IINS5211MM

IIE Module Manual IINS5211
Introduction to Information Systems

MODULE MANUAL/GUIDE 2023
(First Edition: 2022)
This manual enjoys copyright under the Berne Convention. In terms of the Copyright
Act, no 98 of 1978, no part of this manual may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording or
by any other information storage and retrieval system without permission in writing
from the proprietor.
The Independent Institute of Education (Pty) Ltd is registered

with the Department of Higher Education and Training as a
private higher education institution under the Higher Education
Act, 1997 (reg. no. 2007/HE07/002). Company registration
number: 1987/004754/07.
© The Independent Institute of Education (Pty) Ltd 2023 Page 1 of 109

DID YOU KNOW?
Student Portal
The full-service Student Portal provides you with access to your academic
administrative information, including:
• an online calendar,
• timetable,
• academic results,
• module content,
• financial account, and so much more!
Module Guides or Module Manuals
When you log into the Student Portal, the ‘Module Information’ page displays the
‘Module Purpose’ and ‘Textbook Information’ including the online ‘Module Guides or
‘Module Manuals’ and assignments for each module for which you are registered.
Supplementary Materials
For certain modules, electronic supplementary material is available to you via the
‘Supplementary Module Material’ link.
Module Discussion Forum
The ‘Module Discussion Forum’ may be used by your lecturer to discuss any topics
with you related to any supplementary materials and activities such as ICE, etc.
To view, print and annotate these related PDF documents, download Adobe
Reader at following link below:
www.adobe.com/products/reader.html

IIE Library Online Databases
The following Library Online Databases are available. These links will prompt you for
a username and password. Use the same username and password as for student
portal. Please contact your librarian if you are unable to access any of these. Here
are links to some of the databases:
Library Website This library website gives access to various online

resources and study support guides
[Link]
LibraryConnect The Online Public Access Catalogue. Here you will be

(OPAC) able to search for books that are available in all the IIE
campus libraries.
[Link]
EBSCOhost This database contains full text online articles.

[Link]
EBSCO eBook This database contains full text online eBooks.

Collection [Link]
SABINET This database will provide you with books available in

other libraries across South Africa.
[Link]
DOAJ DOAJ is an online directory that indexes and provides

access to high quality, open access, peer-reviewed
journals.
[Link]
DOAB Directory of open access books.

[Link]
IIESPACE The IIE open access research repository

[Link]
Emerald Emerald Insight

[Link]
HeinOnline Law database

[Link]
JutaStat Law database

[Link]

Table of Contents
Using this Manual ...................................................................................................... 6
Introduction ............................................................................................................... 7
Module Resources ..................................................... Error! Bookmark not defined.
Module Purpose ......................................................... Error! Bookmark not defined.
Module Outcomes ...................................................... Error! Bookmark not defined.
Pacer and Assessment Brief Applicable to Module: MODULE IINS5211 ............Error!
Bookmark not defined.
Module Pacer ............................................................. Error! Bookmark not defined.
Assessments .............................................................. Error! Bookmark not defined.
Learning Unit 1: Information Systems in Business ..................................................... 8
1 Introduction ........................................................................................................ 9
2 Building blocks of Information Systems .............................................................. 9
3 Information Systems Development ................................................................... 18
4 The Strategic Value of Information Systems ..................................................... 24
5 Recommended Additional Reading .................................................................. 28
6 Activities ........................................................................................................... 30
7 Revision Exercises ........................................................................................... 31
Learning Unit 2: Web Technologies for Business .................................................... 32
1 Introduction ...................................................................................................... 33
2 Evolution of the Web ........................................................................................ 33
3 Centralised and distributed computing models ................................................. 36
4 E-Commerce and m-Commerce ....................................................................... 46
6 Activities ........................................................................................................... 50
Learning Unit 3: Information Security ...................................................................... 52
1 Introduction ...................................................................................................... 53
2 The Information Security Triad ......................................................................... 53
3 Cybersecurity Threats ...................................................................................... 53
4 Cybersecurity controls ...................................................................................... 59
5 Cybersecurity Risk Management ...................................................................... 64
7 Activities ........................................................................................................... 71
Learning Unit 4: Issues provided by IS .................................................................... 73
9 Introduction ...................................................................................................... 74
10 Legal Issues of IS............................................................................................. 74
11 Ethical Issues of IS ........................................................................................... 79
12 Societal Issues of IS ......................................................................................... 83
14 Activities ........................................................................................................... 86
Learning Unit 5: Organisational Information Systems .............................................. 88
1 Introduction ...................................................................................................... 89
2 Information Systems......................................................................................... 89

3 Enterprise Resource Planning (ERP) Systems ................................................. 93

4 Accounting Information Systems ...................................................................... 95
6 Activities ........................................................................................................... 97
8 Bibliography ..................................................................................................... 99
Intellectual Property................................................................................................105

Using this Manual

This manual has been developed to meet the specific objectives of the module and
uses several different sources. It functions as a stand-alone resource for this module
and no prescribed textbook or material is therefore required. There may, however, be
occasions when additional readings are also recommended to supplement the
information provided. Where these are specified, please ensure that you engage with
the reading as indicated.
Various activities and revision questions are included in the learning units of this
manual. These are designed to help you to engage with the subject matter as well as
to help you prepare for your assessments.

Introduction
Welcome to the Introduction to Information Systems (IS) module. This module
provides you with an insight into the role of information systems within organisations.
This module focuses on the concept of the value of technology for future accounting
and finance professionals, and decision makers.
Since the dawn of technology, there have been significant shifts from IS being a
trendy piece of hardware for an IT manager, towards the driving IS to meet the
demands of businesses related to increased profitability, reduced cost, and strategic
business value. In the early days of technology, the “best tech” was reserved for
large corporate organisations with sizeable IT budgets. However, we are aware that
technology has become commoditised and easily accessible to organisations of all
sizes, irrespective of their size or technology budget.
In order to fully understand how IS can help organisations to achieve value, this
module begins with outlining the fundamentals of IS in organisations. Thereafter,
focus is placed on Internet technologies including different computing models
(centralised and decentralised) and different e-commerce models. Then, the module
focuses on information security threats, risk management and controls. The issues to
consider when working with IS are then discussed ranging from ethical to legal and
social issues.
Throughout this module, you will be required to engage with several texts including
seminal works, blogs, websites, whitepapers, and academic articles. In engaging with
these resources alongside your own research, you will develop an understanding of
how IS influences organisations and adds strategic business value.
To obtain maximum value from this module, it is encouraged that you do not limit
your knowledge to what is contained in the Module Guide and prescribed material.
Instead, broaden your horizon by following global and local technology blobs on
social media and attempting to situate current affairs into what you learn in this
module – your lecturer will also point out how what is happening in the world around
you is related to this module. Consider how organisations are using various
technologies to solve their business problems and begin to seek solutions to the
problems of your profession and your community in the technologies you see around
you. As you will learn in this module, it’s how you use the technology that really adds
value.
We hope that you enjoy this module and that you leave with an awareness of and
interest in potential of the technologies that you could ultimately encounter in your
profession.

Learning Unit 1: Information Systems in Business

Learning Objectives: My notes
1. Define an information system (IS).

2. Describe the components of an information
system.
3. Distinguish between the different types of
information systems.
4. Explain the process of developing software.
5. Discuss the different approaches to developing
enterprise applications
6. Discuss the implications of developing cross-
platform applications.
7. Explain the strategic value of IS for business.
8. Explain the strategic evolution of technology in
organisations.
9. Discuss the impact of the 4th industrial revolution
on 21st century organisations.
Material used for this learning unit:\
• Module Manual.
• Recommended readings outlined in this learning
unit.
How to prepare for this learning unit:
• Before this learning unit, consult the

recommended readings.
• Go onto technology websites like TechCentral,
MyBroadband and BusinessInsider and conduct
research on how information systems affect
South African organisations today.

1 Introduction
As we get into a module on Information Systems for business,
we need to explore some first principles related to the topic. As
such, in this learning unit, we will explore the building blocks of
information systems, understand how information systems are
developed, and explore how they add value to organisations.
We also explore the implications of 4IR going into the future.
2 Building blocks of Information

Systems
2.1 What is an information system?
Globally, organisations collect information on their users,
clients, employees, and suppliers. This information is utilised in
different ways to enhance the overall client experience and
deliver business value. However, it is important that
organisations collect (input), store, process, and share (output)
information in a manner that is allows them to be efficient and
profitable. To enable this, organisations turn to information
systems.
An information system is defined as a combination of

interrelated components that enable organisations to collect,
process, store and share information with the intention of
supporting business decision making, enabling coordination
and control of resources, and allowing analysis and
visualisation of data (Bourgeois, Smith, Wang, and Mortati,
2019).
Information systems are the central pillar of most organisations

today and organisations use information systems for integral
business functions including client engagement, collaborate,
transaction and sales processing, information storage, HR,
operations, client support, financial reporting, and auditing.
When you go out to eat, go shopping, make a payment using
your card or mobile device, book a holiday, or even interact
with your university, the entire process is facilitated by
information systems, many times working together to ensure
that your request is processed successfully.

2.2 Building blocks of an information system

The information systems within an organisation are not
restricted to just the applications used. Information systems
comprises all the hardware (devices), software (apps),
databases, telecommunications, processes, and people that
enable organisations to function and complete tasks.
Consider the example of making a purchase from a large retail

store and paying for the purchase with your card:
• As you walk through the store, you pick items that you
need to purchase. These items have prices attached to
them – the labels were generated using information
stored digitally somewhere within the organisation and
printed out on labels – the process was facilitated by an
information system.
• You go to the till and hand your items to cashier who
scans the barcodes of the items. Using the barcode, the
point-of-sale system accesses the prices of each item
(from a database somewhere within the organisation)
and calculates your order total – this process was also
facilitated by an information system.
• Then, you tap your card to make payment. When you
tap, the card machine might connect to your bank’s
server to confirm the availability of funds and reserve the
funds for your purchase. The bank’s servers will reply
approving (or declining) the transaction – you guessed it,
information systems at work here too.
• The cashier will print out your receipt and off you go.
To facilitate the transaction above, you relied on different

hardware and software components interacting over a network
to process your purchase.
If you were to reflect on the impact of information systems on

making our lives easier, just think about a power outage
affecting the example above. If information systems fail or
don’t support organisations, clients and staff are affected in a
manner that affects profitability.
The process can be facilitated by an information system

without much human intervention - Checkers just revealed a
shop without tills, run on AI and machine vision:
https://www.businessinsider.co.za/checkers-rush-concept-
store-has-no-checkout-and-no-queues-2021-8 [Accessed13
January 2023].

2.2.1 Hardware
As explained by Bourgeois et al (2019), hardware is the

tangible, physical portion of an information system that can be
touched. Another way to look at it is if you hit someone with it,
it will hurt. Hardware includes the internal components of
devices including the processor, motherboard, memory,
storage devices and external devices that facilitate input and
output of data through hardware like the keyboard, mouse,
monitor, printers and scanners, and camera, speakers, and
microphones. You are probably aware of these devices but if
needed, watch this video to learn more about the internal
hardware components of a computer:
https://www.youtube.com/watch?v=HB4I2CgkcCo and this
video to learn about the external hardware components of a
computer: https://www.youtube.com/watch?v=mLgTnkw558w.
[Accessed13 January 2023].
Before we move onto software, it is also necessary to consider

the form factors of hardware. Ultimately, the key functionality of
an information system is to enable the input, processing, and
output of data within an organisation and this ability is not
limited to desktop devices. Information systems may be
accessed through devices like laptops, tablets, smartphones,
wearable devices, and sensors (Bourgeois et al., 2019).
As technology is advancing, the Internet of Things will become

relatively mainstream is IoT incorporates any connected device
that is able to send or receive data over a network. IoT is
transforming industries like healthcare, education, agriculture,
aviation, entertainment, retail, and the automotive industry by
allowing them to automate processes, better understand their
business and become more efficient – check out this video:
https://www.youtube.com/watch?v=6YaXKxXSli0 [Accessed13
January 2023].
2.2.2 Software
Broadly speaking, software is of two types: operating systems

and application software (or what we call apps). As can be
gleaned from the figure alongside, operating systems and
applications, while different, are related. The operating system
functions between applications and the hardware and the
applications provide the interact to the user to interact with the
operating system and the underlying hardware. Let us delve
deeper into these two types of software.
Figure 1
2 - Different types of
software (Bourgeois et al, 2019).

2.2.2.1 Operating systems
Operating systems are essential for the functioning of

electronic devices and are loaded when your computer books
up. They provide memory and processor management,
hardware resource management, software management, user
interface rendering, and provide a platform upon which
developers can build and run other applications. This video
explains operating systems:
https://www.youtube.com/watch?v=fkGCLIQx1MI [Accessed
13 January 2023].
The common desktop or laptop operating systems in use today

are Microsoft Windows, MacOS, Linux whilst in the mobile
space Android and iOS are predominant. Whilst there are
different sources of data on the market share of each operating
system, there is consensus that Microsoft Windows dominates
in terms of desktop operating systems and Android dominates
when it comes to mobile operating systems. Here are some
stats to consider: https://gs.statcounter.com/os-market-share.
[Accessed 13 January 2023].
It is necessary to consider the level at which different operating

systems are adopted by users as this in-turn influences the
platforms that organisations roll out their own applications on.
For example, if one were to develop a mobile app, which can
be costly, which operating system (or systems) would it not be
worth building for?
2.2.2.2 Application software
Now that we have explored the operating system, let us

explore the application software.
Application software is used by organisations to complete

specific tasks and are a set of instructions that tell the
operating system and underlying hardware what to do.
Applications are used to process business transactions,
achieve productivity, facilitate communication, perform
calculations, browse the Internet, consume multimedia, play
games, or even, in the case of software developers, to develop
new software (Bourgeois et al, 2019). You can watch this video
to better understand applications:
https://www.youtube.com/watch?v=3gMOYZoMtEs.
[Accessed13 January 2023].
Typically, applications are purchased from software providers

on a once-off basis but a more common method of acquiring

software is through a license agreement or a subscription.

Whilst this format of acquiring software means that end-users
do not own the software, it does provide a means for protection
against software piracy and allows users to get updates and
security fixes as they are rolled out (Bourgeois et al, 2019).
However, licensing and subscriptions result in software
acquisitions being an operational expense rather than a capital
expense.
At a consumer-level, applications are installed from stores like

the Windows Store (https://www.microsoft.com/en-
za/store/apps/windows), Google Play Store
(https://play.google.com/) and Apple App Store
(https://www.apple.com/app-store/). However, with enterprise
applications, the installation and maintenance of such
installations would rest with an organisation’s IT department.
We will explore the concept of cloud applications later in this

module.
2.2.3 Databases
When one considers a simple example of saving simple data

on an information system, hardware, and software, as
discussed above, do not allow for data to be saved and
persisted. In order to achieve persistence, information systems
utilise databases.
To better understand the role of a database, one needs to

consider the relationship between data, information, and
knowledge (Bourgeois et al., 2019).
Figure 34 – Data
At its most basic form, data comprises the raw facts that are in information
collected by organisations. For example, in a doctor’s surgery systems
that might include a patients address, medical condition, (Bourgeois et
symptoms, etc. al, 2019).
Data, once processed or transformed, becomes information.

An example of this would a doctor pulling a report of all
patients who reside in a particular area and cross-checking the
patients’ symptoms. In order to access this report, the doctor
would need some means to sort, filter or organise the data that
has already been collected.

Once the human mind, lived experiences and contextual

circumstances are applied to information, this results in
knowledge. When combined with prior knowledge and
experience, knowledge has the potential to become wisdom.
Continuing with our example of a doctor’s surgery, the doctor
can consider nearby pollutants, patient complaints, and other
documented cases, to form a diagnosis and treatment plan
based on their own knowledge and experience.
Using the explanation above, it follows that a database is a tool

to store different types of data in an organised, structured and
logical manner (Bourgeois et al., 2019). Common database
technologies include relational databases (like Microsoft SQL,
MySQL and Oracle) and non-relational databases (like
MongoDB, Redis and Firebase). The distinguishing factor
between relational and non-relational databases lies in the fact
that data in relational databases is stored in tables with a
specific structure while data in non-relational databases is
stored in non-tabular documents which do not follow a rigid
structure.
Considering real-world data, both types of databases are

relevant. If we were to look at sales transactions in a retail
store, this data is relatively structured and can be stored in a
relational database. However, if we were to equip shopping
trolleys with sensors that show how customers move through a
store, the data will vary from customer to customer and will be
largely unstructured.
The ability to analyse relational data differs from non-relational

data. Relational data can be queried due to its definite
structure whilst analysing non-relational data takes us into the
realm of big data and machine learning due to the uncertainty
associated with the nature of the data. Using big data, we can
begin to delve into predictive analytics and better forecasting –
give this video a watch:
https://www.youtube.com/watch?v=jH44SfUNpWw [Accessed
13 January 2023].
2.2.4 Networks
Networks has transformed how information systems are used

by organisations across the globe. To give context to this,
consider how willingly you would visit a hotel or a coffee shop
which does not offer Wi-Fi.

