), the next GeoCities (Yahoo! paid $3 billion for it—no one goes to the site today), or the next Skype (deeply impactful with over half a billion accounts worldwide, but not much of a profit generator)? The jury is still out on all this, but let’s look at the fundamentals with an eye to applying what we’ve learned. No one has a crystal ball, but we do have some key concepts that can guide our analysis. There are a lot of broadly applicable managerial lessons that can be gleaned by examining Facebook’s successes and missteps. Studying the firm provides a context for examining network effects, platforms, partnerships, issues in the rollout of new technologies, privacy, ad models, and more.

Zuckerberg Rules!

Many entrepreneurs accept start-up capital from venture capitalists (VCs), investor groups that provide funding in exchange for a stake in the firm and, often, a degree of managerial control (usually in the form of one or more voting seats on the firm’s board of directors, the group assigned to govern, advise, and provide oversight for the firm, and whose many responsibilities typically include hiring and firing the CEO). Typically, the earlier a firm accepts VC money, the more control these investors can exert (earlier investments are riskier, so VCs can demand more favorable terms). VCs usually have deep entrepreneurial experience and a wealth of contacts, and can often offer important guidance and advice, but strong investor groups can oust a firm’s founder and other executives if they’re dissatisfied with the firm’s performance.

At Facebook, however, Zuckerberg owns an estimated 20 percent to 30 percent of the company, and controls three of five seats on the firm’s board of directors. That means that he’s virtually guaranteed to remain in control of the firm, regardless of what investors say. Maintaining this kind of control is unusual in a start-up, and his influence is a testament to the speed with which Facebook expanded. By the time Zuckerberg reached out to VCs, his firm was so hot that he could call the shots, giving up surprisingly little in exchange for their money.

Key Takeaways

  • Facebook was founded by a nineteen-year-old college sophomore and eventual dropout.
  • It is currently the largest social network in the world, boasting more than four hundred million members and usage rates that would be the envy of most media companies. The firm is now larger than MySpace in both the United States and worldwide.
  • The firm’s rapid rise is the result of network effects and the speed of its adoption placed its founder in a particularly strong position when negotiating with venture firms. As a result, Facebook founder Mark Zuckerberg retains significant influence over the firm.
  • While revenue prospects remain sketchy, some reports have valued the firm at $15 billion, based largely on an extrapolation of a Microsoft stake.

Questions and Exercises

  1. Who started Facebook? How old was he then? Now? How much control does the founding CEO have over his firm? Why?
  2. Which firms have tried to acquire Facebook? Why? What were their motivations and why did Facebook seem attractive? Do you think these bids are justified? Do you think the firm should have accepted any of the buyout offers? Why or why not?
  3. As of late 2007, Facebook boasted an extremely high “valuation.” How much was Facebook allegedly “worth”? What was this calculation based on?
  4. Why study Facebook? Who cares if it succeeds?

8.2 What’s the Big Deal?

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize that Facebook’s power is allowing it to encroach on and envelop other Internet businesses.
  2. Understand the concept of the “dark Web” and why some feel this may one day give Facebook a source of advantage vis-à-vis Google.
  3. Understand the basics of Facebook’s infrastructure, and the costs required to power the effort.

The prior era’s Internet golden boy, Netscape founder Marc Andreessen, has said that Facebook is “an amazing achievement, one of the most significant milestones in the technology industry.”F. Vogelstein, “How Mark Zuckerberg Turned Facebook into the Web’s Hottest Platform,” Wired, September 6, 2007. While still in his twenties, Andreessen founded Netscape, eventually selling it to AOL for over $4 billion. His second firm, Opsware, was sold to HP for $1.6 billion. He joined Facebook’s Board of Directors within months of making this comment. Why is Facebook considered such a big deal?

First there’s the growth: between December 2008 and 2009, Facebook was adding between six hundred thousand and a million users a day. It was as if every twenty-four hours, a group as big or bigger than the entire city of Boston filed into Facebook’s servers to set up new accounts. Roughly half of Facebook users visit the site every single day,D. Gage, “Facebook Claims 250 Million Users,” InformationWeek, July 16, 2009. with the majority spending fifty-five minutes or more getting their daily Facebook fix.“Facebook Facts and Figures (History and Statistics),” Website Monitoring Blog, March 17, 2010. And it seems that Mom really is on Facebook (Dad, too); users thirty-five years and older account for more than half of Facebook’s daily visitors and its fastest growing population.J. Hagel and J. S. Brown, “Life on the Edge: Learning from Facebook,” BusinessWeek, April 2, 2008; and D. Gage, “Facebook Claims 250 Million Users,” InformationWeek, July 16, 2009.

Then there’s what these users are doing on the site: Facebook isn’t just a collection of personal home pages and a place to declare your allegiance to your friends. The integrated set of Facebook services encroaches on a wide swath of established Internet businesses. Facebook has become the first-choice messaging and chat service for this generation. E-mail is for your professors, but Facebook is for friends. In photos, Google, Yahoo! and MySpace all spent millions to acquire photo sharing tools (Picasa, Flickr, and Photobucket, respectively). But Facebook is now the biggest photo-sharing site on the Web, taking in some three billion photos each month.“Facebook Facts and Figures (History and Statistics),” Website Monitoring Blog, March 17, 2010. And watch out, YouTube. Facebookers share eight million videos each month. YouTube will get you famous, but Facebook is where most go to share clips meant only for friends.F. Vogelstein, “Mark Zuckerberg: The Wired Interview,” Wired, June 29, 2009.

Facebook is a kingmaker, opinion catalyst, and traffic driver. While in the prior decade news stories would carry a notice saying, “Copyright, do not distribute without permission,” major news outlets today, including the New York Times, display Facebook icons alongside every copyrighted story, encouraging users to “share” the content on their profile pages via Facebook’s “Like” button, scattering it all over the Web. Like digital photos, video, and instant messaging, link sharing is Facebook’s sharp elbow to the competition. Suddenly, Facebook gets space on the page alongside sharing services that showed up first.

Facebook Office? Facebook rolled out a document collaboration and sharing service in partnership with Microsoft. Facebook is also hard at work on its own e-mail system,H. Blodget, “Facebook’s Plan To Build a Real Email System and Attack Gmail Is Brilliant,” Business Insider, February 5, 2010. music service,J. Kincaid, “What Is This Mysterious Facebook Music App?” TechCrunch, February 2, 2010. and payments mechanism.R. Maher, “Facebook’s New Payment System Off to Great Start, Could Boost Revenue by $250 Million in 2010,” TBI Research, February 1, 2010. Look out, Gmail, Hotmail, Pandora, iTunes, PayPal, and Yahoo!—you may all be in Facebook’s path!

As for search, Facebook’s got designs on that, too. Google and Bing index some Facebook content, but since much of Facebook is private, accessible only among friends, this represents a massive blind spot for Google search. Sites that can’t be indexed by Google and other search engines are referred to as the dark Web. While Facebook’s partnership with Microsoft currently provides the site’s Web search results, Facebook has announced its intention to offer its own search engine with real-time access to up-to-the-minute results from status updates, links, and other information made available to you by your friends. If Facebook can tie together standard Internet search with its dark Web content, this just might be enough for some to break the Google habit.

And Facebook is political—in big, regime-threatening ways. The site is considered such a powerful tool in the activist’s toolbox that China, Iran, and Syria are among nations that have, at times, attempted to block Facebook access within their borders. Egyptians have used the site to protest for democracy. Saudi women have used it to lobby for driving privileges. ABC News cosponsored U.S. presidential debates with Facebook. And Facebook cofounder Chris Hughes was even recruited by the Obama campaign to create a social media site considered vital in the 2008 U.S. presidential victory.D. Talbot, “How Obama Really Did It,” Technology Review, September/October 2008; and E. McGirt, “How Chris Hughes Helped Launch Facebook and the Barack Obama Campaign,” Fast Company, March 17, 2009.

So What’s It Take to Run This Thing?

The Facebook cloud (the big group of connected servers that power the site, available for access over the Internet) is scattered across multiple facilities, including server farms in San Francisco, Santa Clara, and northern Virginia.A. Zeichick, “How Facebook Works,” Technology Review, July/August 2008. The innards that make up the bulk of the system aren’t that different from what you’d find on a high-end commodity workstation: standard hard drives and eight-core Intel processors, just a whole lot of them lashed together through networking and software.

Much of what powers the site is open source software (OSS), software that is free and whose code can be accessed and potentially modified by anyone. A good portion of the code is in PHP (a scripting language particularly well suited for Web site development), while the databases are in MySQL (a popular open source database). Facebook also developed Cassandra, a non-SQL database project for large-scale systems that the firm has since turned over to the open source Apache Software Foundation. The cache that holds Facebook’s frequently accessed objects lives in chip-based RAM instead of on slower hard drives and is managed via an open source product called Memcache.

Other code components are written in a variety of languages, including C++, Java, Python, and Ruby, with access between these components managed by a code layer the firm calls Thrift (developed at Facebook and also turned over to the Apache Software Foundation). Facebook also developed its own media serving solution, called Haystack. Haystack coughs up photos 50 percent faster than more expensive, proprietary solutions, and since it’s done in-house, it saves Facebook the fees that other online outlets pay to third-party content delivery networks (CDNs), systems distributed throughout the Internet that improve the delivery (and hence loading) speed of Web pages and other media by spreading access across multiple sites located closer to users (Akamai, the largest CDN, helps firms like CNN and MTV quickly deliver photos, video, and other media worldwide). Facebook receives some fifty million requests per second,S. Gaudin, “Facebook Rolls Out Storage System to Wrangle Massive Photo Stores,” Computerworld, April 1, 2009. yet 95 percent of data queries can be served from a huge, distributed server cache that lives in over fifteen terabytes of RAM (objects like video and photos are stored on hard drives).A. Zeichick, “How Facebook Works,” Technology Review, July/August 2008.
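The RAM-cache pattern described above can be sketched in a few lines. This is a toy “cache-aside” lookup, assuming nothing about Facebook’s actual code: frequently requested objects are served from fast in-memory storage (as with Memcache’s RAM-based store), and only cache misses fall through to the slower backing database.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Illustrative cache-aside sketch; class and method names are our own.
public class ObjectCache {
    private final Map<String, String> ram = new HashMap<>(); // stands in for a RAM cache
    private int hits = 0, misses = 0;

    // Look in the fast RAM cache first; only on a miss do we run the slow
    // database lookup, then store the result so the next request is a hit.
    public String get(String key, Function<String, String> database) {
        String cached = ram.get(key);
        if (cached != null) { hits++; return cached; }  // served from RAM
        misses++;
        String fresh = database.apply(key);             // slow path: hit the DB
        ram.put(key, fresh);                            // populate for next time
        return fresh;
    }

    public int hits() { return hits; }
    public int misses() { return misses; }
}
```

When most requests repeat (popular profiles, photos, status updates), nearly all reads are absorbed by RAM, which is how a 95 percent cache-hit rate keeps a crushing request load off the databases.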

Hot stuff (literally), but it’s not enough. The firm raised several hundred million dollars more in the months following the fall 2007 Microsoft deal, focused largely on expanding the firm’s server network to keep up with the crush of growth. The one hundred million dollars raised in May 2008 was “used entirely for servers.”S. Ante, “Facebook: Friends with Money,” BusinessWeek, May 9, 2008. Facebook will be buying them by the thousands for years to come. And it’ll pay a pretty penny to keep things humming. Estimates suggest the firm spends $1 million a month on electricity, another half million a month on telecommunications bandwidthTransmission rate, typically expressed as the number of bits per second that can be transmitted by a particular telecommunications mechanism., and at least fifteen million dollars a year in office and data center rental payments.M. Arrington, “Facebook Completes Rollout of Haystack to Stem Losses from Massive Photo Uploads,” TechCrunch, April 6, 2009.

Key Takeaways

  • Facebook’s position as the digital center of its members’ online social lives has allowed the firm to envelop related businesses such as photo and video sharing, messaging, bookmarking, and link sharing. Facebook has opportunities to expand into other areas as well.
  • Much of the site’s content is in the dark Web, unable to be indexed by Google or other search engines. Some suggest this may create an opportunity for Facebook to challenge Google in search.
  • Facebook can be a vital tool for organizers—presenting itself as both opportunity and threat to those in power, and an empowering medium for those seeking to bring about change.
  • Facebook’s growth requires a continued and massive infrastructure investment. The site is powered largely on commodity hardware, open source software, and proprietary code tailored to the specific needs of the service.

Questions and Exercises

  1. What is Facebook? How do people use the site? What do they “do” on Facebook?
  2. What markets has Facebook entered? What factors have allowed the firm to gain share in these markets at the expense of established firms? In what ways does it enjoy advantages that a traditional new entrant in such markets would not?
  3. What is the “dark Web” and why is it potentially an asset to Facebook? Why is Google threatened by Facebook’s dark Web? What firms might consider an investment in the firm, if it provided access to this asset? Do you think the dark Web is enough to draw users to a Facebook search product over Google? Why or why not?
  4. As Facebook grows, what kinds of investments continue to be necessary? What are the trends in these costs over time? Do you think Facebook should wait in making these investments? Why or why not?
  5. Investments in servers and other capital expenses typically must be depreciated over time. What does this imply about how the firm’s profitability is calculated?
  6. How have media attitudes toward their copyrighted content changed over the past decade? Why is Facebook a potentially significant partner for firms like the New York Times? What does the Times stand to gain by encouraging “sharing” its content? What do newspapers and other sites really mean when they encourage “sharing”? What actually is being passed back and forth? Do you think this ultimately helps or undermines the Times and other newspaper and magazine sites? Why?

8.3 The Social Graph

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the concept of feeds, why users rebelled against Facebook feeds, and why users eventually embraced this feature.
  2. Recognize the two strategic resources that are most critical to Facebook’s competitive advantage and why Facebook was able to create these resources while MySpace has fallen short.
  3. Appreciate that while Facebook’s technology can be easily copied, the barriers facing any new entrant are extraordinarily high, and the likelihood that a firm will win significant share from Facebook by doing the same thing is remote.

At the heart of Facebook’s appeal is a concept Zuckerberg calls the social graphThe global mapping of users and organizations, and how they are connected., which refers to Facebook’s ability to collect, express, and leverage the connections between the site’s users, or as some describe it, “the global mapping of everyone and how they’re related.”A. Iskold, “Social Graph: Concepts and Issues,” ReadWriteWeb, September 12, 2007. Think of all the stuff that’s on Facebook as a node or endpoint that’s connected to other stuff. You’re connected to other users (your friends), photos about you are tagged, comments you’ve posted carry your name, you’re a member of groups, you’re connected to applications you’ve installed—Facebook links them all.A. Zeichick, “How Facebook Works,” Technology Review, July/August 2008.

While MySpace and Facebook are often mentioned in the same sentence, from their founding these sites were conceived differently. It goes beyond the fact that Facebook, with its neat, ordered user profiles, looks like a planned community compared to the garish, Vegas-like free-for-all of MySpace. MySpace was founded by musicians seeking to reach out to unknown users and make them fans. It’s no wonder the firm, with its proximity to Los Angeles and ownership by News Corporation, is viewed as more of a media company. It has cut deals to run network television shows on its site, and has even established a record label. It’s also important to note that from the start anyone could create a MySpace identity, and this open nature meant that you couldn’t always trust what you saw. The site was rife with bogus profiles; even News Corporation’s Rupert Murdoch has had to contend with the dozens of bogus Ruperts who have popped up on the service!L. Petrecca, “If You See These CEOs on MySpace…,” USA Today, September 25, 2006.

Facebook, however, was established in the relatively safe cocoon of American undergraduate life, and was conceived as a place where you could reinforce contacts among those who, for the most part, you already knew. The site was one of the first social networks where users actually identified themselves using their real names. If you wanted to establish that you worked for a certain firm or were a student of a particular university, you had to verify that you were legitimate via an e-mail address issued by that organization. It was this “realness” that became Facebook’s distinguishing feature—bringing along with it a degree of safety and comfort that enabled Facebook to become a true social utility and build out a solid social graph consisting of verified relationships. Since “friending” (which is a link between nodes in the social graph) required both users to approve the relationship, the network fostered an incredible amount of trust. Today, many Facebook users post their cell phone numbers and their birthdays, offer personal photos, and otherwise share information they’d never do outside their circle of friends. Because of trust, Facebook’s social graph is stronger than MySpace’s.

There is also a strong network effectAlso known as Metcalfe’s Law, or network externalities. When the value of a product or service increases as its number of users expands. to Facebook (see Chapter 6 “Understanding Network Effects”). People are attracted to the service because others they care about are more likely to be there than anywhere else online. Without the network effect Facebook wouldn’t exist. And it’s because of the network effect that another smart kid in a dorm can’t rip off Zuckerberg in any market where Facebook is the biggest fish. Even an exact copy of Facebook would be a virtual ghost town with no social graph (see Note 8.23 “It’s Not the Technology” below).

The switching costsThe cost a consumer incurs when moving from one product to another. It can involve actual money spent (e.g., buying a new product) as well as investments in time, any data loss, and so forth. for Facebook are also extremely powerful. A move to another service means recreating your entire social graph. The more time you spend on the service, the more you’ve invested in your graph and the less likely you are to move to a rival.

It’s Not the Technology

Does your firm have Facebook envy? KickApps, an eighty-person start-up in Manhattan, will give you the technology to power your own social network. All KickApps wants is a cut of the ads placed around your content. In its first two years, the site has provided the infrastructure for twenty thousand “mini Facebooks,” registering three hundred million page views a month.B. Urstadt, “The Business of Social Networks,” Technology Review, July/August 2008. NPR, ABC, AutoByTel, Harley-Davidson, and Kraft all use the service (social networks for Cheez Whiz?).

There’s also Ning, which has enabled users to create over 2.3 million mini networks organized around all sorts of topics as diverse as church groups, radio personalities, vegans, diabetes sufferers, and networks limited to just family members.

Or how about the offering from Agriya Infoway, based in Chennai, India? The firm will sell you Kootali, a software package that lets developers replicate Facebook’s design and features, complete with friend networks, photos, and mini-feeds. They haven’t stolen any code, but they have copied the company’s look and feel. Those with Zuckerberg ambitions can shell out the four hundred bucks for Kootali. Several copycat sites have done just that—and gone nowhere.

Mini networks that extend the conversation (NPR) or make it easier to find other rabidly loyal product fans (Harley-Davidson) may hold a niche for some firms. And Ning is a neat way for specialized groups to quickly form in a secure environment that’s all their own (it’s just us, no “creepy friends” from the other networks). While every market has a place for its niches, none of these will grow to compete with the dominant social networks. The value isn’t in the technology; it’s in what the technology has created over time. For Facebook, it’s a huge user base that (for now at least) is not going anywhere else.

Key Takeaways

  • The social graph expresses the connections between individuals and organizations.
  • Trust created through user verification and friend approval requiring both parties to consent encouraged Facebook users to share more and helped the firm establish a stronger social graph than MySpace or other social networking rivals.
  • Facebook’s key resources for competitive advantage are network effects and switching costs. These resources make it extremely difficult for copycat firms to steal market share from Facebook.

Questions and Exercises

  1. Which is bigger, Facebook or MySpace? How are these firms different? Why would a person or organization be attracted to one service over another?
  2. What is the social graph? Why is Facebook’s social graph considered to be stronger than the social graph available to MySpace users?
  3. In terms of features and utility, how are Facebook and MySpace similar? How are they different? Why would a user choose to go to one site instead of another? Are you a member of either of these sites? Both? Why? Do you feel that they are respectively pursuing lucrative markets? Why or why not? If given the opportunity, would you invest in either firm? Why or why not?
  4. If you were a marketer, which firm would you target for an online advertising campaign—Facebook or MySpace? Why?
  5. Does Facebook have to worry about copycat firms from the United States? In overseas markets? Why or why not? If Facebook has a source (or sources) of competitive advantage, explain these. If it has no advantage, discuss why.

8.4 Facebook Feeds—Ebola for Data Flows

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the concept of feeds, why users rebelled, and why users eventually embraced this feature.
  2. Recognize the role of feeds in viral promotions, catalyzing innovation, and supporting rapid organizing.

While the authenticity and trust offered by Facebook were critical, offering News Feeds concentrated and released value from the social graph. With feeds, each time a user performs an activity on Facebook—makes a friend, uploads a picture, joins a group—the feed blasts this information to all of that user’s friends in a reverse chronological list that shows up right when they next log on. An individual user’s activities are also listed within a mini feed that shows up on their profile. Get a new job, move to a new city, read a great article, have a pithy quote—post it to Facebook—the feed picks it up, and the world of your Facebook friends will get an update.

Feeds are perhaps the linchpin of Facebook’s ability to strengthen and deliver user value from the social graph, but for a brief period of time it looked like feeds would kill the company. News Feeds were launched on September 5, 2006, just as many of the nation’s undergrads were arriving on campus. Feeds reflecting any Facebook activity (including changes to relationship status) became a sort of gossip page splashed right when your friends logged in. To many, feeds were first seen as a viral blast of digital nosiness—a release of information they hadn’t consented to distribute widely.

And in a remarkable irony, user disgust over the News Feed ambush offered a whip-crack demonstration of the power and speed of the feed virus. Protest groups formed, and every student who, for example, joined a group named Students Against Facebook News Feed, had this fact blasted to their friends (along with a quick link where friends, too, could click to join the group). Hundreds of thousands of users mobilized against the firm in just twenty-four hours. It looked like Zuckerberg’s creation had turned on him, Frankenstein style.

The first official Facebook blog post on the controversy came off as a bit condescending (never a good tone to use when your customers feel that you’ve wronged them). “Calm down. Breathe. We hear you,” wrote Zuckerberg on the evening of September 5. The next post, three days after the News Feed launch, was much more contrite (“We really messed this one up,” he wrote). In the 484-word open letter, Zuckerberg apologized for the surprise, explaining how users could opt out of feeds. The tactic worked, and the controversy blew over.F. Vogelstein, “How Mark Zuckerberg Turned Facebook into the Web’s Hottest Platform,” Wired, September 6, 2007. The ability to stop personal information from flowing into the feed stream was just enough to stifle critics, and as it turns out, a lot of people really liked the feeds and found them useful. It soon became clear that if you wanted to use the Web to keep track of your social life and contacts, Facebook was the place to be. Not only did feeds not push users away, by the start of the next semester subscribers had nearly doubled!

Key Takeaways

  • Facebook feeds foster the viral spread of information and activity.
  • Feeds were initially unwanted by many Facebook users. Feeds themselves helped fuel online protests against the feed feature.
  • Today feeds are considered one of the most vital, value-adding features to Facebook and other social networking sites.
  • Users often misperceive technology and have difficulty recognizing an effort’s value (as well as its risks). They have every right to be concerned and protective of their privacy. It is the responsibility of firms to engage users on new initiatives and to protect user privacy. Failure to do so risks backlash.

Questions and Exercises

  1. What is the “linchpin” of Facebook’s ability to strengthen and deliver user value from the social graph?
  2. How did users first react to feeds? What could Facebook have done to better manage the launch?
  3. How do you feel about Facebook feeds? Have you ever been disturbed by information about you or someone else that has appeared in the feed? Did this prompt action? Why or why not?
  4. Visit Facebook and experiment with privacy settings. What kinds of control do you have over feeds and data sharing? Is this enough to set your mind at ease? Did you know these settings existed before being prompted to investigate features?
  5. What other Web sites are leveraging features that mimic Facebook feeds? Do you think these efforts are successful or not? Why?

8.5 Facebook as a Platform

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand how Facebook created a platform and the potential value this offers the firm.
  2. Recognize that running a platform also presents a host of challenges to the platform operator.

In May 2007, Facebook followed News Feeds with another initiative that set it head and shoulders above its competition. At the firm’s first f8 (pronounced “fate”) Developers Conference, Mark Zuckerberg stood on stage and announced that he was opening up the screen real estate on Facebook to other application developers. Facebook published a set of application programming interfaces (APIs)Programming hooks, or guidelines, published by firms that tell other programs how to get a service to perform a task such as send or receive data. For example, an e-commerce firm might provide APIs to let developers write their own applications and Web sites that can send the firm orders. that specified how programs could be written to run within and interact with Facebook. Now any programmer could write an application that would run inside a user’s profile. Geeks of the world, Facebook’s user base could be yours! Just write something good.
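To make the idea of an API concrete, the sketch below assembles a request the way a third-party app might call a platform API. The method name, keys, and parameters here are invented for illustration; this is not Facebook's actual API.

```python
# Hypothetical illustration of a platform API request. The method name,
# keys, and parameters are invented; this is not Facebook's real API.

import json

def build_api_request(method, params, api_key):
    """Bundle an API call the way a third-party app might send it."""
    return json.dumps({"method": method, "api_key": api_key, "params": params})

# A made-up call asking the platform for a user's friend list.
request = build_api_request("friends.get", {"user_id": 12345}, api_key="demo")
print(request)
```

The value of publishing such an interface is that any outside developer can now write software that plugs into the platform without seeing, or needing to see, the platform's internal code.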

Developers could charge for their wares, offer them for free, and even run ads. And Facebook let developers keep what they made (Facebook does share revenue with app vendors for some services, such as the Facebook Credits payment service, mentioned later). This was a key distinction; MySpace initially restricted developer revenue on the few products designed to run on its site, at times even blocking some applications. The choice was clear, and developers flocked to Facebook.

To promote the new apps, Facebook would run an Applications area on the site where users could browse offerings. Even better, News Feed was a viral injection that spread the word each time an application was installed. Your best friend just put up a slide show app? Maybe you’ll check it out, too. The predictions of $1 billion in social network ad spending were geek catnip, and legions of programmers came calling. Apps could be cobbled together on the quick, feeds made them spread like wildfire, and the early movers offered adoption rates never before seen by small groups of software developers. People began speaking of the Facebook Economy. Facebook was considered a platform. Some compared it to the next Windows, Zuckerberg the next Gates (hey, they both dropped out of Harvard, right?).

And each application potentially added more value and features to the site without Facebook lifting a finger. The initial event launched with sixty-five developer partners and eighty-five applications. There were some missteps along the way. Some applications were accused of spamming friends with invites to install them. There were also security concerns and apps that violated the intellectual property of other firms (see the “Scrabulous” sidebar below), but Facebook worked to quickly remove errant apps, improve the system, and encourage developers. Just one year in, Facebook had marshaled the efforts of some four hundred thousand developers and entrepreneurs, twenty-four thousand applications had been built for the platform, 140 new apps were being added each day, and 95 percent of Facebook members had installed at least one Facebook application. As Sarah Lacy, author of Once You’re Lucky, Twice You’re Good, put it, “with one masterstroke, Zuck had mobilized all of Silicon Valley to innovate for him.”

With feeds to spread the word, Facebook was starting to look like the first place to go to launch an online innovation. Skip the Web, bring it to Zuckerberg’s site first. Consider iLike: within the first three months, the firm saw installs of its Facebook app explode to seven million, more than doubling the number of users the firm was able to attract through the Web site it introduced the previous year. iLike became so cool that by September, platinum rocker KT Tunstall was debuting tracks through the Facebook service. A programmer named Mark Pincus wrote a Texas hold ’em game at his kitchen table.J. Guynn, “A Software Industry @ Facebook,” Los Angeles Times, September 10, 2007. Today his social gaming firm, Zynga, is a powerhouse—a profitable firm with over three dozen apps, over 230 million users,D. MacMillan, “Zynga Enlarges Its War Chest,” BusinessWeek, December 17, 2009. and more than $600 million in annual revenue.M. Learmonth and A. Klaasen, “Facebook Apps Will Make More Money Than Facebook in 2009,” Silicon Alley Insider, May 18, 2009. Some of Zynga’s revenues come from apps that run on MySpace or other networks, too. Also see N. Carlson, “The Profitable, $100 Million-a-Year Startup You’ve Never Heard Of,” Business Insider, July 27, 2009; and N. Carlson and K. Angelova, “Chart of the Day: FarmVille-Maker Zynga’s Revenues Reach $600 Million, Fueled by Social Obligations,” April 26, 2010. Zynga games include Mafia Wars, Vampires, and the wildly successful FarmVille, which boasts some twenty times the number of actual farms in the United States. App firm Slide (started by PayPal cofounder Max Levchin) scored investments from Legg Mason, and Fidelity pegged the firm’s value at $500 million.J. Hempel and M. Copeland, “Are These Widgets Worth Half a Billion?” Fortune, March 25, 2008. Playfish, the U.K. social gaming firm behind the Facebook hits Pet Society and Restaurant City, was snapped up by Electronic Arts for $300 million, with another $100 million due if the unit hits performance targets. Lee Lorenzen, founder of Altura Ventures, an investment firm exclusively targeting firms creating Facebook apps, said, “Facebook is God’s gift to developers. Never has the path from a good idea to millions of users been shorter.”J. Guynn, “A Software Industry @ Facebook,” Los Angeles Times, September 10, 2007.

I Majored in Facebook

Once Facebook became a platform, Stanford professor BJ Fogg thought it would be a great environment for a programming class. In ten weeks his seventy-three students built a series of applications that collectively received over sixteen million installs. By the final week of class, several applications developed by students, including KissMe, Send Hotness, and Perfect Match, had received millions of users, and class apps collectively generated more than half a million dollars in ad revenue. At least three companies were formed from the course.

But legitimate questions remain. Are Facebook apps really a big deal? Just how important will apps be to adding sustained value within Facebook? And how will firms leverage the Facebook framework to extract their own value? A chart from FlowingData showed the top category, Just for Fun, was larger than the next four categories combined. That suggests that a lot of applications are faddish time wasters. Yes, there is experimentation beyond virtual Zombie Bites. Visa has created a small business network on Facebook (Facebook had some eighty thousand small businesses online at the time of Visa’s launch). Educational software firm Blackboard offered an application that will post data to Facebook pages as soon as there are updates to someone’s Blackboard account (new courses, whether assignments or grades have been posted, etc.). We’re still a long way from Facebook as a Windows rival, but the platform helped push Facebook to number one, and it continues to deliver quirky fun (and then some) supplied by thousands of developers who aren’t on its payroll.

Scrabulous

Rajat and Jayant Agarwalla, two brothers in Kolkata, India, who run a modest software development company, decided to write a Scrabble clone as a Facebook application. The app, named Scrabulous, was social—users could invite friends to play, or they could search for new players looking for an opponent. Their application was a smash, snagging three million registered users and seven hundred thousand players a day after just a few months. Scrabulous was featured in PC World’s 100 best products of 2008, received coverage in the New York Times, Newsweek, and Wired, and was pulling in about twenty-five thousand dollars a month from online advertising. Way to go, little guys!H. Timmons, “Online Scrabble Craze Leaves Game Sellers at Loss for Words,” New York Times, March 2, 2008.

There was only one problem: the Agarwalla brothers didn’t have the legal rights to Scrabble, and it was apparent to anyone that, from the name to the tiles to the scoring, this was a direct rip-off of the well-known board game. Hasbro owns the copyright to Scrabble in the United States and Canada; Mattel owns it everywhere else. Thousands of fans joined Facebook groups with names like “Save Scrabulous” and “Please God, I Have So Little: Don’t Take Scrabulous, Too.” Users in some protest groups pledged never to buy Hasbro games if Scrabulous was stopped. Even if the firms wanted to succumb to pressure and let the Agarwalla brothers continue, they couldn’t. Both Electronic Arts and RealNetworks had already contracted with the rights holders to create online versions of the game.

While the Facebook Scrabulous app is long gone, the tale shows just one of the challenges of creating a platform. In addition to copyright violations, app makers have crafted apps that annoy, raise privacy and security concerns, purvey pornography, or otherwise step over the boundaries of good taste. Firms from Facebook to Apple (through its iTunes Store) have struggled to find the right mix of monitoring, protection, and approval while avoiding cries of censorship.

Key Takeaways

  • Facebook’s platform allows the firm to further leverage the network effect. Developers creating applications create complementary benefits that have the potential to add value to Facebook beyond what the firm itself provides to its users.
  • There is no revenue-sharing mandate among platform partners—whatever an application makes can be kept by its developers (although Facebook does provide some services via revenue sharing, such as Facebook Credits).
  • Most Facebook applications are focused on entertainment. The true, durable, long-term value of Facebook’s platform remains to be seen.
  • Despite this, some estimates claim Facebook platform developers earned more than Facebook itself in 2009.
  • Running a platform can be challenging. Copyright, security, appropriateness, free speech tensions, efforts that tarnish platform operator brands, privacy, and the potential for competition with partners, all can make platform management more complex than simply creating a set of standards and releasing this to the public.

Questions and Exercises

  1. Why did more developers prefer to write apps for Facebook than for MySpace?
  2. What competitive asset does the application platform initiative help Facebook strengthen? For example, how do apps make Facebook stronger when compared to rivals?
  3. What’s Scrabulous? Did the developers make money? What happened to the firm and why?
  4. Have you used Facebook apps? Which are your favorites? What makes them successful?
  5. Leverage your experience or conduct additional research—are there developers who you feel have abused the Facebook app network? Why? What is Facebook’s responsibility (if any) to control such abuse?
  6. How do most app developers make money? Have you ever helped a Facebook app developer earn money? How or why not?
  7. How do Facebook app revenue opportunities differ from those leveraged by a large portion of iTunes Store apps?

8.6 Advertising and Social Networks: A Work in Progress

Learning Objectives

After studying this section you should be able to do the following:

  1. Describe the differences in the Facebook and Google ad models.
  2. Explain the Hunt versus Hike metaphor, contrast the relative success of ad performance on search compared to social networks, and understand the factors behind the latter’s struggles.
  3. Recognize how firms are leveraging social networks for brand and product engagement, be able to provide examples of successful efforts, and give reasons why such engagement is difficult to achieve.

If Facebook is going to continue to give away its services for free, it needs to make money somehow. Right now the bulk of revenue comes from advertising. Fortunately for the firm, online advertising is hot. For years, online advertising has been the only major media category that has seen an increase in spending (see Chapter 14 “Google: Search, Online Advertising, and Beyond”). Firms spend more on online advertising than they do on radio and magazine ads, and the Internet will soon beat out spending on cable TV.M. Sweeney, “Internet Ad Spending Will Overtake Television in 2009,” Guardian, May 19, 2008; and T. Wayne, “A Milestone for Internet Ad Revenue,” New York Times, April 25, 2010. But not all Internet advertising is created equal. And there are signs that social networking sites are struggling to find the right ad model.

Google cofounder Sergey Brin summed up this frustration, saying, “I don’t think we have the killer best way to advertise and monetize social networks yet.” Brin added that social networking ad inventory as a whole was proving problematic and that the “monetization work we were doing [in social media] didn’t pan out as well as we had hoped.”“Everywhere and Nowhere,” Economist, March 19, 2008. When Google ad partner Fox Interactive Media (the News Corporation division that contains MySpace) announced that revenue would fall $100 million short of projections, News Corporation’s stock tumbled 5 percent, analysts downgraded the company, and the firm’s chief revenue officer was dismissed.B. Stelter, “MySpace Might Have Friends, but It Wants Ad Money,” New York Times, June 16, 2008.

Why aren’t social networks having the success of Google and other sites? Problems advertising on these sites include content adjacencyConcern that an advertisement will run near offensive material, embarrassing an advertiser and/or degrading their products or brands. and user attention. The content adjacency problem refers to concern over where a firm’s advertisements will run. Consider all of the questionable titles in social networking news groups. Do advertisers really want their ads running alongside conversations that are racy, offensive, illegal, or that may even mock their products? This potential juxtaposition is a major problem with any site offering ads adjacent to free-form social media. Summing up industry wariness, one P&G manager said, “What in heaven’s name made you think you could monetize the real estate in which somebody is breaking up with their girlfriend?”B. Stone, “Facebook Aims to Extend Its Reach across Web,” New York Times, December 1, 2008. An IDC report suggests that it’s because of content adjacency that “brand advertisers largely consider user-generated content as low-quality, brand-unsafe inventory” for running ads.R. Stross, “Advertisers Face Hurdles on Social Networking Sites,” New York Times, December 14, 2008.

Now let’s look at the user attention problem.

Attention Challenges: The Hunt Versus The Hike

In terms of revenue model, Facebook is radically different from Google and the hot-growth category of search advertising. Users of Google and other search sites are on a hunt—a task-oriented expedition to collect information that will drive a specific action. Search users want to learn something, buy something, research a problem, or get a question answered. To the extent that the hunt overlaps with ads, it works. Just searched on a medical term? Google will show you an ad from a drug company. Looking for a toy? You’ll see Google ads from eBay sellers and other online shops. Type in a vacation destination and you get a long list of ads from travel providers aggressively courting your spending. Even better, Google only charges text advertisers when a user clicks through. No clicks? The ad runs at no cost to the firm. From a return on investment perspective, this is extraordinarily efficient. How often do users click on Google ads? Enough for this to be the single most profitable activity of any Internet firm. In 2009, Google revenue totaled nearly $24 billion. Profits exceeded $6.5 billion, almost all of this from pay-per-click ads (see Chapter 14 “Google: Search, Online Advertising, and Beyond” for more details).
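The pay-per-click arithmetic behind those profits is simple: the advertiser pays only when a user clicks, so no clicks means no cost. A quick sketch, with all numbers hypothetical:

```python
# Illustrative pay-per-click economics. The advertiser pays only when a
# user clicks through; all of the figures below are hypothetical.

impressions = 100_000
click_through_rate = 0.02  # assumed rate, in the ballpark of search ads
cost_per_click = 0.50      # assumed advertiser bid, in dollars

clicks = impressions * click_through_rate
advertiser_cost = clicks * cost_per_click
print(f"{clicks:.0f} clicks cost the advertiser ${advertiser_cost:.2f}")
```

Because every dollar spent maps to an actual click by an interested user, advertisers can measure return on investment far more precisely than with broadcast media.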

While users go to Google to hunt, they go to Facebook as if they were going on a hike—they have a rough idea of what they’ll encounter, but they’re there to explore and look around, enjoy the sights (or site). They’ve usually allocated time for fun and they don’t want to leave the terrain when they’re having conversations, looking at photos or videos, and checking out updates from friends.

These usage patterns are reflected in click-through rates. Google users click on ads around 2 percent of the time (and at a much higher rate when searching for product information). At Facebook, click-throughs are about 0.04 percent.B. Urstadt, “The Business of Social Networks,” Technology Review, July/August 2008. Rates quoted in this piece seem high, but a large discrepancy between site rates holds across reported data.
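
To get a feel for the scale of that gap, consider a back-of-the-envelope sketch. The click-through rates below are the approximate figures cited above; the impression count is purely an illustrative assumption:

```python
# Back-of-the-envelope comparison of expected ad clicks at the
# approximate click-through rates cited in the text. The impression
# count is a hypothetical, illustrative figure.

def expected_clicks(impressions, click_through_rate):
    """Expected number of ad clicks for a given number of impressions."""
    return round(impressions * click_through_rate)

impressions = 1_000_000   # hypothetical number of ads served
google_ctr = 0.02         # ~2 percent on search ads
facebook_ctr = 0.0004     # ~0.04 percent on social network ads

print(expected_clicks(impressions, google_ctr))    # 20000
print(expected_clicks(impressions, facebook_ctr))  # 400
```

At these rates, a million ad views yield roughly fifty times as many clicks on search as on the social network—a difference that compounds directly into pay-per-click revenue.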

Most banner ads don’t charge per click but rather by CPM (cost per thousand impressions, the M representing the Roman numeral for one thousand); an impression is counted each time an ad is served to a user for viewing. But Facebook banner ads performed so poorly that the firm pulled them in early 2010.C. McCarthy, “More Social, Please: Facebook Nixes Banner Ads,” CNET, February 5, 2010. Lookery, a one-time ad network that bought ad space on Facebook in bulk, had been reselling inventory at a CPM of 7.5 cents (note that Facebook does offer advertisers pay-per-click as well as impression-based, or CPM, options). Even Facebook ads with a bit of targeting weren’t garnering much (Facebook’s Social Ads, which allow advertisers to target users according to location and age, have a floor price of fifteen cents CPM).B. Urstadt, “The Business of Social Networks,” Technology Review, July/August 2008; J. Hempel, “Finding Cracks in Facebook,” Fortune, May 13, 2008; and E. Schonfeld, “Are Facebook Ads Going to Zero? Lookery Lowers Its Guarantee to 7.5-Cent CPMs,” TechCrunch, July 22, 2008. Other social networks also suffered. In 2008, MySpace lowered its banner ad rate from $3.25 CPM to less than two dollars. By contrast, information and news-oriented sites do much better, particularly if these sites draw in a valuable and highly targeted audience. The social networking blog Mashable has CPM rates ranging between seven and thirty-three dollars. Technology Review magazine boasts a CPM of seventy dollars. TechTarget, a Web publisher focusing on technology professionals, has been able to command CPM rates of one hundred dollars and above (an ad inventory that valuable helped the firm go public in 2007).
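
The CPM arithmetic is simple but the spread in rates is dramatic. The sketch below uses the approximate CPM figures cited above; the impression count is an illustrative assumption:

```python
# Publisher revenue under the CPM model: advertisers pay a fixed rate
# per thousand impressions. CPM rates are the approximate figures
# cited in the text; the impression count is hypothetical.

def cpm_revenue(impressions, cpm):
    """Publisher revenue (in dollars) for a given impression count and CPM."""
    return round(impressions / 1000 * cpm, 2)

impressions = 1_000_000  # hypothetical ad impressions served

for site, cpm in [
    ("Facebook inventory (via Lookery)", 0.075),
    ("MySpace (after 2008 rate cut)", 2.00),
    ("Technology Review", 70.00),
    ("TechTarget", 100.00),
]:
    print(f"{site}: ${cpm_revenue(impressions, cpm):,.2f}")
```

The same million impressions that earn about $75 at the 7.5-cent Facebook resale rate would earn $100,000 at TechTarget’s $100 CPM—a thousandfold difference driven entirely by how valuable and targeted the audience is.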

Getting Creative with Promotions: Does It Work?

Facebook and other social networks are still learning what works. Ad inventory displayed on high-traffic home pages has garnered big bucks for firms like Yahoo! With Facebook offering advertisers greater audience reach than most network television programs, there’s little reason to suggest that chunks of this business won’t eventually flow to the social networks. But even more interesting is how Facebook and widget sites have begun to experiment with relatively new forms of advertising. Many feel that Facebook has a unique opportunity to get consumers to engage with their brand, and some initial experiments point to where this may be heading.

Many firms have been leveraging so-called engagement ads (a promotion technique popular with social media that attempts to get consumers to interact with an ad, then shares that action with friends) by making their products part of the Facebook fun. Using an engagement ad, a firm can set up a promotion where a user can do things such as “Like” or become a fan of a brand, RSVP to an event and invite others, watch and comment on a video and see what friends have to say, send a “virtual gift” with a personal message, or answer a question in a poll. The viral nature of Facebook allows actions to flow back into the news feed and spread among friends.

COO Sheryl Sandberg discussed Ben & Jerry’s promotion for the ice cream chain’s free cone day event. To promote the upcoming event, Ben & Jerry’s initially contracted to make two hundred and fifty thousand “gift cones” available to Facebook users; clicking a little icon would gift a virtual cone to a friend, and the cone would show up in the friend’s profile. Within a couple of hours, customers had sent all two hundred and fifty thousand virtual cones. Delighted, Ben & Jerry’s bought another two hundred and fifty thousand cones. Within eleven hours, half a million people had sent cones, many making plans with Facebook friends to attend the real free cone day. The day of the Facebook promotion, Ben & Jerry’s Web site registered fifty-three million impressions, as users searched for store locations and wrote about their favorite flavors.Q. Hardy, “Facebook Thinks Outside Boxes,” Forbes, May 28, 2008. The campaign dovetailed with everything Facebook was good at: it was viral, generating enthusiasm for a promotional event and even prompting scheduling.

In other promotions, Honda gave away three quarters of a million hearts during a Valentine’s Day promo,S. Sandberg, “Sheryl Sandberg on Facebook’s Future,” BusinessWeek, April 8, 2009. and the Dr. Pepper Snapple Group offered two hundred and fifty thousand virtual Sunkist sodas, which earned the firm one hundred thirty million brand impressions in twenty-two hours. Says Sunkist’s brand manager, “A Super Bowl ad, if you compare it, would have generated somewhere between six to seven million.”E. Wong, “Ben & Jerry’s, Sunkist, Indy Jones Unwrap Facebook’s ‘Gift of Gab,’” Brandweek, June 1, 2008.

Facebook, Help Get Me a Job!

The papers are filled with stories about employers scouring Facebook for dirt on potential hires. But one creative job seeker turned the tables and used Facebook to make it easier for firms to find him. Recent MBA graduate Eric Barker, a talented former screenwriter with experience in the film and gaming industry, bought ads promoting himself on Facebook, setting them up to run only on the screens of users identified as coming from firms he’d like to work for. In this way, someone Facebook identified as being from Microsoft would see an ad from Eric declaring “I Want to Be at Microsoft” along with an offer to click and learn more. The cost to run the ads was usually less than $5 a day. Said Barker, “I could control my bid price and set a cap on my daily spend. Starbucks put a bigger dent in my wallet than promoting myself online.” The ads got tens of thousands of impressions, hundreds of clicks, and dozens of people called offering assistance. Today, Eric Barker is gainfully employed at a “dream job” in the video game industry.Eric is a former student of mine. His story has been covered by many publications, including J. Zappe, “MBA Grad Seeks Job with Microsoft; Posts Ad on Facebook,” May 27, 2009; G. Sentementes, “‘Hire Me’ Nation: Using the Web & Social Media to Get a Job,” Baltimore Sun, July 15, 2009; and E. Liebert, Facebook Fairytales (New York: Skyhorse, 2010).

Figure 8.1

Eric Barker used Facebook to advertise himself to prospective employers.

Of course, even with this business, Facebook may find that it competes with widget makers. Unlike Apple’s App Store (where much of developer-earned revenue comes from selling apps), the vast majority of Facebook apps are free and supported by ads. That means Facebook and its app providers are both competing for the same finite pot of advertising dollars. Slide’s Facebook apps have attracted top-tier advertisers, such as Coke and Paramount Pictures—a group Facebook regularly courts as well. By some estimates, in 2009, Facebook app developers took in well over half a billion dollars—exceeding Facebook’s own haul.M. Learmonth and A. Klaasen, “Facebook Apps Will Make More Money Than Facebook in 2009,” Silicon Alley Insider, May 18, 2009. And there’s controversy. Zynga was skewered in the press when some of its partners were accused of scamming users into signing up for subscriptions or installing unwanted software in exchange for game credits (Zynga has since taken steps to screen partners and improve transparency).M. Arrington, “Zynga Takes Steps to Remove Scams from Games,” TechCrunch, November 2, 2009.

While these efforts might be innovative, are they even effective? Some of these programs are considered successes; others, not so much. Jupiter Research surveyed marketers trying to create a viral impact online and found that only about 15 percent of these efforts actually caught on with consumers.M. Cowan, “Marketers Struggle to Get Social,” Reuters, June 19, 2008. While the Ben & Jerry’s gift cones were used up quickly, a visit to Facebook in the weeks after this campaign saw CareerBuilder, Wide Eye Caffeinated Spirits, and Coors Light icons lingering days after their first appearance. Brands seeking to deploy their own applications in Facebook have also struggled. New Media Age reported that applications rolled out by top brands such as MTV, Warner Bros., and Woolworths were found to have as few as five daily users. Congestion may be setting in for all but the most innovative applications, as standing out in a crowd of over 550,000 applications becomes increasingly difficult.Facebook Press Room, Statistics, April 29, 2010.

Consumer products giant P&G has been relentlessly experimenting with leveraging social networks for brand engagement, but the results show what a tough slog this can be. The firm did garner fourteen thousand Facebook “fans” for its Crest Whitestrips product, but those fans were earned while giving away free movie tickets and other promos. The New York Times quipped that with those kinds of incentives, “a hemorrhoid cream” could have attracted a similar group of “fans.” When the giveaways stopped, thousands promptly “unfanned” Whitestrips. Results for Procter & Gamble’s “2X Ultra Tide” fan page were also pretty grim. P&G tried offbeat appeals for customer-brand bonding, including asking Facebookers to post “their favorite places to enjoy stain-making moments.” But a check eleven months after launch turned up just eighteen submissions, two from P&G, two from staffers at spoof news site The Onion, and a bunch of short posts such as “Tidealicious!”R. Stross, “Advertisers Face Hurdles on Social Networking Sites,” New York Times, December 14, 2008.

Efforts around engagement opportunities like events (Ben & Jerry’s) or products consumers are anxious to identify themselves with (a band or a movie) may have more success than trying to promote consumer goods that otherwise offer little allegiance, but efforts are so new that metrics are scarce, impact is tough to gauge, and best practices are still unclear.


Key Takeaways

  • Content adjacency and user attention problems make social networking ads less attractive than ads running alongside search results and professionally produced content.
  • Google enjoys significantly higher click-through rates than Facebook.
  • Display ads are often billed by impression (CPM). Social networks also command lower CPM rates than many other, more targeted Web sites.
  • Social networking has been difficult to monetize, as users are online to engage friends, not to hunt for products or be drawn away by clicks.
  • Many firms have begun to experiment with engagement ads. While there have been some successes, engagement campaigns often haven’t yielded significant results.

Questions and Exercises

  1. How are most display ads billed? What acronym is used to describe pricing of most display ads?
  2. How are most text ads billed?
  3. Contrast Facebook and Google click-through rates. Contrast Facebook CPMs with CPMs at professional content sites. Why the discrepancy?
  4. What is the content adjacency problem? Search for examples of firms that have experienced embarrassment due to content adjacency—describe them, why they occurred, and whether site operators could have done something to reduce the likelihood these issues would occur.
  5. What kinds of Web sites are most susceptible to content adjacency? Are news sites? Why or why not? What sorts of technical features might act as breeding grounds for content adjacency problems?
  6. If a firm removed user content because it was offensive to an advertiser, what kinds of problems might this create? When (if ever) should a firm remove or take down user content?
  7. How are firms attempting to leverage social networks for brand and product engagement?
  8. What are the challenges that social networking sites face when trying to woo advertisers?
  9. Describe an innovative marketing campaign that has leveraged Facebook or other social networking sites. What factors made this campaign work? Are all firms likely to have this sort of success? Why or why not?
  10. Have advertisers ever targeted you when displaying ads on Facebook? How were you targeted? What did you think of the effort?

8.7 Privacy Peril: Beacon and the TOS Debacle

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the difference between opt-in and opt-out efforts.
  2. Recognize how user issues and procedural implementation can derail even well-intentioned information systems efforts.
  3. Recognize the risks in being a pioneer associated with new media efforts, and understand how missteps led to Facebook and its partners being embarrassed (and in some cases sued) by Beacon’s design and rollout issues.

Conventional advertising may grow into a great business for Facebook, but the firm was clearly sitting on something that was unconventional compared to prior generations of Web services. Could the energy and viral nature of social networks be harnessed to offer truly useful consumer information to its users? Word of mouth is considered the most persuasive (and valuable) form of marketing,V. Kumar, J. Andrew Petersen, and Robert Leone, “How Valuable Is Word of Mouth?” Harvard Business Review 85, no. 10 (October 2007): 139–46. and Facebook was a giant word of mouth machine. What if the firm worked with vendors and grabbed consumer activity at the point of purchase to put into the News Feed and post to a user’s profile? If you rented a video, bought a cool product, or dropped something in your wish list, your buddies could get a heads-up and they might ask you about it. The person being asked feels like an expert, the person with the question gets a frank opinion, and the vendor providing the data just might get another sale. It looked like a home run.

This effort, named Beacon, was announced in November 2007. Some forty e-commerce sites signed up, including Blockbuster, Fandango, eBay, Travelocity, Zappos, and the New York Times. Zuckerberg was so confident of the effort that he stood before a group of Madison Avenue ad executives and declared that Beacon would represent a “once-in-a-hundred-years” fundamental change in the way media works.

As with the launch of news feeds, user reaction was swift and brutal. The commercial activity of Facebook users began showing up without their consent. The biggest problem with Beacon was that it was “opt-out” instead of “opt-in.” Facebook (and its partners) assumed users would agree to sharing data in their feeds. A pop-up box did appear briefly on most sites supporting Beacon, but it disappeared after a few seconds.E. Nakashima, “Feeling Betrayed, Facebook Users Force Site to Honor Their Privacy,” Washington Post, November 30, 2007. Many users, blind to these sorts of alerts, either clicked through or ignored the warnings. And well…there are some purchases you might not want to broadcast to the world.

“Facebook Ruins Christmas for Everyone!” screamed one headline. Another, from U.S. News and World Report, read “How Facebook Stole Christmas.” The Washington Post ran the story of Sean Lane, a twenty-eight-year-old tech support worker from Waltham, Massachusetts, who got a message from his wife just two hours after he bought a ring on Overstock. “Who is this ring for?” she wanted to know. Facebook had not only posted a feed that her husband had bought the ring, but also that he got it for a 51 percent discount! Overstock quickly announced that it was halting participation in Beacon until Facebook changed its practice to opt in.E. Nakashima, “Feeling Betrayed, Facebook Users Force Site to Honor Their Privacy,” Washington Post, November 30, 2007. started a Facebook group and online petition protesting Beacon. The Center for Digital Democracy and the U.S. Public Interest Research Group asked the Federal Trade Commission to investigate Facebook’s advertising programs. And a Dallas woman sued Blockbuster for violating the Video Privacy Protection Act (a 1988 U.S. law prohibiting unauthorized disclosure of video store rental records).

To Facebook’s credit, the firm acted swiftly. Beacon was switched to an opt-in system, where user consent must be given before partner data is sent to the feed. Zuckerberg would later say regarding Beacon: “We’ve made a lot of mistakes building this feature, but we’ve made even more with how we’ve handled them. We simply did a bad job with this release, and I apologize for it.”C. McCarthy, “Facebook’s Zuckerberg: ‘We Simply Did a Bad Job’ Handling Beacon,” CNET, December 5, 2007. Beacon was eventually shut down and $9.5 million was donated to various privacy groups as part of its legal settlement.J. Brodkin, “Facebook Shuts Down Beacon Program, Donates $9.5 Million to Settle Lawsuit,” NetworkWorld, December 8, 2009. Despite the Beacon fiasco, new users continued to flock to the site, and loyal users stuck with Zuck. Perhaps a bigger problem was that many of those forty A-list e-commerce sites that took a gamble with Facebook now had their names associated with a privacy screw-up that made headlines worldwide. A manager so burned isn’t likely to sign up first for the next round of experimentation.

From the Prada example in Chapter 3 “Zara: Fast Fashion from Savvy Systems” we learned that savvy managers look beyond technology and consider complete information systems—not just the hardware and software of technology but also the interactions among the data, people, and procedures that make up (and are impacted by) information systems. Beacon’s failure is a cautionary tale of what can go wrong if a firm fails to broadly consider the impact and implications of an information system on all those it can touch. Technology’s reach is often farther, wider, and more significant than we originally expect.

Reputation Damage and Increased Scrutiny—The Facebook TOS Debacle

Facebook also suffered damage to its reputation, brand, and credibility, further reinforcing perceptions that the company acts brazenly, without considering user needs, and plays fast and loose with privacy and user notification. Facebook worked through the feeds outrage, eventually convincing users of the benefits of feeds. But Beacon was a fiasco. And now users, the media, and watchdogs were on the alert.

When the firm modified its terms of service (TOS) policy in Spring 2009, the uproar was immediate. As a cover story in New York magazine summed it up, Facebook’s new TOS appeared to state, “We can do anything we want with your content, forever,” even if a user deletes their account and leaves the service.V. Grigoriadis, “Do You Own Facebook? Or Does Facebook Own You?” New York, April 5, 2009. Yet another privacy backlash!

Activists organized, the press crafted juicy, attention-grabbing headlines, and the firm was forced once again to backtrack. But here’s where others can learn from Facebook’s missteps and response. The firm was contrite and reached out to explain and engage users. The old TOS were reinstated, and the firm posted a proposed new version that gave the firm broad latitude in leveraging user content without claiming ownership. And the firm renounced the right to use this content if a user closed their Facebook account. This new TOS was offered in a way that solicited user comments, and it was submitted to a community vote, considered binding if 30 percent of Facebook users participated. Zuckerberg’s move appeared to have turned Facebook into a democracy and helped empower users to determine the firm’s next step.

Despite the uproar, only about 1 percent of Facebook users eventually voted on the measure, but the 74 percent to 26 percent ruling in favor of the change gave Facebook some cover to move forward.J. Smith, “Facebook TOS Voting Concludes, Users Vote for New Revised Documents,” Inside Facebook, April 23, 2009. This event also demonstrates that a tempest can be generated by a relatively small number of passionate users. Firms ignore the vocal and influential at their own peril!

In Facebook’s defense, the broad TOS was probably more a form of legal protection than any nefarious attempt to exploit all user posts ad infinitum. The U.S. legal environment does require that explicit terms be defined and communicated to users, even if these are tough for laypeople to understand. But a “trust us” attitude toward user data doesn’t work, particularly for a firm considered to have committed ham-handed gaffes in the past. Managers must learn from the freewheeling Facebook community. In the era of social media, your actions are now subject to immediate and sustained review. Violate the public trust and expect the equivalent of a high-powered investigative microscope examining your every move, and a very public airing of the findings.

Key Takeaways

  • Word of mouth is the most powerful method for promoting products and services, and Beacon was conceived as a giant word-of-mouth machine with win-win benefits for firms, recommenders, recommendation recipients, and Facebook.
  • Beacon failed because it was an opt-out system that was not thoroughly tested beforehand, and because user behavior, expectations, and system procedures were not completely taken into account.
  • Partners associated with the rapidly rolled out, poorly conceived, and untested effort were embarrassed. Several faced legal action.
  • Facebook also reinforced negative perceptions regarding the firm’s attitudes toward users, notifications, and their privacy. This attitude only served to focus a continued spotlight on the firm’s efforts, and users became even less forgiving.
  • Activists and the media were merciless in criticizing the firm’s Terms of Service changes. Facebook’s democratizing efforts demonstrate lessons other organizations can learn from, regarding user scrutiny, public reaction, and stakeholder engagement.

Questions and Exercises

  1. What is Beacon? Why was it initially thought to be a good idea? What were the benefits to firm partners, recommenders, recommendation recipients, and Facebook? Who were Beacon’s partners and what did they seek to gain through the effort?
  2. Describe “the biggest problem with Beacon.” Would you use Beacon? Why or why not?
  3. How might Facebook and its partners have avoided the problems with Beacon? Could the effort be restructured while still delivering on its initial promise? Why or why not?
  4. Beacon shows the risk in being a pioneer—are there risks in being too cautious and not pioneering with innovative, ground-floor marketing efforts? What kinds of benefits might a firm miss out on? Is there a disadvantage in being late to the party with these efforts, as well? Why or why not?
  5. Why do you think Facebook changed its Terms of Service? Did these changes concern you? Were users right to rebel? What could Facebook have done to avoid the problem? Did Facebook do a good job in follow-up? How would you advise Facebook to apply lessons learned from the TOS controversy?

8.8 Predators and Privacy

Learning Objectives

After studying this section you should be able to do the following:

  1. Understand the extent and scope of the predator problem on online social networks.
  2. Recognize the steps firms are taking to proactively engage and limit these problems.

While spoiling Christmas is bad, sexual predators are far worse, and in October 2007, Facebook became an investigation target. Officials from the New York State Attorney General’s office had posed as teenagers on Facebook and received sexual advances. Complaints to the service from investigators posing as parents were also not immediately addressed. These were troubling developments for a firm that prided itself on trust and authenticity.

In a 2008 agreement with forty-nine states, Facebook offered aggressive programs, many of which put it in line with MySpace. MySpace had become known as a lair for predators, and after months of highly publicized tragic incidents, the firm had become very aggressive about protecting minors. To get a sense of the scope of the problem, consider that MySpace claimed that it had found and deleted some twenty-nine thousand accounts from its site after comparing profiles against a database of convicted sex offenders.“Facebook Targets China, World’s Biggest Web Market,” Reuters, June 20, 2008. Following MySpace’s lead, Facebook agreed to respond to complaints about inappropriate content within twenty-four hours and to allow an independent examiner to monitor how it handles complaints. The firm imposed age-locking restrictions on profiles, reviewing any attempt by someone under the age of eighteen to change their date of birth. Profiles of minors were no longer searchable. The site agreed to automatically send a warning message when a child is at risk of revealing personal information to an unknown adult. And links to explicit material, the most offensive Facebook groups, and any material related to cyberbullying were banned.

Busted on Facebook

Chapter 7 “Peer Production, Social Media, and Web 2.0” warned that your digital life will linger forever, and that employers are increasingly plumbing the depths of virtual communities in order to get a sense of job candidates. And it’s not just employers. Sleuths at universities and police departments have begun looking to Facebook for evidence of malfeasance. Oxford University fined graduating students more than £10,000 for their post-exam celebrations, evidence of which was picked up from Facebook. Police throughout the United States have made underage drinking busts and issued graffiti warnings based on Facebook photos, too. Beware—the Web knows!

Key Takeaways

  • Thousands of sex offenders and other miscreants have been discovered on MySpace, Facebook, and other social networks. They are a legitimate risk to the community and they harm otherwise valuable services.
  • A combination of firm policies, computerized and human monitoring, aggressive reporting and follow-up, and engagement with authorities can reduce online predator risks.
  • Firms that fail to fully engage this threat put users and communities at risk and may experience irreparable damage to their brands and reputations.

Questions and Exercises

  1. How big was the predator problem on MySpace? What efforts have social networks employed to cut down on the number of predators online?
  2. Investigate the current policies regarding underage users on Facebook. Do you think the firm adequately protects its users? Why or why not?
  3. What age is appropriate for users to begin using social networks? Which services are appropriate at which ages? Are there social networks targeted at very young children? Do you think that these are safe places? Why or why not?

8.9 One Graph to Rule Them All: Facebook Takes Over the Web

Learning Objectives

After studying this section you should be able to do the following:

  1. Describe Facebook’s efforts to integrate its service with other Web sites and the potential strategic benefit for Facebook and its partners.
  2. List and discuss the potential benefits and risks of engaging in the kinds of intersite sharing and collaboration efforts described in this section.

In spring 2010, the world got a sense of the breadth and depth of Mark Zuckerberg’s vision. During the firm’s annual f8 Developers Conference, Facebook launched a series of initiatives that placed the company directly at the center of identity, sharing, and personalization—not just on Facebook but also across the Web.

With just a few lines of HTML code, any developer could add a Facebook “Like” button to their site and take advantage of the social network’s power of viral distribution. A user clicking a page’s “Like” button automatically sends a link to that page to his or her news feed, where it has the potential to be seen by all of that user’s friends. No additional sign-in is necessary as long as the user has already logged in to Facebook (reinforcing Facebook’s importance as the first stop in your Internet surfing itinerary). While some sites renamed “Like” to “Recommend” (after all, do you really want to “like” a story about a disaster or tragedy?), the effort was adopted with stunning speed. Facebook’s “Like” button was served up more than one billion times across the Web in the first twenty-four hours, and over fifty thousand Web sites signed up to add the “Like” button to their content within the first week.A. Oreskovic, “Facebook Efforts Hint at Growing Ad Clout,” The Guardian, April 30, 2010.

Facebook also offered a system where Web site operators can choose to accept a user’s Facebook credentials for logging in. Users like this because they can access content without the hurdle of creating a new account. Web sites like it because with the burden of signing up out of the way, Facebook becomes an experimentation lubricant: “Oh, I can use my Facebook ID to sign in? Then let me try this out.”

Facebook also lets Web sites embed some Facebook functionality right on their pages. A single line of code added to any page creates a “social toolbar” that shows which of your friends are logged into Facebook, and allows access to Facebook Chat without leaving that site. Site operators who are keen on making it easy for friends to summon friends to their pages can now sprinkle these little bits of Facebook across the Web.

Other efforts allow firms to leverage Facebook data to make their sites more personalized. Firms around the Web can now show if a visitor’s friends have “Liked” items on the site, posted comments, or performed other actions. Using this feature, Facebook users logging into Yelp can see a list of restaurants recommended by trusted friends instead of just the reviews posted by a bunch of strangers. Users of the music-streaming site Pandora can have the service customized based on music tastes pulled from their Facebook profile page. They can share stations with friends and have data flow back to update the music preferences listed in their Facebook profile pages. Visit CNN and the site can pull together a list of stories recommended by friends.J. Valentino-DeVries, “Facebook CEO Zuckerberg on Plans to Dominate the Web,” Wall Street Journal, April 21, 2010. Think about how this strengthens the social graph. While items in the news feed might quickly scroll away and disappear, that data can now be pulled up within a Web site, providing insight from friends when and where you’re likely to want it most.
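
The personalization pattern described above—joining a visitor’s friend list against actions recorded on a partner site—can be sketched generically. Everything below (function names, sample data) is a hypothetical illustration, not Facebook’s actual API:

```python
# Illustrative sketch of social personalization: surface the items on a
# site that a visitor's friends have "Liked." All names and data here
# are hypothetical; real integrations used Facebook's platform APIs.

def friend_recommendations(visitor, friends_of, likes_on_site):
    """Map each item liked by the visitor's friends to the friends who liked it."""
    recs = {}
    for friend in friends_of.get(visitor, set()):
        for item in likes_on_site.get(friend, set()):
            recs.setdefault(item, set()).add(friend)
    return recs

# Hypothetical social graph and on-site activity data.
friends_of = {"alice": {"bob", "carol"}}
likes_on_site = {"bob": {"Cafe Luna"}, "carol": {"Cafe Luna", "Taco Rico"}}

print(friend_recommendations("alice", friends_of, likes_on_site))
```

For the visitor “alice,” the sketch surfaces “Cafe Luna” as recommended by two friends and “Taco Rico” by one—the Yelp-style result of seeing trusted friends’ picks instead of strangers’ reviews.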

Taken together, these features enlist Web sites to serve as vassal states in the Facebook empire. Each of these ties makes Facebook membership more valuable by enhancing network effects, strengthening switching costs, and creating larger sets of highly personalized data to leverage.

Facebook: The Bank of the Web?

Those with an eye for business disruption are watching the evolution of Facebook Credits. Credits can be used to pay for items, such as weapons in video games or virtual gifts. Facebook shares credits revenue with application developers but takes 30 percent off the top for acting as banker and transaction clearing house.
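
The split works like any payment clearinghouse. A minimal sketch of the 30 percent revenue share described above (the sale amounts are illustrative assumptions):

```python
# Facebook Credits revenue split: Facebook keeps 30 percent of each
# virtual-goods sale as banker and clearinghouse; the app developer
# receives the remainder. Sale amounts below are hypothetical.

FACEBOOK_SHARE = 0.30  # the 30 percent cut described in the text

def split_credits_sale(sale_amount):
    """Return (facebook_cut, developer_payout) in dollars for one sale."""
    facebook_cut = round(sale_amount * FACEBOOK_SHARE, 2)
    developer_payout = round(sale_amount - facebook_cut, 2)
    return facebook_cut, developer_payout

print(split_credits_sale(10.00))  # (3.0, 7.0)
```

So on a hypothetical $10 virtual-goods purchase, Facebook would keep $3.00 and the developer would net $7.00—the same basic economics as the App Store model the text contrasts it with, applied to ad-supported apps’ paid add-ons.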

There are real bucks to be made from digital make-believe. Analysts estimate that in 2009, virtual goods racked up $1 billion in U.S. transactions and $5 billion worldwide.B. Womack and C. Valerio, “Facebook Says Credits Won’t Pay Off Soon, Adds ‘Like’ Feature,” BusinessWeek, April 22, 2010; and C. Miller and B. Stone, “Virtual Goods Start Bringing Real Paydays,” New York Times, November 6, 2009. Facebook currently isn’t much of a player in virtual goods, but that may change. Many expect Credits use to grow into a thriving standard. Users are far more likely to trust Facebook with their credit card than a little-known app developer. There are also an increasing number of ways to pay for Credits. Facebook’s App2Credits effort lets firms offer Credits in ways that don’t involve a credit card, including getting Credits as part of a card loyalty program, converting unwanted real-world gift cards into Facebook Credits, or earning Credits for shopping or performing other online tasks.J. Kincaid, “A Look at the Future of Facebook Credits,” TechCrunch, April 21, 2010.

Credits were rolled out supporting fifteen international currencies and multiple credit cards. Transaction support is provided through a partnership with PayPal, and a deal with mobile payments start-up Zong allows users to bill Credits to their phones.C. McCarthy, “Facebook to Developers: Get Ready for Credits,” CNET, February 25, 2010.

All this banking activity leaves some wondering if Facebook might not have grander ambitions. The Financial Times has referred to Facebook as being on the path to becoming “The Bank of the Web.”C. Nuttall, “Facebook Credits Bank of the Web,” Financial Times, April 23, 2010. Could Facebook morph into an actual real-currency bank? A site that knows how to reach your friends might offer an easy way to, say, settle a dinner tab or hound buddies for their Final Four pool money. This might also be a solid base for even deeper banking links between users and all those firms Facebook has begun to leverage in deeper data-sharing partnerships. This may be something to think about, or perhaps, to bank on!

More Privacy Controversy

The decision to launch these new features as “opt-out” instead of “opt-in” immediately drew the concern of lawmakers. Given the Beacon debacle, the TOS controversy, and Google’s problems with Buzz (see Chapter 14 “Google: Search, Online Advertising, and Beyond”), you’d think Facebook would have known better. Yet within a week of the new features’ launch, four U.S. senators contacted the firm, asking why it was so difficult to opt out of the information-sharing platform.F. Lardinois, “Is It Time for Facebook to Make Opt-In the Default?” Read Write Web, April 27, 2010. Amid a crush of negative publicity, the firm was forced to quickly roll out simplified privacy management controls.

Facebook’s struggles show the tension faced by any firm that wants to collect data to improve the user experience (and hopefully make money along the way). Opt-out guarantees the largest possible audience and that’s key to realizing the benefits of network effects, data, and scale. Making efforts opt-in creates the very real risk that not enough users will sign up and that the reach and impact of these kinds of initiatives will be limited.F. Lardinois, “Is It Time for Facebook to Make Opt-In the Default?” Read Write Web, April 27, 2010. Fast Company calls this the paradox of privacy, saying, “We want some semblance of control over our personal data, even if we likely can’t be bothered to manage it.”F. Manjoo, “Does Privacy on Facebook, Google, and Twitter Even Matter?” Fast Company, May 1, 2010. Evidence suggests that most people are accepting some degree of data sharing as long as they know that they can easily turn it off if they want to. For example, when Google rolled out ads that tracked users across the network of Web sites running Google ads, the service also provided a link in each ad where users could visit an “ad preferences manager” to learn how they were being profiled, to change settings, and to opt out (see Chapter 14 “Google: Search, Online Advertising, and Beyond”). It turns out only one in fifteen visitors to the ad preferences manager ended up opting out completely.F. Manjoo, “Does Privacy on Facebook, Google, and Twitter Even Matter?” Fast Company, May 1, 2010. Managers seeking to leverage data should learn from the examples of Facebook and Google and be certain to offer clear controls that empower user choice.

Free Riders and Security Concerns

Facebook also allows third-party developers to create all sorts of apps to access Facebook data. Facebook feeds are now streaming through devices that include Samsung, Vizio, and Sony televisions; Xbox 360 and Wii game consoles; Verizon’s FiOS pay television service; and the Amazon Kindle. While Facebook might never have the time or resources to create apps that put its service on every gadget on the market, it doesn’t need to. Developers using Facebook’s access tools will gladly pick up the slack.

But there are major challenges with a more open approach, most notably a weakening of strategic assets, revenue sharing, and security. First, let’s discuss weakened assets. Mark Zuckerberg’s geeks have worked hard to make their site the top choice for most of the world’s social networkers and social network application developers. Right now, everyone goes to Facebook because everyone else is on Facebook. But as Facebook opens up access to users and content, it risks supporting efforts that undermine the firm’s two most compelling sources of competitive advantage: network effects and switching costs. Any effort that makes it easier to pack up your “social self” and move it elsewhere risks undermining vital competitive resources (it still remains more difficult to export contacts, e-mails, photos, and video from Facebook than it is from sites supporting OpenSocial, a rival platform backed by Google and supported by many of Facebook’s competitors).F. Vogelstein, “The Great Wall of Facebook,” Wired, July 2009. This situation also puts more pressure on Facebook to behave. Lower those switching costs at a time when users are disgusted with firm behavior, and it’s not inconceivable that a sizable chunk of the population could bolt for a new rival (to Facebook’s credit, the site also reached out to prior critics, showing them Facebook’s data-sharing features and soliciting input months before their official release).

Along with asset weakening comes the issue of revenue sharing. As mentioned earlier, hosting content (especially photos and rich media) is a very expensive proposition. What incentive does a site have to store data if it will just be sent to a third-party site that will run ads around this content and not share the take? Too much data portability presents a free rider problem (when others take advantage of a user or service without providing any sort of reciprocal benefit), where firms mooch off Facebook’s infrastructure without offering much in return. Consider services like TweetDeck. The free application allows users to access their Facebook feeds and post status updates—alongside Twitter updates and more—all from one interface. Cool for the user, but bad for Facebook, since each TweetDeck use means Facebook users are “off-site,” not looking at ads, and hence not helping Zuckerberg & Co. earn revenue. It’s as if the site has encouraged the equivalent of an ad blocker, yet Facebook’s openness lets this happen!

Finally, consider security. Allowing data streams that contain potentially private posts and photographs to squirt across the Internet and land where you want them raises all sorts of concerns. What’s to say an errant line of code doesn’t provide a back door to your address book or friends list? To your messaging account? To let others see photos you’d hoped to only share with family? Security breaches can occur on any site, but once the data is allowed to flow freely, every site with access is, for hackers, the equivalent of a potential door to open or a window to crawl through.

Social Networking Goes Global

Facebook will eventually see stellar growth start to slow as the law of large numbers sets in. The shift from growth business to mature one can be painful, and for online firms it can occur relatively quickly. That doesn’t mean these firms will become unprofitable, but to sustain growth (particularly important for keeping up the stock price of a publicly traded company), firms often look to expand abroad.

Facebook’s crowdsourcing localization effort (crowdsourcing: taking a job traditionally performed by a designated agent, usually an employee, and outsourcing it to an undefined, generally large group of people in the form of an open call; localization: adapting products and services for different languages and regional differences), where users were asked to look at Facebook phrases and offer translation suggestions for their local language (see Chapter 7 “Peer Production, Social Media, and Web 2.0”), helped the firm rapidly deploy versions in dozens of markets, blasting the firm past MySpace in global reach. But network effects are both quick and powerful, and late market entry can doom a business reliant on the positive feedback loop of a growing user base.

And global competition is out there. Worldwide, Facebook wannabes include “Studiverzeichnis” (German for “student index”); Vkontakte (“in contact”), Russia’s most popular social networking site; and Renren (formerly Xiaonei), which is said to have registered 90 percent of China’s college students.

China is proving a particularly difficult market for foreign Internet firms. Google, eBay, Yahoo!, and MySpace have all struggled there (at one point, Rupert Murdoch even sent his wife, Wendi Deng Murdoch, to head up the MySpace China effort). And don’t be surprised to see some of these well-capitalized overseas innovators making a move on U.S. markets too.

While global growth can seem like a good thing, acquiring global users isn’t the same as making money from them. Free sites with large numbers of users from developing nations face real cost/revenue challenges. As the New York Times points out, there are 1.6 billion Internet users worldwide, but fewer than half of them have disposable incomes high enough to interest major advertisers.B. Stone and M. Helft, “In Developing Countries, Web Grows without Profit,” New York Times, April 27, 2009. Worse still, telecommunications costs in these markets are often higher as well. Bandwidth costs and dim revenue options caused video site Veoh to block access coming from Africa, Eastern Europe, Latin America, and some parts of Asia. MySpace already offers a stripped-down Lite option as its default in India. And execs at YouTube and Facebook haven’t ruled out lowering the quality of streaming media, file size, or other options, discriminating by region or even by user.

Making money in the face of this so-called “International Paradox” requires an awareness of “fast and cheap” tech trends highlighted in Chapter 5 “Moore’s Law: Fast, Cheap Computing and What It Means for the Manager”, as well as an ability to make accurate predictions regarding regional macroeconomic trends. Ignore a market that’s unprofitable today and a rival could swoop in and establish network effects and other assets that are unbeatable tomorrow. But move too early and losses could drag you down.

Key Takeaways

  • Facebook has extended its reach by allowing other Web sites to leverage the site. Facebook partners can add the “Like” button to encourage viral sharing of content, leverage Facebook user IDs for log-in, and tap a user’s friend and feed data to personalize and customize a user’s experience.
  • These efforts come with risks, including enabling free riders that might exploit the firm’s content without compensation, and the potential for privacy and security risks.
  • Facebook Credits are a currency for use for virtual gifts and games. The service accepts multiple currencies and payment methods; and while virtual goods have the potential to be a big business, some speculate that Facebook may one day be able to develop a payments and banking business from this base.
  • Global growth is highly appealing to firms, but high bandwidth costs and dim prospects for ad revenue create challenges akin to the free rider problem.

Questions and Exercises

  1. Cite effective examples you’ve seen of Facebook features on other Web sites (or if you haven’t seen any, do some background research to uncover such efforts). Why do the efforts you’ve highlighted “work”? How do they benefit various parties? Does everyone benefit? Is anyone at risk? If so, explain the risks.
  2. Should Facebook be as open as it is? In what ways might this benefit the firm? In what ways is it a risk?
  3. How can Facebook limit criticism of its data-sharing features? Do you think it made mistakes during rollout?
  4. What is TweetDeck? Why is a product like this a potential threat to Facebook?
  5. Research OpenSocial online. What is this effort? What challenges does it face in attempting to become a dominant standard?
  6. Facebook has global competitors. What determines the success of a social network within a given country? Why do network effects for social networks often fail to translate across national borders?
  7. How did Facebook localize its site so quickly for various different regions of the world?
  8. What factors encourage firms to grow an international user base as quickly as possible? Why is this a risk? What sorts of firms are at more risk than others?

8.10 Is Facebook Worth It?

Learning Objectives

After studying this section you should be able to do the following:

  1. Question the $15 billion valuation so often cited by the media.
  2. Understand why Microsoft might be willing to invest in Facebook at a higher valuation than other investors.

It has often been said that the first phase of the Internet was about putting information online and giving people a way to find it. The second phase of the Web is about connecting people with one another. The Web 2.0 movement is big and impactful, but is there much money in it?

While the valuations of private firms are notoriously difficult to pin down due to a lack of financial disclosure, the often-cited $15 billion valuation from the fall of 2007 Microsoft investment was rich, even when made by such a deep-pocketed firm. Using estimates at the time of the deal, if Facebook were a publicly traded company, it would have a price-to-earnings ratio of five hundred; Google’s at the time was fifty-three, and the average for the S&P 500 is historically around fifteen.
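
The price-to-earnings comparison above is worth making concrete. A throwaway sketch (the $30 million earnings figure below is simply the back-of-the-envelope number implied by the chapter’s ratios, not a reported financial):

```python
def pe_ratio(valuation, annual_earnings):
    """Price-to-earnings ratio: what investors pay per dollar of earnings."""
    return valuation / annual_earnings

# A $15 billion valuation at a P/E of 500 implies annual earnings of only
# about $30 million -- an order of magnitude richer per earnings dollar than
# Google's P/E of 53 at the time, and the historical S&P 500 average near 15.
print(pe_ratio(15_000_000_000, 30_000_000))   # 500.0
```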

But the math behind the deal is a bit more complex than was portrayed in most press reports. The deal was also done in conjunction with an agreement that for a time let Microsoft manage the sale of Facebook’s banner ads worldwide. And Microsoft’s investment was done on the basis of preferred stock, granting the firm benefits beyond common stock, such as preference in terms of asset liquidation.B. Stone, “Facebook Aims to Extend Its Reach across Web,” New York Times, December 1, 2008. Both of these are reasons a firm would be willing to “pay more” to get in on a deal.

Another argument can be made for Microsoft purposely inflating the value of Facebook in order to discourage rival bidders. A fat valuation by Microsoft and a deal locking up ad rights makes the firm seem more expensive, less attractive, and out of reach for all but the richest and most committed suitors. Google may be the only firm that could possibly launch a credible bid, and Zuckerberg is reported to be genuinely uninterested in being absorbed by the search sovereign.F. Vogelstein, “The Great Wall of Facebook,” Wired, July 2009.

Since the fall of 2007, several others have invested private money into Facebook as well, including the Founders Fund and Li Ka-shing, the Hong Kong billionaire behind Hutchison Whampoa. Press reports and court documents suggest that these deals were done at valuations that were lower than what Microsoft accepted. In May 2009 Russian firm Digital Sky paid $200 million for 1.96 percent of the firm, a ten-billion-dollar valuation (also in preferred stock). That’s a one-third haircut off the Microsoft price, albeit without the Redmond-specific strategic benefits of the investment.D. Kirkpatrick, “Why Microsoft Isn’t Buying Facebook,” Fortune, May 9, 2008; and S. Ante, “Facebook: Friends with Money,” BusinessWeek, May 9, 2008. And as the chart in Figure 8.2 “Revenue per User (2009)” shows, Facebook still lags well behind many of its rivals in terms of revenue per user.
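
The valuation math behind stake purchases like Digital Sky’s is straightforward: divide the investment by the fraction of the firm acquired. A quick sketch using the figures above:

```python
def implied_valuation(investment, stake_fraction):
    """Back out a firm's total implied valuation from a fractional stake purchase."""
    return investment / stake_fraction

# Digital Sky's deal: $200 million for 1.96 percent of Facebook
v = implied_valuation(200_000_000, 0.0196)
print(round(v / 1e9, 1))        # ~10.2 (billion dollars)

# That is roughly a one-third "haircut" off the $15 billion Microsoft figure.
print(round(1 - v / 15_000_000_000, 2))   # ~0.32
```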

Figure 8.2 Revenue per User (2009)

While Facebook’s reach has grown to over half a billion visitors a month, its user base generates far less cash on a per-person basis than many rivals do.H. Blodget, “Whoops—Facebook Is Once Again Overhyped,” Business Insider, April 26, 2010.

So despite the headlines, even at the time of the Microsoft investment, Facebook was almost certainly not valued at a pure $15 billion. This isn’t to say definitively that Facebook won’t be worth $15 billion (or more) someday, but even a valuation at “just” $10 billion is a lot to pay for a then-profitless firm with estimated 2009 revenues of $500 million. Of course, raising more capital enables Zuckerberg to go on the hunt as well. Facebook investor Peter Thiel confirmed the firm had already made an offer to buy Twitter (a firm which at the time had zero dollars in revenues and no discernible business model) for a cool half billion dollars.S. Ante, “Facebook’s Thiel Explains Failed Twitter Takeover,” BusinessWeek, March 1, 2009.

Much remains to be demonstrated for any valuation to hold. Facebook is new. Its models are evolving, and it has quite a bit to prove. Consider efforts to try to leverage friend networks. According to Facebook’s own research, “an average Facebook user with 500 friends actively follows the news on only forty of them, communicates with twenty, and keeps in close touch with about ten. Those with smaller networks follow even fewer.”S. Baker, “Learning and Profiting from Online Friendships,” BusinessWeek, May 21, 2009. That might not be enough critical mass to offer real, differentiable impact, and that may have been part of the motivation behind Facebook’s mishandled attempts to encourage more public data sharing. The advantages of leveraging the friend network hinge on increased sharing and trust, a challenge for a firm that has had so many high-profile privacy stumbles. There is promise. Profiling firm Rapleaf found that targeting based on actions within a friend network can increase click-through rates threefold—that’s an advantage advertisers are willing to pay for. But Facebook is still far from proving it can consistently achieve the promise of delivering valuable ad targeting.

Steve Rubel wrote the following on his Micro Persuasion blog: “The Internet amber is littered with fossilized communities that once dominated. These former stalwarts include AOL, Angelfire, GeoCities, and Tripod.” Network effects and switching cost advantages can be strong, but not necessarily insurmountable if value is seen elsewhere and if an effort becomes more fad than “must have.” Time will tell if Facebook’s competitive assets and constant innovation are enough to help it avoid the fate of those that have gone before it.

Key Takeaways

  • Not all investments are created equal, and a simple calculation of investment dollars multiplied by the percentage of firm owned does not tell the whole story.
  • Microsoft’s investment entitled the firm to preferred shares; it also came with advertising deal exclusivity.
  • Microsoft may also benefit from offering higher valuations that discourage rivals from making acquisition bids for Facebook.
  • Facebook has continued to invest capital raised in expansion, particularly in hardware and infrastructure. It has also pursued its own acquisitions, including a failed bid to acquire Twitter.
  • The firm’s success will hinge on its ability to create sustainably profitable revenue opportunities. It has yet to prove that data from the friend network will be large enough and can be used in a way that is differentiably attractive to advertisers. However, some experiments in profiling and ad targeting across a friend network have shown very promising results. Firms exploiting these opportunities will need to have a deft hand in offering consumer and firm value while quelling privacy concerns.

Questions and Exercises

  1. Circumstances change over time. Research the current state of Facebook’s financials—how much is the firm “valued at”? How much revenue does it bring in? How profitable is it? Are these figures easy or difficult to find? Why or why not?
  2. Who else might want to acquire Facebook? Is it worth it at current valuation rates?
  3. What motivation does Microsoft have in investing in Facebook at such a high valuation?
  4. Do you think Facebook was wise to take funds from Digital Sky? Why or why not?
  5. Do you think Facebook’s friend network is large enough to be leveraged as a source of revenue in ways that are notably different than conventional pay-per-click or CPM-based advertising? Would you be excited about certain possibilities? Creeped out by some? Explain possible scenarios that might work or might fail. Justify your interpretation of these scenarios.
  6. So you’ve had a chance to learn about Facebook, its model, growth, outlook, strategic assets, and competitive environment. How much do you think the firm is worth? Which firms do you think it should compare with in terms of value, influence, and impact? Would you invest in Facebook?
  7. Which firms might make good merger partners with Facebook? Would these deals ever go through? Why or why not?

Chapter 7: Peer Production, Social Media, and Web 2.0

7.1 Introduction

Learning Objectives

After studying this section you should be able to do the following:

  1. Recognize the unexpected rise and impact of social media and peer production systems, and understand how these services differ from prior generation tools.
  2. List the major classifications of social media services.

Over the past few years a fundamentally different class of Internet services has attracted users, made headlines, and increasingly garnered breathtaking market valuations. Often referred to under the umbrella term “Web 2.0” (broadly, Internet services that foster collaboration and information sharing, characteristics that distinctly set them apart from the static, transaction-oriented Web sites of “Web 1.0”), these new services are targeted at harnessing the power of the Internet to empower users to collaborate, create resources, and share information in a distinctly different way from the static Web sites and transaction-focused storefronts that characterized so many failures in the dot-com bubble. Blogs, wikis, social networks, photo and video sharing sites, and tagging systems all fall under the Web 2.0 moniker, as do a host of supporting technologies and related efforts.

The term Web 2.0 is a tricky one because like so many popular technology terms there’s not a precise definition. Coined by publisher and pundit Tim O’Reilly in 2003, techies often joust over the breadth of the Web 2.0 umbrella and over whether Web 2.0 is something new or simply an extension of technologies that have existed since the creation of the Internet. These arguments aren’t really all that important. What is significant is how quickly the Web 2.0 revolution came about, how unexpected it was, and how deeply impactful these efforts have become. Some of the sites and services that have evolved and their Web 1.0 counterparts are listed in Table 7.1 “Web 1.0 versus Web 2.0”.Adapted from T. O’Reilly, “What Is Web 2.0?” O’Reilly, September 30, 2005.

Table 7.1 Web 1.0 versus Web 2.0

Web 1.0 Web 2.0
DoubleClick  →  Google AdSense
Ofoto  →  Flickr
Akamai  →  BitTorrent
mp3.com  →  Napster
Britannica Online  →  Wikipedia
personal Web sites  →  blogging
evite  →  upcoming.org and Eventful
domain name speculation  →  search engine optimization
page views  →  cost per click
screen scraping  →  Web services
publishing  →  participation
content management systems  →  wikis
directories (taxonomy)  →  tagging (“folksonomy”)
stickiness  →  syndication
instant messaging  →  Twitter  →  LinkedIn

To underscore the speed with which Web 2.0 arrived on the scene, and the impact of leading Web 2.0 services, consider the following efforts:

  • According to a spring 2008 report by Morgan Stanley, Web 2.0 services ranked as seven of the world’s top ten most heavily trafficked Internet sites (YouTube, Live.com, MySpace, Facebook, Hi5, Wikipedia, and Orkut); only one of these sites (MySpace) was on the list in 2005.Morgan Stanley, Internet Trends Report, March 2008.
  • With only seven full-time employees and an operating budget of less than $1 million, Wikipedia has become the fifth most visited site on the Internet.G. Kane and R. Fichman, “The Shoemaker’s Children: Using Wikis for Information Systems Teaching, Research, and Publication,” MIS Quarterly, March 2009. The site boasts well over fifteen million articles in over two hundred sixty different languages, all of them contributed, edited, and fact-checked by volunteers.
  • Just two years after it was founded, MySpace was bought for $580 million by Rupert Murdoch’s News Corporation (the media giant that owns the Wall Street Journal and the Fox networks, among other properties). By the end of 2007, the site accounted for some 12 percent of Internet minutes and had repeatedly ranked as the most-visited Web site in the United States.D. Chmielewski and J. Guynn, “MySpace Ready to Prove Itself in Faceoff,” Chicago Tribune, June 8, 2008. But rapid rise doesn’t always mean a sustained following, and by the start of 2010, some were beginning to write the service’s obituary as it failed to keep pace with Facebook.O. Malik, “MySpace, R.I.P.,” GigaOM, February 10, 2010.
  • The population of rival Facebook is now so large that it could be considered the third largest “nation” in the world. Half the site’s users log in at least once a day, spending an average of fifty-five minutes a day on the site.“Facebook Facts and Figures (History and Statistics),” Website Monitoring Blog, March 17, 2010. A fall 2007 investment from Microsoft pegged the firm’s overall value at $15 billion, a number that would have made it the fifth most valuable Internet firm, despite annual revenues at the time of only $150 million.M. Arrington, “Perspective: Facebook Is Now Fifth Most Valuable U.S. Internet Company,” TechCrunch, October 25, 2007. Those revenues have been growing, with the privately held firm expected to bring in from $1.2 to $2 billion in 2010.J. Vascellaro, “Facebook CEO in No Rush to ‘Friend’ Wall Street,” Wall Street Journal, March 3, 2010.
  • Just twenty months after its founding, YouTube was purchased by Google for $1.65 billion. While Google struggles to figure out how to make profitable what is currently a money-losing resource hog (over twenty hours of video are uploaded to YouTube each minute)E. Nakashima, “YouTube Ordered to Release User Data,” Washington Post, July 4, 2008. the site has emerged as the Web’s leading destination for video, hosting everything from apologies from JetBlue’s CEO for service gaffes to questions submitted as part of the 2008 U.S. presidential debates. Fifty percent of YouTube’s roughly three hundred million users visit the site at least once a week.Morgan Stanley, Internet Trends Report, March 2008.
  • Twitter has emerged as a major force that can break news and shape public opinion. China and Iran are among the governments so threatened by the power of Twitter-fueled data sharing that each has, at times, blocked Twitter access within their borders. At the first Twitter-focused Chirp conference in April 2010, Twitter boasted a population of over one hundred million users who have collectively posted more than ten billion tweets (Twitter messages). By this time, the service had also spawned an ecosystem of over one hundred thousand registered Twitter-supporting apps. In another nod to the service’s significance, the U.S. Library of Congress announced plans to archive every tweet ever sent.N. Bolton, “Chirp, Twitter’s First Developer Conference, Opens Its Doors,” New York Times, April 14, 2010; and M. Shaer, “Google Launches Archive Search for Twitter,” Christian Science Monitor, April 15, 2010.
  • Services such as Twitter, Yelp, and the highly profitable TripAdvisor have unleashed the voice of the customer so that it is now often captured and broadcast immediately at the point of service. Reviews are now incorporated into search results and maps, making them the first thing many customers see when encountering a brand online. TripAdvisor, with just five hundred employees, contributes over $150 million in profits to parent company Expedia (at roughly 50 percent margins),B. Wash, “Double Duty,” Colby Magazine, Winter 2009. while Yelp has reportedly turned down acquisition offers valuing it at $700 million.P. Burrows, “Hot Tech Companies Like Yelp Are Bypassing IPOs,” BusinessWeek, February 4, 2010.

Table 7.2 Major Social Media Tools

Blogs

Description: Short for “Web log”—an online diary that keeps a running chronology of entries. Readers can comment on posts. Can connect to other blogs through blog rolls or trackbacks. Key uses: share ideas, obtain feedback, mobilize a community.

Features:

  • Ease of use
  • Reverse chronology
  • Comment threads
  • Persistence
  • Searchability
  • Tags
  • Trackbacks

Technology providers:

  • Blogger (Google)
  • WordPress
  • Six Apart (TypePad and Movable Type)
  • Tumblr

Use case examples:

  • News outlets
  • Google
  • Graco
  • GM
  • Kaiser Permanente
  • Marriott
  • Microsoft

Wikis

Description: A Web site that anyone can edit directly from within the browser. Key uses: collaborate on common tasks or create a common knowledge base.

Features:

  • All changes are attributed
  • A complete revision history is maintained, with the ability to roll back changes and revert to earlier versions
  • Automatic notification of updates
  • Searchability
  • Tags
  • Monitoring

Technology providers:

  • Socialtext
  • PBWorks
  • Google Sites
  • WetPaint
  • Microsoft SharePoint
  • Apple OS X Server

Use case examples:

  • Dresdner Kleinwort Wasserstein
  • eBay
  • The FBI, CIA, and other intelligence agencies
  • Intuit
  • Pixar

Electronic Social Networks

Description: Online communities that allow users to establish a personal profile, link to other profiles (i.e., friends), share content, and communicate with members via messaging and posts. Key uses: discover and reinforce affiliations; identify experts; message individuals or groups; virally share media.

Features:

  • Detailed personal profiles using multimedia
  • Affiliations with groups
  • Affiliations with individuals
  • Messaging and public discussions
  • Media sharing
  • “Feeds” of recent activity among members

Technology providers:

  • Facebook
  • LinkedIn
  • MySpace
  • Ning
  • SelectMinds
  • LiveWorld
  • IBM/Lotus Connections
  • Socialtext

Use case examples:

  • Barack Obama (campaign and government organizing)
  • Currensee (foreign exchange trading)
  • Dell
  • Deloitte Consulting
  • Goldman Sachs
  • IBM
  • Reuters
  • Starbucks

Microblogging

Description: Short, asynchronous messaging systems in which users send messages to “followers.” Key uses: distribute time-sensitive information, share opinions, virally spread ideas, run contests and promotions, solicit feedback, provide customer support, track commentary on firms/products/issues, organize protests.

Features:

  • 140-character messages sent and received from mobile devices
  • Ability to respond publicly or privately
  • Can specify tags to classify discussion topics for easy searching and building comment threads
  • Follower lists

Technology providers:

  • Twitter
  • Socialtext Signals
  • Yammer
  • Salesforce.com (Chatter)

Use case examples:

  • Dell
  • Starbucks
  • Intuit
  • Small businesses
  • Celebrities
  • Zappos

Millions of users, billions of dollars, huge social impact, and these efforts weren’t even on the radar of most business professionals when today’s graduating college seniors first enrolled as freshmen. The trend demonstrates that even some of the world’s preeminent thought leaders and business publications can be sideswiped by the speed of the Internet.

Consider that when management guru Michael Porter wrote a piece titled “Strategy and the Internet” at the end of the dot-com bubble, he lamented the high cost of building brand online, questioned the power of network effects, and cast a skeptical eye on ad-supported revenue models. Well, it turns out Web 2.0 efforts challenged all of these concerns. Among the efforts above, all built brand on the cheap with little conventional advertising, and each owes its hypergrowth and high valuation to its ability to harness the network effect.

While the Web 2.0 moniker is a murky one, we’ll add some precision to our discussion of these efforts by focusing on peer production, perhaps Web 2.0’s most powerful feature, where users work, often collaboratively, to create content, products, and services online. Web-based efforts that foster peer production are often referred to as social media or user-generated content sites: content that is created, shared, and commented on by a broader community of users. These sites include blogs; wikis; social networks like Facebook and MySpace; communal bookmarking and tagging sites like del.icio.us; media sharing sites like YouTube and Flickr; and a host of supporting technologies. And it’s not just about media. Peer-produced services like Skype and BitTorrent leverage users’ computers instead of a central IT resource to forward phone calls and video, the participation of users providing the infrastructure and computational resources that enable the service. This ability saves their sponsors the substantial cost of servers, storage, and bandwidth. Peer production is also leveraged to create much of the open source software that supports many of the Web 2.0 efforts described above. Techniques such as crowdsourcing, where initially undefined groups of users band together to solve problems, create code, and develop services, are also a type of peer production. These efforts often seek to leverage the so-called wisdom of crowds, the idea that a large, diverse group often has more collective insight than a single individual or a small group of trained professionals. These efforts will be expanded on below, along with several examples of their use and impact.

Key Takeaways

  • A new generation of Internet applications is enabling consumers to participate in creating content and services online. Examples include Web 2.0 efforts such as social networks, blogs, and wikis, as well as efforts such as Skype and BitTorrent, which leverage the collective hardware of their user communities to provide a service.
  • These efforts have grown rapidly, most with remarkably little investment in promotion. Nearly all of these new efforts leverage network effects to add value and establish their dominance and viral marketing to build awareness and attract users.
  • Experts often debate whether Web 2.0 is something genuinely new or merely an extension of existing technologies. The bottom line, however, is the magnitude of the impact of the current generation of services.
  • Peer production and social media fall under the Web 2.0 umbrella. These services often leverage the wisdom of crowds to provide insight or production that can be far more accurate or valuable than that provided by a smaller group of professionals.
  • Network effects play a leading role in enabling Web 2.0 firms. Many of these services also rely on ad-supported revenue models.

Questions and Exercises

  1. What distinguishes Web 2.0 technologies and services from the prior generation of Internet sites?
  2. Several examples of rapidly rising Web 2.0 efforts are listed in this section. Can you think of other dramatic examples? Are there cautionary tales of efforts that may not have lived up to their initial hype or promise? Why do you suppose they failed?
  3. Make your own list of Web 1.0 and Web 2.0 services and technologies. Would you invest in them? Why or why not?
  4. In what ways do Web 2.0 efforts challenge the assumptions that Michael Porter made regarding Strategy and the Internet?

7.2 Blogs

Learning Objectives

After studying this section you should be able to do the following:

  1. Know what blogs are and how corporations, executives, individuals, and the media use them.
  2. Understand the benefits and risks of blogging.
  3. Appreciate the growth in the number of blogs, their influence, and their capacity to generate revenue.

BlogsOnline journal entries, usually made in a reverse chronological order. Blogs typically provide comment mechanisms where users can post feedback for authors and other readers. (short for Web logs) first emerged almost a decade ago as a medium for posting online diaries. (In a perhaps apocryphal story, Wired magazine claimed the term “Web log” was coined by Jorn Barger, a sometimes homeless, yet profoundly prolific, Internet poster.) From humble beginnings, the blogging phenomenon has grown to a point where the number of public blogs tracked by Technorati (the popular blog index) has surpassed one hundred million.D. Takahashi, “Technorati Releases Data on State of the Blogosphere: Bloggers of the World Have United,” VentureBeat, September 28, 2008. This number is clearly a long tailIn this context, refers to an extremely large selection of content or products. The long tail is a phenomenon whereby firms can make money by offering a near-limitless selection. phenomenon, loaded with niche content that remains “discoverable” through search engines and blog indexes. TrackbacksLinks in a blog post that refer readers back to cited sources. Trackbacks allow a blogger to see which and how many other bloggers are referring to their content. A “trackback” field is supported by most blog software and while it’s not required to enter a trackback when citing another post, it’s considered good “netiquette” to do so. (third-party links back to an original blog post) and blog rollsA list of a blogger’s favorite blogs. While not all blogs include blog rolls, those that do are often displayed on the right or left column of a blog’s main page. (a list of a blogger’s favorite sites—a sort of shout-out to blogging peers) also help distinguish and reinforce the reputation of widely read blogs.

The most popular blogs offer cutting-edge news and commentary, with postings running the gamut from professional publications to personal diaries. While this cacophony of content was once dismissed, blogging is now a respected and influential medium. Some might say that many of the most popular blogs have grown beyond the term, transforming into robust media enterprises. Consider that the political blog The Huffington Post is now more popular than all but eight newspaper sites and has a valuation higher than many publicly traded papers.E. Alterman, “Out of Print, the Death and Life of the American Newspaper,” New Yorker, March 31, 2008; and M. Learmonth, “Huffington Post More Valuable Than Some Newspaper Cos.,” DigitalNext, December 1, 2008. Keep in mind that this is a site without the sports, local news, weather, and other content offered by most papers. Ratings like this are hard to achieve—most bloggers can’t make a living off their musings. But among the elite ranks, killer subscriber numbers are a magnet for advertisers. Top blogs operating on shoestring budgets can snare several hundred thousand dollars a month in ad revenue.S. Zuckerman, “Yes, Some Blogs Are Profitable—Very Profitable,” San Francisco Chronicle, October 21, 2007. Most start with ad networks like Google AdSense, but the most elite engage advertisers directly for high-value deals and extended sponsorships.

Top blogs have begun to attract well-known journalists away from print media. The Huffington Post hired former Washington Post editor Lawrence Roberts to head the site’s investigative unit. The popular blog TechCrunch now features posts by Sarah Lacy (a BusinessWeek cover-story writer) and has hired Erick Schonfeld away from Time Warner’s business publishing empire. Schonfeld’s colleague, Om Malik, has gone on to found another highly ranked tech industry blog, GigaOM.

Senior executives from many industries have also begun to weigh in with online ruminations, going directly to the people without a journalist filtering their comments. Hotel chief Bill Marriott, Paul Levy (CEO of health care quality leader Beth Israel Deaconess Medical Center), Toyota’s Akio Toyoda, and Zappos’ CEO Tony Hsieh use their blogs for purposes that include a combination of marketing, sharing ideas, gathering feedback, press response, image shaping, and reaching consumers directly without press filtering. Blogs have the luxury of being more topically focused than traditional media, with no limits on page size, word count, or publication deadline. Some of the best examples engage new developments in topic domains much more quickly and deeply than traditional media. For example, it’s not uncommon for blogs focused on the law or politics to provide a detailed dissection of a Supreme Court opinion within hours of its release—offering analysis well ahead of, and often in greater depth than, what bloggers call the mainstream media (MSM)Refers to newspapers, magazines, television, and radio. The MSM is distinctly different from Internet media such as blogs.. As such, it’s not surprising that most mainstream news outlets have begun supplementing their content with blogs that can offer greater depth, more detail, and deadline-free timeliness.


While the feature set of a particular blog depends on the underlying platform and the preferences of the blogger, several key features are common to most blogs:

  • Ease of use. Creating a new post usually involves clicking a single button.
  • Reverse chronology. Posts are listed in reverse order of creation, making it easy to see the most recent content.
  • Comment threads. Readers can offer comments on posts.
  • Persistence. Posts are maintained indefinitely at locations accessible by permanent links.
  • Searchability. Current and archived posts are easily searchable.
  • Tags. Posts are often classified under an organized tagging scheme.
  • Trackbacks. Authors can acknowledge the source of an item cited in their posts, and the trackback mechanism lets bloggers follow the popularity of their own posts among other bloggers.

The voice of the blogosphereA term referring to the collective community of bloggers, as well as those who read and comment on blogs. can wield significant influence. Examples include leading the charge for Dan Rather’s resignation and prompting the design of a new insulin pump. In an example of what can happen when a firm ignores social media, consider the flare-up Ingersoll Rand faced when the online community exposed a design flaw in its Kryptonite bike lock.

Online posts showed the thick metal lock could be broken with a simple ball-point pen. A video showing the hack was posted online. When Ingersoll Rand failed to react quickly, the blogosphere erupted with criticism. Just days after online reports appeared, the mainstream media picked up the story. The New York Times ran a piece titled “The Pen Is Mightier Than the Lock” that included a series of photos demonstrating the ballpoint Kryptonite lock pick. The event tarnished the once-strong brand and eventually resulted in a loss of over $10 million.

Like any Web page, blogs can be public, tucked behind a corporate firewall, or password protected. Most blogs offer a two-way dialogue, allowing users to comment on posts (sort of instant “letters to the editor,” posted online and delivered directly to the author). The running dialogue can read like an electronic bulletin board, and can be an effective way to gather opinion when vetting ideas. Comments help keep a blogger honest. Just as the “wisdom of crowds” keeps Wikipedia accurate, a vigorous community of commenters will quickly expose a blogger’s errors of fact or logic.

Despite this increased popularity, blogging has its downside. Blog comments can be a hothouse for spam and the disgruntled. Ham-handed corporate efforts (such as poor response to public criticism or bogus “praise posts”) have been ridiculed. Employee blogging can be difficult to control and public postings can “live” forever in the bowels of an Internet search engine or as content pasted on other Web sites. Many firms have employee blogging and broader Internet posting policies to guide online conduct that may be linked to the firm (see Section 7.9 “Get SMART: The Social Media Awareness and Response Team”). Bloggers, beware—there are dozens of examples of workers who have been fired for what employers viewed as inappropriate posts.

Blogs can be hosted via third-party services (Google Blogger, WordPress, Tumblr, TypePad, Windows Live Spaces), with most offering a combination of free and premium features. Blogging features have also been incorporated into social networks such as Facebook, MySpace, and Ning, as well as corporate social media platforms such as Socialtext. Blogging software can also be run on a blogger’s own servers, allowing the developer more control in areas such as security and formatting. The most popular platform for users choosing to host their own blog server is the open source WordPress system.

In the end, the value of any particular blog derives from a combination of technical and social features. The technical features make it easy for a blogger and his or her community to engage in an ongoing conversation on some topic of shared interest. But the social norms and patterns of use that emerge over time in each blog are what determine whether technology features will be harnessed for good or ill. Some blogs develop norms of fairness, accuracy, proper attribution, quality writing, and good faith argumentation, and attract readers that find these norms attractive. Others mix it up with hotly contested debate, one-sided partisanship, or deliberately provocative posts, attracting a decidedly different type of discourse.

Key Takeaways

  • Blogs provide a rapid way to distribute ideas and information from one writer to many readers.
  • Ranking engines, trackbacks, and comments allow a blogger’s community of readers to spread the word on interesting posts and participate in the conversation, and help distinguish and reinforce the reputations of widely read blogs.
  • Well-known blogs can be powerfully influential, acting as flashpoints on public opinion.
  • Firms ignore influential bloggers at their peril, but organizations should also be cautious about how they use and engage blogs, and avoid flagrantly promotional or biased efforts.
  • Top blogs have gained popularity, valuations, and profits that far exceed those of many leading traditional newspapers, and leading blogs have begun to attract well-known journalists away from print media.
  • Senior executives from several industries use blogs for business purposes, including marketing, sharing ideas, gathering feedback, press response, image shaping, and reaching consumers directly without press filtering.

Questions and Exercises

  1. Visit Technorati and find out which blogs are currently the most popular. Why do you suppose the leaders are so popular?
  2. How are popular blogs discovered? How is their popularity reinforced?
  3. Are blog comment fields useful? If so, to whom or how? What is the risk associated with allowing users to comment on blog posts? How should a blogger deal with comments that they don’t agree with?
  4. Why would a corporation, an executive, a news outlet, or a college student want to blog? What are the benefits? What are the concerns?
  5. Identify firms and executives that are blogging online. Bring examples to class and be prepared to offer your critique of their efforts.
  6. How do bloggers make money? Do all bloggers have to make money? Do you think the profit motive influences their content?
  7. Investigate current U.S. Federal Trade Commission laws (or the laws in your home country) that govern bloggers and other social media use. How do these restrictions impact how firms interact with bloggers? What are the penalties and implications if such rules aren’t followed? Are there unwritten rules of good practice that firms and bloggers should consider as well? What might those be?
  8. According to your reading, how does the popularity of the blog The Huffington Post compare with that of newspaper Web sites?
  9. What advantage do blogs have over the MSM? What advantage does the MSM have over the most popular blogs?
  10. Start a blog using Blogger, WordPress, or some other blogging service. Post a comment to another blog. Look for the trackback field when making a post, and be sure to enter the trackback for any content you cite in your blog.

7.3 Wikis

Learning Objectives

After studying this section you should be able to do the following:

  1. Know what wikis are and how they are used by corporations and the public at large.
  2. Understand the technical and social features that drive effective and useful wikis.
  3. Suggest opportunities where wikis would be useful and consider under what circumstances their use may present risks.
  4. Recognize how social media such as wikis and blogs can influence a firm’s customers and brand.

A wikiA Web site that can be modified by anyone, from directly within a Web browser (provided that user is granted edit access). is a Web site anyone can edit directly within a Web browser (provided the site grants the user edit access). Wikis derive their name from the Hawaiian word for “quick.” Ward Cunningham, the “wiki father,” christened this new class of software with the moniker in honor of the wiki-wiki shuttle bus at the Honolulu airport. Wikis can indeed be one of the speediest ways to collaboratively create content online. Many popular online wikis serve as a shared knowledge repository in some domain.

The largest and most popular wiki is Wikipedia, but there are hundreds of publicly accessible wikis that anyone can participate in. Each attempts to chronicle a world of knowledge within a particular domain, with examples ranging from Wine Wiki for oenophiles to Wookieepedia, the Star Wars wiki. But wikis can be used for any collaborative effort—from meeting planning to project management. And in addition to the hundreds of public wikis, there are many thousands more hidden away behind firewalls, used as proprietary internal tools for organizational collaboration.

Like blogs, the value of a wiki derives from both technical and social features. The technology makes it easy to create, edit, and refine content; to learn when content has been changed, how, and by whom; and to change content back to a prior state. But it is the social motivations of individuals (to make a contribution, to share knowledge) that allow these features to be harnessed. The larger and more active a wiki community, the more likely it is that content will be up-to-date and that errors will be quickly corrected (again, we see the influence of network effects, where products and services with larger user bases become more valuable). Several studies have shown that large community wiki entries are as accurate as, or more accurate than, their professional publication counterparts.S. Robert Lichter, Are Chemicals Killing Us? Statistical Assessment Service, May 21, 2009; J. Kane, R. Fichman, J. Gallaugher, and J. Glaser, “Community Relations 2.0,” Harvard Business Review, November 2009.

Want to add to or edit a wiki entry? On most sites you just click the “Edit” link. Wikis support what you see is what you get (WYSIWYG)A phrase used to describe graphical editing tools, such as those found in a wiki, page layout program, or other design tool. editing that, while not as robust as traditional word processors, is still easy enough for most users to grasp without training or knowledge of arcane code or markup language. Users can make changes to existing content and can easily create new pages or articles and link them to other pages in the wiki. Wikis also provide a version history. Click the “History” link on Wikipedia, for example, and you can see when edits were made and by whom. This feature allows the community to roll backThe ability to revert a wiki page to a prior version. This is useful for restoring earlier work in the event of a posting error, inaccuracy, or vandalism. a wiki to a prior page, in the event that someone accidentally deletes key info, or intentionally defaces a page.

Vandalism is a problem on Wikipedia, but it’s more of a nuisance than a crisis. A Wired article chronicled how Wikipedia’s entry for former U.S. President Jimmy Carter was regularly replaced by a photo of a “scruffy, random unshaven man with his left index finger shoved firmly up his nose.”D. Pink, “The Book Stops Here,” Wired, March 2005. Nasty and inappropriate, to be sure, but the Wikipedia editorial community is now so large and so vigilant that most vandalism is caught and corrected within seconds. Watch-lists for the most active targets (say the Web pages of political figures or controversial topics) tip off the community when changes are made. The accounts of vandals can be suspended, and while mischief-makers can log in under another name, most vandals simply become discouraged and move on. It’s as if an army of do-gooders follows a graffiti tagger and immediately repaints any defacement.


As with blogs, a wiki’s feature set varies depending on the specific wiki tool chosen, as well as administrator design, but most wikis support the following key features:

  • All changes are attributed, so others can see who made a given edit.
  • A complete revision history is maintained so changes can be compared against prior versions and rolled back as needed.
  • There is automatic notification and monitoring of updates; users subscribe to wiki content and can receive updates via e-mail or RSS feed when pages have been changed or new content has been added.
  • All the pages in a wiki are searchable.
  • Specific wiki pages can be classified under an organized tagging scheme.
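The automatic-notification feature in the list above amounts to a publish-subscribe pattern. A minimal sketch might look like the following (hypothetical names, with e-mail or RSS delivery abstracted into a simple callback):

```python
from typing import Callable, Dict, List

# A subscriber callback receives the page title and the editor's name.
Subscriber = Callable[[str, str], None]


class WikiNotifier:
    """Sketch of per-page update subscriptions (publish-subscribe)."""

    def __init__(self):
        self._subscribers: Dict[str, List[Subscriber]] = {}

    def subscribe(self, page: str, callback: Subscriber) -> None:
        # Users register interest in a specific page's changes.
        self._subscribers.setdefault(page, []).append(callback)

    def page_changed(self, page: str, editor: str) -> None:
        # Fan the change event out to everyone watching this page; a real
        # wiki would send an e-mail or update an RSS feed here.
        for callback in self._subscribers.get(page, []):
            callback(page, editor)
```

In a production wiki the callback would be replaced by an e-mail sender or an RSS feed writer, but the structure is the same: watchers register once, and every subsequent edit is fanned out to them automatically.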

Wikis are available both as software (commercial as well as open source varieties) that firms can install on their own computers or as online services (both subscription and ad-supported) where content is hosted off-site by third parties. Since wikis can be started without the oversight or involvement of a firm’s IT department, their appearance in organizations often comes from grassroots user initiative. Many wiki services offer additional tools such as blogs, message boards, or spreadsheets as part of their feature set, making many wikis full-featured platforms for social computing.

Jump-starting a wiki can be a challenge, and an underused wiki can be a ghost town of orphan, out-of-date, and inaccurate content. Fortunately, once users see the value of wikis, use and effectiveness often snowball. The unstructured nature of wikis is both a strength and a weakness. Some organizations employ wikimastersIndividuals often employed by organizations to review community content in order to delete excessive posts, move commentary to the best location, and edit as necessary. to “garden” community content: “prune” excessive posts, “transplant” commentary to the best location, and “weed” as necessary. Several wiki vendors also publish guides to the stages of wiki adoption, along with collections of community-building and content-building strategies.

Examples of Wiki Use

Wikis can be vital tools for collecting and leveraging knowledge that would otherwise be scattered throughout an organization; reducing geographic distance; removing boundaries between functional areas; and flattening preexisting hierarchies. Companies have used wikis in a number of ways:

  • At Pixar, all product meetings have an associated wiki to improve productivity. The online agenda ensures that all attendees can arrive knowing the topics and issues to be covered. Anyone attending the meeting (and even those who can’t make it) can update the agenda, post supporting materials, and make comments to streamline and focus in-person efforts.
  • At European investment bank Dresdner Kleinwort Wasserstein, employees use wikis for everything from setting meeting agendas to building multimedia training for new hires. Six months after launch, wiki use had surpassed activity on the firm’s established intranet. Wikis are also credited with helping to reduce Dresdner e-mail traffic by 75 percent.D. Carlin, “Corporate Wikis Go Viral,” BusinessWeek, March 12, 2007.
  • Sony’s PlayStation team uses wikis to regularly maintain one-page overviews on the status of various projects. In this way, legal, marketing, and finance staff can get quick, up-to-date status reports on relevant projects, including the latest projected deadlines, action items, and benchmark progress. Strong security measures are enforced that limit access to only those who must be in the know, since the overviews often discuss products that have not been released.
  • Employees at investment-advisory firm Manning and Napier use a wiki to collaboratively track news in areas of critical interest. Providing central repositories for employees to share articles and update evolving summaries on topics such as health care legislation enables the firm to collect and focus what would otherwise be fragmented findings and insight. Now all employees can refer to central pages that each serve as a lightning rod attracting the latest and most relevant findings.
  • Intellipedia is a secure wiki built on Intelink, a U.S. government system connecting sixteen spy agencies, military organizations, and the Department of State. The wiki is a “magnum opus of espionage,” handling some one hundred thousand user accounts and five thousand page edits a day. Access is classified in tiers as “unclassified,” “secret,” and “top secret” (the latter hosting 439,387 pages and 57,248 user accounts). A page on the Mumbai terror attacks was up within minutes of the event, while a set of field instructions relating to the use of chlorine-based terror bombs in Iraq was posted and refined within two days of material identification—with the document edited by twenty-three users at eighteen locations.M. Calabrese, “Wikipedia for Spies: The CIA Discovers Web 2.0,” Time, April 8, 2009.

When brought outside the firewall, corporate wikis can also be a sort of value-generation greenhouse, allowing organizations to leverage input from their customers and partners:

  • Intuit has created a “community wiki” that encourages the sharing of experience and knowledge not just regarding Intuit products, such as QuickBooks, but also across broader topics its customers may be interested in, such as industry-specific issues (e.g., architecture, nonprofit) or small business tips (e.g., hiring and training employees). The TurboTax maker has also sponsored a wiki-based tax resource and research community.
  • Microsoft leveraged its customer base to supplement documentation for its Visual Studio software development tool. The firm was able to enter the Brazilian market with Visual Studio in part because users had created product documentation in Portuguese.R. King, “No Rest for the Wiki,” BusinessWeek, March 12, 2007.
  • ABC and CBS have created public wikis for the television programs Lost, The Amazing Race, and CSI, among others, offering an outlet for fans, and a way for new viewers to catch up on character backgrounds and complex plot lines.
  • Executive Travel, owned by American Express Publishing, has created a travel wiki for its more than one hundred and thirty thousand readers with the goal of creating what it refers to as “a digital mosaic that in theory is more authoritative, comprehensive, and useful” than comments on a Web site, and far more up-to-date than any paper-based travel guide.R. King, “No Rest for the Wiki,” BusinessWeek, March 12, 2007. Of course, one challenge in running such a corporate effort is that there may be a competing public effort already in place. An established public travel wiki currently holds the top spot in the category, and network effects suggest it will likely grow and remain more current than rival efforts.

Don’t Underestimate the Power of Wikipedia

Not only is the nonprofit Wikipedia, with its enthusiastic army of unpaid experts and editors, replacing the three-hundred-year reference reign of Encyclopedia Britannica, but Wikipedia entries can also affect nearly all large organizations. Wikipedia is the go-to, first-choice reference site for a generation of “netizens,” and Wikipedia entries are invariably among the top links, often the first link, to appear in Internet search results.

This position means that anyone from top executives to political candidates to any firm large enough to warrant an entry has to contend with the very public commentary offered up in a Wikipedia entry. In the same way that firms monitor their online reputations in blog posts and Twitter tweets, they’ve also got to keep an eye on wikis.

But firms that overreach and try to influence an entry outside of Wikipedia’s mandated neutral point of view (NPOV)An editorial style that is free of bias and opinion. Wikipedia norms dictate that all articles must be written in NPOV., risk a backlash and public exposure. Version tracking means the wiki sees all. Users on computers at right-leaning Fox News were embarrassingly caught editing the wiki page of the lefty pundit and politician Al Franken (a nemesis of Fox’s Bill O’Reilly);A. Bergman, “Wikipedia Is Only as Anonymous as your I.P.,” O’Reilly Radar, August 14, 2007. Sony staffers were flagged as editing the entry for the Xbox game Halo 3;I. Williams, “Sony Caught Editing Halo 3 Wikipedia Entry,”, September 5, 2007. and none other than Wikipedia founder Jimmy Wales was criticized for editing his own Wikipedia biographyE. Hansen, “Wikipedia Founder Edits Own Bio,” Wired, December 19, 2005.—acts that some consider bad online form at best, and dishonest at worst.

One last point on using Wikipedia for research. Remember that according to its own stated policies, Wikipedia isn’t an original information source; rather, it’s a clearinghouse for verified information. So citing Wikipedia as a reference usually isn’t considered good form. Instead, seek out original (and verifiable) sources, such as those presented via the links at the bottom of Wikipedia entries.

Key Takeaways

  • Wikis can be powerful tools for many-to-many content collaboration, and can be ideal for creating resources that benefit from the input of many such as encyclopedia entries, meeting agendas, and project status documents.
  • The greater the number of wiki users, the more likely the information contained in the wiki will be accurate and grow in value.
  • Wikis can be public or private.
  • The availability of free or low-cost wiki tools can create a knowledge clearinghouse on topics, firms, products, and even individuals. Organizations can seek to harness the collective intelligence (wisdom of crowds) of online communities. The openness of wikis also acts as a mechanism for promoting organizational transparency and accountability.

Questions and Exercises

  1. Visit a wiki, either an established site like Wikipedia, or a wiki service like Socialtext. Make an edit to a wiki entry or use a wiki service to create a new wiki for your own use (e.g., for a class team to use in managing a group project). Be prepared to share your experience with the class.
  2. What factors determine the value of a wiki? Which key concept, first introduced in Chapter 2 “Strategy and Technology: Concepts and Frameworks for Understanding What Separates Winners from Losers”, drives a wiki’s success?
  3. If anyone can edit a wiki, why aren’t more sites crippled by vandalism or by inaccurate or inappropriate content? Are there technical reasons not to be concerned? Are there “social” reasons that can alleviate concern?
  4. Give examples of corporate wiki use, as well as examples where firms used wikis to engage their customers or partners. What is the potential payoff of these efforts? Are there risks associated with these efforts?
  5. Do you feel that you can trust content in wikis? Do you feel this content is more or less reliable than content in print encyclopedias? Than the content in newspaper articles? Why?
  6. Have you ever run across an error in a wiki entry? Describe the situation.
  7. Is it ethical for a firm or individual to edit their own Wikipedia entry? Under what circumstances would editing a Wikipedia entry seem unethical to you? Why? What are the risks a firm or individual is exposed to when making edits to public wiki entries? How do you suppose individuals and organizations are identified when making wiki edits?
  8. Would you cite Wikipedia as a reference when writing a paper? Why or why not?

7.4 Electronic Social Networks

Learning Objectives

After studying this section you should be able to do the following:

  1. Know what social networks are, be able to list key features, and understand how they are used by individuals, groups, and corporations.
  2. Understand the differences among the major social networks MySpace, Facebook, and LinkedIn.
  3. Recognize the benefits and risks of using social networks.
  4. Be aware of trends that may influence the evolution of social networks.

Social networksAn online community that allows users to establish a personal profile and communicate with others. Large public social networks include MySpace, Facebook, LinkedIn, and Google’s Orkut. have garnered increasing attention as established networks grow and innovate, new networks emerge, and value is demonstrated. MySpace signed a billion-dollar deal to carry ads from Google’s AdSense network. Meanwhile, privately held Facebook has blown past the flagging MySpace. Its leadership in privacy management, offering new features, allowing third-party applications on its platform, and providing sophisticated analytics tools to corporations and other on-site sponsors have helped the firm move beyond its college roots. LinkedIn, which rounds out the big three U.S. public social networks, has grown to the point where its influence is threatening recruiting sites like Monster and CareerBuilder.M. Boyle, “Recruiting: Enough to Make a Monster Tremble,” BusinessWeek, June 25, 2009. It now offers services for messaging, information sharing, and even integration with the BusinessWeek Web site.

Media reports often mention MySpace, Facebook, and LinkedIn in the same sentence. However, while these networks share some common features, they serve very different purposes. MySpace pages are largely for public consumption. With early roots in the music scene, MySpace casts itself as a media discovery tool bringing together users with similar tastes.B. Johnson, “MySpace Bosses Battle to Oust Facebook from Social Networking Top Spot,” The Guardian, March 15, 2010.

Facebook, by contrast, is more oriented towards reinforcing existing social ties between people who already know each other. This difference leads to varying usage patterns. Since Facebook is perceived by users as relatively secure, with only invited “friends” seeing your profile, over a third of Facebook users post their mobile phone numbers on their profile pages.

LinkedIn was conceived from the start as a social network for business users. The site’s profiles act as a sort of digital Rolodex that users update as they move or change jobs. Users can pose questions to members of their network, engage in group discussions, ask for introductions through mutual contacts, and comment on others’ profiles (e.g., recommending a member). Active members find the site invaluable for maintaining professional contacts, seeking peer advice, networking, and even recruiting. Carmen Hudson, Starbucks manager of enterprise staffing, states LinkedIn is “one of the best things for finding midlevel executives.”R. King, “No Rest for the Wiki,” BusinessWeek, March 12, 2007. Such networks are also putting increasing pressure on firms to work particularly hard to retain top talent. While once HR managers fiercely guarded employee directories for fear that a list of talent may fall into the hands of rivals, today’s social networks make it easy for anyone to gain a list of a firm’s staff, complete with contact information.

While these networks dominate in the United States, the network effect and cultural differences work to create islands where other social networks are favored by a particular culture or region. The first site to gain traction in a given market is usually the winner. Google’s Orkut, Mixi, and Cyworld have small U.S. followings, but are among the largest sites in Brazil, Japan, and South Korea. Research by Ipsos Insight also suggests that users in many global markets, including Brazil, South Korea, and China, are more active social networkers than their U.S. counterparts.Ipsos Insights, Online Video and Social Networking Web Sites Set to Drive the Evolution of Tomorrow’s Digital Lifestyle Globally, July 5, 2007.

Perhaps the most powerful (and controversial) feature of most social networks is the feedAn update on an individual’s activities that are broadcast to a member’s contacts or “friends.” Feeds may include activities such as posting messages, photos, or video, joining groups, or installing applications. (or newsfeed). Pioneered by Facebook but now adopted by most services, feeds provide a timely update on the activities of people or topics that an individual has an association with. Feeds can give you a heads-up when someone makes a friend, joins a group, posts a photo, or installs an application.

Feeds are inherently viralIn this context, information or applications that spread rapidly between users.. By seeing what others are doing on a social network, feeds can rapidly mobilize populations and dramatically spread the adoption of applications. Leveraging feeds, it took just ten days for the Facebook group Support the Monks’ Protest in Burma to amass over one hundred and sixty thousand Facebook members. Feeds also helped music app iLike garner three million Facebook users just two weeks after its launch.S. Lacy, Once You’re Lucky, Twice You’re Good: The Rebirth of Silicon Valley and the Rise of Web 2.0 (New York: Gotham Books, 2008); and K. Nicole, “iLike Sees Exponential Growth with Facebook App,” Mashable, June 11, 2007. Its previous Web-based effort took eight months to reach those numbers.
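The one-to-many broadcast behind this viral spread can be sketched in a few lines. The sketch below is purely illustrative (the function and variable names are assumptions, not any real service's API): each member action is pushed into the feeds of everyone following that member, which is how a single act of joining a group can ripple across a network.

```python
# Hypothetical "fan-out on write" feed: every action a member takes is
# copied into the feed of each member who follows them.
from collections import defaultdict

followers = defaultdict(set)   # member -> set of members following them
feeds = defaultdict(list)      # member -> list of activity items they see

def follow(fan, target):
    """Record that `fan` wants updates about `target`."""
    followers[target].add(fan)

def post_activity(member, activity):
    """Broadcast one of `member`'s actions to every follower's feed."""
    item = f"{member}: {activity}"
    for fan in followers[member]:
        feeds[fan].append(item)

follow("alice", "bob")
follow("carol", "bob")
post_activity("bob", "joined a protest group")
# Both alice's and carol's feeds now carry bob's update; this one-to-many
# push is what lets a single action spread virally across the network.
```

Real services handle the same fan-out at enormous scale, which is why a group can gain tens of thousands of members in days.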

But feeds are also controversial. Many users react negatively to this sort of public broadcast of their online activity, and feed mismanagement can create public relations snafus, user discontent, and potentially open up a site to legal action. Facebook initially dealt with a massive user outcry at the launch of feeds, and faced a subsequent backlash when its Beacon service broadcast user purchases without first explicitly asking their permission, and during attempts to rework its privacy policy and make Facebook data more public and accessible. (See Chapter 8 “Facebook: Building a Business from the Social Graph” for more details.)

Social Networks

The foundation of a social network is the user profile, but utility goes beyond the sort of listing found in a corporate information directory. Typical features of a social network include support for the following:

  • Detailed personal profiles
  • Affiliations with groups (e.g., alumni, employers, hobbies, fans, health conditions)
  • Affiliations with individuals (e.g., specific “friends”)
  • Private messaging and public discussions
  • Media sharing (text, photos, video)
  • Discovery-fueling feeds of recent activity among members (e.g., status changes, new postings, photos, applications installed)
  • The ability to install and use third-party applications tailored to the service (games, media viewers, survey tools, etc.), many of which are also social and allow others to interact

Corporate Use of Social Networks

Hundreds of firms have established “fan” pages on Facebook and communities on LinkedIn. These are now legitimate customer- and client-engagement platforms that also support advertising. If a customer presses the “like” button on a firm’s Facebook page and becomes a “fan,” corporate information will appear in that customer’s newsfeed, gaining more user attention than the often-ignored ads that run on the sides of social networks. (For more on social networks and advertising, see Chapter 8 “Facebook: Building a Business from the Social Graph”.)

But social networks have also become organizational productivity tools. Many employees have organized groups using publicly available social networking sites because similar tools are not offered by their firms. Workforce Management reported that MySpace had over forty thousand groups devoted to companies or coworkers, while Facebook had over eight thousand.E. Frauenheim, “Social Revolution,” Workforce Management, October 2007. Assuming a large fraction of these groups are focused on internal projects, this demonstrates a clear pent-up demand for corporate-centric social networks (and creates issues as work dialogue moves outside firm-supported services).

Many firms are choosing to meet this demand by implementing internal social network platforms that are secure and tailored to firm needs. At the most basic level, these networks have supplanted the traditional employee directory. Social network listings are easy to update and expand. Employees are encouraged to add their own photos, interests, and expertise to create a living digital identity.

Firms such as Deloitte, Dow Chemical, and Goldman Sachs have created social networks for “alumni” who have left the firm or retired. These networks can be useful in maintaining contacts for future business leads, rehiring former employees (20 percent of Deloitte’s experienced hires are so-called boomerangs, or returning employees), or recruiting retired staff to serve as contractors when labor is tight.R. King, “Social Networks: Execs Use Them Too,” BusinessWeek, November 11, 2006. Maintaining such networks will be critical in industries like IT and health care that are likely to be plagued by worker shortages for years to come.

Social networking can also be important for organizations like IBM, where some 42 percent of employees regularly work from home or client locations. IBM’s social network makes it easier to locate employee expertise within the firm, organize virtual work groups, and communicate across large distances.W. Bulkley, “Playing Well with Others,” Wall Street Journal, June 18, 2007. As a dialogue catalyst, a social network transforms the public directory into a font of knowledge sharing that promotes organization flattening and value-adding expertise sharing.

While IBM has developed its own social network platforms, firms are increasingly turning to third-party vendors like SelectMinds (adopted by Deloitte, Dow Chemical, and Goldman Sachs) and LiveWorld (adopted by Intuit, eBay, the NBA, and Scientific American). Ning allows anyone to create a social network and currently hosts over 2.3 million separate online communities.K. Swisher, “Ning CEO Gina Bianchini to Step Down—Becomes an EIR at Andreessen Horowitz,” AllThingsD, March 15, 2010.

A Little Too Public?

As with any type of social media, content flows in social networks are difficult to control. Embarrassing disclosures can emerge from public systems or insecure internal networks. Employees embracing a culture of digital sharing may err and release confidential or proprietary information. Networks could serve as a focal point for the disgruntled (imagine the activity on a corporate social network after a painful layoff). Publicly declared affiliations, political or religious views, excessive contact, declined participation, and other factors might lead to awkward or strained employee relationships. Users may not want to add a coworker as a friend on a public network if it means they’ll expose their activities, lives, persona, photos, sense of humor, and friends as they exist outside of work. And many firms fear wasted time as employees surf the musings and photos of their peers.

All are advised to be cautious in their social media sharing. Employers are trawling the Internet, mining Facebook, and scouring YouTube for any tip-off that a would-be hire should be passed over. A word to the wise: those Facebook party pics, YouTube videos of open mic performances, or blog postings from a particularly militant period might not age well and may haunt you forever in a Google search. Think twice before clicking the upload button! As Socialnomics author Erik Qualman puts it, “What happens in Vegas stays on YouTube (and Flickr, Twitter, Facebook…).”

Firms have also created their own online communities to foster brainstorming and customer engagement. Dell’s IdeaStorm forum collects user feedback and is credited with prompting new product offerings, such as the firm’s introduction of a Linux-based laptop.D. Greenfield, “How Companies Are Using I.T. to Spot Innovative Ideas,” InformationWeek, November 8, 2008. At MyStarbucksIdea.com, the coffee giant has leveraged user input to launch a series of innovations ranging from splash sticks that prevent spills in to-go cups, to new menu items. Both IdeaStorm and MyStarbucksIdea run on a platform offered by Salesforce.com that not only hosts these sites but also provides integration into Facebook and other services. Starbucks (the corporate brand with the most Facebook “fans”) has extensively leveraged the site, using Facebook as a linchpin in the “Free Pastry Day” promotion (credited with generating one million in-store visits in a single day) and in promoting the firm’s AIDS-related (Starbucks) RED campaign, which garnered an astonishing three hundred ninety million “viral impressions” through feeds, wall posts, and other messaging.M. Brandau, “Starbucks Brews Up Spot on the List of Top Social Brands in 2008,” Nation’s Restaurant News, April 6, 2009.

Social Networks and Health Care

Dr. Daniel Palestrant often shows a gruesome slide that provides a powerful anecdote for Sermo, the social network for physicians that he cofounded and where he serves as CEO. The image is of an eight-inch saw blade poking through both sides of the bloodied thumb of a construction worker who’d recently arrived in a hospital emergency room. A photo of the incident was posted to Sermo, along with an inquiry on how to remove the blade without damaging tissue or risking a severed nerve. Within minutes replies started coming back. While many replies advised to get a hand surgeon, one novel approach suggested cutting a straw lengthwise, inserting it under the teeth of the blade, and sliding the protected blade out while minimizing further tissue tears.M. Schulder, “50on50: Saw Blade through Thumb. What Would You Do?” CNN, November 4, 2009. The example illustrates how doctors using tools like Sermo can tap into the wisdom of crowds to save thumbs and a whole lot more.

Sermo is a godsend to remote physicians looking to gain peer opinion on confounding cases or other medical questions. The American Medical Association endorsed the site early on,The AMA and Sermo have since broken ties; see B. Comer, “Sermo and AMA Break Ties,” Medical Marketing and Media, July 9, 2009. and the Nature scientific journals have included a “Discuss on Sermo” button alongside the online versions of their medical articles. Doctors are screened and verified to maintain the integrity of participants. Members leverage the site both to share information with each other and to engage in learning opportunities provided by pharmaceutical companies and other firms. Institutional investors also pay for special access to poll Sermo doctors on key questions, such as opinions on pending FDA drug approval. Sermo posts can send valuable warning signals on issues such as disease outbreaks or unseen drug side effects. And doctors have also used the service to rally against insurance company policy changes.

While Sermo focuses on the provider side of the health care equation, a short walk from the firm’s Cambridge, Massachusetts, headquarters will bring one to PatientsLikeMe (PLM), a social network empowering chronically ill patients across a wide variety of disease states. The firm’s “openness policy” is in contrast to privacy rules posted on many sites and encourages patients to publicly track and post conditions, treatments, and symptom variation over time, using the site’s sophisticated graphing and charting tools. The goal is to help others improve the quality of their own care by harnessing the wisdom of crowds.

Todd Small, a multiple sclerosis sufferer, used the member charts and data on PLM to discover that his physician had been undermedicating him. After sharing site data with his doctor, his physician verified the problem and upped the dose. Small reports that the finding changed his life, helping him walk better than he had in a decade and a half and eliminating a feeling that he described as being trapped in “quicksand.”T. Goetz, “Practicing Patients,” New York Times Magazine, March 23, 2008. In another example of PLM’s people power, the site ran its own clinical trial–like experiment to rapidly investigate promising claims that the drug Lithium could improve conditions for ALS (amyotrophic lateral sclerosis) patients. While community efforts did not support these initial claims, a decision was arrived at in months, whereas previous efforts to marshal researchers and resources to focus on the relatively rare disease would have taken many years, even if funding could be found.J. Kane, R. Fichman, J. Gallaugher, and J. Glaser, “Community Relations 2.0,” Harvard Business Review, November 2009.

Both Sermo and PatientsLikeMe are start-ups that are still exploring the best way to fund their efforts for growth and impact. Regardless of where these firms end up, it should be clear from these examples that social media will remain a powerful force on the health care landscape.

Key Takeaways

  • Electronic social networks help individuals maintain contacts, discover and engage people with common interests, share updates, and organize as groups.
  • Modern social networks are major messaging services, supporting private one-to-one notes, public postings, and broadcast updates or “feeds.”
  • Social networks also raise some of the strongest privacy concerns, as status updates, past messages, photos, and other content linger, even as a user’s online behavior and network of contacts changes.
  • Network effects and cultural differences result in one social network being favored over others in a particular culture or region.
  • Information spreads virally via news feeds. Feeds can rapidly mobilize populations, and dramatically spread the adoption of applications. The flow of content in social networks is also difficult to control and sometimes results in embarrassing public disclosures.
  • Feeds have a downside and there have been instances where feed mismanagement has caused user discontent, public relations problems, and the possibility of legal action.
  • The use of public social networks within private organizations is growing, and many organizations are implementing their own, private, social networks.
  • Firms are also setting up social networks for customer engagement and mining these sites for customer ideas, innovation, and feedback.

Questions and Exercises

  1. Visit the major social networks (MySpace, Facebook, LinkedIn). What distinguishes one from the other? Are you a member of any of these services? Why or why not?
  2. How are organizations like Deloitte, Goldman Sachs, and IBM using social networks? What advantages do they gain from these systems?
  3. What factors might cause an individual, employee, or firm to be cautious in their use of social networks?
  4. How do you feel about the feed feature common in social networks like Facebook? What risks does a firm expose itself to if it leverages feeds? How might a firm mitigate these kinds of risks?
  5. What sorts of restrictions or guidelines should firms place on the use of social networks or the other Web 2.0 tools discussed in this chapter? Are these tools a threat to security? Can they tarnish a firm’s reputation? Can they enhance a firm’s reputation? How so?
  6. Why do information and applications spread so quickly within networks like Facebook? What feature enables this? What key promotional concept (described in Chapter 2 “Strategy and Technology: Concepts and Frameworks for Understanding What Separates Winners from Losers”) does this feature foster?
  7. Why are some social networks more popular in some nations than others?
  8. Investigate social networks on your own. Look for examples of their use for fostering political and social movements; for their use in health care, among doctors, patients, and physicians; and for their use among other professional groups or enthusiasts. Identify how these networks might be used effectively, and also look for any potential risks or downside. How are these efforts supported? Is there a clear revenue model, and do you find these methods appropriate or potentially controversial? Be prepared to share your findings with your class.

7.5 Twitter and the Rise of Microblogging

Learning Objectives

After studying this section you should be able to do the following:

  1. Appreciate the rapid rise of Twitter—its scale, scope, and broad appeal.
  2. Understand how Twitter is being used by individuals, organizations, and political movements.
  3. Contrast Twitter and microblogging with Facebook, conventional blogs, and other Web 2.0 efforts.
  4. Consider the commercial viability of the effort, its competitive environment, and concerns regarding limited revenue.

Spawned in 2006 as a side project at the now-failed podcasting start-up Odeo (an effort backed by Blogger founder Evan Williams), Twitter has been on a rocket ride. The site’s user numbers have blasted past those of both mainstream and new media sites, dwarfing the New York Times, LinkedIn, and Digg, among others. Reports surfaced of rebuffed buyout offers as high as $500 million.S. Ante, “Facebook’s Thiel Explains Failed Twitter Takeover,” BusinessWeek, March 1, 2009. By the firm’s first developer conference in April 2010, Twitter and its staff of 175 employees had created a global phenomenon embraced by over one hundred million users worldwide.

Twitter is a microbloggingA type of short-message blogging, often made via mobile device. Microblogs are designed to provide rapid notification to their readership (e.g., a news flash, an update on one’s activities), rather than detailed or in-depth comments. Twitter is the most popular microblogging service. service that allows users to post 140-character messages (tweetsA Twitter post, limited to 140 characters.) via the Web, SMSA text messaging standard used by many mobile phones., or a variety of third-party desktop and smartphone applications. The microblog moniker is a bit of a misnomer. The service actually has more in common with Facebook’s status updates and news feeds than it does with traditional blogs. But unlike Facebook, where most users must approve “friends” before they can see status updates, Twitter’s default setting allows for asymmetrical following (although it is possible to set up private Twitter accounts and to block followers).
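The contrast between Facebook-style mutual "friending" and Twitter-style one-way following comes down to how the relationship is modeled. The sketch below is an illustrative simplification (no real service's data model): a symmetric tie is an unordered pair that both parties share, while a follow is an ordered pair that runs one way by default.

```python
# Symmetric "friendship" vs. asymmetric "following" (illustrative only).
friends = set()     # unordered pairs: both parties see each other's updates
following = set()   # ordered (follower, followed) pairs: one-way by default

def befriend(a, b):
    """Symmetric: one mutual relationship, visible from either side."""
    friends.add(frozenset((a, b)))

def follow(follower, followed):
    """Asymmetric: no approval by the followed party is modeled here."""
    following.add((follower, followed))

befriend("alice", "bob")
follow("fan", "celebrity")

# The mutual tie reads the same in either direction...
assert frozenset(("bob", "alice")) in friends
# ...but a follow runs one way only.
assert ("fan", "celebrity") in following
assert ("celebrity", "fan") not in following
```

This asymmetry is what lets a celebrity amass millions of followers without approving, or following back, any of them.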

Sure, there’s a lot of inane “tweeting” going on—lots of meaningless updates that read, “I’m having a sandwich” or “in line at the airport.” But while not every user may have something worthwhile to tweet, many find that Twitter makes for invaluable reading, offering a sense of what friends, customers, thought leaders, and newsmakers are thinking. Twitter leadership has described the service as communicating “The Pulse of the Planet.”E. Schonfeld, “Twitter’s Internal Strategy Laid Bare: To Be ‘The Pulse of The Planet,’” TechCrunch, July 19, 2009. For many, Twitter is a discovery engine, a taste-making machine, a critical source of market intelligence, a source of breaking news, and an instantaneous way to plug into the moment’s zeitgeist.

Many also find Twitter to be an effective tool for quickly blasting queries to friends, colleagues, or strangers who might offer potentially valuable input. Says futurist Paul Saffo, “Instead of creating the group you want, you send it and the group self-assembles.”C. Miller, “Putting Twitter’s World to Use,” New York Times, April 13, 2009. Users can classify comments on a given topic using hash tagsA method for organizing tweets where keywords are preceded by the # character. (keywords preceded by the “#” or “hash” symbol), allowing others to quickly find related tweets (e.g., #iranelection, #mumbai, #swineflu, #sxsw). Any user can create a hash tag—just type it into your tweet (you may want to search Twitter first to make sure that the tag is not in use by an unrelated topic and that if it is in use, it appropriately describes how you want your tweet classified).
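Because a hash tag is just a convention embedded in the message text, pulling tags out of a tweet is a simple pattern-matching exercise. The sketch below is a minimal illustration, not Twitter's actual tokenizer (the real rules for what characters a tag may contain are more involved):

```python
# Extract hash tags from a tweet's text (simplified illustration).
import re

HASHTAG = re.compile(r"#(\w+)")

def extract_hashtags(tweet):
    """Return lowercased tags so #SXSW and #sxsw group together."""
    return [tag.lower() for tag in HASHTAG.findall(tweet)]

tags = extract_hashtags("Landed in Austin for #SXSW, follow #sxsw for updates")
# tags == ["sxsw", "sxsw"]
```

Normalizing case is one reason searches on a tag can sweep up every variant spelling of the same topic.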

Twitter users have broken news during disasters, terror attacks, and other major events. Dictators fear the people power Twitter enables, and totalitarian governments worldwide have moved to block citizen access to the service (prompting Twitter to work on censor-evading technology). During the 2009 Iranian election protests, the U.S. State Department even asked Twitter to postpone maintenance to ensure the service would continue to be available to support the voice and activism of Iran’s democracy advocates.C. Ruffini, “State Dept. Asked Twitter to Delay Maintenance,” CBS News, June 16, 2009.

Twitter is also emerging as a legitimate business tool. Consider the following commercial examples:

  • Starbucks uses Twitter in a variety of ways. It has run Twitter-based contests and used the service to spread free samples of new products, such as its VIA instant coffee line. Twitter has also been a way for the company to engage customers in its cause-based marketing efforts, such as (Starbucks) RED, which supports (Product) RED. Starbucks has even recruited staff via Twitter and was one of the first firms to participate in Twitter’s advertising model featuring “promoted tweets.”
  • Dell used Twitter to uncover an early warning sign indicating poor design of the keyboard on its Mini 9 Netbook PC. After a series of tweets from early adopters indicated that the apostrophe and return keys were positioned too closely together, the firm dispatched design change orders quickly enough to correct the problem when the Mini 10 was launched just three months later. By December 2009, Dell also claimed to have netted $6.5 million in outlet store sales referred via the Twitter account @DellOutlet (more than 1.5 million followers)K. Eaton, “Twitter Really Works: Makes $6.5 Million in Sales for Dell,” Fast Company, December 8, 2009. and another $1 million from customers who have bounced from the outlet to the new products site.J. Abel, “Dude—Dell’s Making Money Off Twitter!” Wired News, June 12, 2009.
  • Brooklyn Museum patrons can pay an additional $20 a year for access to the private, members-only “1stFans” Twitter feed that shares information on special events and exclusive access to artist content.
  • Twitter is credited with having raised millions via Text-to-Donate and other fundraising efforts following the Haiti earthquake.
  • Twitter can be a boon for sharing time-sensitive information. The True Massage and Wellness Spa in San Francisco tweets last-minute cancellations to tell customers of an unexpected schedule opening. With Twitter, appointments remain booked solid. Gourmet food trucks, popular in many American cities, are also using Twitter to share location and create hipster buzz. Los Angeles’s Kogi Korean Taco Truck now has over sixty thousand followers and uses Twitter to reveal where it’s parked, ensuring long lines of BBQ-craving foodies. Of the firm’s success, owner Roy Choi says, “I have to give all the credit to Twitter.”A. Romano, “Now 4 Restaurant 2.0,” Newsweek, February 28, 2009.
  • Electronics retailer Best Buy has recruited over 2,300 Blue Shirt and Geek Squad staffers to crowdsource Twitter-driven inquiries via @Twelpforce, the firm’s customer service Twitter account. Best Buy staffers register their personal Twitter accounts on a separate Best Buy–run site. Then any tweet from a registered employee that includes the #twelpforce hash tag will automatically be echoed through @Twelpforce, with the employee’s account credited at the end of the tweet. As of November 2009, Twelpforce had provided answers to over 19,500 customer inquiries.“Case Study: Best Buy Twelpforce,” Twitter 101.

Figure 7.1 A Sampling of Tweets Filtered through Best Buy’s @Twelpforce Twitter Account

Surgeons and residents at Henry Ford Hospital have even tweeted during brain surgery (the teaching hospital sees the service as an educational tool). Some tweets are from those so young they’ve got “negative age.” Kickbee is an experimental fetal monitor band that sends tweets when motion is detected: “I kicked Mommy at 08:52.” And savvy hackers are embedding “tweeting” sensors into all sorts of devices. Botanicalls, for example, offers an electronic flowerpot stick that detects when plants need care and sends Twitter status updates to owners (sample post: “URGENT! Water me!”).

Organizations are well advised to monitor Twitter activity related to the firm, as it can act as a sort of canary in a coal mine, uncovering emerging events. Users are increasingly leveraging the service to form flash protest crowds. Amazon.com, for example, was caught off guard over a spring 2009 holiday weekend when thousands used Twitter to rapidly protest the firm’s reclassification of gay and lesbian books (hash tag #amazonfail). Others use the platform for shame and ridicule. BP has endured withering ridicule from the satire account @BPGlobalPR (followed by roughly 200,000 users two months after the Gulf oil spill).

For all the excitement, many wonder if Twitter is overhyped. Some reports suggest that many Twitter users are curious experimenters who drop the service shortly after signing up.D. Martin, “Update: Return of the Twitter Quitters,” Nielsen Wire, April 30, 2009. This raises the question of whether Twitter is a durable phenomenon or just a fad.

Pundits also wonder if revenues will ever justify initially high valuations and if rivals could usurp Twitter’s efforts with similar features. Thus far, Twitter has been following a “grow-first-harvest-later” approach.J. Murrell, “Twitter Treads Gently into Advertising Minefield,” San Jose Mercury News, April 13, 2010. The site’s rapid rise has allowed it to attract enough start-up capital to approach revenue gradually and with caution, in the hope that it won’t alienate users with too much advertising (an approach not unlike Google’s efforts to nurture YouTube). MIT’s Technology Review reports that data sharing deals with Google and Bing may have brought in enough money to make the service profitable in 2009, but that amount was modest (just $25 million).D. Talbot, “Can Twitter Make Money?” Technology Review, March/April 2010. Twitter’s advertising platform is expected to be far more lucrative. Reflecting Twitter’s “deliberately cautious” approach to revenue development, the ad model featuring sponsored “promoted tweets” rolled out first as part of search results, with distribution to individual Twitter feeds progressing as the firm experiments and learns what works best for users and advertisers.

Another issue: many Twitter users rarely visit the site. Most active users post and read tweets using one of many (often free) applications provided by third parties, such as Seesmic, TweetDeck, and Twhirl. This is possible because Twitter makes its data available for free to other developers via an API (application programming interface)Programming hooks, or guidelines, published by firms that tell other programs how to get a service to perform a task such as send or receive data. For example, Amazon.com provides APIs to let developers write their own applications and Web sites that can send the firm orders.. Exposing data can be a good move: it has spawned an ecosystem of over one hundred thousand complementary third-party products and services that enhance Twitter’s reach and usefulness (generating network effects from complementary offerings similar to other “platforms” like Windows, iPhone, and Facebook). But there are potential downsides to such openness. If users don’t visit Twitter’s own site, that lessens the impact of any ads running there. This creates what is known as the free rider problemWhen others take advantage of a user or service without providing any sort of reciprocal benefit., where users benefit from a service while offering no value in exchange. Encouraging software and service partners to carry Twitter-supplied ads in exchange for a cut of the revenue could lessen the free rider problem.P. Kafka, “Twitter’s Ad Plan: Copy Google,” AllThingsD, February 25, 2010.
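What a third-party client does with such an API can be sketched in a few lines. The host, path, parameter names, and JSON shape below are hypothetical stand-ins for illustration, not Twitter's actual endpoints; the point is that a published API lets outside software fetch and display a service's data without the user ever visiting the service's own site.

```python
# Illustrative REST-style API consumption (hypothetical endpoint and fields).
import json
from urllib.parse import urlencode

def build_query_url(base, **params):
    """Assemble a GET URL for a keyword search against a (hypothetical) API."""
    return base + "?" + urlencode(params)

url = build_query_url("https://api.example.com/search", q="#swineflu", count=5)
# url == "https://api.example.com/search?q=%23swineflu&count=5"

# A third-party client would fetch `url` over HTTP, then parse the JSON
# response and render the results in its own interface:
canned_response = '{"results": [{"user": "cdc", "text": "#swineflu update"}]}'
tweets = json.loads(canned_response)["results"]
```

Because the client, not the service's Web site, renders the data, any ads on the service's site never reach these users, which is exactly the free rider concern described above.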

When users don’t visit a service, it is more difficult to spread awareness of new products and features. It can also create branding challenges and customer frustration. Twitter execs lamented that customers were often confused when they searched for “Twitter” in the iPhone App Store and were presented with scores of offerings but none from Twitter itself.D. Goldman, “Twitter Grows Up: Take a Peek Inside,” CNN, April 16, 2010. Twitter’s purchase of the iPhone app Tweetie (subsequently turned into the free “Twitter for iPhone” app) and the launch of its own URL-shortening service (competing with bit.ly and others) signal that Twitter is willing to move into product and service niches and compete with third parties reliant on the Twitter ecosystem.

Microblogging does appear to be here to stay, and the impact of Twitter has been deep, broad, stunningly swift, and at times humbling in the power that it wields. But whether Twitter will be a durable, profit-gushing powerhouse remains to be seen. Speculation on Twitter’s future hasn’t prevented many firms from commercializing new microblogging services, and a host of companies have targeted these tools for internal corporate use. Salesforce.com’s Chatter, Socialtext Signals, and Yammer are all services that have been billed as “Twitter for the Enterprise.” Such efforts allow for Twitter-style microblogging where participation and viewing are restricted to firm-approved accounts.

Key Takeaways

  • While many public and private microblogging services exist, Twitter remains by far the dominant service.
  • Unlike status updates found on services like Facebook and LinkedIn, Twitter’s default supports asymmetric communication, where someone can follow updates without first getting their approval. This function makes Twitter a good choice for anyone cultivating a following—authors, celebrities, organizations, and brand promoters.
  • You don’t need to tweet to get value. Many Twitter users follow friends, firms, celebrities, and thought leaders, quickly gaining access to trending topics.
  • Twitter hash tags (keywords preceded by the # character) are used to organize “tweets” on a given topic. Users can search on hash tags, and many third-party applications allow for Tweets to be organized and displayed by tag.
  • Firms are leveraging Twitter in a variety of ways, including: promotion, customer response, gathering feedback, and time-sensitive communication.
  • Like other forms of social media, Twitter can serve as a hothouse that attracts opinion and forces organizational transparency and accountability.
  • Activists have leveraged the service worldwide, and it has also served as an early warning mechanism in disasters, terror, and other events.
  • Despite its rapid growth and impact, significant questions remain regarding the firm’s durability, revenue prospects, and enduring appeal to initial users.
  • Twitter makes its data available to third parties via an API (application programming interface). The API has helped a rich ecosystem of over seventy thousand Twitter-supporting products and services emerge. But by making the Twitter stream available to third parties, Twitter may suffer from the free rider problem, where other firms benefit from Twitter’s service without providing much benefit back to Twitter itself. New ad models may provide a way to distribute revenue-generating content through these services. Twitter has also begun acquiring firms that compete with other players in its ecosystem.
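The hash-tag convention described in the takeaways above is simple enough to sketch in a few lines. The regular expression here is a simplification of Twitter’s actual tokenization rules, but it shows how third-party tools can group tweets by topic.

```python
import re

# Match a "#" followed by word characters -- a simplified hash-tag pattern.
HASHTAG = re.compile(r"#(\w+)")

def extract_hashtags(tweet):
    """Return the hash tags in a tweet, lowercased so #Haiti and #haiti group together."""
    return [tag.lower() for tag in HASHTAG.findall(tweet)]

print(extract_hashtags("Relief updates here #Haiti #earthquake"))  # ['haiti', 'earthquake']
```

Because tags are just text inside the tweet, any application receiving the Twitter stream can index and display tweets by topic without coordinating with Twitter itself.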

Questions and Exercises

  1. If you don’t already have one, set up a Twitter account and “follow” several others. Follow a diverse group—corporations, executives, pundits, or other organizations. Do you trust that these account holders are who they say they are? Why? Which examples do you think use the service most effectively? Which provide the weaker examples of effective Twitter use? Why? Have you encountered Twitter “spam” or unwanted followers? What can you do to limit such experiences? Be prepared to discuss your experiences in class.
  2. If you haven’t done so, install a popular Twitter application such as TweetDeck, Seesmic, or a Twitter client for your mobile device. Why did you select the product you chose? What advantages does your choice offer over simply using Twitter’s Web page? What challenges do these clients offer Twitter? Does the client you chose have a clear revenue model? Is it backed by a viable business?
  3. Visit Twitter’s search page. Which Twitter hash tags are most active at this time? Are there other “trending topics” that aren’t associated with hash tags? What do you think of the activity in these areas? Is there legitimate, productive activity happening? Search Twitter on topics, firms, brand names, and issues of interest to you. What do you think of the quality of the information you’ve uncovered on Twitter? Who might find this to be useful?
  4. Why would someone choose to use Twitter over Facebook’s status update, or other services? Which (if either) do you prefer and why?
  5. What do you think of Twitter’s revenue prospects? Is the firm a viable independent service or simply a feature to be incorporated into other social media activity? Advocate where you think the service will be in two years, five, ten. Would you invest in Twitter? Would you suggest that other firms do so? Why?
  6. Assume the role of a manager for your firm. Advocate how the organization should leverage Twitter and other forms of social media. Provide examples of effective use, and cautionary tales, to back up your recommendation.
  7. Some instructors have mandated Twitter for classroom use. Do you think this is productive? Would your professor advocate tweeting during lectures? What are the pros and cons of such use? Work with your instructor to discuss a set of common guidelines for in-class and course use of social media.
  8. As of this writing, Twitter was just rolling out advertising via “promoted tweets.” Perform some additional research. How have Twitter’s attempts to grow revenues fared? How has user growth been trending? Has the firm’s estimated value increased or decreased from the offer figures cited in this chapter? Why?
  9. What do you think of Twitter’s use of the API? What are the benefits of offering an API? What are the downsides? Would you create a company to take advantage of the Twitter API? Why or why not?
  10. Follow this book’s author on Twitter. Tweet him if you run across interesting examples that you think would be appropriate for the next version of the book.

7.6 Other Key Web 2.0 Terms and Concepts

Learning Objectives

After studying this section you should be able to do the following:

  1. Know key terms related to social media, peer production, and Web 2.0, including RSS, folksonomies, mash-ups, location-based services, virtual worlds, and rich media.
  2. Provide examples of the effective business use of these terms and technologies.


RSSA method for sending/broadcasting data to users who subscribe to a service’s “RSS feed.” Many Web sites and blogs forward headlines to users who subscribe to their “feed,” making it easy to scan headlines and click to access relevant news and information. (an acronym that stands for both “really simple syndication” and “rich site summary”) enables busy users to scan the headlines of newly available content and click on an item’s title to view items of interest, thus sparing them from having to continually visit sites to find out what’s new. Users begin by subscribing to an RSS feed for a Web site, blog, podcast, or other data source. The title or headline of any new content will then show up in an RSS readerA tool for subscribing to and accessing RSS feeds. Most e-mail programs and Web browsers can also act as RSS readers. There are also many Web sites (including Google Reader) that allow users to subscribe to and read RSS feeds.. Subscribe to the New York Times Technology news feed, for example, and you will regularly receive headlines of tech news from the Times. Viewing an article of interest is as easy as clicking the title you like. Subscribing is often as easy as clicking on the RSS icon appearing on the home page of a Web site of interest.

Many firms use RSS feeds as a way to manage information overload, opting to distribute content via feed rather than e-mail. Some even distribute corporate reports via RSS. RSS readers are offered by third-party Web sites such as Google and Yahoo!, and they have been incorporated into all popular browsers and most e-mail programs. Most blogging platforms provide a mechanism for bloggers to automatically publish a feed when each new post becomes available. Google’s FeedBurner is the largest publisher of RSS blog feeds, and offers features to distribute content via e-mail as well.
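A minimal sketch of what an RSS reader does under the hood: parse the feed’s XML and list the item titles. The feed below is an inline sample following standard RSS 2.0 structure; a real reader would fetch the XML from a site’s feed URL instead.

```python
import xml.etree.ElementTree as ET

# An inline sample feed; a real reader would download this from a feed URL.
SAMPLE_FEED = """\
<rss version="2.0">
  <channel>
    <title>Example Tech News</title>
    <item><title>Headline one</title><link>http://example.com/1</link></item>
    <item><title>Headline two</title><link>http://example.com/2</link></item>
  </channel>
</rss>"""

def feed_headlines(feed_xml):
    """Return (title, link) pairs for each item in an RSS 2.0 feed."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title"), item.findtext("link"))
            for item in root.iter("item")]

for title, link in feed_headlines(SAMPLE_FEED):
    print(title, "->", link)
```

Because every feed shares this structure, one reader program can aggregate headlines from thousands of unrelated sites, which is precisely what spares users from visiting each site to check for new content.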

Figure 7.2

RSS readers like Google Reader can be an easy way to scan blog headlines and click through to follow interesting stories.

Figure 7.3

Web sites that support RSS feeds will have an icon in the address bar. Click it to subscribe.


FolksonomiesKeyword-based classification systems created by user communities (also known as social tagging). (sometimes referred to as social tagging) are keyword-based classification systems created by user communities as they generate and review content. (The label is meant to refer to a people-powered taxonomy.) Bookmarking site Del.icio.us, photo-sharing site Flickr (both owned by Yahoo!), and Twitter’s hash tags all make heavy use of folksonomies.

With this approach, classification schemes emerge from the people most likely to understand them—the users. By leveraging the collective power of the community to identify and classify content, objects on the Internet become easier to locate, and content carries a degree of recommendation and endorsement.

Flickr cofounder Stewart Butterfield describes the spirit of folksonomies, saying, “The job of tags isn’t to organize all the world’s information into tidy categories, it’s to add value to the giant piles of data that are already out there.”D. Terdiman, “Folksonomies Tap People Power,” Wired, February 1, 2005. The Guggenheim Museum in New York City and the San Francisco Museum of Modern Art, among other museums, are taking a folksonomic approach to their online collections, allowing user-generated categories to supplement the specialized lexicon of curators. Amazon.com has introduced a system that allows readers to classify books, and most blog posts and wiki pages allow for social tagging, oftentimes with hot topics indexed and accessible via a “tag cloud” in the page’s sidebar.
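A folksonomy emerges from nothing more sophisticated than counting the tags users apply. The sketch below (the tags are made up for illustration) aggregates per-item tags into the frequency data behind a “tag cloud.”

```python
from collections import Counter

# Hypothetical user-applied tags for a handful of shared photos.
user_tags = [
    ["sunset", "beach", "vacation"],
    ["beach", "surfing"],
    ["sunset", "beach"],
]

def tag_frequencies(tagged_items):
    """Merge every user's tags into one frequency count -- the raw data behind a tag cloud."""
    counts = Counter()
    for tags in tagged_items:
        counts.update(tags)
    return counts

print(tag_frequencies(user_tags).most_common(2))  # [('beach', 3), ('sunset', 2)]
```

No curator defined “beach” as a category in advance; the classification scheme emerged from the users, which is the defining trait of a folksonomy.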


Mash-upsThe combination of two or more technologies or data feeds into a single, integrated tool. are combinations of two or more technologies or data feeds into a single, integrated tool. Some of the best-known mash-ups leverage Google’s mapping tools. Housingmaps.com combines Craigslist apartment listings with Google Maps for a map-based display for apartment hunters. IBM linked together job feeds and Google Maps to create a job-seeker service for victims of Hurricane Katrina. SimplyHired links job listings with Google Maps, LinkedIn listings, and salary data from PayScale. And Salesforce.com has tools that allow data from its customer relationship management (CRM) system to be combined with data feeds and maps from third parties.

Mash-ups are made easy by a tagging system called XMLAbbreviation of Extensible Markup Language. A tagging language that can be used to identify data fields made available for use by other applications. For example, programmers may wrap XML tags around elements in an address data stream (e.g., 〈business name〉, 〈street address〉, 〈city〉, 〈state〉) to allow other programs to recognize and use these data items. (for extensible markup language). Site owners publish the parameters of XML data feeds that a service can accept or offer (e.g., an address, price, product descriptions, images). Other developers are free to leverage these public feeds using application programming interfaces (APIs), published instructions on how to make programs call one another, to share data, or to perform tasks. Using APIs and XML, mash-up authors smoosh together seemingly unrelated data sources and services in new and novel ways. Lightweight, browser-friendly software technologies like Ajax and HTML5 can often make a Web site interface as rich as a desktop application, and rapid deployment frameworks like Ruby on Rails can enable and accelerate mash-up creation and deployment.
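The address example from the XML definition above can be made concrete. This sketch wraps XML tags around address fields and shows how another program, knowing only the published tag names, can pull the data back out (the tag names and values here are illustrative).

```python
import xml.etree.ElementTree as ET

# An address record published as an XML data feed (tag names are illustrative).
record = """\
<listing>
  <business_name>Acme Coffee</business_name>
  <street_address>1 Main St</street_address>
  <city>Boston</city>
  <state>MA</state>
</listing>"""

def parse_listing(xml_text):
    """Read the fields a mash-up needs (e.g., to plot the business on a map)."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.text for child in root}

print(parse_listing(record)["city"])  # Boston
```

Because the tags label each data item, a mapping mash-up can grab the city and state to place a marker without ever coordinating with the site that published the feed.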

Location-Based Services

Computing devices increasingly know wher