284 An Introductory Study on Business Intelligence Security

decision engine or rule tuner will run automatically according to a machine-learning algorithm and tune or adjust the parameters or thresholds to block the attack from the source.

Intrusion Prevention Techniques

As intrusion prevention techniques mainly concentrate on authentication, there are four major approaches for code security that have emerged as mentioned in Drinic and Kirovski (2004): code signing, sandboxes, firewall, and proof-carrying code.

• Code signing: Signing a program binary for authentication purposes is conceptually the simplest code security technique. In this case, authentication is done according to standardized authentication protocols.
• Sandbox: Sandbox is designed at the security layer to protect the application against malicious users and the host from malicious applications.
• Firewall: Firewalling technique is used for code security to conduct comprehensive examination of the provided program at the very point where it enters the respective domain.
• Proof carrying code: This is a mechanism by which the host system can determine with certainty that it is safe to execute a program provided by a distrusted source. This is accomplished by requesting that the source provides a security proof that attests to the code’s adherence to a host-defined security policy.

Performance results based on these approaches are not satisfactory for overcoming buffer overflow exploit; therefore, researchers in Drinic and Kirovski (2004) provided a hardware-assisted intrusion prevention platform that makes use of overlapping of program execution and MAC (message authentication code) verification. This platform partitions a program binary into blocks of instructions. Each block is signed using a keyed MAC that is attached to the footer of the block. When the control flow reaches a particular block, its instructions are speculatively executed, while dedicated hardware verifies the attached MAC at run-time.
In the case that the integrity check fails, the current process will be aborted by the processor. Together with a software optimization technique that aims at reducing the performance overhead incurred due to run-time MAC verification, this platform had shown an overhead reduction of up to 90% from experimental results.

As mentioned in Reynolds et al. (Reynolds, Just, Clough, & Maglich, 2003), security related faults such as in design, programs, and configuration could propagate from machine to machine and are likely to be repeatable in time; thus, demanding more innovative and improved fault diagnosis, machine learning, and system adaptation techniques for intrusion prevention. The approach used in Reynolds et al. (2003), therefore, is to augment the standard fault-tolerant techniques such as failure detection, failfast semantics, redundancy, and failover with active defenses and design diversity. Using this approach, repeatable errors are prevented by an out-of-band control system that modifies the system security posture in response to detected errors.

In short, the approach is built with hardware and software setups that complement each other. The hardware is configured in such a way that there is no direct communication possible between the primary and backup. The potential for propagation from the primary to the out-of-band (OOB) machine is limited by constraining and monitoring the services and protocols by which OOB communicates with the primary. Failover is controlled by the mediator/adapter/controller (MAC) on the OOB machine. When failure occurs, possibly caused by intrusion, continued service to the end user is provided by promoting the backup to be the new primary.
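The per-block keyed MAC check of the Drinic and Kirovski platform described above (MAC in the message-authentication-code sense, not the mediator/adapter/controller) can be followed in a software simulation. The Python below is an added example, not code from the chapter or from that platform; HMAC-SHA256, the block and footer sizes, the binding of the block index into the MAC, and the linear walk that stands in for control flow are assumptions of this example.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # instruction bytes per block (assumed)
MAC_SIZE = 8     # bytes of truncated MAC footer per block (assumed)
STRIDE = BLOCK_SIZE + MAC_SIZE


class IntegrityAbort(Exception):
    """Models the processor aborting the process on a failed MAC check."""


def block_mac(key: bytes, index: int, body: bytes) -> bytes:
    # The block index is part of the MAC input so that a correctly signed
    # block cannot be moved to another position (assumption of this example).
    message = index.to_bytes(4, "big") + body
    return hmac.new(key, message, hashlib.sha256).digest()[:MAC_SIZE]


def sign_binary(key: bytes, code: bytes) -> bytes:
    """Partition code into blocks and attach a keyed MAC footer to each."""
    if len(code) % BLOCK_SIZE:
        code += b"\x00" * (BLOCK_SIZE - len(code) % BLOCK_SIZE)
    image = bytearray()
    for index in range(len(code) // BLOCK_SIZE):
        body = code[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
        image += body + block_mac(key, index, body)
    return bytes(image)


def run_signed(key: bytes, image: bytes) -> bytes:
    """Return the committed instruction bytes, or raise IntegrityAbort."""
    if not image or len(image) % STRIDE:
        raise IntegrityAbort("image is not a whole number of signed blocks")
    committed = bytearray()
    for index in range(len(image) // STRIDE):  # linear walk = control flow
        chunk = image[index * STRIDE:(index + 1) * STRIDE]
        body, footer = chunk[:BLOCK_SIZE], chunk[BLOCK_SIZE:]
        speculative = body  # results held back until the footer verifies
        if not hmac.compare_digest(block_mac(key, index, body), footer):
            raise IntegrityAbort(f"MAC check failed in block {index}")
        committed += speculative
    return bytes(committed)


def outcome(key: bytes, image: bytes) -> str:
    """Run an image and report whether it completed or was aborted."""
    try:
        run_signed(key, image)
        return "completed"
    except IntegrityAbort as exc:
        return f"aborted: {exc}"


def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample key
    code = bytes(range(40))            # constructed stand-in for instructions
    image = sign_binary(key, code)

    overwritten = bytearray(image)     # bytes of block 1 changed in memory
    overwritten[STRIDE + 2:STRIDE + 6] = b"\xde\xad\xbe\xef"

    # Blocks 0 and 1 swapped with their footers intact.
    reordered = image[STRIDE:2 * STRIDE] + image[:STRIDE] + image[2 * STRIDE:]

    return {
        "intact": outcome(key, image),
        "overwritten": outcome(key, bytes(overwritten)),
        "reordered": outcome(key, reordered),
        "wrong_key": outcome(b"another-key", image),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```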
As for the software architecture, it consists of the following components:

• Web server protective wrapper: This wrapper monitors calls to dynamic link libraries (DLLs) for file access, process execution, memory protection changes, and other potentially malicious functions. When it detects a violation of specified behavior, it will alert, disallow, or modify the call, depending on set policies.
• Application monitor: This application monitor implements specification-based behavior, monitoring critical applications accordingly.
• Host monitor: This host monitor communicates with MAC and sends alerts. It has the capability to restore a failed primary to a healthy backup and is responsible for continual repair.
• Forensic agent: This agent analyzes a “log” that contains recent requests to determine which request(s) may have caused the failure.
• Sandbox: This sandbox consists of an exact duplicate of the machine and application that failed. If a suspicious request received from Forensic Agent causes the same conditions in the Sandbox that resulted in failover of the primary or backup, then it is identified as a “Bad Request.”
• Content filter: This filter consists of a list of “Bad Requests.” It generalizes bad requests identified by Forensic Agent so that simple variants are also blocked; hence, previously unknown attacks are automatically and immediately prevented from repeatedly causing failover.

Other techniques that are discussed in Reynolds et al. (2003) also involve:

• Diversity: This has two different Web servers operating on the primary and backup based on the assumption that an exploit against one product of a type of software will seldom work against another product of the same type; thus, although the exploit succeeded on one, it should not propagate to the other.
• Random rejuvenation: This is a countermeasure for an intrusion that may become part of a legitimate process over time (e.g., malign threads that “live” within a process, “sleep” for an indefinite length of time, then “wake up” to do damage) by randomly initiating a failover with the average interval between random failovers.
• Continual repairs: This is to detect unauthorized file accesses due to wrapped failure or other unknown vulnerabilities to accelerate recovery; detect, and correct continuously.

Weaknesses of ID and IP Techniques/Models

Although it is feasible to integrate ID and IP techniques into a BI system security framework, the weak points of these techniques must not be ignored as well. Bearing in mind the downsides of the techniques could enable future research to improve further on them for best performances. This section shall thus review the weaknesses of the models that employ ID, IP, or some other security techniques.

As mentioned earlier, a signature-based intrusion detection technique is ideal for detecting known attacks but not able to detect new attacks. Anomaly-based technique, on the other hand, is able to detect new attacks but at the same time causes a high false positive rate. Intrusion-prevention techniques using authentication and code security are not ideal also. Authentication using user id and encrypted password or encrypted database requires a good and secure cryptographic algorithm! As mentioned in Drinic and Kirovski (2004), security code approaches using a firewall, code signing, or sandbox do not provide satisfactory performance results for overcoming buffer overflow exploits.

A study in Botha et al.
(Botha, Solms, Perry, Loubser, & Yamoyany, 2002) proposed to improve the intrusion-monitoring functionality in an intrusion detection system based on the assumption that the intruders’ behaviours could be grouped into common generic phases, and that all users’ actions on the system could be monitored in terms of these phases. However, when the underlying assumption changes, which is most likely over time, as intruders’ behaviours change, so the intrusion phases have to change as well. This shall render the model lacking in consistency.

In a study on security modelling in Brennan et al. (Brennan, Rudell, Faatz, & Zimmerman, 2004), the researchers provided a specification for modelling security designs in graphical representation. And, to model system and security administration, it shall require building separate administration diagrams as the security requirements and controls are different. As a result, the model lacks consistency and efficiency, and is not optimized to model security designs across different platforms.

In another security modeling study in Collins et al. (Collins, Ford, & Thuraisingham, 1991), security-constraint processing is used to secure database query and update based on the assumption that security administration would generate an initial set of security constraints. As it is difficult to generate a consistent initial set of security constraints, it is even more difficult to verify the completeness of this initial list of security constraints. Consequently, the model lacks consistency and completeness.

BUSINESS INTELLIGENCE SECURITY: A WEB SERVICE CASE STUDY

As concluded in Reynolds et al. (2003), these fault-tolerant techniques can indeed provide a means for detecting and preventing online cyber-attacks. However, future works are still required for extending these techniques in more complex real-world applications.
This opens up a feasible opportunity for ID and IP to be integrated into a BI system — a complex real-world application, be it a business performance management (BPM) system, customer relationship management (CRM) system, supplier chain management (SCM) system, or e-commerce!

As mentioned in Ortiz (2002), the trend in BI application is going to be Web services enabled. As Web services are platform-neutral designed to ease and deliver BI results across platforms over the intranets and Internet, be it wired or wireless, real time and ad hoc, companies can make use of these technologies to access and analyze data in multiple locations, including information stored by partners and suppliers. Due to the fact that BI applications are going to be mainly Web services enabled in the future, users accessing through the Internet in real time, whether wired or wireless, the knowledge capital and data warehouse that are stored in centralized servers, are going to increase in numbers. Consequently, BI applications are still susceptible to all the common security threats such as denial of service, virus attack, “sniffer” attack, “evil twins” attack, dictionary attack, and buffer overflow exploit mentioned in an earlier section. As a result, a tighter security framework that includes ID and IP is definitely required to be integrated into the BI enterprise architecture.

Subsequently, further study on BI security can be started off with a Web-service case study. In this case study, as shown in Figure 2 — Web-service case study set up, various security threats significant to the BI environment to check unauthorized access are to be simulated and identified. Countermeasures using ID and IP mechanisms are then designed and constructed. This prototype design consisting of ID and IP security method is then incorporated into existing security framework as an enhanced security framework for BI as mentioned in the previous section.
Unauthorized user access with security threats through the intranet/Internet, be it networked or wireless, are filtered using intrusion detection and intrusion prevention techniques. This framework shall ensure that only genuine and authorized user accesses are allowed.

CONCLUSION

However, due to the fact that weaknesses do exist in models employing ID and IP techniques, more innovative researches have to continue to be carried out to improve both the signature-based and anomaly-based intrusion detection techniques.

In general, for example, better and more innovative data-mining techniques could be employed in data collection and data analysis so as to reduce the overloading of unnecessary data and subsequently reducing the false positive/negative alarm rates. Better algorithms for response/pattern matching of intrusions data, for machine learning and retraining of data should also be explored extensively.

As for intrusion prevention, improvement on network/communication protocols for both wired and wireless should also jump onto this bandwagon for innovative research of ID and IP. In addition, using biometrics for authentication should be set as a future norm in parallel with improved cryptographic algorithms. Firewall, honeypot, and code security shall continue to be used perhaps with greater ingenuity and innovation for continuous improved performance.

Figure 2. Web-service case study set-up

In particular, more innovative researches should be carried out in the area of wireless and mobile ad hoc networks, for example in Zhang et al. (Zhang, Lee, & Huang, 2003), the researchers had examined the vulnerabilities of wireless networks and argue that intrusion detection must be included in the security architecture for mobile computing environment. They have thus developed such security architecture with distributed and cooperative features catering for anomaly detection for mobile ad hoc networks.
Although experimental results from this research had also shown good performance and effectiveness, but as these researchers mentioned, new techniques must continue to be developed to make intrusion detection and prevention work better for the ever-evolving wireless networks.

All in all, it can be concluded, as shown in the Web-service case study, that intrusion detection and prevention is feasible and must be included in BI’s security architecture. This shall ensure a tighter security, subsequently protecting the knowledge base or assets of the enterprise from being unduly tampered with or used in an unauthorized manner since the knowledge base is, indeed, too valuable to allow for exploitation!

REFERENCES

Baroudi, S., Ziade, H., & Mounla, B. (2004). Are we really protected against hackers? In Proceedings of 2004 International Conference on Information and Communication Technologies: From Theory to Applications (pp. 621-622).

Botha, M., Solms, R. V., Perry, K., Loubser, E., & Yamoyany, G. (2002). The utilization of artificial intelligence in a hybrid intrusion detection system. In ACM International Conference Proceeding, Proceedings of the 2002 Annual Research Conference of The South African Institutes of Computer Scientists and Information Technologists on Enablement Through Technology (pp. 149-155).

Brennan, J. J., Rudell, M., Faatz, D., & Zimmerman, C. (2004). Visualizing enterprise-wide security (VIEWS). In 20th Annual Computer Security Applications Conference (pp. 71-79).

Collins, M., Ford, W., & Thuraisingham, B. (1991). Security constraint processing during the update operation in a multilevel secure database management system. In The Seventh Annual Proceedings of the Computer Security Applications Conference (pp. 23-32).

Deng, H., Zeng, Q A., & Agrawal, D. P. (2003). SVM-based intrusion detection system for wireless ad hoc networks. In Vehicular Technology Conference, 2003. VTC 2003-Fall. 2003 IEEE 58th, 3 (pp. 2147-2151).

Drinic, M., & Kirovski, D.
(2004). A hardware-software platform for intrusion prevention. In Proceedings of the 37th International Symposium on Microarchitecture (MICRO-37’04) (pp. 233-242). IEEE.

Entrust® GetAccess™. (2003). Secure identity and access management, technical overview (pp. 1-28).

Gangadharan, G. R., & Swami, S. N. (2004). Business intelligence systems: Design and implementation strategies. In 26th International Conference on Information Technology Interfaces (Vol. 1, pp. 139-144).

Golfarelli, M., Rizzi, S., & Cella, I. (2004). Beyond data warehousing: What’s next in business intelligence? In Proceedings of the 7th ACM International Workshop on Data Warehousing and OLAP (pp. 1-6).

Hu, X., & Cercone, N. (2002). An OLAM framework for Web usage mining and business intelligence reporting. In Proceedings of the 2002 IEEE International Conference on Fuzzy Systems, FUZZ-IEEE’02 (pp. 950-955).

Huang, N F., Kao, C N., Hun, H W., Jai, G Y., & Lin, C L. (2005). Apply data mining to defense-in-depth network security system. In Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05) (pp. 1-4).

Information Builders. (2002). A roadmap for implementing business intelligence solutions. Best practices in information delivery (pp. 1-33).

Joglekar, S. P., & Tate, S. R. (2004). ProtoMon: Embedded monitors for cryptographic protocol intrusion detection and prevention. In Proceedings of ITCC 2004. International Conference on Information Technology: Coding and Computing (Vol. 1, pp. 81-88).

Manganaris, S., Christensen, M., Zerkle, D., & Hermiz, K. (1999). A data mining analysis of RTID alarms (pp. 1-11). IBM.

Ortiz, S., Jr. (2002). Is business intelligence a smart move? Computer, 35(7), 11-14.

Pilot Software Acquisition Corp. (2002). Scaling to support very large user communities. Web-based business intelligence (pp. 1-9).

Reynolds, J.
C., Just, J., Clough, L., & Maglich, R. (2003). Online intrusion detection and attack prevention using diversity, generate-and-test, and generalization. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (p. 8).

Soper, D. S. (2005). A framework for automated Web business intelligence systems. In Proceedings of the 38th Annual Hawaii International Conference on System Sciences, 2005, HICSS ’05 (p. 217a).

Spil, T. A. M., Stegwee, R. A., & Teitink, C. J. A. (2002). Business intelligence in healthcare organizations. In Proceedings of the 35th Annual Hawaii International Conference on System Sciences, 2002, HICSS (p. 9).

Xie, W., Xu, X., Sha, L., Li, Q., & Liu, H. (2001). Business intelligence based group decision support system. In International Conferences on Info-tech and Info-net, 2001, Proceedings ICII 2001, Beijing (Vol. 5, pp. 295-300).

Yin, C., Li, M., Ma, J., & Sun, J. (2004). Honeypot and scan detection in intrusion detection system. In Canadian Conference on Electrical and Computer Engineering (Vol. 2, pp. 1107-1110).

Zhang, Y., Lee, W., & Huang, Y A. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks, 9(5), 545-556.

This work was previously published in Web Services Security and E-Business, edited by G. Radhamani and G. Rao, pp. 204-217, copyright 2007 by IGI Publishing (an imprint of IGI Global).

Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Chapter 1.20
Strategies for Business Process Outsourcing: An Analysis of Alternatives, Opportunities, and Risks

Subrata Chakrabarty
Texas A&M University, USA

ABSTRACT

This chapter provides a comprehensive overview of business process outsourcing (BPO) strategies and analyzes related issues.
The discussions in this chapter can serve as an aid to decision makers who face the great dilemma of whether to insource or outsource a process, and additionally how to handle outsourcing to offshore locations. While business processes themselves are activities that need to be performed efficiently, outsourcing them is essentially a strategic decision that can ultimately impact the competitiveness of the client firm. This chapter explores the risks and opportunities associated with the numerous strategies related to outsourcing and offshoring alternatives, business process migration, contracting and alliance building, the role of the vendor, the nature of the relationship, multiclient or multivendor relationships, infusing maturity and ushering transformations in business processes, locating required expertise and quantity of workers, and also utilizing on-demand software services from application service providers.

INTRODUCTION

In business process outsourcing (BPO), a client’s business process is performed by a vendor. Certain business processes of the client are transferred over to the vendor, and the vendor’s office then becomes the “back office” for the client’s outsourced business processes. The vendors are given the responsibility to manage the client’s business processes, such as call centers, emergency hotlines, claims management, helpdesks, data management, document processing and storage, financial services (banks and insurance), payroll, auditing, accounting, travel management systems, various logistics and information systems services (Millar, 1994, as cited in Lacity & Hirschheim, 1995, pp. 4-5; Sparrow, 2003, p. 11). Hence, a BPO vendor needs to have the capability to provide consistent levels of customer service spanning across a range of services and businesses.
Though BPO has inherent risks, it also provides many benefits to the client. Apart from focusing on short-term cost savings and operational efficiencies, it is important that BPO be performed with a strategic mindset, whereby decisions are based on wider business context and help in gaining competitive advantages in the tough external environment (Sparrow, 2003, p. 8). For effective BPO, an organization should segregate its business processes into two broad categories: (1) the ones where its own core competencies are strong and which have strategic significance, and (2) those that can be performed better by a vendor (Adler, 2003, p. 53). In most cases, business processes that represent the client’s core competencies and have high strategic stakes are best performed in-house.

In order to identify its “core competencies,” an organization needs to be very clear about where its own strengths lie and identify the processes that truly give the organization its business value. In order to identify processes that are “strategic,” the organization needs to be able to identify processes that differentiate it from its competitors in the marketplace, or processes that give it the competitive advantage (Porter, 1996).

Importantly, the market is dynamic where the demands and competition change over time and, therefore, the core competencies or the strategic nature of associated business processes may accordingly change. Hence, organizations also need to have a clear vision of their goals and future strategy in the dynamic marketplace and, accordingly, identify their business processes for outsourcing. Failure to do so can make an organization overly dependent on the BPO vendors for its core or strategic business processes, and it would effectively be at the mercy of vendors. The key here is to have complete power and control over one’s core and strategic business processes, while gaining maximum advantages out of the various vendors’ strengths in noncore business processes.
This chapter discusses the various alternative strategies that clients should consider while pursuing BPO.

STRATEGIES: BASICS OF OUTSOURCING AND OFFSHORING

Business Process Insourcing and Outsourcing

The two basic strategies in sourcing business processes are insourcing and outsourcing. While in business process insourcing a firm executes business processes on its own, in business process outsourcing (BPO) the client firm establishes a contractual relationship and hands over the responsibility of executing the business processes to a vendor. In other words, a company “insources” from within and “outsources” to an external company, that is, outsourcing is the sourcing of work across organizational boundaries.

• Insourcing: The business processes are performed by the client itself or a client entity (such as a subsidiary or an internal department).
• Outsourcing: The business processes are performed by a nonclient entity (such as a vendor/supplier).

When a firm decides to insource its business processes, there are two basic strategies: (1) the “OK as is” strategy where the client feels that it is running its business processes efficiently and satisfactorily, and hence the strategy is to simply continue with the status quo, and (2) the “fix and keep in-house” strategy where the client might be a bit unsatisfied with the efficiency of its in-house business processes, but believes that insourcing is still the best option, and decides to invest in the adoption of better practices to identify and fix the deficiencies (Wibbelsman & Maiero, 1994, as cited in Dibbern, Goles, Hirschheim, & Jayatilaka, 2004, p. 11). Here, firms target the highest efficiency levels (achieved by competitors or vendors), set them as the benchmarks, and are self driven and motivated to achieve those high efficiencies in their business processes.

When a firm decides to outsource its business processes, two basic strategies are (1) the “option to reverse” strategy where business processes are outsourced to a vendor, but it also takes into account the possibility of bringing
the outsourced business processes back in-house whenever needed, and (2) the “divest completely” strategy where business processes that are perceived to be best managed by a vendor are outsourced permanently (Wibbelsman & Maiero, 1994, as cited in Dibbern et al., 2004, p. 11). Additionally, it is also important to note that a client’s option is not limited to outsourcing to just one vendor, and it can potentially outsource to multiple vendors. Similarly, vendors often provide services to multiple clients. The strategic aspects related to multiple clients and multiple vendors will be discussed later in the chapter.

Making the Insourcing vs. Outsourcing Choice

To evaluate the experiences of organizations with outsourcing, 14 case studies were carried out by Hirschheim and Lacity (2000). The case studies show that when departments executing in-house business processes get the required support from the upper management, they too can improve performance and imitate the various cost-reducing and efficiency-enhancing tactics adopted by the vendors, and thus provide a strong alternative to outsourcing. Furthermore, they highlight the risk of lesser control and lower-than-expected service levels that may result from large-scale outsourcing. Moreover, they report that some organizations were considering the discontinuation of outsourcing, which involved getting the outsourced work back in-house by either waiting for the contract period to end or by simply renegotiating/terminating the contract. Outsourcing is not easy, and a great amount of planning along with immaculate execution is needed for it to be completely successful.
Based on an extensive review of the academic literature, some of the salient advantages of insourcing and outsourcing are compiled (Ang & Straub, 1998; Aubert, Rivard, & Patry, 1996; Chakrabarty, 2006b; Currie & Willcocks, 1998; Earl, 1996; Jurison, 1995; Loh & Venkatraman, 1992; Loh & Venkatraman, 1995; Nam, Rajagopalan, Rao, & Chaudhury, 1996; Nelson, Richmond, & Seidmann, 1996; Poppo & Zenger, 1998):

Advantages of business process insourcing:

• Insourcing allows greater control over the strategic assets and resources that are used in the business processes.
• Possibility of opportunistic behavior of a vendor is a major hassle, and insourcing safeguards against this risk.
• Insourcing is best when high uncertainty is associated with the business process.
• Many business processes require very high amounts of firm-specific knowledge (business/technical) for their effective execution. Transferring such knowledge to a vendor not only takes time and effort, but may also compromise the confidentiality of the firm-specific knowledge.
• Negotiating intellectual property rights associated with business processes (with a vendor) is always a tricky issue, and insourcing reduces the risk of IP rights violations.
• Not all business processes can be effectively carried out by vendors (no matter what the sales/marketing representatives of the vendors say). Hence, insourcing is sometimes the only option when competent vendors are absent.

Advantages of business process outsourcing (BPO):

• BPO can lead to considerable cost advantages:
  º The client does not have to invest in the infrastructure or the technology required to execute the business processes and hence saves on capital expenditure.
  º The vendor’s economies of scale and economies of scope help in reducing the costs of running the business processes.
  º The very process of bidding for and negotiating the outsourcing contract makes the respective vendors give estimates on the costs involved in executing the business processes, which in turn makes the costs more predictable for the client.
• BPO allows organizations to focus on their core business, and outsource the noncore business that takes up a considerable amount of management time and resources.
• BPO makes a client’s transition to newer business processes easier, wherein the legacy or current business processes are outsourced to a vendor during the transition period.
• BPO gives more flexibility in managing labor:
  º Any upsurge or downswing in the volume of business process work would entail variations in the required manpower. The client does not need to worry about this because the recruitment and staffing for outsourced business processes would be the vendor’s responsibility. A vendor organization can more easily manage variations in manpower needs since it would be executing a huge number of business processes (for various clients) that involve a large number of vendor employees working on similar tasks. The vendor can easily balance out variations in staffing needs across its various BPO projects.
  º BPO frees up a client’s in-house resources (infrastructure, manpower, etc.) from noncore activities, and they can instead be utilized in the development of core competencies and processes that could give the client a competitive edge in the market.
  º BPO gives the client access to the process and technical expertise of the vendor personnel, which can have a positive impact on the way the client’s business processes are executed.
• To stay competitive, most vendors strive to adopt the best business process maturity models that can guarantee better quality and service. Hence, clients can benefit from the quality provided by the best-in-class vendors.

Apte and Mason (1995, p. 1258; see also Dibbern et al., 2004, p.
33) proposed that the choice between insourcing and outsourcing can be ascertained by the “strategic importance” and the client’s “relative efficiency” in carrying out an activity in-house. Insourcing of business processes is suitable when both the strategic importance and the relative efficiency of performing the business processes in-house are high. However, if both these factors are low, then BPO is favorable. But what if the strategic importance is high but the client’s relative efficiency is low? In this case the client has the following options: (1) invest time, money, and effort into increasing the efficiency of these strategic or core competency business processes, (2) ask external consultants or vendors to come to