Within the context of information systems, it emerges that

hardware, software and databases rely on the underlying
networks to transfer data. These include wireless and wired
networking media.
From the perspective of wireless networks, technologies like

Wi-Fi and Bluetooth enable transmission of data within a short
distance and are typically used within organisations or
even teams. Such networks are managed by IT
departments. Mobile broadband technologies like 4G and
5G technologies are used to transmit data across longer
distances and enable communication and collaboration
between organisations. Such networks are often shared
and are managed by telecommunications providers
(Bourgeois et al., 2019).
From the perspective of traditional organisational

networking, organisational networks typically comprise
LANs with intranets for the exclusive use of Figure 5 6 – Business Networks
employees, extranets for suppliers and customers to (Bourgeois et al, 2019).
access and transact on, and the Internet for
accessibility by the general public (Bourgeois et al., 2019).
However, with the rise of e-commerce, it is becoming
increasingly common for customers to access an
organisation’s public website to perform a transaction.
Another common medium that is used by telecommunications

providers to transmit data across wide areas is fibre optic
cables (Bourgeois et al, 2019). The Earth is wrapped in fibre
optic cables that run underground and under the ocean. To get
an idea of how many global undersea telecommunications
cables actually exist, visit this tool:
https://www.submarinecablemap.com/ [Accessed 13 January
2023].
2.2.5 Processes
Every organisation follows its own series of steps when

completing a task or achieving a goal. These processes are
refined over time and incorporate what an organisation
describes as best-practice in their field.
To ensure sustainability of organisations and to allow

organisations to extract maximum value from technology, it is
necessary that information systems are modelled on business
processes to ensure that information systems facilitate process
automation, derive business values, and enable the meeting of
business objectives (Bourgeois et al., 2019). As such, a critical

part of an information system is the modelling of business

processes and management of process documentation. Often,
the business analysis will complete this process and work with
software developers to ensure that this is achieved.
2.2.6 People
Over the past few years, there has been a shift in how IT has
been viewed by organisations. While this context will be
shared later in this learning unit, let us explore the nature of
the people component in information systems.
At a management level, the head of the information systems

function is typically referred to as the Chief Information Officer
(CIO) or IT Director whose primary goal is to ensure alignment
between information systems plans and operations, and the
strategic goals of the organisation. This executive-level person
is the face of IT within the organisation and needs to ensure
that the organisation’s IT strategy is effectively planned,
communicated, budgeted for, and executed upon (Bourgeois
et al., 2019).
Sitting at a level below the CIO are Functional Managers who

are responsible for a specific subset of the IT function. These
functions could include IT operations, help-desk support,
networking management, cyber security, and knowledge
management. This varies per organisation based on the key
focus of the IT strategy (Bourgeois et al., 2019).
Some other stakeholders, according to Bourgeois et al. (2019),

within the people function include:
• Systems analysts and designers: the people responsible

for identifying and detailing the business needs and in
turn working with systems designers to design
information systems are able to solve business needs.
These designs are refined and tweaked then handed
over to software developers.
• Software developers: the people responsible for writing
code in a programming language to fulfil the design
specifications provided by the system analyst/designers.
• Project managers: the people responsible for ensuring
that IT projects are delivered on time, within budget and
at a level of quality that is acceptable. While the project
stakeholders do not report to the project manager, the
project manager will coordinate the resources dedicated
to a project to ensure project success.

• Database administrators: the people responsible for the

design and management of databases for an
organisation. They work in consultation with analysts and
software developers.
As discussed above, the role of people within an information

system is a specialised and technical space. However, the
people function always places the organisational needs at its
core. In line with this, organisations face complex decisions
when it comes to the information systems function like whether
or not to outsource or keep IT in-house, how to cater for
different levels of technology adoption among users, and
technology maturity cycles which govern when to adopt
emerging technologies within an organisation (Bourgeois et al.,
2019).
2.3 Types of information systems

Having considered the building blocks of information system,
let’s shift focus towards the different types of information
systems for organisation. Within an organisation, decisions
need to be taken at different levels, i.e., operational, tactical,
and strategic (Laudon & Laudon, 2021).
To enable decisions at an operational level, transaction

processing systems (TPS) allow operational managers to track
every day transactions related to sales, supplies, receipts,
credits, refunds, and payroll. A TPS performs and records the
daily routine transactions necessary to keep the business
running (Laudon & Laudon, 2021). Typical TPS queries relate
to how many of a product has sold, how much of a raw
material we have left or how many hours of employee work we
have today.
To enable decisions to be taken at a tactical level,

organisations rely on business intelligence to monitor, control,
make decisions and administer their portfolios (Laudon &
Laudon, 2021). Management Information Systems (MIS)
provide reports on an organisations current performance to
allowing middle managers to fulfil their duties while also
enabling them to plan for future performance. An MIS provides
insight into questions like how many of a particular product
have we sold over time? How many should we order into the
future? Which products should be discontinued?

At a strategic level, another type of information system which

enables executives (and sometimes middle managers) to
make decisions are called Decision Support Systems (DSS)
which seek to assist in answering questions in a unique and
rapidly changing environment where the outcome is not known
nor is fully defined (Laudon & Laudon, 2021). Use predictive
models and external data other than what is contained in the
organisation’s TPS and MIS, they aim to answer questions that
may be affected by the external environment like what if we
were to move to a cheaper supplier? What if we were to import
rather than manufacture locally? What products and services
should we offer in the next five years?
When a DSS is packaged in a manner that is able to support

executive decisions through digital dashboard which are
personalised to the organisational context, there are referred to
as Executive Support System (ESS). Often these dashboards
may also contain real-time data to enhance business insight
and ensure that predictive models are also cognisant of the
most recent situation facing the organisation (Laudon &
Laudon, 2021).
Aside from these types of information systems, there are other

systems that support organisations including supply chain
management systems, customer relationship management
systems, knowledge management systems, collaboration tools
and other enterprise applications to support specific business
functions.
3 Information Systems Development

Having explored the types of information systems and how
they support organisations, a key component discussed earlier
is the people involved in information systems. Related to this,
this section explores the process of information systems
development.
3.1 Software development process

When developing information systems, the process is not as
straightforward as hiring a developer to write code. Instead, the
process of software development is carried out by teams
comprising end users, customers, organisational executives
(known as project sponsors), analysts, designers, developers,
testers, database administrators and server administrators

When involving a significant number of people across various

disciplines, it becomes tricky to coordinate resources, manage
expectations, and ensure efficient delivery of enterprise
software. To overcome this challenge, software development
teams must adhere to a software development methodology to
ensure that software projects remain on track to successful
completion.
3.2 Different approaches to developing

software
The view on which methodology to adopt can vary since there
are a number of methodologies that may be followed including
the systems development lifecycle (SDLC), rapid application
development (RAD), agile and learn. These are outlined in the
table below and we explore two predominant models below.
Figure 7 - Software development methodologies compared

3.2.1 The Systems Development Lifecycle (SDLC)
The SDLC is an established methodology which aims to

manage the complexity of large software projects by following
a structured set of steps that all stakeholders need to adhere
to. Project teams following this methodology would conclude
each step before moving onto the next step which gives rise to
the name waterfall methodology as steps are followed in
sequence and moving back is not possible, much like water
following down a waterfall (Bourgeois et al., 2019).

Figure 8 - The Software Development Lifecycle (Bourgeois

et al, 2019)
We explore each phase below as explained by Bourgeois et al,

(2019) and Laudon & Laudon (2021):
1. Preliminary analysis: The preliminary analysis phase is

undertaken to determine whether a software
development initiative should be undertaken. At this
point, business analysts will determine if an existing
solution could solve organisations problems or whether a
software development project needs to be undertaken.
Then, a feasibility study is carried out to determine
whether or not the software development project should
be initiated.
2. System analysis: In this phase, system analysts will work
with different stakeholders to understand the needs and
requirements of the organisation. During this step, data
is collected from users and role players, processes are
recorded, and the overall needs of the business are
understood. This step allows business analysts to
prepare a system requirements specification.
3. System design: In this phase, the system analysts,
developers, or system architects consult with the system
requirements specification to develop the technical
specifications of the information system. This includes
the design of the user interface, database, inputs and
outputs, and reporting capabilities. An outcome of this
phase is the system design document which consists of
the specifications that software developers can build
upon.

4. Programming: Up until this point, no code has been

written, but in this phase, the software developers or
software engineers code up the software.
5. Testing: In this phase, testers or the quality assurance
team, conduct a series of tests on the software including
unit tests (testing individual parts of the system), system
tests (testing the different parts once integrated
together), and user acceptance tests (where end users
utilise the system and provide feedback). Any errors or
bugs are resolved in this phase prior to implementation.
6. Implementation: In this phase, the information system is
rolled out to the organisation and includes process like
training, providing user manuals and migrating data from
any existing systems to the new system. Implementation
can be carried out with a specific number of users and in
different phases, depending on the complexity of the
project.
7. Maintenance: In this final phase, maintenance of the
system commences where reported bugs are fixed,
feature requests are considered, system updates are
performed, and subsequent versions are rolled out.
While this methodology is tried and tested for complex

projects, each phase can take a long time (months or years) to
complete. During this time, organisations may change,
technology could become obsolete and new programming
techniques can be developed. Other software development
methodologies, while following a structure, tend to break away
from the rigid nature of SDLC and offer software development
teams greater flexibility
3.2.2 Agile methodology
One methodology that is widely used is the agile methodology

which involves software being developed in incremental
changes as opposed to following a long draw out process.

Figure 9 – An agile iteration (Bourgeois et al., 2019)
During each agile iteration (or sprint) which typically lasts

between a few days to two weeks at most, the software
development team will plan their development of a specific
feature, collaborate with each other and end users to develop
the feature, code it up, release the feature to end-users, and fix
any issues that may arise. Thereafter, the team moves onto
the next sprint. Agile teams are comprised of different
stakeholders who meet on a daily basis to collaborate
Grounded in the Agile Manifesto (http://agilemanifesto.org/),

this methodology shifts away from the process-driven nature of
SDLC that requires extensive documentation and strict
scheduling moving towards a collaborative client-focused
process that offers agility when deploying software and making
changes, whilst also providing an opportunity for clients and
users to enjoy progress at the end of each iteration (Bourgeois
et al., 2019).
3.3 Cross-platform development

As touched on earlier, another important decision in the
development of information systems is the choice of which
platforms applications should be offered. Organisations can
offer desktop, web, and mobile applications to their users and
the decision would be based on several factors.

According to Stewart (2007), applications may be deployed to

desktops when applications need to be prominent to users,
need to harness operating system resources, need to be more
accessible to desktop users, and need to give the perception
of being native to the operating system. Whilst applications do
get deployed on desktops, it often requires a separate
development for different operating systems, which means two
different sets of expenses.
To overcome this challenge, organisations turn towards web

applications which run inside a browser offering cross-platform
accessibility, lower barriers to entry, a central point of
deployment, ease in getting users up and running, and
providing a means to include functionality whilst not
demanding operating system privileges (Stewart, 2007). The
beauty of web applications is that they are accessible from any
device with a browser including smartphones, laptops, and
tablets, thus catering for users regardless of which operating
system or device they utilise.
While web applications can be accessed on mobile devices,

browsers do not run natively and cannot typically access the
hardware components that may be needed for an app to run
(Bourgeois et al., 2019). In these specific instances, they may
be a need to develop native applications that are installed on
mobile devices (apps).
According to Bourgeois et al. (2019), mobile applications offer

advantages including:
• Rapidly advancing mobile technologies that apps may

harness resulting in better performance.
• Utilisation of sensors which enable developers to
understand the context in which apps operate (e.g.,
location sensors, gyroscopes and cameras).
• Ease of use for purpose-built applications
• Near immediate access to data for users
• Simplified acquisition and installation of apps through
app stores.
Caution should be extended here that building an app can

come at considerable cost and time commitments for an
organisation and should be a careful executed decision
(Shalev, 2015). Organisations will opt for a website or web
application instead of a native mobile app when brand
presence is necessary and venture into the apps when users
need to complete specific functionality like completing a sale,

processing a transaction or when utilising underlying features

of the device to offer enriched interactive experiences (Shalev,
2015).
For instances where users are across different operating

systems and devices, there has been an uptake of cross-
platform development tools like React Native, Flutter and
Xamarin which enable developers to deploy apps across
different environments from a single base of code while
maintaining consistent branding and user experience
(Sheldon, 2019). Refer to this link for more information on
cross-platform development tools: https://hackernoon.com/9-
popular-cross-platform-tools-for-app-development-in-2019-
53765004761b. [Accessed 13 January 2023].
An prominent example of a successful mobile app

implementation is the Checkers Sixty60 application which has
seen significant uptake since its launch:
https://businesstech.co.za/news/technology/518878/checkers-
is-building-something-quite-remarkable-and-far-bigger-than-its-
competitors/. Interestingly enough, prior to the launch of this
app, the organisation did not have a significant e-commerce
presence relative to competitors and mobile-first turned out to
be a beneficial strategy.
In our context, there also are examples of organisations like e-

commerce retailers and major banks that have harnessed
cross-platform development to place their applications and
functionality in the hands of users regardless of device or
operating systems.
4 The Strategic Value of Information

Systems
Now that we have explored how applications may be built and
delivered to users, let’s shift focus to how organisations can
extract value from technology investments.
4.1 IT Doesn’t Matter

In the 1990’s, large organisations began to invest in IT
infrastructure which was expensive and really cool. The nature
of the transaction was the purchasing of hardware and
software which a typical IT vendor would supply, install, and
disappear.

In the year 2000, things changed in a spectacular manner –

the dotcom bubble burst. Overnight, the stock market crashed,
and the damage lasted with many investors and companies
until today. One industry that was central to the entire crash,
and perhaps most affected even in the long term, was
technology. Once this happened, organisations began to re-
evaluate technology investment and began to question
whether or not their investments in technology were
worthwhile.
In 2003, Nicholas Carr wrote an article in the Harvard Business

Review title “IT Doesn’t Matter”. The article triggered massive
backlash from the IT industry, but the underlying message
reverberated – IT actually doesn’t matter (Bourgeois et al.,
2019).
Now is an opportune time for you to stop reading this guide

and read the article itself - https://hbr.org/2003/05/it-doesnt-
matter. [Accessed 13 January 2023].
After a critical read of the article, it emerges that IT had at that

point become commoditised and become another service (like
electricity and water) such that it did not matter where you
procured it from. At that point, it is possible that Carr was
indeed correct, and this had an impact on how technology is
bought and sold, even until today. Added to this mix was the
fact that technology was no longer just reserved for large
organisations as, owing to the dotcom crash, prices had
become within reach of smaller enterprises as well. Central to
Carr’s argument was that the IT function should be repurposed
towards keeping costs down, going with the best (and
cheapest) supplier and making sure the technology downtime
is minimised (Bourgeois et al., 2019).
In the view of organisations and executives (who were

increasingly weary of technology investments), what began to
really matter was how this now commoditised business tool
could be used to effectively enhance an organisation, enable
differentiation, and allow greater profitability.

4.2 Competitive advantage rather than

impressive technology
This is apparent in Robert Plant’s reply to the article more than
a decade later: https://hbr.org/2013/08/it-doesnt-matter-to-
ceos. In the article, he explores the notion that IT does matter,
provided it yields strategic value and competitive advantage.
When procuring IT, there have been increasing demands on

organisations to show that their IT spend aligns with business
objectives and the investment in technology will yield strategic
value. Strategic value may be derived when an organisation
wants to differentiate itself from competitors through lower
cost, provide a differentiated product, disrupt an industry,
enable innovation, or target a particular market segment
In essence, the days of procuring technology because it was

simply the coolest or the newest have long gone. It is all about
strategic value. Strategic value, or value creation, has become
a key gateway to cross when considering technology
proposals which has in turn shifted the way in which IT
companies develop their products and services for clients with
whom they then partner to help clients to realise business
value (Bourgeois et al., 2019).
4.3 The 4th industrial revolution

Aside from the revolution in mindset discussed in the previous
section, it is important to acknowledge that the next revolution
has in store. According to the World Economic Forum, the
world is undergoing a significant shift that will change how we
engage, live and work: The Fourth Industrial Revolution
(Schwab, 2016).
The First Industrial Revolution was brought about by

mechanisation of product using steam power whilst the
Second Industrial Revolution saw the massification of
production as result of electric power (Schwab, 2016). The
automation of production due to electronics and information
technology was the cornerstone of the Third Industrial
Revolution (Schwab, 2016).

According to Schwab (2016), the Fourth Industrial Revolution

(4IR) is considered as the digital revolution where technologies
fuse to develop new technologies that transcend the physical,
digital, and biological spheres. 4IR is characterised by its
speed, scope, and impact. This revolution is gaining rapid
momentum with new technologies being developed at an
unprecedented pace, with evolution happening at an
exponentially faster rate than we’ve seen before (Schwab,
2016). Furthermore, 4IR affects every industry and has the
potential to enhance every organisation including
manufacturing, education, healthcare, retail, agriculture, and
governments.
There needs to be an intricate balance. Whilst 4IR allows us to

harness technologies like collective processing power, artificial
intelligence, IoT, nanotechnology, quantum technology, it is the
responsibility of individuals, organisations, academia and
governments to ensure that there aren’t widening skills-gaps,
increased unemployment and greater disillusionment (Schwab,
2016).
In the South African space, Deloitte (2017) reports that there

are doubts over 4IR readiness due to a workforce that is not
necessarily skilled for a 4IR world coupled with concerns
related to job security. Additional concerns include the fact that
the continent in general needs to upskill the existing and future
workforce to for a world dominated by 4IR amidst education
systems that are not able to cater for the needs of
organisations and industries (Morsy, 2020). The key to
success is to begin at a grassroots level to, with time,
overcome these challenges.

