Understand and discuss how success at each phase of the software value chain affects the success of following stages. What are the metrics of success, and how are they affected by earlier stages?
What is the relation between the software value chain and interactive development processes (see section 4.2.2)? Should the value chain be considered iterative?
Qualitatively compare the four phases of computing listed in table 2.3 for the following characteristics, important to organizations using information technology to support their business processes: levels of staffing, staff expertise, availability, responsiveness to changing business needs, user training, security, total cost of ownership.
How is the software development process (see section 4.2) intertwined with the software value chain? Discuss how provisioning, operation, and use are related to development.
What is the customer value proposition associated with each type of software release listed in table 5.2?
Consider in more detail the strategy issues a software supplier faces in deciding which past versions to continue supporting.
What are some alternative strategies by which a software supplier can derive revenue from investments in maintenance?
Understand and discuss the effect of network software distribution on provisioning and operation (see section 4.5.4). What new capabilities does this invoke?
Repeat the last question for mobile code (see section 4.5.5).
How can organizations most effectively integrate human organization and business process design with software configuration and integration in the provisioning phase?
What are the relative merits and strategies surrounding the make vs. buy decision in acquiring a software application, especially from the perspective of organization and business process design and effectiveness?
What cost accounting measures have to be in place to accurately estimate the total cost of ownership for a software application or infrastructure?
What is the appropriate trade-off between government laws and user and operator measures to ensure security? That is, to what extent should laws demand appropriate measures and actions on the part of users and operators as necessary to defend against lawbreaking? Without this, to what extent do laws against cracking reduce the incentive for preventive action?
To what extent is the detrimental effect of security on usability unavoidable? To what extent are laws as deterrence to crackers justified by the collective usability gains?
How can the harm inflicted in security breaches be quantified? How can risk be assessed in advance? Do you think it feasible to sell insurance against security breaches?
How should any laws seeking to preserve privacy distinguish between anonymous identification and personal identification?
Who has responsibility to ensure privacy? Is the onus on infrastructure service providers, on the operators of applications, on government, or on users? Presuming the answer is all of these, how should responsibility be partitioned? Does responsibility flow from the responsibility to exercise control, the ability to exercise control, the economic incentive to exercise control, or benevolence? What are the relative responsibilities of the participants, the marketplace, communities, or regulation? What is the trade-off between ethics and laws?
Assuming privacy can be adequately defined, to what extent can technology aid in achieving it, and what limitations are there on what technology can accomplish? What is the appropriate partitioning between technology and other means (like laws) for ensuring privacy? Should laws mandate that available technologies be employed to the maximum?
What is the trade-off (if any) between privacy and usability? Between security and privacy?
What fundamental differences (if any) exist between computer-mediated conditional access to information and physical access?
What differences are appropriate in laws protecting an entity that relies on the three methods for authentication and an entity that relies on only one of these?
What mechanisms (technical and legal) should be built into a public key infrastructure to account for the possibility of an accidentally or deliberately compromised secret?
Smartcards can encapsulate a secret, providing a way for a user to securely carry that secret even in the absence of a computer. A smartcard can help authenticate a user even if the device the smartcard is inserted into is not trusted. A personal identification (PIN) code (a secret memorized by the user and provided on request) further protects a smartcard from being used in case it is lost or stolen. (Note that smartcards normally cannot accept the PIN code directly—they don't have a keypad embedded.) To further increase security, a smartcard's validity can be revoked. Based on the techniques described in section 5.4, explain how all these measures can be realized, and discuss the various risks involved.
A federation of certificate authorities raises the question of transitivity of trust. Should a CA-1 that trusts a CA-2 also trust a CA-3, provided CA-3 can demonstrate that it is trusted by CA-2? Discuss potential risks and possible solutions by drawing on the techniques described in section 5.4.