PraxIS Aug. 2008

08-08 Contents: E-Banking insecurity, demarketing, errors, ICT for development, Eusprig 2008 report

ISSN 1649-2374 This issue online at   [Previous] [Index]  [Next]

Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success  


1) Risk & Security
     Security flaws plague majority of e-banking sites
     The risks of marketing your marketing
     The $100,000 keying error
     The risks of hacking


2) ICT for Development
     IEEE Computer Journal on Computing in Developing Economies


3) Spreadsheets
     Eusprig 2008 conference report
     More spreadsheet error stories in the news


4) Off Topic
     Ecological Holidays


15 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information


Welcome to PraxIS

August is the holiday month here. On our return, I'll be fit and  ready to answer your needs for Excel spreadsheet development, testing, model review and audit!

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk

Security flaws plague majority of e-banking sites 

In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% which leave cracks in security that hackers could exploit to access customer information and accounts.

 47% of banks placed secure login boxes on insecure pages. 
 55% put contact information and security advice on insecure pages.
 28% use social security numbers or e-mail addresses as user IDs, or other flaws
 31% e-mail passwords or statements to customers
 30% redirect customers to a site outside of the bank's domain for certain transactions without warning. 


The risks of marketing your marketing is a guide to online marketing. They recently published this article (only open until July 30)

How to Use Wikipedia Entries for Lead Gen - 6 Steps to 18% Higher Conversion Rate

"Wikipedia's heavy traffic makes it a tempting lead-generation channel for B-to-B marketers. But you need to follow some strict user guidelines, so that you're not seen as a spammer when you use Wikipedia to generate leads. Read how a technology marketer sent more qualified traffic back to his own site. His Wikipedia referrals convert 18% more than other traffic."

The steps are obvious enough: Audit Wikipedia to find potential voids to fill, Create new pages to fill voids, Supplement existing pages, Strategically link related pages within Wikipedia, Use external links to send traffic to your site, Track and convert traffic from Wikipedia

Unfortunately, this led to a Wikipedia backlash. Gregory Kohs of commented "Good luck with future success, now that you've exposed yourself and the Anvil Media agency. I have a lot of experience observing what you tried to do here, and I guaran-damn-tee you, this isn't going to end pretty. Wikipedia is going to decimate your efforts. "  Wikipedia removed Attensa

There is a web site that returns Wikipedia statistics. For example  Attensa has been viewed 184 times in 200806


The $100,000 keying error

An ordinary bank customer, Grete Fossbakk, used Internet banking to transfer a large amount to her daughter. She keyed one digit too many into the account number field, however, inadvertently sending the money to an unknown person. This individual managed to gamble away much of the sum before police confiscated the remainder.


The risks of hacking

Computer hacker Gary McKinnon loses his Lords appeal against an order to extradite him to the US. He could face a life sentence if found guilty of gaining access to 97 American military and NASA computers from his London home. He admitted breaking into the computers but said he was trying to find information on UFOs. A statement by solicitors for McKinnon said "American officials involved in this case have stated that they want to see him 'fry'."


2) ICT for development Dr Richard Heeks of the Development Informatics Group, University of Manchester, UK, writes "The latest (June 2008) issue of IEEE Computer is a special on Computing in Developing Economies. Included in the special issue is 'ICT4D 2.0: The Next Phase of Applying ICT for International Development'. It reviews the first ten years of ICT4D, and identifies the new technologies, new approaches to innovation, and new worldviews that will be required for the next ten years of ICT4D." 


3) Spreadsheets

Eusprig 2008 conference report

"The best yet", we say every year, and never truer than this year. Of particular note were the experiences of two banks that started the journey to end-user controls - only one finished.

The sponsors, Q-Validus, demonstrated their Spreadsheet Safe examination, and the highest marks in the test were obtained by the excellent Neil Lynam of TSB who won a bottle of champagne. I am now ready to offer in-company courses to prepare people to take the Spreadsheet Safe certification.

Grenville Croll, now with Trintech, showed a statistical test: if you sample five spreadsheets from an organisation and none of them have errors, that is an indicator of organisational excellence. (Or maybe of non-random sampling?!)

Andrew McGeady of AIB Capital markets described their End User Computing (EUC) project which used the Compassoft spreadsheet control environment. (By the way, I can also provide training in the use of Compassoft's EXChecker spreadsheet auditing software). Critical EUC applications were analysed and documented in a Functional Specification, Technical Specification, and User Guide. Considerable soft skills were required too, as shown by these quotations: "Business owners do not want to cede control over their applications while IT does not want to become foster parent to applications in whose development it has played no previous part."; "Making the effort to talk personally to all involved is of vital importance in ensuring the success of EUC in the organisation"  A policy has been proposed (subject to ratification) that Operational Risk should be responsible for permitting a business area to develop critical EUC applications.