5 Recommended Additional Reading

To learn more about the building blocks of information
systems, consult:
• Information Systems for Business and Beyond (2019) –

Chapter 1 to 5:
https://opentextbook.site/informationsystems2019/chapte
r/chapter-1-what-is-an-information-system-information-
systems-introduction/ [Accessed 13 January 2023].
• What is IT? -
https://searchdatacenter.techtarget.com/definition/IT
• Computer Basics – GCFGlobal -
https://edu.gcfglobal.org/en/computerbasics/ [Accessed
13 January 2023].
To learn more about software development methodologies,

consult:
• Phases & Models of Software Development Life Cycle:

https://www.guru99.com/software-development-life-
cycle-tutorial.html [Accessed 13 January 2023].
• What is Agile? - https://www.atlassian.com/agile
• Agile Manifesto - http://agilemanifesto.org/ [Accessed 13
January 2023].
To better understand the need for the strategic value of

information systems, consult:
• IT doesn’t matter: https://hbr.org/2003/05/it-doesnt-

matter [Accessed 13 January 2023].
• IT doesn’t matter (to CEOs): https://hbr.org/2013/08/it-
doesnt-matter-to-ceos [Accessed 13 January 2023].
• Why IT matters:
https://www.technologyreview.com/2004/06/01/232779/w
hy-it-matters/ [Accessed 13 January 2023].
To better understand 4IR and its implications, consult:
• Industry 4.0:
https://www2.deloitte.com/za/en/pages/consumer-
industrial-products/articles/industry-4-0--are-you-
ready.html [Accessed 13 January 2023].

• The Fourth Industrial Revolution: what it means, how to

respond: https://www.weforum.org/agenda/2016/01/the-
fourth-industrial-revolution-what-it-means-and-how-to-
respond/ [Accessed 13 January 2023].
• How can Africa succeed in the Fourth Industrial
Revolution?:
https://www.weforum.org/agenda/2020/08/africa-fourth-
industrial-revolution-technology-digital-education/

6 Activities
6.1 Activity 1
Conduct research on the different types of information systems
that may be used at a higher education institution. Classify
each of these information systems using the definitions in this
learning unit and explain how they enable an institution to
obtain operational, tactical or strategic advantage.
6.2 Activity 2
Consider this scenario: You have been asked to assemble a
team of professionals to develop an application to help
manage inventory, orders, customer management, and
reporting for a local restaurant. After conducting additional
research, identify the different stakeholders who you would
include as part of the team and describe the role that each
stakeholder will play in the successful implementation of the
application.
6.3 Activity 3
Imagine that you are in industry. You are approached by an IT
vendor wanting to sell you software, servers and the latest in
networking technology. They promise that you will be the
coolest company on the block with the best servers. Provide a
response to this approach to providing IT services in the
context how organisations should be procuring IT services.

7 Revision Exercises
Answer the following questions to test your knowledge from
this learning unit:
1. A friend has asked you to define the concept of an

information system. Write a one-paragraph description in
your own words that you feel would best describe an
information system.
2. We interact with various information systems every day:
at the store, at work, at campus, even in our cars.
Compile a list of the different information systems you
interact with daily and identify the technologies, people,
and processes involved in making these systems
function.
3. You are approached by a custom furniture company to
advise them on whether a mobile app, responsive
website, or any other platform will be more suitable for
their organisation to interact with customers. Provide a
short recommendation.
4. Conduct your own research on how developing
economies can enhance 4IR capabilities to ensure a
sustainable and globally competitive future for citizens.

Learning Unit 2: Web Technologies for

Business
1. Explain the history and evolution of

the web.
2. Discuss the ways in which
organisations can harness Web 2.0
and Web 3.0 technologies.
3. Distinguish between centralised and
distributed computing.
4. Understand the key principles of
cloud computing.
5. Outline the benefits and challenges
of cloud computing for organisations.
6. Discuss the key principles of
blockchain technologies.
7. Outline the benefits and challenges
of the blockchain for organisations
and communities.
8. Explain the role of e-commerce and
m-commerce in organisations.
9. Differentiate between e-commerce
and m-commerce.
10. Outline the benefits and risks of
utilising e-commerce and m-
commerce for business.
11. Discuss strategies to mitigate the
risks of e-commerce and m-
commerce.
Material used for this learning unit:
• Module Manual.
• Recommended readings outlined in
this learning unit.

• Go onto technology websites like
TechCentral, MyBroadband and
BusinessInsider and conduct
research on how information
systems affect South African
organisations today.

1 Introduction
As discussed in the previous learning unit, it is essential for
organisations to utilise technology to participate in the 4th
industrial revolution. This learning unit shifts focus on a critical
component of participation in the 4th industrial revolution - the
world wide web. We will explore the evolution of the web, e-
commerce and m-commerce and the nature of centralised and
decentralised computing.
As a business professional, you will be working with

technology for strategic decisions in an interconnected and
collaborative world. As such, it is important that you
understand web-based technologies to allow you to, one day in
your future career, harness the potential of the appropriate
technologies for your organisation.
2 Evolution of the Web

The origins of the Internet as we know it dates back decades
ago (1960s) with the birth of ARPAnet (Advanced Research
Projects Agency Network) which was a military project that
allowed devices to communicate over a network (Andrews,
2019). As the technology continued to evolve, and new
communication standards and protocols were developed,
different networks became interconnected, giving rise to
foundations of the Internet (Andrews, 2019).
2.1 Web 1.0

The World Wide Web, or the Web 1.0, developed by Tim
Berners-Lee in the 1990s provided a way for the Internet to be
browsed and accessed using hyperlinks and webpages
(Andrews, 2019). Envisioned as virtual space where scientists
could read, write and share their research gained traction
outside the academic space with business, individuals and
governments accessing these resources as well as
establishing their own presence (Silver, 2020).
Despite this uptake, the ability to post content in a Web 1.0 lay
in the hands of a select few with the technical ability to do so
while most users simply consumed content (Andews, 2019;
Silver, 2020). The web browser as a tool gained traction with
Netscape launching in 1994 (Silver, 2020).

2.2 Web 2.0

Towards the late 1990s and early 2000s, the term Web 2.0
was coined by O’Reilly and Battelle which referred to the world
moving from static websites towards websites more geared
towards user participation and user-generated content (Mersch
& Muirhead, 2019; Silver, 2020). As such the advent of Web
2.0 presented Internet users with a significant paradigm shift
driven by greater broadband access and mobile penetration
with the release of mobile broadband in the 2000s (Mersch &
Muirhead, 2019).
Around this time, social networks, blogs, cloud sharing, and

other forms of user-generated platforms became common with
users being always connected to their mobile devices (Silver,
2020). Along with this came the penetration of mobile apps,
prominent use of search engines and widespread use of push
notifications (Mersch & Muirhead, 2019; Silver, 2020).
Perhaps the biggest adjustment for organisations was the

lower barrier to entry when it came to sharing content and the
democratisation of the Internet where everyone had a voice.
Users became creators of content, and the web became a
space that allowed anyone to share content and get their
message out there (Silver, 2020). The user voice gained
traction in the form of user reviews, recommendations and
referrals that resulted in a greater sense of trust and turned the
Internet into a community of users who shared experiences,
and more recently, accommodation and transport (Mersch &
Muirhead, 2019).
Also, while hosting technologies that were previously

expensive to purchase and maintain, with Web 2.0 they
became commodities that could be consumed on a pay-per-
use or monthly basis thus further reducing barriers to entry
through cloud services (Mersch & Muirhead, 2019).
2.3 Web 3.0

While we have not moved beyond the realm of Web 2.0, and
possibly will not for the foreseeable future, the role of the
Internet in society and its underlying technologies are shifting.

Let us take a moment to consider the history: Web 1.0 placed

control of content and information in the hands of a selected
few who were able to procure and maintain technology, and
Web 2.0 brought about a strong degree of collaboration and
dropped barriers to sharing one’s message while
commoditising the infrastructure. The next shift, which is what
Web 3.0 brings is towards increasing the democratisation of
the internet, bringing openness and greater transparency while
shifting infrastructure to the edge of the network as opposed to
centralised storage (Mersch & Muirhead, 2019).
The paradigm shifts simply explained is that while Web 2.0

provided large organisations with the ability to host web
applications as well as to store, analyse and monetise our
data, Web 3.0 is beginning to dismantle the locus of control by
providing open, trustless and permissionless networks where
no one organisation or set of organisations hold charge of our
data (Mersch & Muirhead, 2019; Silver, 2020). Instead, such
data is distributed across multiple nodes on a network to
increase transparency, sovereignty, and resilience (Silver
2020).
With Web 3.0, it is envisaged that users will own their data and
have the freedom of knowing how it is being utilised and
shared. For society, Web 3.0 can alleviate world problems
such as unequal access to healthcare, food insecurity,
unsustainability, and financial inequality by harnessing the
capabilities of artificial intelligence (Mersch & Muirhead, 2019).
Since data will now be more widely available as opposed to
being stored and utilised centrally, Web 3.0 opens
opportunities for data to be shared, analysed, and have value
extracted from the data for wider benefit (Mersch & Muirhead,
2019).

Figure 10 – The Evolution of the Web - Mersch & Muirhead

(2019)
As depicted in Figure 7, the web has and continues to evolve

with exciting possibilities for the future of societies,
communities, and organisations. We see Web 3.0 gaining
traction in areas like the cryptocurrencies and smart contracts
all hosted on decentralised architecture.
3 Centralised and distributed

computing models
As we discuss the evolution of the web, it is also necessary to
explore the underlying infrastructure that has given rise to this
evolution. Over the past few decades, the manner in which
human beings have consumed computing services has shifted
between centralised and decentralised computing by way of
the mainframe era, the era of the PC, the cloud era and, more
recently the blockchain/IoT era – these shifts are depicted in
Figure 8.

Figure 11 – Interplay of centralised and decentralised

computing – Khetani (2021).
In a centralised model, computing power rests with a provider

of services typically located inside a data centre to which all
clients or users connect (Khetani, 2021; Mersch & Muirhead,
2019). On the other hand, in a decentralised model, computing
power rests with the end user at different nodes of a network
with each node holding data as well as the existence of shared
public ledger of all transactions within the network (Khetani,
2021; Mersch & Muirhead, 2019). The decentralised approach
ultimately results in the democratisation of technology and
causes disruption to industries with distributed trust playing a
significant role (Khetani, 2021).
If we were to consider financial transactions, the ledger of

transactions in a centralised approach will be held by a bank or
other financial institution, which while may be accurate and
audited, relies on the trust between users and the institution. If
we were to adopt a decentralised approach, every user would
hold a copy of an immutable ledger which could be updated
with every transaction, but no past transactions revised. Thus,
there would be no need to trust a single institution and the
network would incorporate greater resilience as there is no
single institutional point of failure.
Now that the difference has been established, let’s explore a

centralised computing model (cloud computing) and a
decentralised computing model (blockchain).

3.1 Centralised computing

3.1.1 What is cloud computing?
Before we delve into the cloud, let’s reflect on how computing

was offered in a pre-cloud era. In the year before cloud
computing, organisations were required to purchase servers
which would be installed either at the premises or within a
service providers data centre. While owning your own server
could be considered beneficial, procuring these servers carried
a significant capital expense and maintenance of these servers
rested with the organisation (an operational expense). These
expenses potentially limited the ability of smaller organisations
to access the latest enterprise-level technology. This is an
interesting forum which looks at the client-server architecture
vs cloud computing – give it a read:
https://softwareengineering.stackexchange.com/questions/214
629/how-iscloud-computingdifferent-from-client-server
This computing model is still widely used today and the

decision to move to the cloud varies based on what the
organisation is trying to achieve – for example, some
organisations might opt to move their email and
teleconferencing services to a cloud provider but keep their file
storage on servers within the organisation.
According to Mell & Grance (2011), cloud computing is defined

as a computing model that enables ubiquitous, convenient, on-
demand access to shared computing resources that can be
easily provisioned and deprovisioned with minimal
management effort or service provider interaction.
3.1.2 Characteristics of cloud computing
If one were to consider the difference between traditional

hosted infrastructure and cloud computing, it would be ideal to
explore the characteristics of cloud computing outlined by Mell
& Grance (2011):
• On-demand self-service: which means that a consumer

can provision cloud services as and when they require
without the need to purchase hardware or waiting for a
technician to configure it.
• Broad network access: which means that these services
can be accessed over a network across various types of
devices (mobile, desktop, laptop, workstations, etc.)

• Resource pooling: which means that the computing

resources (processing, storage, memory and bandwidth)
are shared across multiple organisations with resources
being commissioned for a specific organisation as
needed. When the resource is no longer by the
organisation, they decommissioned and become
available for use by another.
• Rapid elasticity: which means that computing resources
can be provisioned and released within a short space of
time, and even automatically scaled up and outwards as
needed.
Consider this scenario: If an organisation deploys a web
application on a single cloud server and there is a spike
in usage of the site (maybe a flash sale, promo, etc.), the
developers may configure the cloud environment such
that the application may be scaled across additional
servers automatically as usage on existing servers
reaches its limit. Users would be able to seamlessly, and
without realising it, use the same application without the
site crashing. When the usage returns to its normal level,
the additional servers are released.
• Measured service: which means that cloud providers
monitor, control, report and provide metering capability to
only bill for services utilised. In the scenario above, once
the additional servers are deprovisioned and the cloud
provider only bills for the additional servers on a pay-per-
use basis – by the minute or by the hour.
3.1.3 Cloud delivery models
Cloud computing is offered as-a-service in three

predominant models: infrastructure-as-a service, platform-
as-a-service and software-as-a-service (Mell & Grance,
2011). As explained by Adam, Wassermann & Blewett
(2016), these models may be depicted as layers where
each layer is dependent on its underlying layers.
Software-as-a-Service (SaaS) refers to the instances

where cloud-based software replaces the practice of
running applications that utilise resources installed on a
specific device (Adam et al., 2016). Here, these
Figure 12 – Cloud as-a-service
applications are accessed over the Internet and the
delivery models
underlying platform and infrastructure is managed by the
cloud provider (Mell & Grance, 2011).

Platform-as-a-Service (PaaS) is typically utilised in software

development due to its ability to support various phases of
development (Adam et al, 2016). Developers may make use of
development libraries, and services and tools in the cloud,
rather than managing resources locally (Mell & Grance, 2011).
In PaaS, the user does not manage the underlying
infrastructure. Rather, this managed by the cloud provider.
Infrastructure-as-a-Service (IaaS) enables the delivery of IT

infrastructure and eliminates the need for users to install and
maintain infrastructure but provides the ability to customise the
server in terms of processing, memory, storage and bandwidth
where the user is able to customise the operating systems and
software on the cloud server (Mell & Grance, 2011).
3.1.4 Cloud deployment models
The cloud may be deployed in four different flavours, as

outlined in the table below:
Table 1 – Cloud deployment model – Mell & Grance (2011)

Location
Deployment Ownership of
Intended use of cloud
Model infrastructure
servers
Private Users or on- organisation or
cloud customers from premise or cloud provider
within a single off-
organisation premise in
(e.g., email, user cloud data
authentication centre
and
management,
file storage,
internal
applications)
Community Users from on- one or more
cloud organisations premise or organisations
with shared off- or cloud
interests (e.g., premise in provider
higher cloud data
education, centre
research
organisations,
industry bodies,
etc.)
Public cloud General public off- cloud provider,
premise in government
cloud data entity or
centre educational
institution
Hybrid cloud A blend of two or more of the models above.

An easy way to understand all the delivery and deployment

models is to make use of an analogy. Give this Pizza-as-a-
Service article a read - https://pkerrison.medium.com/pizza-as-
a-service-2-0-5085cd4c365e [Accessed 13 January 2023].
3.1.5 Opportunities and challenges of cloud services for

organisations
The cloud brings several benefits including faster

implementation of software, availability of applications and
world-class infrastructure on-demand, cost reduction in terms
of capital expenditure, scalability with peak usage
requirements, increased security in terms of physical security
and maintenance, greater reliability due to multiple levels of
redundancy and service-level-agreements, and access to
expertise within the cloud provider’s organisation (Altynpara,
2021; Marko, 2021).
However, the cloud is not without its disadvantages. These

include complex pricing structures and increased operational
costs, increased bandwidth requirements and costs, managing
the shared responsibilities, varying customer support between
providers, the need for expertise to manage the cloud services
from within the organisation, and the regulatory requirements
in place (Marko, 2021).
Therefore, the decision to move to the cloud is not a simple

one. When deciding to adopt the cloud as a computing model,
organisations need to consider whether the advantages
outweigh the possible disadvantages or, at least, how these
disadvantages can be managed.
3.1.6 Dominant cloud provider
In addition to considering the benefits and challenges of cloud

computing, one would need to consider which cloud provider
they will be partnering with on this journey. To this end, there
are a few approaches to make the decision. One such
approach is to consult industry whitepapers and consulting
companies.
While there are many companies and websites which provide

guidance on cloud providers, we will explore just one. Gartner
Inc provides a tool that provides insight into the different cloud
providers and how they rank:
https://www.gartner.com/reviews/market/public-cloud-iaas

This online tool is supported by data obtained when developing

their Magic Quadrant for Cloud Infrastructure and Platform
Services (Bala, Gill, Smith, Ji & Wright, 2021).
Figure 13 - Magic Quadrant for Cloud Infrastructure and

Platform Services – Bala et al. (2021)
In defining the industry leaders, Gartner places each provider

on their magic quadrant based on two factors. Firstly, the
ability to execute looks at the overall viability of their
product/service, their market track record, operations, and
customer experience among other factors (Bala et al., 2021).
Secondly, Gartner looks at a provider’s completeness of vision
in terms of market understanding of cloud technology, offering,
business model and innovation. (Bala et al., 2021). Using
these factors, cloud providers are then placed on the quadrant
against other providers and positions emerge - You can read
more about the process here:
https://www.gartner.com/doc/reprints?id=1-
271OE4VR&ct=210802&st=sb [Accessed 13 January 2023].

