Identifying the Information Requirements of Civilian Decision-Makers Who Manage Terrorist-Targeted Critical Infrastructure: EIS Versus C4I

There is a growing awareness of the importance of organizational information architecture to sound decision-making in both the civilian and military sectors. We make a case for the convergence of civilian executive information systems and military C4I due to terrorist attacks on critical infrastructures. Specifically we survey civilian decision-makers about executive information systems and contrast findings with military decisionmaking. INTRODUCTION To the extent civilians, private industry, and critical infrastructures support war efforts, they have always been targets during armed conflict. In most modern societies civilian infrastructure is used for military purposes and is thus subject to attack during armed conflict if there is a military advantage to be gained by such an attack. Past armed conflicts has targeted economic targets such as rail yards, bridges, ports, industrial plants, the electric power grid, and especially telecommunications. In the U.S. private corporations, not the government, own and manage most of these critical infrastructures. For example, it is commonly quoted that 95% of all U.S. military communications is carried over civilian infrastructure. The advent of state-sponsored terrorism targeting critical infrastructures, as in the suicide-hijack plane crashes into the World Trade Center and the Pentagon on 9/11/01and later anthrax attacks, has taken hypothesized critical infrastructure threats out of the realm of the possible and made them real. The primary military weapon used by decision-makers in this new war against terrorism is enhanced C4I (command, control, communications, computers, and intelligence) to prevent, protect, deter, defend, survive, and recover from terrorist attacks. The analog to C4I for civilian decision-makers is Executive Information Systems (EIS). Development of organizational information architecture to provide improved communication has been identified as a key issue for civilian decision-makers for at least a decade [Neiderman et al. 1991]. EIS are designed to view data and information at the highest aggregate level possible for the organization. It is a natural evolution to make an EIS the backbone of an organizational information architecture. This evolution has been referred to as a Critical Information Network (CIN) [McAuliffe and Shamlin 1992]. The concepts of C4I and EIS transcend specific technologies. The management tenet of “getting the right information to the right people at the right time” and using it to make good decisions requires not only an understanding of relevant technical issues but also of human cognitive processes and capabilities. Getting the right information to the right people at the right time is central to Joint Vision 2020, DOD’s blueprint for future operations. It is also central to the concept of network-centric warfare that seeks to bring together military decision-makers, sensors, and soldiers on a shared network. The goal of this study is thus to identify the information-seeking behaviors of civilian decision-makers as demonstrated in their use of EIS in order to compare with military decision-makers. With the converging differences in decision-making between military and civilian leaders, it becomes important to understand and subsequently tune information flow within their respective organizations given their common enemy of terrorism. The method we used to accomplish this goal was to survey 98 CEOs regarding their perceptions of organizational information architecture. Using the data cube model and the end user as a theoretical basis, respondents were asked to rate the importance of data and/or information systems usage. This is similar to the military’s use of subject matter experts (including retired and active senior officers) who are tasked with refining C4I techniques by conducting experiments to verify effectiveness. The remainder of this paper is organized as follows: Section 2 describes previous research on civilian decisionmaking highlighting the “data cube”. Section 3 details our methodology and Section 4 summarizes empirical results as a result of implementing this methodology. Section 5 compares civilian decision-making using EIS versus military decision-making using C4I. We end with a summary, conclusions, and future directions in Section 6. Figure 1: The Data Cube PREVIOUS WORK The Data Cube Rockart and Treacy (1982) identified the “data cube” as one of the first theoretical foundations for an EIS. Figure 1 shows the data cube. The three dimensions of the data cube (1) business variables; (2) time; and (3) business units – have been used in the past when discussing issues related to EIS [McAuliffe and Shamlin 1992, Mohan et al. 1990]. The first dimension, business variables, includes critical success factors, end products of the organization, and business objectives. Existing IRD methodologies suggest that executives are interested in only a few factors or variables [Rockart 1979, Volonino and Watson 1990-91]. Therefore, the number and types of variables or factors an organizational information architecture will address should be of interest to the developer. Early EIS research suggests viewing