Bill Bekenn and Ray Hooper of Fairway Associates described their FormulaDataSleuth, a tool to assist in improving the integrity of changes to formula reference areas during restructuring.

Dick Moffat of Personal Logic Associates described his rules for a business engagement in Excel development, including a useful list of application design and workbook design rules.

David Colver of Operis described the truly impressive amount of self-checking they build into their spreadsheets. Far in advance of common practice, it approaches (as Ray Panko pointed out) the level of investment in testing that characterises mature organisations working in conventional software development. A key take-away message is that anyone can start now, just by learning from bad experiences by designing tests that will prevent errors and building them into every new spreadsheet from that point on.

Because of the parallel tracks, I missed some of the presentations - Derek Flood of Dundalk Institute of Technology presented their Intelligent Assistive Technology for Voice Navigation of Spreadsheets; Karin Hodnigg of the University of Klagenfurt gave a paper on Metric-based Spreadsheet Visualization; Jocelyn Paine of presented a web-based component architecture; Tom Grossman of USFCA described Spreadsheet Analytics such as Sensitivity Analysis as applied to model analysis.

Brian Bishop of Dundalk Institute of Technology presented the findings of their T-CAT tool that monitored user behaviour while debugging, in order to arrive at what one might call the Skills of Highly Effective Spreadsheet Debuggers.

Jamie Chambers presented the other case of an EUC project at a bank (to whom I had delivered the Spreadsheet Safe training). One of his key points is that mitigating the risks of EUC Applications (EUCAs) may mean reworking the processes used to create them. They set up an Excel User Group of six experienced users to act as an internal source of expertise and a discussion forum.

Mbwana Alliy of Microsoft and Patty Brown of Two Degrees gave their opinions on controls and compliance, standards, and end user training, assessment, and certification. They gave a set of twelve questions that guides the assessment of criticality and risk in the use of a spreadsheet.

My own paper on Information and Data Quality started with the I Q attributes that can not be automated, but rely on human judgment. I then went on to show how D Q can be more easily assessed with Computer Aided Audit Tools and Techniques (CAATTs) such as my own XLTEST. The appendices of this paper give some useful techniques in Excel for checking data - what Ray Butler refers to as 'Excel auditing for free'!

Éric Bruillard and François-Marie Blondel of ENS Cachan presented the results of their DidaTab project to research spreadsheet usage levels in French secondary schools. For example, when students have low competency, the teachers simplify the task so they do not have to use spreadsheets. Science researchers and the government department of education assume that spreadsheets are too simple to need explanation. I look forward to hearing more of their research into the realities of spreadsheet use at Eusprig 2009 in Paris!

Ray Panko brought his taxonomy of spreadsheet error types up to date. He takes into account research into human mistakes, slips, and lapses. My own opinion is like David Colver's - that one should classify errors according to their cause and put in place preventive or detective actions to reduce their escape in the future. This corresponds more with Ray Panko's consideration of how different types of errors appear during the life cycle.

Eusprig 2009 will be our tenth anniversary - it's amazing that it is still the only conference of its type in the world!


Spreadsheet Check and Control: 47 best practices to detect and prevent errors Available worldwide from Amazon.  Our offer - free shipping to EU .


More spreadsheet error stories in the news

The Guilford Selectboard increased the tax rate for the town from $2.01 to  $2.19 per $100 of assessed residential property value. Part of the increase was to remedy a miscalulation in the town's budget spreadsheet. 

The SEC had accused Scott Hirth - a former divisional CFO at ProQuest, a producer of electronic databases of archived information - of fraudulently boosting recorded revenues and under-reporting costs. ... In another spreadsheet, the SEC claimed, the company’s running tally of expenditure on commissions was distorted by a $4.1m cell entry located well away from the other figures. Because it was in white font on a white background, this entry - which had no basis, according to the SEC - could not be seen when a hard copy of the spreadsheet was printed.



Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

4) Off Topic

We're on holidays for August. Megan has an interest in ecology, so we'll be going on a dendrology course on a Greek island:

Archipelagos, Institute of Marine & Environmental of the Aegean Sea, is a Greek non-profit, non-governmental, environmental organization. It has been active since 1998 in several parts of the Greek Seas (Ionian Sea, Sporades, Central Aegean, Lybian Sea, Eastern Aegean). Since 2000, Archipelagos' field of action has focused on the eastern Aegean, having its main research base on the island of Ikaria but with activity covering the whole of the Aegean Sea. Archipelagos action combines scientific research into the biodiversity of the marine and terrestrial environment of the Aegean Sea and islands, with efficient conservation work, in which the local communities have an active part.

We initially learned of their work some years ago at a Euro conference in Greece organised by Panos Milios of Dian Publishing; his daughter Anastasia runs the research station.


Copyright (c) Systems Modelling Limited, . Reproduction allowed provided this copyright notice is included.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the web site. I moderate posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to from your web site!
To read previous issues of this newsletter please visit our web site at

This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website