At the time or writing this guide, the dominant global providers

are included in Figure 10. It should be noted that there are
several organisations that rate cloud providers. Also, not all
providers have cloud presence within South Africa.
3.1.7 Examples of cloud use in businesses
The use of cloud computing is prevalent in the globally with

organisations like financial institutions, social media sites,
healthcare providers, entertainment providers, and government
departments utilising the cloud to enhance their organisational
processes.
A simple Google search will yield many examples of cloud

implementations helping brands that you use every day. For
the purpose of ease, here are the case studies of a few cloud
providers to browse:
• Amazon Web Services:

https://aws.amazon.com/solutions/case-studies
• Microsoft Azure: https://azure.microsoft.com/en-
us/resources/customer-stories/ [Accessed 13 January
2023].
• Google Cloud: https://cloud.google.com/customers
• IBM Cloud: https://www.ibm.com/cloud/case-studies/
In the IT industry, case studies are an ideal tool for IT service

providers to partner with clients to showcase success stories
and enable potential clients to understand the value that their
services may add to an organisation.
Be sure to complete the activity at the end of this learning unit

related to cloud case studies.
3.2 Decentralised computing

While the cloud brings significant benefits to organisations,
there has been increasing traction towards decentralised
computing, in significant part, due to the rapid rise of
cryptocurrencies. However, decentralised computing has much
more potential than cryptocurrencies.

3.2.1 What is blockchain?
According to Iansiti & Lakhani (2017), blockchain is one of

several decentralised computing models available and is
based on five fundamental principles:
1. A distributed database incorporating a complete

transaction history with no single party holding control
and every party with access to the transaction history.
2. Peer to peer transmission with data travelling between
nodes without a central node that is in control.
3. Transparency with pseudonymity through unique
alphanumeric addresses that allow users to remain
anonymous or identify themselves.
4. Irreversibility of records where once a transaction has
happened and is recorded, the record cannot be altered
in any way. This is intrinsic to blockchain technology.
5. Computation logic meaning that transactions can be
programmed so that transactions can happen
automatically take place based on triggers.
Why is it called blockchain?
A blockchain transaction (also known as blocks) is linked to its

previous transactions and any subsequent transaction is linked
to its preceding, much like a chain (Rodeck & Schmidt, 2021).
Computational algorithms are used to ensure that records (the
ledger) are permanent, chronologically ordered, and available
to all others on the network. Thus, if blockchain allowed
removal of past transactions from the ledger, this would break
the “chain” of “blocks” thus undoing the very principles
underpinning blockchain (Iansiti & Lakhani, 2017).
3.2.2 Applications of blockchain technology
Blockchain technology can serve a variety of use-cases where

a public immutable ledger of transactions is required.
Perhaps a commonly known use-case for blockchain

technology is that financial transactions can be processed on a
blockchain. For example, the blockchain is the underlying
technology for cryptocurrencies where transactions are
processed and recorded without the need for intermediaries
and unnecessary delays (Rodeck & Schmidt, 2021). In addition
to cryptocurrency transactions, fiat currency transactions (like
Rands, Dollars, Euros, etc.) may also be processed and
recorded on the blockchain (Rodeck & Schmidt, 2021).

Asset ownership is another use-case for blockchain

technology. When an asset is owned by an individual, the
proof of that ownership can be recorded in a blockchain ledger.
When the asset is sold or changes ownership, this change and
necessary documentation can also be recorded on the
blockchain. While this ledger is electronic, it can be used to
track ownership of non-digital assets including land (Mwanza &
Wilkins, 2018) and vehicle ownership (Rodeck & Schmidt,
2021). Since all transactions are stored in an immutable public
ledger, the likelihood of fraud is lessened due to increased
transparency as was witnessed in Kenya (Mwanza & Wilkins,
2018).
Along with ownership, the process of completing smart

contracts can also be processed on a blockchain with the
underlying premise being that a smart contract is finalised
once predefined conditions are met (Rodeck & Schmidt, 2021).
For example, when transferring ownership of an asset between
two parties, the actual transfer only happens once all
necessary documents are uploaded, the buyer has provided
proof of funds, the seller has provided a destination for funds
to be paid towards. This could be extended to fields like supply
chain management to pay a courier once a parcel is delivered,
HR when it comes to employee engagement, and a whole host
of other industries (Iansiti & Lakhani, 2017).
Another interesting application of the blockchain is to enable

sovereign digital identity where users can provide proof of their
identity using a mobile application based on information stored
with a blockchain as the underlying technology (Malinga,
2018). This has the potential to make identity a more robust,
prevent single points of failure and lessen the likelihood of
fraud.
Conduct your own research into other useful applications of

blockchain technology.
3.2.3 Opportunities and challenges presented by

blockchain technology
Blockchain technology provides several opportunities. Due to a

centralised ledger and peer-to-peer verification of transactions,
the likelihood of erroneous transactions is minimised, thus
increasing security (Rodeck & Schmidt, 2021). Furthermore,
given the fact that the architecture of the blockchain is
decentralised, users no longer require an intermediary like a
bank or deeds office to process transactions, thus increasing
efficiency (Rodeck & Schmidt, 2021).

However, blockchain is not without its challenges. These

include a limited number of transactions that can be
processed, higher energy costs for miners to process
transactions, and the potential for loss of assets due to illegal
activities (Rodeck & Schmidt, 2021). In essence, the
decentralised nature of blockchain is perhaps its weakness in
that nefarious users may, under the guise of anonymity, utilise
the blockchain to steal assets, or receive and make payments
using the proceeds of criminal activity (Rodeck & Schmidt,
2021). Another risk is the potential to lose ones blockchain
assets by losing the cryptographic keys to one’s digital wallet –
billions of dollars have been lost globally in this manner – read
this: https://www.nytimes.com/2021/01/12/technology/bitcoin-
passwords-wallets-fortunes.html [Accessed 13 January 2023].
4 E-Commerce and m-Commerce

Now that we have discussed the evolution of computing, let’s
shift focus towards one of the predominant users of technology
in organisations, e-commerce.
4.1 What is e-commerce?

According to Chai, Holak and Cole (2020), e-commerce (or
electronic commerce) is the purchasing and selling of good
and services over a network like the Internet. In a typical e-
commerce setting, customers access an online store through a
web browser and place orders from their device (Chai et al,
2020).
In a simple transaction scenario, when the order is placed, the

customers device sends the details to the e-commerce store’s
servers and interfaces with a payment gateway like PayPal or
PayFast to process payment. Thereafter, the order proceeds to
fulfilment (Chai et al). This varies from store to store with
additional steps and processes being needed.
Aside from this simple example, there are several different

types of e-commerce transactions including:
• Business to business (B2B) where business sell their

products and services to other business (Chai et al,
2020). Examples include ordering portals and online
directories (Chai et al., 2020).
• Business to consumer (B2C) where businesses sell their
products and services to consumers (Chai et al., 2020).

Examples include well known online stores like Amazon,

Takealot, Loot, and many other brands. Can you think of
a few?
• Consumer to consumer (C2C) where consumers sell
their products and services to other consumers (Chai et
al., 2020). Examples include Gumtree, Facebook
Marketplace and OLX.
• Consumer to business (C2B) where consumers sell their
products and services to businesses (Chai et al, 2020).
Examples include career sites and websites that allow
creators to sell their multimedia content to business
(Chai et al., 2020).
4.2 Benefits and risks of e-commerce

The rise of e-commerce in recent times and the step away
from brick-and-mortar brings several benefits for organisations
and their customers including greater availability, easier
access, wider range of products, international reach, cost
savings as opposed to running physical stores, and
personalised shopping experiences (Chai et al., 2020).
On the other hand, there are some inherent risks associated

with e-commerce that need to be managed. These include
virtual customer services, not being able to test out a product
before purchasing, a delay between purchase and delivery,
and cybersecurity threats including fraud and data theft (Chai
et al., 2020).
4.3 What is m-commerce?

With the broad prevalence of mobile devices, mobile
commerce has gained significant traction. M-commerce allows
customers to conclude transactions on their mobile devices
including smartphones and tablets and incorporates mobile
shopping applications, responsive websites, banking
applications, and mobile payment applications (Chai et al.,
2020).
In the South African context in particular, mobile broadband

penetration is significantly higher compared to fixed-line
broadband penetration with most users accessing the Internet
through mobile devices. Thus, there is a distinct need for a
mobile-first approach towards e-commerce in our context
(Watling, McCabe & Seedat, 2019).

In a “mobile-first” approach, applications are developed from

the ground up to cater for the restrictions associated with
navigating the application from a mobile device (Xia, 2017). In
order to achieve this, developers adopt responsive design and
the principle of progressive advancement where experiences
are built with their simplest features and additional complex
features are added thereafter whilst maintaining simplicity (Xia,
2017).
4.4 E-Commerce trends

Over the past few years, there has been an upward trajectory
in online shopping, but brick and mortar sales still dominate the
landscape (Watling, McCabe & Seedat, 2019). Based on this,
many South African organisations were not investing in e-
commerce. However, the advent of the COVID-19 pandemic
has resulted in a significant drop in foot traffic in brick-and-
mortar stores thus prompting a move towards increasing their
e-commerce presence (Mahlaka, 2021).
Conduct research into brands around you that are moving

online.
To get a clearer picture of e-commerce in South Africa, there

are several interesting whitepapers provided by consulting
firms that outline trends and predict the future:
• eCommerce developments across Sub Saharan Africa

(SSA) by Visa -
https://navigate.visa.com/$/v/5/cemea/m/x/SSA%20eCo
mmerce%20TL%20Paper%20CEMEA%20FINAL.pdf
• Rethinking the ecommerce opportunity in South African
by Accenture -
https://www.accenture.com/_acnmedia/PDF-
108/Accenture-eCommerce-POV.pdf [Accessed 13
January 2023].
• Digital Commerce Acceleration by Deloitte -
https://www2.deloitte.com/content/dam/Deloitte/za/Docu
ments/strategy/za-Digital-Commerce-Acceleration-2021-
Digital.pdf [Accessed 13 January 2023].
As you go through these whitepapers, make sure that you

consider how the findings and points raised would affect an
organisations decision on how to move into the e-commerce
space.


Evolution of the web
• What Is Web 3.0 & Why It Matters – click here

• What Is Web 3.0? – click here
• Who invented the Internet? click here
Centralised and distributed computing:
• Comparison – Centralised, Decentralised and Distributed

Systems – click here
• Migration to and benefits of the cloud – click here
• Explore the pros and cons of cloud computing – click
here
• NIST Definition of cloud computing – click here
• Gartner Magic Quadrant for Cloud Infrastructure and
Platform Services – click here
• Distributed VS centralized networks – click here
• Blockchain in financial services – click here
• Deloitte’s 2021 Global Blockchain Survey – click here
E-Commerce:
• Definition e-commerce – click here

• eCommerce developments across Sub Saharan Africa –
click here
• Rethinking the eCommerce Opportunity in South Africa –
click here
• Digital Commerce Acceleration – click here

6 Activities
6.1 Activity 1
You have been approached by a local FMCG retailer that has
been in existence for about 15 years. They have a national
footprint of stores in major malls and have noticed a drop in
foot-traffic over the past year. As a result, they are looking to
expand their online operations. Using the knowledge gained in
this learning unit, and with the help of additional research,
provide a one-page recommendation to the client.
6.2 Activity 2
A South African auditing firm recently suffered a major
cybersecurity breach and lost the data of clients. They are
since looking at moving their IT operations to the cloud.
Conduct research into the different types of workloads that can
be moved to the cloud as well as the major cloud providers
and outline a cloud migration strategy that incorporates what IT
services can be moved to the cloud, how this can be done, and
which providers can be used.
6.3 Activity 3
When consulting with a client in the legal field recently, they
indicate you that blockchain is all about cryptocurrency and it’s
a passing fad. Having learnt about blockchain, you feel it
imperative to politely correct their understanding. Provide an
explanation of what is blockchain and how it can be used
within the legal field. You will need to conduct additional
research.

this learning unit:
1. A friend who hosts Instagram live sessions on social

media has invited you to explain the concept of Web 3.0.
With the aid of additional research, prepare a write-up of
point that you could use in your live session.
2. Using an appropriate analogy, explain the different cloud
delivery models.
3. You have been invited to deliver a presentation on the
future of blockchain for the accounting and auditing
profession. Prepare a presentation outlining what is
blockchain, advantages and disadvantages, and provide
some real-world applications of blockchain.
4. Conduct your own research on how SMMEs can enter
the e-commerce space and the advantages of e-
commerce for smaller organisations. Ensure that you
discuss the business value that can be derived.

Learning Unit 3: Information Security

1. Describe information security threats

that confront organisations.
2. Differentiate between the various
types of information security threats
that organisations face.
3. Discuss the various control
mechanisms to avoid or mitigate the
risks of information security.
4. Outline the need for remote-working
and bring your own device (BYOD)
strategies in organisation.
5. Explain the role of cyber security risk
management.
6. Outline the process of cyber security
risk management.
7. Describe the process of risk
assessment.
8. Differentiate between business
continuity and disaster recovery.
• Module Manual.
this learning unit.

• Go onto technology websites like
TechCentral, MyBroadband and
BusinessInsider and conduct
research on how information systems
affect South African organisations
today.

8 Introduction
In the previous learning unit, we explored different computing
models that organisations may adopt in order to fulfil their IT
needs. The reality is that decisions to adopt different
technologies carry a degree of associated risk for an
organisation. A critical risk that must be considered is that of
cybersecurity.
In this learning unit, we will explore the different types of

cybersecurity threats, control mechanisms, and risk
management practices that organisations need to be cognisant
of and preparer to confront.
1 The Information Security Triad

As we commence with this learning unit, it is
appropriate to explore the Information Security Triad
which represents the core constructs of information
security.
As depicted in Figure 11, information security is the

process of maintaining confidentiality (restricting
access to only authorised users), integrity of data
(ensuring that information has not been manipulated or
modified in an unauthorised manner), and availability Figure 14- Information Security
(ensuring that information is available to authorised Triad (Bourgeois et al, 2019).
users within an appropriate timeframe) (Bourgeois et
al., 2019; Ciampa, 2017).
In order to ensure that confidentiality, integrity, and availability

is maintained, organisations need to be aware of the prevailing
threats and put in place measures to handle these threats
(Bourgeois et al, 2019).
2 Cybersecurity Threats
2.1 Threat actors
The individuals who carry out cyberattacks are known as threat
actors. Threat actors include:
• Hackers who intend to gain unauthorised access to a

device or a network (Laudon & Laudon, 2021).
• Script kiddies who wish to attack devices or networks but
do not possess the skillset. Thus, they rely on automated
scripts to perform their handiwork (Ciampa, 2017).

• Hacktivists who are activists that break into websites,

organisations, or networks to make a political statement
(Ciampa, 2017).
• Nation state actors who are hackers employed by
governments to attack their foreign or local adversaries
(Ciampa, 2017).
• Insiders who are employees or stakeholders of an
organisation who seek to sabotage the organisation due
to being disgruntled or being motivated to harm the
organisation by external forces (Ciampa, 2017).
• Competitors who attack an organisation to steal
classified information such as research, strategic, or
customer data (Ciampa, 2017).
• Organised criminals who shift from forego physical
crimes to online crimes to reduce risk and higher reward
(Ciampa, 2017).
• Brokers who uncover vulnerabilities and sell them onto
others (Ciampa, 2017).
• Cyberterrorists that attack national infrastructure to
cause panic or significant disruption to destabilise a
country (Ciampa, 2017).
As can be gleaned from the above, there are various several

types of malicious actors that could harm an organisations IT
infrastructure. These actors may carry out their attacks using a
variety of malicious software (malware) and deceptive
behavioural techniques (social engineering).
2.2 Malware
As explained by Ciampa (2017) and Laudon & Laudon (2021),
malware is software that enters a user’s system or network
without the user’s knowledge or consent, and then carries out
malicious activity. The reach and potential damage caused by
malware differs as malware varies in complexity and function
(Ciampa, 2017). The different types of malware and attacks
are outlined below:

Category of
Type Description
Attack
Circulation Viruses
Viruses are malicious code that
enters the computers file
systems and when launched, it
reproduces itself and mutates
without human intervention.
Viruses can remove files,
prevent other applications from
running, steal data, modify
settings and cause a device to
crash. Viruses travel between
devices through users sharing
infected files with each other
(Ciampa, 2017).
Worms Worms are malicious code that
enters a computer through a
network, finds a vulnerability or
security weakness on the host
system which it exploits, and
then proceeds to spread across
other devices on the network to
exploit the same vulnerability
(Ciampa, 2017).
Infection Trojans Trojans are malicious code that
enters a device by
masquerading as a legitimate
application, but then proceeds
to cause on harm on the user’s
device. This harm can include
stealing sensitive information
and allowing remote access to
a threat actor (Ciampa, 2017).
Ransomware Like its name suggestions,
ransomware is malware that
enters a user’s device, locks
the devices, restricts access to
files, and displays a ransom
message requesting payment,
typically using an offshore
means or cryptocurrency to
make it harder to track
(Ciampa, 2017; Laudon &
Laudon, 2021).
Concealment Rootkit A rootkit is malware that hides
itself within the operating
system out of reach of

antimalware tools. This is

achieved by embedding itself
inside folders that are not
visible to the operating system
and thus not detected when a
scan is carried out (Ciampa,
2017).
Collection Spyware As suggested by its name,
spyware is malware that
covertly monitors and collects
information about a user’s
resources, applications, and
sensitive information (Ciampa,
2017; Laudon & Laudon, 2021).
Keylogger A keylogger is malware that
captures and stores the
keystrokes that a user inputs
into their keyboard shares
these with threat actors.
Modern keyloggers can share
screenshots and enable a
user’s webcam (Ciampa, 2017;
Laudon & Laudon, 2021).
Data Logic bomb Malware that triggers based on
Destruction a logical event and removes
user or operating systems files
to prevent system operation.
Logical events can include
certain timeframe elapsing or
event occurring on the host
system (Ciampa, 2017).
Modified Backdoors Backdoors give threat actors
system access to a device or
security application by circumventing
normal security protocols
(Ciampa, 2017).
Launching Bots When malware gains control of
attacks a user’s device with the
purpose of using it to launch
attacks on other devices, that
device becomes a bot. When
multiple devices are attacked
and repurposed to launch a co-
ordinated attacked, they are
referred to as a botnet
(Ciampa, 2017; Laudon &
Laudon, 2021).