these variables as: (1) quantitative-financial data; (2) quantitative-physical data; and (3) qualitative data [Daniel 1961]. Another way of viewing these variables is to categorize them as: (1) market factors; (2) factors concerning the competition; (3) financial factors; (4) economic factors; (5) technological factors; and (6) sociopolitical factors [Abell and Hammond 1979]. The second dimension of the data cube, time, would relate to variables or factors such as historical data, the present situation, and projecting future trends [McAuliffe and Shamlin 1992, Rockart and Treacy 1982]. The third dimension, business units, may include groupings from individual employees, the entire organization, or an entire industry. Past research on executive’s environmental scanning behaviors indicates that all executives are not concerned with the same types of business units [Daft at al. 1988, El Sawy 1985]. From this research we can conclude different executives will be interested in different types of business units depending on their unique situation. Data related to business units could include categorization such as performance of: (1) individual employees; (2) working groups; (3) departments; (4) companies; and (5) the entire conglomerate. The System User The system user is a critical part of many computerbased information systems theoretical framework [Lucas Jr 1985, Mason and Mitroff 1973, Watson et al. 1991]. While the user is a complicated and multivariate construct, two dimensions appear to be highlighted when discussing EIS: (1) the number; and (2) the organizational level of the EIS user(s). Volonino and Watson (1990-91) mentioned the three eras of EIS identified by Rockart (1990). First era EIS were built for single users. Second era EIS were built for use by a management team. Third era EIS are built for multiple management teams at different organizational levels. Systems from each of these eras exist today. METHODOLOGY Examining the theoretical basis of EIS will shed light on the needs/wants of civilian decision-makers who manage a critical infrastructure attacked by a terrorist. In this case, the civilian decision-maker will act as a surrogate military leader with the EIS capabilities mirroring C4I capabilities. A questionnaire was created using the constructs of interest from the theoretical models: (1) business variables; (2) time; (3) business units; and (4) the user. The questionnaire stated that “an executive information system can be defined as a computerized system that provides with information that is relevant to their work.” Respondents < = T I M E = > H is to ry F u tu re < = B U S IN E S S V A R IA B L E S = > B U S IN E S S U N IT S C o m p e ti to r s C u s to m e rs In d u s tr ie s F ig u r e 1 . T h e D a ta C u b e S o u rc e : R o c k a rt a n d T re a c y , 1 9 8 2 were asked to indicate how well they agreed or disagreed with statements related to what data or information they needed or wanted. Responses were measured using a seven point self-anchoring Likert scale (1=strongly disagree and 7=strongly agree). Questionnaires were sent to Corporate 1000 CEOs identified in Business Week. EMPIRICAL RESULTS Ninety-eight usable responses were returned from the CEOs. Table 1 shows the mean responses for each of the individual items on the questionnaire ranked from most agreement to least agreement. Tables 2 through 9 show the mean responses of the CEOs with comparisons within each of the constructs of interest from the theoretical models. Each of the constructs examined showed some level of significant difference. Specifically, Tables 2, 3, and 4 show the differences among the questions that measured different aspects of the business variables. Table 2 shows that CEOs are interested in tracking many factual quantitative variables about the internal and external environment. Table 3 shows that CEOs prefer financial information. Table 4 shows that CEOs prefer information about competition and product markets. Table 5 shows that CEOs prefer information about the present and future (equally) rather than past performance. Table 7 shows that CEOs least prefer information aggregated by individual products or units of a product. Tables 6, 8, and 9 show the differences among the system user measurement. Table 6 shows that CEOs prefer information aggregated at the corporation, company, and division level. Tables 8 and 9 show that CEOs prefer that common systems support be shared between mid-top level managers. The findings of this study suggest that CEOs most prefer to have information provided which is: a) factual, quantitative b) financial and customer service oriented c) present/forward looking forecasting d) aggregated at the corporation or company level e) aimed to support top and middle management The findings of this study suggest that CEOs least prefer to have information provided which is: a) intuitive b) oriented toward technology or sociopolitical c) related to past performance d) aggregated about individual products or employees aimed to support lower management Thus CEOs have the greatest interest in factual, quantitative information related to financial and customer service. The information should be oriented toward the present and the future and aggregate data at the corporate or company level. Lastly, the data should be aimed to support the decision-making of top and middle management. CIVILIAN VS. MILITARY DECISION-MAKING The commander’s job is to make decisions and monitor their execution in the midst of great uncertainty. There is uncertainty in both the current state (attack probabilities, damage assessment) as well as in the future state (different action alternatives). The driving tasks are confirmation of attack, determining mission integrity/damage assessment, identifying the attackers, generating alternative action responses, and coordinating an action response. A well-known saying is that a plan never survives the first shot. This is another way of saying that an unexpected event not considered in planning has occurred.