Disabling Denial of In a DoS, threat actors flood a

infrastructure Service service with thousands or tens
(DoS) of thousands of requests with
attacks the purpose of crashing the
service and clogging up the
network. When carried out from
several computers across
locations, this referred to as a
distributed denial of service
attack (Laudon & Laudon,
2021).
As can be gleaned from the above, there are a several types of

malware that could affect devices and networks. The
abovementioned list is not exhaustive as new threats continue
emerge.
2.3 Social engineering

Aside from technological attacks by means of malware, threat
actors may also adopt social engineering attacks on users and
organisations. Social engineering relies on a psychological
approach whereby a victim of an attack is persuaded to
provide information or carry out an action (Ciampa, 2017).
Social engineering succeeds because attacked provide an

intended victim with rational reasons, project confidence, use
evasive behaviour, and even utilise humour to build trust with a
user in order to get them to share personal information,
unwittingly provide access, or even to download and install
malware on their devices (Ciampa, 2017).
Social engineering attacks may be classified as follows:
Type of
Description
Attack
Impersonation An attack where a threat actor impersonates
some legitimate person like a support
technician who calls a user to solve a problem
that they were not aware of in order to obtain
details, sensitive information or install
malware.
Phishing In a phishing attack, a threat actor sends an
email that falsely claims and seems to be from
a legitimate organization or enterprise, like a
financial institution or law enforcement
agency. The user then acts on this information

and surrenders sensitive information.

Spam Spam refers to unsolicited email that is sent to
a large number of recipients. Spam is lucrative
for threat actors because it is easy and cheap
to send. Other than containing annoying and
unwanted content, spam may also be used to
distribute malware through attachments.
Hoaxes As its name suggests, hoaxes are false
warnings that are sent to an intended victim in
an email prompting them user to download
software in order to combat non-existent
threat. Users who fall for hoaxes inadvertently
install malware on their devices.
Watering hole Similar to a watering hole in real life, threat
attack actors target a website or a service that users
are known to commonly frequent thereby
giving the opportunity for malware to be
installed on as many user devices as possible.
Dumpster As its name suggests, dumpster diving
diving involves digging through trash of users and
organizations in order to retrieve items or
information that may be considered otherwise
useless but could yield the potential for an
attack to be launched. This attack may be
successful when organisations or users throw
away confidential or sensitive information
rather than shredding or destroying it.
Tailgating Tailgating refers to the process of gaining
access to a restricted area within an
organisation by following behind uses who
authorised to access that particular area. It
may also refer to authorised users granting
access to restricted areas.
Shoulder Shoulder surfing refers to casually observing
surfing somebody entering secret information like a
password or pin number on a keypad without
their knowledge. This may also apply to a
utilisation of smartphone cameras or
webcams to observe users’ actions.
When it comes to these types of attacks, it is essential to

ensure that users within an organisation are aware and
exercise the necessary vigilance in order to avoid social
engineering attacks. In essence, vigilant users are the best
defence to overcome social engineering.

3 Cybersecurity controls
Armed with knowledge of threats facing organisations, we can
now explore mechanisms that organisations can adopt to
control and manage these threats by way of a comprehensive
information security strategy.
3.1 Information Security Controls

According to Laudon and Laudon (2021), there are several
types of controls that may be put into place to overcome
threats:
Type of Control Aim

Software Ensure that only authorised users may gain
controls access to system resources. E.g., antivirus
software, antimalware software, firewalls,
etc.
Hardware Ensure that hardware is physically secure,
controls not malfunctioning and that regular
backups are maintained. E.g., physically
locking down devices, off-site backups, etc.
Operations Ensure that procedures are in place when it
controls comes to the backup and recovery
procedures as well as data storage.
Organisations need to ensure that these
align with industry best practices. E.g.,
ensure that the organisation can recover
operations from an outage with minimal
loss of data.
Data security Ensure that organisational files are
controls maintained internally and externally, and
that unauthorised access, modification or
destruction are prevented. E.g., off-site
backups, encryption, restricted access, etc.
Implementation Ensure that while business systems are
controls being developed, the process is properly
controlled and managed.
Administrative Ensure that an organization's admin
controls process is are executed properly to ensure
information security and that rules are
enforced. E.g., ensuring that there is an
information security policy in place.

3.2 Additional cybersecurity controls

In addition to the controls described above, the following
cybersecurity controls should also be a part of comprehensive
information security strategy:
3.2.1 User awareness
User awareness is perhaps the most important control

mechanism that can be put into place. Information security
may be likened to a chain where a nefarious actor will target
the weakest link. As explained by Romney & Steinbart (2018),
employees and managers should be taught the value of
information security for the long-term sustainability of the
organisation. Simple aspects like not sharing passwords, never
opening unsolicited attachments, never divulging information
telephonically, physically protecting organisational devices can
go a long way in enhancing information security (Romney &
Steinbart, 2018).
3.2.2 Information security policies
Falling under the responsibility of the Chief Security Officer

(CSO), the information security policy outlines the way the
organisation will respond to information security threats
(Laudon & Laudon, 2021).
An information security policy broadly outlines the information

security risks facing an organisation, acceptable information
security goals, and methods that will be taken to achieve these
goals. More specifically, this document outlines each of a firm’s
information assets, the level of risk applicable to each asset,
and the level of cost to manage the risk (Laudon & Laudon,
2021).
If we were to tie this to the example of the student results

system at your institution, this is an important information asset
for current and past students. The system stores results
obtained by all past and present students. It may be accessed
by students as results are updated as well as potential
employers who seek to hire graduates. The information
security policy would acknowledge this reality, in addition to
the risk that this system could be susceptible to cyber-attacks,
unauthorized access to results or even one student accessing
another student’s results by mistake. To overcome this, the
information security policy will outline the risk management
strategies that could be put into place including off-site

backups, encryption, segregation of information based on user

role, logins, two-factor authentication, and so on.
Risk management is discussed later in this learning unit.
3.2.3 System access control
When it comes to securing an information system, it is

necessary to control access to the technology resources to
those who need them to complete their tasks. The process of
process of restricting access of users to specific portions of the
system and limiting what actions they are permitted to perform
is known as authorisation (Romney & Steinbart, 2018). An
example of where this may be crucial is payroll information.
Whilst the Human Resources and Finance departments would
need access to the salary data of employees, employees in
sales, operations and marketing should not have access to
such data.
To enable this, organisations may make use of authentication

to verify the identity of a user that attempts to access a
technology resource to ensure that only legitimate users can
access the resource (Romney & Steinbart, 2018). This may
take the form of passwords, PIN numbers, smart cards, or
biometric identifiers like fingerprints (Romney & Steinbart,
2018).
Whilst each authentication method on its own can be effective,

it is far more effective to utilise a combination of methods for
greater security – this is known multifactor authentication. A
simple example of this is that when a student logs in to access
their results, they may receive a one-time PIN code on their
mobile device to complete the login process.
The processes that an organisation uses for access control,

including password sharing updating, and complexity
requirements, should also be defined in the information
security policy. The policy will also outline how users’ access
should be added and removed as they join or leave the
organisation.

3.2.4 Network access controls
Organisations run networks of varying sizes that allow users to

collaborate in real-time across a building, and over the
Internet. To ensure that the network remains secure,
organisations adopt a multipronged approach to ensure that
the organisation’s network is built to be robust and resilient.
If we were to consider the network

architecture in Figure 12, there
are several security measures in
place. Can you explain the
components in the diagram?
A border router, sometimes called

a gateway, connects the
organisation to the Internet.
Directly behind it sits a firewall
that ensures that the network is
protected from an outside attack
via the Internet. In addition to
firewalls, organisations may utilise
intrusion detection and/or
prevention systems (IPS) to
monitor traffic flow to proactively
detect and protect the
organisation from attacked on the
network (Romney & Steinbart,
2018).
Within the network, the different

Figure 15 – Sample Network Architecture
departments are separated into their
(Romney & Steinbart, 2018).
own local area networks (LANs), each
with a firewall protecting each LAN to ensure that if any
department is attached from within, the other departments are
protected.
Within each LAN, the different devices (laptops, desktops,

tablets, etc.) would be protected by several measures including
installing antimalware and antivirus software, ensuring
software and operating systems are regularly updated, and
having a bring-your-own-device (BYOD) policy is in place
(Romney & Steinbart, 2018). BYOD is discussed in the next
section.

Aside from the organisational network, organisations can

implement a demilitarized zone (DMZ) to host resources that
need to face the Internet and could be accessible outside their
network including their web server, ecommerce platform, email
server, and wireless access (Romney & Steinbart, 2018). It
would make sense to put wireless access in a DMZ as it
comes with considerable risk of unauthorized access from
external devices and keeping it separate adds an additional
layer of complexity for any nefarious actors (Romney &
Steinbart, 2018).
3.2.5 Physical access control
Whilst implementing software and network access, controls are

essential, it is necessary to protect the physical infrastructure
from harm, damage and even sabotage (Bourgeois et al.,
2019).
To ensure this, Bourgeois et al. (2019) advise that an

organisation take several measures:
• Locked doors to ensure physical devices cannot be

removed or accessed by unauthorized personnel.
• Intrusion detection including camera and motion sensors.
• Secured equipment locked in server racks or locked
down.
• Environmental control including heating, ventilation, and
cooling (HVAC) as well as fire suppression.
• Employee awareness to ensure that employees’ devices
are not a source of intrusion into the network (e.g., to not
leave laptops unattended).
3.3 Bring your own device (BYOD)

As mobility has become common with the advent of laptops,
smartphone and tablets, employees have begun to use their
own personal devices for work to increase productivity to the
extent that organisation are reconsidering how they will
procure devices for employees in the future Laudon & Laudon
(2021).
With greater emphasis on working from home, this new reality

brings about a new challenge relating to security of information
as not all users take necessary steps to protect their devices
(PINs, passwords, or software updates) whilst also opening the
organisation to theft of intellectual property (theft or an
employee with malicious intent).

To solve this challenge, organisations implement BYOD

policies (Bourgeois et al, 2019). A BYOD policy defines what
constitutes acceptable use of one’s own technology for the
purpose of work whilst ensuring that the organisation remains
safe from threats (Chouffani, 2021).
As part of this policy, organisations can define a policy that

considers use of the camera at work (prevention), use of voice
recording (inside the workplace), encryption of company data,
network settings, VPN use when accessing company data,
mandatory password settings on devices, lost or stolen device
reporting procedures, device location, and backup and
recovery from loss (Bourgeois et al., 2019).
4 Cybersecurity Risk Management

As can be gleaned in this learning unit, organisations face
several risks that cannot be ignored. These risks need to be
handled in the best interests of the organisation. In this
section, we explore the concept of risk management. As
discussed previously, a risk management is the identification of
risks associated with an organisation’s IT assets,
understanding the nature of the risks and deciding on a way
forward.
4.1 Understanding IT risk

An IT risk is defined as the loss, disruption or damage to an
organisation due to the failure or misuse of its ICT
infrastructure (Sotnikov, 2022). Examples of risks can include
theft of data, hardware damage, malware, compromised
credentials, unauthorized access, infrastructure failure, system
downtime, and even natural disaster (Sotnikov, 2022).
Sotnikov (2022) outlines three key considerations for a

cybersecurity risk assessment:
1. What are the key IT assets of the organisation – where

the outage would affect business operations?
2. What are they key business processes that utilise this
asset?
3. What threats could affect the ability of the business
process to operate?

If we were contextualising this with an example of a retail

supermarket, an IT asset would be the point-of-sale system
which is used at checkout – which could be a series of pay
points linked to a central inventory system. The key business
processes that utilise this IT asset is processing sales and
receiving payment from customers. Some threats that could
affect the IT assets that run this process could be hacking,
system downtime, inability to process card payments,
loadshedding, etc. This process can be repeated for each IT
asset within the supermarket including despatch, goods
receiving, payroll, supplier systems, email, etc.
Now that we understand the assets involved, the business

processes that they affect, and threats, we can begin to decide
how to manage the risks associated with the IT asset. As part
of this process, Sotnikov (2022) explains that organisations
then need to consider which risks needs addressing, its priority
and a cost-effective way to approach it (considering legal fees,
downtime, lost business, etc.).
Back to our point-of-sale example: If the business process

related to the point-of-sale system were to stop, the business
will grind to a halt. This immediately classifies this risk as a
high priority risk that needs to be managed. Other risks like the
payroll system going down in the second week of the month,
whilst risky to the business, may be deemed lower risk as
salaries are processed and paid in the last week of a month.
Furthermore, there would be less impact on the business as
some processes may be carried out manually if the payroll
system were to go offline.
The abovementioned example has several implications:
• The organisation would focus more expertise to manage

the risks associated with the point-of-sale system as
compared to the payroll system.
• The organisation would spend more on ensuring that the
point-of-sale system is always available as compared to
the payroll system.
• Fixes and updates to the payroll system would have to
happen after hours.
• Whilst data in sensitive in both examples, there may be
greater investment to protect salary data from
unauthorized access as opposed to inventory data which
is used across the organisation.

• It is more likely that the point-of-sale system could go

down due to a network outage as opposed to a natural
disaster like an earthquake, in the South African context.
These are the kinds of implications that need to be considered

in a risk management strategy.
4.2 IT risk assessment formula

As discussed, there is a need to define the risks an
organisation faces. There are four key components that must
be considered:
1. Threat: Any threat that could harm the organisation.

2. Vulnerability: Any weak point that could allow a threat to
cause harm.
3. Impact: Total damage if a vulnerability were exploited.
4. Likelihood: How likely is this to occur?
An example of the above:
1. Threat: Malware
2. Vulnerability: Outdated malware on an employee’s
laptop.
3. Impact: Depending on the malware, it could be isolated
to a single machine or devastating across the network.
4. Likelihood: Employees’ device accesses the internet so
the risk could be very likely.
This gives rise to a logical (not mathematical) formula:

Risk Score = Threat x Vulnerability x Value of the IT Asset
for business processes
If the contribution of any of these factors are high, it contributes

to a higher overall risk that the organisation is exposed to, and
this allows us to understand which risks to focus more on.

4.3 Process of cybersecurity risk

management
Sotnikov (2022) outlines 9 formal steps to conduct an IT risk
management assessment:
• Step 1: Identify and prioritize assets – this has been

discussed.
• Step 2: Identify threats – this has been discussed.
• Step 3: Identify vulnerabilities – this has been
discussed.
• Step 4: Analyse controls
In this step, the current controls in place are assessed. It
could be documented here that point-of-sale devices
have antivirus software installed, a backup connection,
backup power, etc.
• Step 5: Determine the likelihood of an incident – this
has been discussed.
• Step 6: Assess the impact of a threat – this has been
discussed in terms of the risk formula.
• Step 7: Prioritise the risk
Using the risk formula, the impact of the risk can be
established as critical, medium or low. This is how we
determine that a point-of-sale system is at greater risk
than the payroll system in terms of downtime.
• Step 8: Recommend controls
Controls can encompass any measures taken to manage
the risk, address vulnerabilities, lessen the impact, or
lessen the likelihood.
• Step 9: Document the results

Figure 16 – Sample Risk Assessment Report -

Sotnikov (2022)
This step allows for the development of a risk

management report to allow for decisions to be made
on which risks will be managed. This report is
presented in a table format and can inform budget,
policies, and processes. A sample is included in Figure
13.
4.4 Business continuity and disaster

recovery (BCDR)
As we conclude this learning unit, let us explore the concepts
of business continuity (BC) and disaster recovery (DR) which
focus on ensuring that an organisation can continue operations
after an event that has caused a disruption or outage (Moore,
2020).
Business continuity and disaster recovery are similar in that

they consider unplanned events from human error, cybercrime,
and natural disasters. Furthermore, their aim is to return to
close-to-normal operations as soon as possible (Moore, 2020).
However, they are not interchangeable terms.

Business continuity is proactive and focuses on the processes

and procedures that an organisation must undertake to ensure
that business functions can continue during and after a
disaster and involves a longer-term outlook (Moore, 2020).
Business continuity incorporates risk management, employee
safe, organisation-wide process planning to ensure that an
organisation stays active during an event (Moore, 2020). On
the other hand, disaster recovery is more reactive and focuses
on steps that must be taken to resume operations in the
immediate aftermath of a disaster (Moore, 2020). With disaster
recovery, focus is placed on the technology infrastructure and
getting it up and running.
In achieving this, organisations may setup hot sites or cold

sites to resume operations. In the event of a disaster, a hot site
is a location that is fully setup with all the required equipment
and support staff, and ready to go at short notice so that
employees may login and continue working where they left off
and data is current (Sullivan, 2018). This option is more suited
to mission-critical data and is more expensive to maintain. A
cold site, on the other hand, is a site with little to no IT
equipment or resources in place but serve as space that could
be setup if the need arises (Sullivan, 2018). As such, they are
cheaper to run and take longer to setup – meaning they are
more suited to non-essential business functions.


Cybersecurity threats:
• What is Social Engineering? Examples & Prevention

Tips: https://www.webroot.com/za/en/resources/tips-
articles/what-is-social-engineering [Accessed 13 January
2023].
• 5 biggest cybersecurity threats:
https://www.securitymagazine.com/articles/94506-5-
biggest-cybersecurity-threats [Accessed 13 January
2023].
BYOD:
• BYOD (bring your own device)

https://whatis.techtarget.com/definition/BYOD-bring-your-
own-device. [Accessed 13 January 2023].
• Understanding the BYOD landscape:
https://www2.deloitte.com/uk/en/pages/technology-
media-and-telecommunications/articles/understanding-
the-bring-your-own-device-landscape.html [Accessed 13
January 2023].
Risk Management:
• Risk formula with an example:

https://www.youtube.com/watch?v=kTBT7fkEGF4&ab_c
hannel=Netwrix [Accessed 13 January 2023].
• Risk assessment process:
https://blog.netwrix.com/2018/01/16/how-to-perform-it-
risk-assessment/ [Accessed 13 January 2023].
BCDR
• What is BCDR? Business continuity and disaster

recovery guide:
https://searchdisasterrecovery.techtarget.com/definition/
Business-Continuity-and-Disaster-Recovery-BCDR
• What's the difference between a hot site and cold site for
DR?:
https://searchdisasterrecovery.techtarget.com/answer/W
hats-the-difference-between-a-hot-site-and-cold-site-for-
disaster-recovery [Accessed 13 January 2023].

6 Activities
6.1 Activity 1
Visit the campus IT department and conduct research on the
password policy at our institution. How often do users have to
change passwords? What are the minimum requirements for a
password?
6.2 Activity 2
Being a student who is familiar with cybersecurity, you have
been invited to present a discussion on social engineering.
Conduct additional research and find three relevant interesting
cases of social engineering. Using these three cases, explain
the intended target, how each attack was carried out and why
the attack was or was not successful, and outline the lessons
that can be learnt.
6.3 Activity 3
Consider this scenario: You are a business owner of an
organisation with over 50 employees. A new employee is
joining the company but does not want to use the laptop that
the company will issue. Instead, they want to use their laptop
to connect to the Wi-Fi, use collaboration software, access
emails, and share files on the network. Craft a short BYOD
policy for your organisation.

this learning unit (you may be required to conduct additional
research):
1. What is meant by password policies? Define some of the

common aspects included in a password policy?
2. Describe one method of multi-factor authentication that
you have experienced and discuss the pros and cons of
using multi-factor authentication.
3. Differentiate between authorisation and authentication.
4. What are the components of an information security
policy? Briefly describe what each component
comprises.
5. Discuss the process of IT risk management.
6. Differentiate between business continuity and disaster
recovery.

Learning Unit 4: Issues provided by IS

1. Outline the legal issues brought

about by IS.
2. Discuss the implications of
legislation on IS in organisations.
3. Discuss ethical issues of IS.
4. Discuss the challenge of intellectual
property in organisations.
5. Describe the challenges brought
about by misinformation.
6. Outline the implications of utilising
artificial intelligence in decision-
making processes.
7. Describe the issues of the digital
divide.
8. Describe the challenges associated
with broadband access in South
Africa.
9. Discuss strategies that may be
adopted to bridge the digital divide.
10. Module Manual.

11. Recommended readings outlined in
this learning unit.
12. Before this learning unit, consult the


8 Introduction
Aside from information security, there are other issues
presented by IS for business. This learning unit explores the
legal, ethical, and social issues associated with technology.
When exploring legal issues, we will explore South African
legislation and how they affect IS in organisations. We will also
explore the ethical issues like misinformation, and the role of
artificial intelligence in decision making. Lastly, we will discuss
societal issues like the digital divide, broadband access being
a human right and how to bridge the digital divide.
9 Legal Issues of IS
9.1 Legal vs ethical issues
Before we jump into legal and ethical issues, let’s look at the
difference between these two concepts.
Ethics deals with the concepts of right and wrong, and how
one should behave. It would be considered ethically wrong to
murder somebody, for example. (Velasquez, Andre, Shanks
and Meyer, 2010)
Laws also deal with right and wrong, but breaking a law has
consequences. (Sullivan and Pecorino, 2002) The fact that
society considers murder to be ethically wrong, does not have
any consequences attached to it. But the fact that it is illegal,
means that a murderer can be apprehended and punished.
Murder is both unethical and illegal. But there can be actions

that are legal and yet unethical, or illegal but ethical. Can you
think of some examples?
9.2 South African legislation

The South African Constitution is the highest law in the
country. (Gov.za, 1996) Chapter 2 of the Constitution is the Bill
of Rights, which lists all the rights that every person in the
country has. If you have not read this before, pause now and
do so. For easy reference, here is the link:
https://justice.gov.za/legislation/constitution/SAConstitution-
web-eng.pdf [Accessed 13 January 2023].

Figure 14 – Section 14 of the South African Constitution

(Gov.za, 1996)
Section 14(d) of the Bill of Rights (see Figure 14) specifically

recognises the right to privacy of communications. This forms
the basis for several laws that details how this is put into
practice.
When reading online sources about laws, always make sure

that you are looking at a source from the right country. Laws
can differ between countries in subtle or dramatic ways, so
make sure you read South African sources to avoid confusion.
Laws in South Africa go through a very specific process before

they come into effect. When a law is first proposed, it is called
a Bill. When it has gone through all the approvals, including by
signature the President, it is called an Act (or in full an Act of
Parliament). (Parliament of the Republic of South Africa, n.d.)
So, when we discuss the various Acts below, these are laws
that have already gone through the whole approval process.
The below short synopsis of each of the Acts is provided as an

introduction to the Act, and by no means a complete
description of the contents of the Act. Links to the full text of
each of these Acts can be found in the recommended reading
section below.
It is important to note that an Act may only come into effect

after some time, and parts of an Act can come into effect at
different times. When you look at the links in the recommended
reading section, take note of the Commencement heading.
9.2.1 Electronic Communications and Transactions Act

25 of 2002
The Electronic Communications and Transactions Act is all

about regulating electronic communications and transactions.
In includes clauses on the legal recognition of data messages,
requirements for digital signatures, and how data messages
can be used in legal proceedings. It also has clauses around

cryptography and authentication providers. (South African

Government, 2002a) It also touches on consumer protection,
and the protection of personal information, both of which were
expanded later into full Acts.
9.2.2 Regulation of Interception of Communications and

Provision of Communication-related Information
Act 70 of 2002
So, if all people have the right to privacy, how can interception
of communication then be legal? The Regulation of
Interception of Communications and Provision of
Communication-related Information Act (RICA) explains when
law enforcement officers may intercept communication, for
example to provide serious harm to someone. It describes how
warrants can be obtained, and how intercepted communication
may be used. And it expressly prohibits other parties from
even building equipment that could intercept communications,
let alone actually intercepting communications. Another
interesting requirement is that telecommunications services
must have the capability to be intercepted. (South African
Government, 2002b)
You might be familiar with RICA as a verb – to RICA when you

get a new sim card for your cell phone. The requirements to
register a name and address before a sim card can be
activated is prescribed by this law. CellC (n.d.) describes the
exact requirements for validating this information. And details
the penalties connected to breaking this law, which is quite
severe for both service provider and customer.
The Constitutional Court of South Africa ruled on 4 February

2021 that RICA is unconstitutional, “to the extent that it fails to
provide adequate safeguards to protect the right to privacy, as
buttressed by the rights of access to courts, freedom of
expression and the media, and legal privilege.” (Constitutional
Court of South Africa, 2021) This does not mean that the law is
no longer in effect. The Court rules that the declaration of
invalidity will only take effect in three years, giving Parliament
enough time to update the law. (Constitutional Court of South
Africa, 2021)
Read the media summary of the case that prompted this ruling
here: http://www.saflii.org/za/cases/ZACC/2021/3media.pdf

This is an example of the Constitution taking precedence over

an Act, just as it was supposed to.
9.2.3 Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act (PoPIA) describes

how personal information must be protected – both by
companies and the government. So, what is personal
information exactly? According to PoPIA, it is “information
relating to an identifiable, living, natural person, and where it is
applicable, an identifiable, existing juristic person”. (South
African Government, 2013) It includes things like your name,
address, age, etc. A comprehensive list can be found on page
14 of the Act.
Parts of the Act only came into effect in 2021, despite the Act
dating back to 2013. This means that companies had plenty of
time to adapt their systems and processes.
Under PoPIA, personal information must be collected and

processed with the person’s consent. Only the relevant data
may be collected, and only used for the purpose that it was
intended. (South African Government, 2013) An online clothing
store would, for example, not have any reason to collect and
store medical information about their customers.
The information provided by a person then needs to be stored

safely. This means that measures must be taken to safeguard
against cyberattacks. And the Act also prescribes that, in the
case of a breach, people whose information was accessed
must be notified in writing. (South African Government, 2013)
PoPIA also deals with direct marketing using electronic

communication. Personal data is not allowed to be used for
direct marketing unless the person provides consent, or if the
person is already a customer of the company. That means that
a company that wants to market to a person must first request
consent. (South African Government, 2013)
A very important point for companies to note is that the

communication of personal information outside the borders of
the country is strictly controlled by this Act. (South African
Government, 2013)

9.2.4 Financial Intelligence Centre Act 38 of 2001
Another Act that we have come to use as a verb is FICA – the

Financial Intelligence Centre Act. The purpose of this Act is to
stop money laundering.
According to FICA, money laundering is “means an activity

which has or is likely to have the effect of concealing or
disguising the nature, source, location, disposition or
movement of the proceeds of unlawful activities or any interest
which anyone has in such proceeds.” (South African
Government, 2001)
As an individual, the effect of FICA is that you need to provide

proof of identity as well as address when dealing with financial
institutions. However, the law has lots of details about how
financial institutions must process data and report
irregularities. As such, the information systems of a financial
institution must comply with this Act.
9.2.5 King III
As an individual, it is easy to comply with the law. However,

companies are legal entities and are also expected to comply
with laws. And companies are made up of a lot of people. So,
how do you get a large company to collectively obey the law?
Through good corporate governance.
Corporate governance rules help management to effectively

lead an organisation. King III is, the third edition of the King
Committee’s report about corporate governance, detailing
principles and best practices. (Bowman Gilfillan Attorneys,
n.d.)
King III is not a law. So, why bring it up here at all? Because
good governance means that it is easy for a company to
comply with the law. (Bowman Gilfillan Attorneys, n.d.) Many
South African companies apply this code, and you will likely
come across it in your career.

9.3 Implications of legislation for

organisations
Organisations that conduct business within the borders of
South Africa, must comply with the laws of the country. This
means that organisations must be aware of the laws that
apply, train their employees to understand their responsibilities
under the relevant laws, and proactively ensure that the
processes and systems used comply.
Breaking a law can lead to fines and other penalties as

prescribed by the law. But it can also severely damage the
reputation of the organisation.
If an organisation does business in other countries too, it is

worth noting that there are laws like the European General
Data Protection Regulation (GRPD) which also should be
considered. (Bourgeois et al., 2019)
10 Ethical Issues of IS
Ethics can be applied to different areas of life, especially in the
workplace. While general ethics like “murder is wrong” might
go without saying, there could be ethics in the context of
information systems that might not be as obvious. One way to
know what is considered ethical, is to read a code of ethics,
such as the one written by Association for Computing
Machinery (ACM). (Bourgeois et al., 2019)
Pause here and read the ACM code of ethics:

https://www.acm.org/code-of-ethics [Accessed 13 January
2023].
The ACM code of ethics lists things like honesty, fairness, and
respecting privacy. So, here we see where ethics and South
African law correspond. (Association for Computing Machinery.
2018)
10.1 Intellectual property

Intellectual property is “property (such as an idea, invention, or
process) that derives from the work of the mind or intellect”.
(Merriam-Webster, 2022) A song and a short story are
examples of intellectual property.

Copyright
Intellectual Property
Patent Trademark
Figure 15 – Types of Intellectual Property

10.1.1 Copyright
Let us start from the perspective of an individual creating an

artwork. Under the Berne Convention, copyright is automatic.
This means you do not need to apply to get your work
copyrighted, in all countries that signed the Berne Convention.
(World Intellectual Property Organisation, n.d.)
South Africa is a signatory of the Berne Convention. Further

details about copyright in South Africa, including the duration
of copyright, can be found in the Copyright Act of 1978. (Smit
& Van Wyk Attorneys, n.d.)
Copyright is simple when an individual creates a work on their

own. But what if somebody creates a work as part of their job?
Typically, the employer will then own the copyright. (Kamaar
and Diedericks, 2022)
10.1.2 Trademarks
Intellectual property goes beyond just copyright though. It also

encompasses the trademark: “a device (such as a word)
pointing distinctly to the origin or ownership of merchandise to
which it is applied and legally reserved to the exclusive use of
the owner as maker or seller”. (Merriam-Webster, 2022b)
Think of the Coca Cola logo for example. It clearly identifies
the drink as manufactured by them.
Trademarks can either be registered or unregistered.

Registered trademarks are protected under the Trademarks
Act 194 of 1993 and is easy to protect because the mark is
registered with a central authority. Unregistered trademarks
are harder to project. (Innovus, 2022a)
10.1.3 Patents
When something new is invented, it is possible to apply for a

patent for that invention. Protected by the Patens Act 57 of
1978, the patent then grants the patent holder the sole right to
the invention for a period of 20 years. (Innovus, 2022b)
10.2 Misinformation
Using social media, anybody can publish anything they want to
and reach a large audience. There is no regulatory oversight.
(Susarla, Kim and Zuckerman, 2021)

Misinformation (or fake news) can have serious

consequences. For example, misinformation about COVID-19
can cause illness and death. And misleading information can
change the outcome of an election. (Susarla, Kim and
Zuckerman, 2021)
Deepfakes use sophisticated algorithms to generate footage of

someone doing or saying something that they didn’t actually
do. (Botha and Pieterse, 2020) The technology is quite
impressive, and not problematic in and of itself. But what would
happen if a deepfake of world leader is posted on social
media, declaring war on another nation? The consequences
could be far reaching.
10.3 Artificial intelligence in decision-making

In learning unit 1, we looked at databases and how data can
be processed to become information, which can in turn be
used for decision making. The technology provided the data
and processing capabilities, but the decisions were still made
by humans.
Increasingly, artificial intelligence (AI) is used to make

decisions. Some of the decisions are clearly beneficial, like
identifying malignant tumours. Or even when a streaming
service predicts what you might enjoy watching next. But when
AI is used in law enforcement, or to automatically approve loan
applications, there are risks. The biases of the people that built
the AI will be inherent in the AI system unless, they very
specifically work to avoid introducing bias. (Eisikovits and
Feldman, 2022)
Another problem is that some forms of AI will produce an

answer without any humanly understandable explanation of
how it got to the answer. (Sandtner, 2020) If a human denied a
loan application, they would be able to explain which factors
contributed to the decision. But if an AI just says no, because
of algorithms, it is not exactly a satisfying answer.
Explainable AI is a way to describe what an AI does in its

calculations in a way that humans can understand. This goes a
long way towards making AI more acceptable and using the
technology in a responsible way. (Sandtner, 2020)

11 Societal Issues of IS
11.1 The digital divide
The digital divide is the gap between the people that have
access to technology and those that do not. There are different
factors that contribute to the digital divide in South Africa:
(Huge Connect, 2022)
1. Students that do not have access to computers at school

level, miss out on learning computer skills.
2. Internet is not available everywhere, so some people
don’t have access to the information it provides.
3. Websites don’t cater for all our official languages.
4. Some rural areas lack infrastructure such as electricity.
When the COVID-19 pandemic started, and we went into

lockdown, students that did not have access to devices and
the Internet had to put their studies on hold. (Huge Connect,
2022) While students that did have access, could continue to
learn, further increasing the skills gap.
11.2 Strategies to bridge the digital divide

The Electronic Communications and Transactions Act
promoted “universal access to electronic communications and
transactions and the use of electronic transactions by SMMEs”
(South African Government. 2002a) This is a positive step in
the right direction. But we have not closed this gap just yet. So,
what can be done to help bridge the digital divide?
If the cost of Internet access is lowered, a larger part of the

population will be able to afford connectivity. (Huge Connect,
2022) This is especially important since prepaid data is more
expensive than post-paid data. (Business Tech, 2021)
In 2021, the idea of free basic data in South Africa was

mentioned. (Business Tech, 2021) However, no further
mention of this initiative could be found.
The second way to close the gap is to improve education.

(Huge Connect, 2022)
The third way of improving access to digital systems is to

ensure that websites, especially government sites, can be
accessed in all 11 official languages. (Huge Connect, 2022)


Legal issues of IS:
• The Constitution of the Republic of South Africa, 1996:

https://justice.gov.za/legislation/constitution/SAConstituti
on-web-eng.pdf [Accessed 13 January 2023].
• Electronic Communications and Transactions Act 25 of
2002: https://www.gov.za/documents/electronic-
communications-and-transactions-act [Accessed 13
January 2023].
• Regulation of Interception of Communications and
Provision of Communication -related Information Act 70
of 2002:
https://www.gov.za/documents/regulation-interception-
communications-and-provision-communication-related-
information—13 [Accessed 13 January 2023].
• Protection of Personal Information Act 4 of 2013:
https://www.gov.za/documents/protection-personal-
information-act [Accessed 13 January 2023].
• Protection of Personal Information Act: a new era of
privacy for South Africa:
https://assets.ey.com/content/dam/ey-sites/ey-
com/en_za/generic/ey-popia-report-2020.pdf [Accessed
13 January 2023].
• Financial Intelligence Centre Act 38 of 2001:
https://www.gov.za/documents/financial-intelligence-
centre-act [Accessed 13 January 2023].
• Quick Guide to Corporate Governance and King III:
http://diversionservices.dsd.gov.za/FORMS/download/Co
rporate-Governance-King-3.pdf [Accessed 13 January
2023].
Ethical issues of IS:
• Artificial intelligence and digital labour in financial

services: https://www.pwc.com/us/en/industries/financial-
services/research-institute/top-issues/artificial-
intelligence.html [Accessed 13 January 2023].
• AI is killing choice and chance – which means changing
what it means to be human:
https://theconversation.com/ai-is-killing-choice-and-
chance-which-means-changing-what-it-means-to-be-
human-151826 [Accessed 13 January 2023].
• The Moral Machine:
https://www.moralmachine.net/ [Accessed 13 January
2023].