[Hill, Surdu & Pooch 2000] In most real scenarios the combinatorics of possible attacks and possible responses overwhelm brute force deterministic planning such that flexibility is key. Both EIS (in the civilian context) and C4I (in the military context) provide flexibility to adapt in real-time to unfolding events. Both civilian and military decision-makers desire highlevel reports fused from multiple independent sources into an overall situation assessment. These reports should cluster supporting data by similar criteria (i.e., time, target) and hypothesize likely plans. In addition, the information architecture (EIS or C4I) should provide the decision-maker with the ability to view and direct activities. The result is a single integrated framework that provides management assistance to the CEO or military commander. The goal of the military decision-maker is to plan faster and better to stay inside the enemy decision cycle as measured through metrics such as “loss of life” and strategic victories. The goal of the civilian decision-maker is to plan faster and better to stay ahead of competition as measured through metrics such as efficiency of operations and return on investment. Another similarity is the role of middle managers in the civilian and military contexts. Middle managers do not make unilateral decisions but rather cooperate in formulating unified tactical responses. Clearly defense must be coordinated across different middle managers or they would undo the work of each other, redo the work of each other, or ignore the work of each other. This coordination can be exploited to support a defense-in-depth strategy popular for its robust protection. However, there are striking some differences security is achieved in a civilian environment differently than it is in a military environment because threat agents have traditionally acted differently. The military threat model of well-funded organizations operating within the law in a foreign country, keeping their methods secret until released at some moment of perceived maximum effect. Civilian threat agents, on the other hand, are generally significantly less funded, operate outside the law, and launch attacks as soon as they are developed. Traditionally, civilian business decision-making is in many ways a subset of defense decision-making. Defense systems must be protected against both civilian attacks but also military ambush attacks developed by a well-funded adversary in secret and not exposed through use until an opportunistic time. Protection in a military environment thus relies on sound decision-making much more so than attacks that evolve in public. Since all critical infrastructures have underlying computer systems, software protection is important. The penetrate-and-patch approach to software protection is more practical in a civilian environment than in a military environment since progress in the development of attacks is revealed in an ongoing fashion. An IT supplier can track attacker techniques and implement a system of patches to secure operations. Businesses also rely on law enforcement and insurance to manage risk such that they do not always employ comprehensive protection that may be available. The convergence is not all one-sided with civilian decision-makers being confronted with the realities of terrorism – military decision-makers are learning to deal with new C4I architectures. Military C4I had relied on centralized, closed, dedicated networks but has now shifted to distributed, open, and commercial networks due to cost and lifecycle efficiencies. This brings with it new vulnerabilities and threats: [Fowler & Seate 1997] 1) increased software access via the global Internet 2) increased access points to system hardware 3) increasingly sophisticated automated attacks 4) new technologies whose vulnerabilities have not yet been characterized. CONCLUSIONS Effective response to terrorism requires understanding and timely management of rapidly changing situations. This paper has attempted to quantify what information is truly required for the decision-maker in this environment. We make the case that information architecture for civilian and military organizations are converging and show empirical results for civilian decision-makers and compare this with military decision-making. Further research is needed to facilitate the integration of civilian and military decision-making to share intelligence of past/future events and management of real-time events while preventing disclosure of national security and proprietary commercial information.