• Fake news and deepfakes: A dangerous threat for 21st

century information security:
https://researchspace.csir.co.za/dspace/handle/10204/11
946 [Accessed 13 January 2023].
Societal issues of IS:
• Digital Infrastructure: Overcoming Digital Divide in

Emerging Economies:
https://pdfs.semanticscholar.org/a513/de546a8c8ceda79
fb4e8492c15cd84c7f983.pdf [Accessed 13 January
2023].
• South Africa is looking at giving free data to citizens:
https://businesstech.co.za/news/broadband/512368/sout
h-africa-is-looking-at-giving-free-data-to-citizens-similar-
to-water-and-electricity/ [Accessed 13 January 2023].

13 Activities
13.1 Activity 1
Read through the contract that you signed when you registered
as a student. Do you think any parts of the contract relate to
the laws described in this learning unit?

research):
1. What is the difference between ethics and the law?

2. What are the main points of the Protection of Personal
Information Act?
3. What is the difference between copyright and patents?
4. What are some examples of misinformation?
5. What is the digital divide?
6. How can the digital divide be bridged?

Learning Unit 5: Organisational

Information Systems
1. Discuss the different types of

systems within an organisation.
2. Explain the role of a transaction
processing system in an
organisation.
3. Explain the role of a management
information system in an
organisation.
4. Explain the role of a decision
support system in an organisation.
5. Explain the role of an executive
support system in an organisation.
6. Explain the role of a customer
relationship management system in
an organisation.
7. Explain the role of a knowledge
management system in an
organisation.
8. Explain the role of an ERP system in
organisations.
9. Outline the key components of an
ERP system.
10. Explain the role of ERP systems in
an organisation.
11. Explain the role of AIS in
organisations.
12. Distinguish between the features of
an accounting information systems
available to organisations.
13. Explain how can 4IR enable the role
of AIS in an organisation.
• Module Manual.
this learning unit.


15 Introduction
Now that you are equipped with an understanding of
Information Systems (IS), this learning unit explores the
different types of organisational information systems,
enterprise resource planning systems, Accounting Information
Systems and the impact of the Fourth Industrial Revolutions
(4IR).
16 Information Systems
Figure 15 – Types of Information Systems
One way to classify information systems in an organisation, is

based on how each is used in the organisation – at the
operational, tactical, or strategic level. Operational systems
typically deal with structured data, and at the other extreme
strategic systems make used of unstructured data. Tactical
systems typically use semi-structured data. (Christiansen,
2021)

16.1 Transaction Processing Systems

A transaction processing system (TPS) is used to manage the
day-to-day transactions that take place in an organisation.
(Naini, 2021) When you think of business systems from a
customer perspective, you are probably thinking of a TPS. At
an online retailer, for example, the customer facing website
where customers place their orders is a TPS.
But a TPS is not necessarily directly customer facing. That

same retailer will also have an inventory management system,
that tracks the availability of items. Warehouse employees will
use such a system during their day-to-day work.
The business transactions recorded by a TPS are structured

and relational in nature. A customer places an order for a
specific product. A warehouse receives a quantity of an
inventory item. Each record that is stored has a predictable
format.
There are two types of TPS:
1. Online Transaction Processing System (OLTP). This is a

system where a transaction is immediately completed.
(Naini, 2021) When you place an order at an online
retailer, for example, the order is immediately recorded in
their database.
2. Batch processing. This is where several transactions are
grouped into a batch, for later processing. An example of
this is payroll, where the details of what the employees
must be paid is gathered over the course of a month,
and at the end of the month all the employees are paid in
one batch. (Naini, 2021)
16.2 Knowledge Management Systems

Much can be said about knowledge management in an
organisation. But here we will focus on the Knowledge
Management System (KMS) that enables knowledge
management.
“A knowledge management system is any kind of IT system

that stores and retrieves knowledge to improve understanding,
collaboration, and process alignment.” (Birkett, 2022)

Imagine you start working at a company that manufactures

spaceship components. You walk into the office on the very
first morning and have no idea what is going on. It is a complex
industry with very specific processes. Where do you find
information? Well, you can ask someone of course. But no one
individual can possibly know everything. So, consult the
knowledge management system.
A typical KMS contains items such as articles, tutorials, case

studies and videos. This content must be organised in a way
that makes things easy to find. And it can either be used by
employees only, or also by customers. (Birkett, 2022)
Here is an example of a customer-facing knowledge base –

the Microsoft Support site:
https://support.microsoft.com/en-US [Accessed 13 January

2023].
Pause for a moment here, and search for something in the

knowledge base to get a feeling for how it works. Try “Excel
how to calculate average” for example. How do you think the
information you see is stored?
A KMS does not track day-to-day transactional data, but it is

still used in the operations of a company. That is why it is
classified as operational.

16.3 Management Information Systems

A management information system (MIS) provides information
to managers. Operating at the tactical level, an MIS is used by
middle management. (Martin, 2021)
An MIS presents information to a manager that helps with

decision making. (Luenendonk, 2017) It takes data from
different sources, and process it into information that is
useable by a specific person.
An example of an MIS is an inventory system. (Luenendonk,

2017) A good inventory system will enable a warehouse
manager to know when to order more stock. This could be
based on current stock levels, but also on anticipated demand
for an item. Heart-shaped candy is very much in demand just
before Valentine’s Day, and lots of stock should be available in
the warehouse then. But during the rest of year, there is no
need to dedicate a whole wing of the warehouse to chocolate.
16.4 Decision Support Systems

Finally, we are now moving to the systems used by senior
management in an organisation: the decision support system
(DSS). Using inputs from both TPS and MIS, and even
external sources, these systems have sophisticated models to
answer questions. For example, the question might be how the
introduction of a new product line will affect the finances of the
company. (Martin, 2021)
16.5 Executive Support Systems

An executive support system (ESS) is used at the executive
level. It is like a DSS in the sense that it helps with decision
making. But this time, the questions are less routine.
(Christiansen, 2021)
16.6 Customer Relationship Management

Systems
A customer relationship management (CRM) system is “a
technology for managing all your company’s relationships and
interactions with customers and potential customers.”
(Salesforce, 2022)

Anyone in a company that interacts with customers can make

use of the data in a CRM. This can include for example sales,
marketing, and customer services. (Salesforce, 2022) When
you contact the call centre of an online retailer, the person you
speak to would never have met you before. But the CRM
system gives them all the relevant information to know how to
assist you.
A CRM is an integrated system where you can have a single

view of customers. (Salesforce, 2022)
17 Enterprise Resource Planning (ERP)

Systems
17.1 Role of an ERP System
An enterprise resource planning (ERP) system is a “a business
process management software that manages and integrates a
company’s financials, supply chain, operations, commerce,
reporting, manufacturing, and human resource activities.”
(Microsoft, 2022)
As we can see from this definition, an ERP encompasses all

the aspects of a company. When using an ERP, departments
can work more closely together to achieve benefits such as
cost reduction and higher efficiency across the organisation.
(Oracle, 2022)

17.2 Components of an ERP System
Financial
Accounting
Manufacture and
Stock and Sales
Distribution
ERP
Components
Human Customer
Resources and Relationship
Payroll Management
Figure 16 – Components of an ERP, based on Davies

(2021)
The five major components described by Davies (2021) can be

seen in Figure 16. Let’s have a quick look at each component.
1. Accounting. These systems keep track of financial

information. (Davies, 2021) More about that in the next
section.
2. Manufacture and distribution. These systems keep
track of supply and demand. (Davies, 2021)
3. Customer relationship management. (Davies, 2021)
Read section 2.6 again for more details.
4. Human Resources and payroll. This keeps track of
employees and ensures that they get paid. (Davies,
2021)

5. Stock and sales. Keeping track of inventory and sales

numbers. (Davies, 2021)
18 Accounting Information Systems

18.1 Role of an AIS
Many of the business systems we have discussed so far are
not really country specific. A KMS is a KMS, regardless of
where it is used. Yes, business have their own processes. And
the way systems are used will differ from organisation to
organisation. But there is no reason why a KMS developed
anywhere else in the world would not work in South Africa.
When it comes to accounting systems though, every country
has very specific, unique legal requirements in addition to the
generally accepted accounting principles. So, when choosing
an accounting information system (AIS), it is important to
check that the chosen system is compliant.
An AIS is used by an organisation “to collect, store and

process the accounting and the financial data which is used by
the internal users of the company in order to give report
regarding various information to the stakeholders of the
company such as creditors, investors, tax authorities, etc.”
(Jain, n.d.)
It is important to keep accurate financial information, so be

able to answer questions such as “How much profit did we
make this quarter?” And of course, to correctly calculate tax
that is due.
18.2 Accounting System Features

The features provided by an AIS includes: (Fuscaldo, 2021)
• Accounts receivable – keeping track of who owes the

organisation money.
• Accounts payable – keeping track of who the
organisation needs to pay.
• Banking and payments – being able to pay and receive
amounts using automated integration with a bank
account.
• Payroll – keeping track of the salaries paid to employees.
• Reporting – from basic reports such as an income
statement to more advanced things like cost predictions.

Advanced features provided by some AIS including managing

shipping as well as inventory. (Fuscaldo, 2021)
18.3 4IR and Accounting Information Systems

The 4IR impacts so many aspects of business, including
accounting. As AIS becomes more sophisticated, accountants
may have fewer job opportunities in future. (Exceed, 2022)
While that might seem like a very pessimistic outlook, new

technologies do also have significant benefits. This new era of
technology should be seen as a positive change and an
opportunity for growth in the AIS space Accounting
professionals can use automated systems to do the repetitive
work that used to be the bulk of an accountant’s job. And that
frees them up to provide better, more timeous inputs to their
organisations. (Exceed, 2022)
18.4 How 4IR is changing how accounting and

auditing companies operate:
Exceed (2022) highlights the following benefits of 4IR for the
accounting professional can actually improve client relations in
several ways:
• Removing repetitive tasks done by employees thus

allowing more time for other valuable work and
interaction with clients.
• Instead traditional bookkeeping and auditing tasks, using
new software and other technologies will make the task
at hand more efficient.
• Cloud-based accounting solutions will allow for files can
be accessed from anywhere and anytime.
• Client data can be managed with speed and accuracy.
• Security and compliance measures to protect clients are
greatly enhanced.
• Traditional “number crunching” is eliminates to adapt
and focus on other types of expertise.


• The 6 Main Types of Information Systems:
https://altametrics.com/information-systems/information-
system-types.html [Accessed 13 January 2023].
• Management Information Systems (MIS): Definition and
How It Works:
https://www.cleverism.com/management-information-
systems-mis/ [Accessed 13 January 2023].
• 6 Core Components of the ERP System
https://www.sagesoftware.co.in/blogs/6-core-
components-of-the-erp-system-2/ [Accessed 13 January
2023].
20 Activities
20.1 Activity 1
Visit campus IT and ask them about the kinds of systems used
in the management of student data.

research):
1. Why is a knowledge management system important for a

large organisation?
2. What is a customer relationship management system
used for?
3. What are examples of transaction management systems
that you can see in action in your daily life?
4IR and its implications:

• Industry 4.0:
https://www2.deloitte.com/za/en/pages/consumer-
industrial-products/articles/industry-4-0--are-you-ready.html
Accessed 13 January 2023].
• The Fourth Industrial Revolution: what it means, how to

respond: https://www.weforum.org/agenda/2016/01/the-
fourth-industrial-revolution-what-it-means-and-how-to-
respond/ Accessed 13 January 2023].
• How can Africa succeed in the Fourth Industrial

Revolution?:
https://www.weforum.org/agenda/2020/08/africa-fourth-
industrial-revolution-technology-digital-education/
Accessed 13 January 2023].
• Accounting Profession and 4IR :

https://www.researchgate.net/publication/328609537_Sust
ainability_of_Accounting_Profession_at_the_Age_of_Fourt
h_Industrial_Revolution [Accessed 13 January 2023].

23 Bibliography
Adam, E., Wassermann, J. and Blewett, C. 2016. An investigation of UKZN students’
adoption and utilisation of personal cloud technologies. South African Journal of
Higher Education, 29(6).
Altynpara, E. 2021. Why Migrate To The Cloud: The Basics, Benefits And Real-Life
Examples. Forbes Technology Council.
https://www.forbes.com/sites/forbestechcouncil/2021/03/12/why-migrate-to-the-cloud-
the-basics-benefits-and-real-life-examples/?sh=f62fdd25e272 [Accessed 13 January
2023].
Andrews, E. 2019. Who Invented the Internet? History Channel.

https://www.history.com/news/who-invented-the-internet [Accessed 13 January
2023].
Association for Computing Machinery. 2018. ACM Code of Ethics and Professional
Conduct. [Online] Available at: https://www.acm.org/code-of-ethics [Accessed 13
January 2023].
Bala, R., Gill, B., Smith, D., Ji, K. Wright, D. 2021. Magic Quadrant for Cloud
Infrastructure and Platform Services. Gartner.
https://www.gartner.com/doc/reprints?id=1-271OE4VR&ct=210802&st=sb [Accessed
13 January 2023].
Birkett, A. 2022. Knowledge Management Systems: The Ultimate Guide. [Online]

Available at: https://www.hubspot.com/knowledge-management-systems [Accessed
13 January 2023].
Botha, J. and Pieterse, H. 2020. Fake News and Deepfakes: A Dangerous Threat for
21st Century Information Security. [Online] Available at:
https://www.proquest.com/openview/67064446abb3dec6bea4c680d5aa3a31/1?cbl=3
96500&pq-origsite=gscholar [Accessed 13 January 2023].
Bourgeois, David T., Smith, James L., Wang, S., and Mortati, J. 2019. Information
Systems for Business and Beyond. Open Textbooks.
https://digitalcommons.biola.edu/open-textbooks/1 [Accessed 13 January 2023].
Bowman Gilfillan Attorneys. n.d. Quick Guide to Corporate Governance and King III.
[Online] Available at:
http://diversionservices.dsd.gov.za/FORMS/download/Corporate-Governance-King-
3.pdf [Accessed 13 January 2023].
Business Tech. 2021. South Africa is looking at giving free data to citizens – similar
to water and electricity. [Online] Available at:
https://businesstech.co.za/news/broadband/512368/south-africa-is-looking-at-giving-
free-data-to-citizens-similar-to-water-and-electricity/ [Accessed 13 January 2023].

CellC, n.d. What is RICA? [Online] Available at: https://www.cellc.co.za/cellc/static-

content/PDF/RICA.pdf [Accessed 13 January 2023].
Ciampa, M. 2018. Security+ Guide to Network Security Fundamentals. 6th ed.

Cengage. Boston, MA.
Chai, W., Holak, B, & Cole, B. 2020. What is e-commerce? Definition and meaning.
TechTarget. https://searchcio.techtarget.com/definition/e-commerce [Accessed 13
January 2023].
Chouffani, R. 2021. BYOD (bring your own device). TechTarget.

https://whatis.techtarget.com/definition/BYOD-bring-your-own-device [Accessed 13
January 2023].
Christiansen, L. 2021. The 6 Main Types of Information Systems. [Online] Available

at: https://altametrics.com/information-systems/information-system-types.html
Constitutional Court of South Africa. 2021. CCT 278/19 and CCT 279/19 Media
Summary. [Online] Available at:
http://www.saflii.org/za/cases/ZACC/2021/3media.pdf [Accessed 13 January 2023].
Davies, J. 2021. The Components of ERP Software. [Online] Available at:

https://www.winman.com/blog/the-components-of-erp-software [Accessed 13
January 2023].
Deloitte, 2017. Industry 4.0 — The Fourth Industrial Revolution is here, are you
ready? Deloitte. https://www2.deloitte.com/za/en/pages/consumer-industrial-
products/articles/industry-4-0—are-you-ready.html [Accessed 13 January 2023].
Eisikovits, N. and Feldman, D. 2021. AI is killing choice and chance – which means
changing what it means to be human. [Online] Available at:
https://theconversation.com/ai-is-killing-choice-and-chance-which-means-changing-
what-it-means-to-be-human-151826 [Accessed 13 January 2023].
Exceed. 2022. Fourth Industrial Revolution (4IR): An understanding of the impact of

technology on the accountancy profession. [Online] Available at:
https://www.exceed.co.za/fourth-industrial-revolution-4ir-an-understanding-of-the-
impact-of-technology-on-the-accountancy-profession/ [Accessed 13 January 2023].
Fuscaldo, D. 2021. A Guide to Accounting Software Features and Benefits. [Online]

Available at: https://www.business.com/articles/features-of-accounting-software/
Gov.za, 1996. The Constitution of the Republic of South. [online] Available at:
https://justice.gov.za/legislation/constitution/SAConstitution-web-eng.pdf [Accessed
13 January 2023].
Huge Connect, 2022. Digital Divide in South Africa. [Online] Available at:
https://hugeconnect.co.za/digital-divide-in-south-africa/ [Accessed 13 January 2023].
Iansiti, M. and Lakhani, K. R. 2017. The Truth About Blockchain. Harvard Business
Review. https://hbr.org/2017/01/the-truth-about-blockchain [Accessed 13 January
2023].
Innovus. 2022a. Trade Mark. [Online] Available at:

https://www.innovus.co.za/working-with-innovus/intellectual-property-
2/trademark.html [Accessed 13 January 2023].
Innovus. 2022b. Patents. [Online] Available at: https://www.innovus.co.za/patents-

1.html [Accessed 13 January 2023]
Jain, P. n.d. Accounting Information System (AIS). [Online] Available at:

https://www.wallstreetmojo.com/accounting-information-system/ [Accessed 13
January 2023].
Kamaar, A. and Diedericks, N. 2022. Copyright Laws and Regulations 2022. [Online]
Available at: https://iclg.com/practice-areas/copyright-laws-and-regulations/south-
africa [Accessed 13 January 2023].
Khetani, S. 2021. Evolution of computing From mainframe (centralized) to blockchain

(decentralized). Sknotes.com. https://sajidkhetani.medium.com/evolution-of-
computing-8a5ce5e07033 [Accessed 13 January 2023].
Laudon, K. C. and Laudon, J. P. 2021. Management information systems: Managing

the digital firm. 16th ed. Pearson. Hoboken, NJ.
Luenendonk, M. 2017. Management Information Systems (MIS): Definition and How

It Works. [Online] Available at: https://www.cleverism.com/management-information-
systems-mis/ [Accessed 13 January 2023].
Mahlaka, R. 2021. South Africa’s shopping mall malaise worsens – and the road to
recovery will be long. Daily Maverick. https://www.dailymaverick.co.za/article/2021-
09-15-south-africas-shopping-mall-malaise-worsens-and-the-road-to-recovery-will-
be-long/ [Accessed 13 January 2023].
Malinga, S., 2018. Absa joins Sovrin Foundation in blockchain, security push. ITWeb.
https://www.itweb.co.za/content/Kjlyr7wdjPQMk6am [Accessed 13 January 2023].
Marko, K. 2020. Explore the pros and cons of cloud computing. TechTarget.
https://searchcloudcomputing.techtarget.com/tip/Explore-the-pros-and-cons-of-cloud-
computing [Accessed 13 January 2023].
Martin, M. 2021. Types of Information System: MIS, TPS, DSS, Pyramid Diagram.
[Online] Available at: https://www.guru99.com/mis-types-information-system.html
Mell, P. & Grance, T. 2011, The NIST Definition of Cloud Computing. National
Institute of Standards and Technology.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
Merriam-Webster, 2022. Intellectual property. [Online] Available at:

https://www.merriam-webster.com/dictionary/intellectual%20property [Accessed 13
January 2023].
Merriam-Webster, 2022b. Trademark. [Online] Available at: https://www.merriam-

webster.com/dictionary/trademark [Accessed 13 January 2023].
Mersch, M. & Muirhead, R. 2019. What Is Web 3.0 & Why It Matters. Fabric
Ventures. https://medium.com/fabric-ventures/what-is-web-3-0-why-it-matters-
934eb07f3d2b [Accessed 13 January 2023].
Microsoft. 2022. What is ERP and why do you need it? [Online] Available at:
https://dynamics.microsoft.com/en-us/erp/what-is-erp/ [Accessed 13 January 2023].
Mwanza, K. & Wilkins, H. 2018. African startups bet on blockchain to tackle land
fraud. Thomson Reuters Foundation. https://www.reuters.com/article/us-africa-
landrights-blockchain-idUSKCN1G00YK [Accessed 13 January 2023].
Moore, J. 2020. What is BCDR? Business continuity and disaster recovery guide.
TechTarget. https://searchdisasterrecovery.techtarget.com/definition/Business-
Continuity-and-Disaster-Recovery-BCDR [Accessed 13 January 2023].
Morsy, H. 2020. How can Africa succeed in the Fourth Industrial Revolution? World
Economic Forum. https://www.weforum.org/agenda/2020/08/africa-fourth-industrial-
revolution-technology-digital-education/ [Accessed 13 January 2023].
Naini, A. 2021. What is Transaction Processing System? [Online] Available at:

https://mindmajix.com/what-is-transaction-processing-system [Accessed 13 January
2023].
Oracle. 2022. What is ERP? [Online] Available at: https://dynamics.microsoft.com/en-

us/erp/what-is-erp/ [Accessed 13 January 2023].
Parliament of the Republic of South Africa, n.d. How a law is made. [Online]
Available at: https://www.parliament.gov.za/how-law-made [Accessed 13 January
2023].
Rodeck D. & Schmidt, J. 2021. What is Blockchain? Forbes Advisor.

https://www.forbes.com/advisor/investing/what-is-blockchain/ [Accessed 13 January
2023].
Romney, M. B. & Steinbart, P.J. 2018. Accounting Information Systems. 14th ed.
Pearson. New York.
Salesforce. 2022. CRM 101: What is CRM? [Online] Available at:

https://www.salesforce.com/crm/what-is-crm/ [Accessed 13 January 2023].
Sandtner, C. 2020. Ethics and (Explainable) AI. [Online] Available at:

https://towardsdatascience.com/ethics-and-explainable-ai-e13664d50b4e [Accessed
13 January 2023].
Schwab, K. 2016. The Fourth Industrial Revolution: what it means, how to respond.
World Economic Forum. https://www.weforum.org/agenda/2016/01/the-fourth-
industrial-revolution-what-it-means-and-how-to-respond/ [Accessed 13 January
2023].
Shalev, K. 2015. Does Your Company Need an App, a Website or Both?

https://www.entrepreneur.com/article/245704 [Accessed 13 January 2023].
Sheldon, A. 2021. Popular Cross-Platform Tools for App Development (Updated

Version 2021). https://hackernoon.com/9-popular-cross-platform-tools-for-app-
development-in-2019-53765004761b [Accessed 13 January 2023].
Silver, C. 2020. What Is Web 3.0? Forbes Technology Council.

https://www.forbes.com/sites/forbestechcouncil/2020/01/06/what-is-web-3-
0/?sh=1bc60c0b58df [Accessed 13 January 2023].
Smit & Van Wyk Attorneys. n.d. Copyright Law in South Africa. [Online] Available at:
https://www.svw.co.za/copyright-law-in-south-africa/ [Accessed 13 January 2023].
Sotnikov, I. 2022. How to Perform IT Risk Assessment. Netwrix.

https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/ [Accessed
13 January 2023].
South African Government. 2001. Financial Intelligence Centre Act 38 of 2001.

[Online] Available at: https://www.gov.za/documents/financial-intelligence-centre-act
South African Government. 2002a. Electronic Communications and Transactions Act

25 of 2002. [Online] Available at: https://www.gov.za/documents/electronic-
communications-and-transactions-act [Accessed 13 January 2023].
South African Government. 2002b. Regulation of Interception of Communications

and Provision of Communication-related Information Act 70 of 2002. [Online]
Available at: https://www.gov.za/documents/regulation-interception-communications-

and-provision-communication-related-information--13 [Accessed 13 January 2023].
South African Government. 2013. Protection of Personal Information Act 4 of 2013.

[Online] Available at: https://www.gov.za/documents/protection-personal-information-
act [Accessed 13 January 2023].
Stewart, R. 2007. Desktop vs. Browser - when to deploy applications for each.
ZDNet. https://www.zdnet.com/article/desktop-vs-browser-when-to-deploy-
applications-for-each/ [Accessed 13 January 2023].
Sullivan, E. 2018. What's the difference between a hot site and cold site for DR?
TechTarget. https://searchdisasterrecovery.techtarget.com/answer/Whats-the-
difference-between-a-hot-site-and-cold-site-for-disaster-recovery [Accessed 13
January 2023].
Sullivan, S.O. and Pecorino, P.A. 2002. Ethics and Law. [Online] Available at:
https://www.qcc.cuny.edu/SocialSciences/ppecorino/ETHICS_TEXT/Chapter_1_Intro
duction/Ethics_and_Law.htm [Accessed 13 January 2023].
Susarla, A., Kim, D.H, and Zuckerman, E. 2021. Misinformation could be a growing
challenge in 2022, experts predict. [Online] Available at:
https://www.upi.com/Voices/2021/12/28/social-media-
misinformation/9701640614447/ [Accessed 13 January 2023].
Velasquez, M., Andre, C., Shanks, T., S.J., and Meyer, M.J. 2010. What is Ethics?
[Online] Available at: https://www.scu.edu/ethics/ethics-resources/ethical-decision-
making/what-is-ethics/ [Accessed 13 January 2023].
Watling, J., McCabe, J. & Seedat Y., 2019. Rethinking the eCommerce Opportunity
in South Africa. Accenture. https://www.accenture.com/_acnmedia/PDF-
108/Accenture-eCommerce-POV.pdf [Accessed 13 January 2023].
World Intellectual Property Organisation. n.d. Summary of the Berne Convention for
the Protection of Literary and Artistic Works (1886). [Online] Available at:
https://www.wipo.int/treaties/en/ip/berne/summary_berne.html [Accessed 13 January
2023].
Xia, V. 2017. What is Mobile First Design? Why It’s Important & How To Make It?
Medium. https://medium.com/@Vincentxia77/what-is-mobile-first-design-why-its-
important-how-to-make-it-7d3cf2e29d00 [Accessed 13 January 2023].
Intellectual Property
Plagiarism occurs in a variety of forms. Ultimately though, it refers to the use of the
words, ideas or images of another person without acknowledging the source using
the required conventions. The IIE publishes a Quick Reference Guide that provides
more detailed guidance, but a brief description of plagiarism and referencing is
included below for your reference. It is vital that you are familiar with this information
and the Intellectual Integrity Policy before attempting any assignments.
Introduction to Referencing and Plagiarism

What is ‘Plagiarism’?
‘Plagiarism’ is the act of taking someone’s words or ideas and presenting them as
your own.
What is ‘Referencing’?
‘Referencing’ is the act of citing or giving credit to the authors of any work that you
have referred to or consulted. A ‘reference’ then refers to a citation (a credit) or the
actual information from a publication that is referred to.
Referencing is the acknowledgment of any work that is not your own, but is used by
you in an academic document. It is simply a way of giving credit to and
acknowledging the ideas and words of others.
When writing assignments, students are required to acknowledge the work, words or
ideas of others through the technique of referencing. Referencing occurs in the text
at the place where the work of others is being cited, and at the end of the document,
in the bibliography.
The bibliography is a list of all the work (published and unpublished) that a writer has
read in the course of preparing a piece of writing. This includes items that are not
directly cited in the work.
A reference is required when you:
• Quote directly: when you use the exact words as they appear in the source;
• Copy directly: when you copy data, figures, tables, images, music, videos or
frameworks;
• Summarise: when you write a short account of what is in the source;
• Paraphrase: when you state the work, words and ideas of someone else in
your own words.
It is standard practice in the academic world to recognise and respect the ownership
of ideas, known as intellectual property, through good referencing techniques.
However, there are other reasons why referencing is useful.
Good Reasons for Referencing
It is good academic practice to reference because:
• It enhances the quality of your writing;

• It demonstrates the scope, depth and breadth of your research;
• It gives structure and strength to the aims of your article or paper;
• It endorses your arguments;
• It allows readers to access source documents relating to your work, quickly and
easily.
Sources
The following would count as ‘sources’:
• Books,
• Chapters from books,
• Encyclopaedias,
• Articles,
• Journals,
• Magazines,
• Periodicals,
• Newspaper articles,
• Items from the Internet (images, videos, etc.),
• Pictures,
• Unpublished notes, articles, papers, books, manuscripts, dissertations, theses,
etc.,
• Diagrams,
• Videos,
• Films,
• Music,
• Works of fiction (novels, short stories or poetry).
What You Need to Document from the Hard Copy Source You
are Using
(Not every detail will be applicable in every case. However, the following lists provide
a guide to what information is needed.)
You need to acknowledge:
• The words or work of the author(s),

• The author(s)’s or editor(s)’s full names,
• If your source is a group/ organisation/ body, you need all the details,
• Name of the journal, periodical, magazine, book, etc.,
• Edition,
• Publisher’s name,
• Place of publication (i.e. the city of publication),
• Year of publication,
• Volume number,
• Issue number,
• Page numbers.
What You Need to Document if you are Citing Electronic

Sources
• Author(s)’s/ editor(s)’s name,

• Title of the page,
• Title of the site,
• Copyright date, or the date that the page was last updated,
• Full Internet address of page(s),
• Date you accessed/ viewed the source,
• Any other relevant information pertaining to the web page or website.
Referencing Systems
There are a number of referencing systems in use and each has its own consistent
rules. While these may differ from system-to-system, the referencing system followed
needs to be used consistently, throughout the text. Different referencing systems
cannot be mixed in the same piece of work!
A detailed guide to referencing, entitled Referencing and Plagiarism Guide is

available from your library. Please refer to it if you require further assistance.
When is Referencing Not Necessary?
This is a difficult question to answer – usually when something is ‘common

knowledge’. However, it is not always clear what ‘common knowledge’ is.
Examples of ‘common knowledge’ are:
• Nelson Mandela was released from prison in 1990;

• The world’s largest diamond was found in South Africa;
• South Africa is divided into nine (9) provinces;
• The lion is also known as ‘The King of the Jungle’.
• 𝐸 = 𝑚𝑐 2
• The sky is blue.
Usually, all of the above examples would not be referenced. The equation 𝐸 = 𝑚𝑐 2
is Einstein’s famous equation for calculations of total energy and has become so
familiar that it is not referenced to Einstein.
Sometimes what we think is ‘common knowledge’, is not. For example, the above
statement about the sky being blue is only partly true. The light from the sun looks
white, but it is actually made up of all the colours of the rainbow. Sunlight reaches the
Earth's atmosphere and is scattered in all directions by all the gases and particles in
the air. The smallest particles are by coincidence the same length as the wavelength
of blue light. Blue is scattered more than the other colours because it travels as
shorter, smaller waves. It is not entirely accurate then to claim that the sky is blue. It
is thus generally safer to always check your facts and try to find a reputable source
for your claim.
Important Plagiarism Reminders

The IIE respects the intellectual property of other people and requires its students to
be familiar with the necessary referencing conventions. Please ensure that you seek
assistance in this regard before submitting work if you are uncertain.
If you fail to acknowledge the work or ideas of others or do so inadequately this will
be handled in terms of the Intellectual Integrity Policy (available in the library) and/ or
the Student Code of Conduct – depending on whether or not plagiarism and/ or
cheating (passing off the work of other people as your own by copying the work of
other students or copying off the Internet or from another source) is suspected.
Your campus offers individual and group training on referencing conventions –

please speak to your librarian or ADC/ Campus Co-Navigator in this regard.
Reiteration of the Declaration you have signed:
1. I have been informed about the seriousness of acts of plagiarism.

2. I understand what plagiarism is.
3. I am aware that The Independent Institute of Education (IIE) has a policy
regarding plagiarism and that it does not accept acts of plagiarism.
4. I am aware that the Intellectual Integrity Policy and the Student Code of
Conduct prescribe the consequences of plagiarism.
5. I am aware that referencing guides are available in my student handbook or

equivalent and in the library and that following them is a requirement for
successful completion of my programme.
6. I am aware that should I require support or assistance in using referencing
guides to avoid plagiarism I may speak to the lecturers, the librarian or the
campus ADC/ Campus Co-Navigator.
7. I am aware of the consequences of plagiarism.
Please ask for assistance prior to submitting work if you are at all unsure.

IINS5211MM

Uploaded by

Copyright:

Available Formats

IINS5211MM

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IINS5211MM

Uploaded by

Copyright:

Available Formats

IIE Module Manual IINS5211

Introduction to Information Systems

The Independent Institute of Education (Pty) Ltd is registered

© The Independent Institute of Education (Pty) Ltd 2023 Page 1 of 109

DID YOU KNOW?

Module Guides or Module Manuals

Module Discussion Forum

© The Independent Institute of Education (Pty) Ltd 2023 Page 2 of 109

IIE Library Online Databases

Library Website This library website gives access to various online

LibraryConnect The Online Public Access Catalogue. Here you will be

EBSCOhost This database contains full text online articles.

EBSCO eBook This database contains full text online eBooks.

SABINET This database will provide you with books available in

DOAJ DOAJ is an online directory that indexes and provides

DOAB Directory of open access books.

IIESPACE The IIE open access research repository

Emerald Emerald Insight

HeinOnline Law database

JutaStat Law database

© The Independent Institute of Education (Pty) Ltd 2023 Page 3 of 109

© The Independent Institute of Education (Pty) Ltd 2023 Page 4 of 109

3 Enterprise Resource Planning (ERP) Systems ................................................. 93

© The Independent Institute of Education (Pty) Ltd 2023 Page 5 of 109

Using this Manual

© The Independent Institute of Education (Pty) Ltd 2023 Page 6 of 109

© The Independent Institute of Education (Pty) Ltd 2023 Page 7 of 109

Learning Unit 1: Information Systems in Business

1. Define an information system (IS).

• Before this learning unit, consult the

© The Independent Institute of Education (Pty) Ltd 2023 Page 8 of 109

2 Building blocks of Information

An information system is defined as a combination of

Information systems are the central pillar of most organisations

© The Independent Institute of Education (Pty) Ltd 2023 Page 9 of 109

2.2 Building blocks of an information system

Consider the example of making a purchase from a large retail

To facilitate the transaction above, you relied on different

If you were to reflect on the impact of information systems on

The process can be facilitated by an information system

© The Independent Institute of Education (Pty) Ltd 2023 Page 10 of 109

As explained by Bourgeois et al (2019), hardware is the

Before we move onto software, it is also necessary to consider

As technology is advancing, the Internet of Things will become

Broadly speaking, software is of two types: operating systems

© The Independent Institute of Education (Pty) Ltd 2023 Page 11 of 109

2.2.2.1 Operating systems

Operating systems are essential for the functioning of

The common desktop or laptop operating systems in use today

It is necessary to consider the level at which different operating

2.2.2.2 Application software

Now that we have explored the operating system, let us

Application software is used by organisations to complete

Typically, applications are purchased from software providers

© The Independent Institute of Education (Pty) Ltd 2023 Page 12 of 109

software is through a license agreement or a subscription.

At a consumer-level, applications are installed from stores like

We will explore the concept of cloud applications later in this

When one considers a simple example of saving simple data