Security policy development for SMEs


This article explains how to develop security policies for small and medium-sized enterprises (SMEs). Information security has three main goals: confidentiality, integrity and availability. Donn Parker introduced an alternative to this model by adding three more principles: possession, authenticity and utility. After identifying the SME's assets, we can perform a risk analysis on them to find out which assets are most important and to prioritize the risks associated with them. Different security policy standards apply to different areas, such as database security and network security. These security policies define a standard for company members, to make sure they follow agreed criteria when using the company's facilities and so reduce risks and vulnerabilities.


According to the European Commission, the 23 million small and medium-sized enterprises (SMEs) in the EU represent 99% of businesses and are a key driver of economic growth. Starting an SME is just the beginning: as an SME grows it needs to employ more staff, and so it needs technologies and frameworks to keep the staff in line with its standards.

Security policies are a core concept in computer security. They are implemented to regulate access to facilities such as email and the Internet and to define standards such as password and antivirus regulations. These policies explain the acceptable and unacceptable use of these facilities, along with how they are enforced and the responsibilities of company members.

Key concepts and principles

The European Community has produced a document that defines computer security in terms of three main goals: confidentiality, integrity and availability (the C.I.A. triad). Each of these three principles is important, and a weakness in any one of these legs leaves the network open to exploitation.

Similarly, attackers have three approaches (DAD) to defeating the CIA triad: disclosure to defeat confidentiality, alteration to defeat integrity and destruction to defeat availability.

In 2002 Donn Parker proposed a new model called the six atomic elements of information (the Parkerian hexad), which adds possession, authenticity and utility to the CIA definition. Any information security breach can be described as affecting one of these six principles.


Confidentiality

Confidentiality relates to preventing unauthorized individuals from accessing information. This principle covers many forms of disclosure, such as giving sensitive information over the phone, allowing others to look over one's shoulder in public areas while entering sensitive information such as usernames and passwords, or viewing other users' personal information. Encrypting sensitive data, and transmitting sensitive information in a way that prevents network sniffers from accessing it, also falls under this concept.


Integrity

This principle covers breaches in which intruders modify or alter data without being detected. The system must maintain the integrity of the information to keep it safe from corruption and from unauthorized or accidental changes. An example would be a security hole that allows attackers to modify rule tables to gain access to the system. If we define integrity as preventing unauthorized actions, then confidentiality might become part of this definition as well. Some common integrity mechanisms are access control mechanisms, file system security controls and cryptography using digital signatures.


Availability

Availability is defined in ISO 7498-2 as the property of being accessible and usable upon demand by an authorized entity. In this concept it is important to keep information accessible to authorized users at all times. Securing the system against denial of service attacks falls into this category. Fault-tolerant computing and distributed systems can also help, so that if one component crashes the system stays up and running.


Possession

This concept relates to retaining control of information even after it has been compromised or stolen. For example, if a victim writes the PIN on the credit card itself, then if the card is stolen the victim has no control over it and is legitimately concerned about that.


Authenticity

Authenticity includes verifying the authorship of information so that we can confirm its origin. An example would be using a digital signature to sign a document with public-key cryptography. Using this principle it is also easy to detect any unauthorized changes to the information, by verifying the digital signature.


Utility

This principle relates to the usefulness of data after accidental damage, such as losing an encryption key, or a disk crash that loses the private keys used to encrypt the data. This breaches utility even though all the other principles are still in place.

Risk and threat analysis

The term hazard risk relates to the damage that might occur as a result of an uncertain event, or the risks associated with such events. Hazard risk analysis is carried out during the design, development, deployment and operation phases. To start a risk analysis we need to identify our business assets. Then we can identify threats and rate them according to the damage they may cause to the defined assets. This provides a risk analysis for us in the design phase.

Asset identification

We can divide our SME assets into four categories: hardware, software, data and information, and reputation assets.

Hardware assets

Hardware assets include physical assets such as computers, routers, hardware firewalls, switches, smart cards, mobile phones, etc.:

  • Servers, personal computers and laptops
  • Mobile devices
  • Routers, switches and firewalls (hardware based)
  • Mobile phones and PDAs
  • Ethernet and wireless equipment, etc.

Software assets

  • Operating systems
  • Applications and software
  • Website
  • Video conferencing and instant messaging software
  • Database management systems
  • Information management systems
  • Source code
  • Payment processing and e-commerce software, etc.

Data and information assets

  • Customer data, including names, addresses, credit card information and purchase history
  • Emails and communication history
  • Video and voice recordings
  • Sales data
  • Stock and supplier data
  • Business plans
  • Website statistics data, etc.

Reputation assets

  • The confidence you have gained that lets customers trust your website with their details, such as their credit card details
  • The popularity of the company gained through advertisements, etc.


Threats

A threat is an undesirable impact on the assets. There are different threat risk models that categorize and define these threats. Some of the threat risk modelling methods are STRIDE, DREAD, TRIKE, AS/NZS 4360:2004 Risk Management and OCTAVE.

To manage security threats, a security conceptual framework is adopted from ISO/IEC 15408, which defines seven security concepts and their relationships:

Different types of threats

Using the Microsoft STRIDE threat model, we can categorize threats into the following categories for our SME business:

  • Spoofing identity: using another user's account details to log in to the system, such as an attacker stealing the username and password for the website's admin panel in order to access the SME website's back-end administration.
  • Tampering with data: threats that aim to modify data in the database or in transit. An example would be modifying the data transmitted between the customer's computer and the SME's server, as in a man-in-the-middle attack.
  • Repudiation: having no proof against users who deny actions they performed. An example would be the lack of an auditing system that could show proof of login at a certain time, so that a manager cannot be held responsible for an action that damaged the system, such as data loss.
  • Information disclosure: exposure of information to those who should not have access to it. An example would be an intruder who can listen in on conversations to obtain the data. Network sniffers fall into this category as well.
  • Denial of service: sending malicious traffic to the system to make it unavailable or unusable.
  • Elevation of privilege: giving users full access levels so that they are able to crash the entire system, when they are only supposed to access certain parts of it.


Vulnerabilities

Vulnerability analysis takes place after the system has been implemented. The term covers weaknesses of the system that could lead to exploitation or damage to the system's assets. Some typical vulnerabilities in IT systems are:

  • Using simple default passwords for administrator accounts.
  • Granting unnecessary permissions, such as root permission, to processes that do not require that access level.
  • Using software with known bugs and vulnerabilities.
  • Implementing weak access controls that allow intruders to override settings, such as by making changes directly in memory.
  • Weak firewall settings, such as leaving most unused ports open, which attackers can use to carry out attacks.

It is possible to get information and advice about vulnerabilities from organizations such as SANS and CERTs (computer emergency response teams).

It is important to rate vulnerabilities in order to measure risk and to give the most important vulnerabilities the highest priority. For example, a vulnerability that may give an intruder total control of the system through admin access is more important than one that may only give the intruder a normal user account.


Attacks

An attack is a sequence of steps taken to gain access to a system or to damage it. These steps can be defined by an attack tree for each attack. We can estimate the cost of an attack, the chance that it may occur, and the damage it can do. We use attack trees to analyze threats and provide overall assumptions; we can then use these trees to adjust the system for better security in the more sensitive areas. The graph below represents a sample attack tree for stealing customer data from the system, with its associated costs.
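
As an added example (my own code, not part of the original article), the following Python script evaluates a small AND/OR attack tree for the goal of stealing customer data, in the spirit of the tree the text describes. The tree, the leaf names and the cost figures are constructed for illustration; what matters is the evaluation rule: at an OR node the attacker takes the cheapest branch, at an AND node every branch is required and the costs add up. Raising the cost of a leaf (for example by enforcing the password and remote access policies given later in this article) shows which path becomes the new weakest point.

```python
# Added example, not from the article: AND/OR attack-tree evaluation.
# Node names and costs below are constructed for illustration only.
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "or" or "and"
    cost: float = 0.0               # effort for a leaf (constructed units)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Minimum total cost to reach this node, and the leaves that path uses.

    OR node: the attacker needs only one child, so take the cheapest.
    AND node: every child is required, so the costs are summed.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        leaves = [leaf for r in results for leaf in r[1]]
        return total, leaves
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_leaf_cost(root: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's cost changed (models a mitigation)."""
    tree = copy.deepcopy(root)

    def update(node: Node) -> bool:
        if node.kind == "leaf" and node.name == leaf_name:
            node.cost = new_cost
            return True
        return any(update(child) for child in node.children)

    if not update(tree):
        raise KeyError(leaf_name)
    return tree


def sample_tree() -> Node:
    """Constructed tree for the goal named in the text: steal customer data."""
    return Node("steal customer data", "or", children=[
        Node("misuse an employee password", "and", children=[
            Node("obtain a weak or shared password", cost=20),
            Node("log in remotely with it", cost=5),
        ]),
        Node("exploit unpatched software", "and", children=[
            Node("identify software with a known bug", cost=10),
            Node("use the known bug", cost=30),
        ]),
        Node("steal a laptop holding unencrypted data", cost=60),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    print("baseline:", cheapest(tree))
    # Mitigation: the password policy makes passwords much harder to obtain.
    hardened = with_leaf_cost(tree, "obtain a weak or shared password", 80)
    print("after password policy:", cheapest(hardened))
```

With the constructed figures the weak-password path costs 25 and is the attacker's cheapest route; once that leaf is pushed to 80, the unpatched-software path (cost 40) becomes the cheapest, which is exactly the kind of result that tells the SME where to spend its next effort.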

Prioritizing the threats

To prioritize threats and vulnerabilities, we can use the Common Vulnerability Scoring System (CVSS). The score depends on factors such as threat complexity, the vulnerability rating, the chance that attackers will use it and the damage it may cause. The following image represents a sample CVSS implementation:

SME threats

SME stands for small and medium-sized enterprises. The European Commission's Enterprise and Industry publication defines small enterprises as follows: “Small enterprises are defined as enterprises which employ fewer than 50 persons and whose annual turnover or annual balance sheet total does not exceed 10 million euro.”

Similarly, medium-sized enterprises are defined as those with fewer than 250 staff whose annual turnover does not exceed 50 million euros and whose balance sheet total does not exceed 43 million euros.

SMEs work on the basis of increasing revenue and preventing loss. Incidents such as data leakage, downtime and reputation loss can reduce revenue by losing customers. A virus may cost an SME thousands of dollars by damaging its data.

We can categorize the security threats that affect SMEs as follows:

  • Malicious Internet content. Since most small and medium-sized enterprises use the Internet, they are at risk of being affected by malicious Internet content such as viruses, Trojans, malware and worms, and by social engineering attacks such as phishing.
  • Attacks on physical systems, which include data leaking through USB and DVD drives, unauthorized personnel gaining access to data warehouses to steal data, and physical theft.
  • Authentication and privilege attacks, which happen when employees use weak, easy-to-guess passwords. Defining a password policy may help, but with a very strict password policy employees might write their passwords on sticky notes, which increases the risk. Sharing usernames and passwords between employees risks giving some employees access to data they are not supposed to access. Employees who use mobile devices to log in over unsecured wireless networks also pose a risk to the enterprise.
  • Denial of service, an attack that prevents legitimate users from accessing the service they require. This issue can be prevented to some extent by implementing a firewall and security rules such as closing unwanted ports.

The GFI security threats white paper defines security threats for SMEs using the following structure:

Security Policy

To outline a security policy, we need to state each entity of the policy and explain its rules. To avoid misunderstanding and ambiguity in the document, it is a good idea to use a formal, standard security policy model. Security policy models start with a formal specification and a high-level system specification; we can then add more detail to the policy to obtain low-level specifications. Here I explain the standard policy models and all the policies that apply to SMEs. As an example, these policies are written for a sample company called Majid Co.



Bell-LaPadula model

The Bell-LaPadula model (BLM), also called the multi-level model, was proposed by Bell and LaPadula to enforce access control for military and government applications. Subjects and objects are divided into separate security levels, so that subjects can access only the objects permitted for their level. The Bell-LaPadula model also supports mandatory, arbitrary and discretionary access controls.


Biba model

The Biba model was created to preserve integrity in a computer system. The model prevents the unauthorized modification of data and maintains the consistency of the data (Bishop 2003). In this model, subjects and objects are each assigned an integrity label, which indicates the degree of confidence that may be placed in the data (RFC 1457). The model defines four access modes: modify, observe, invoke and execute.


SeaView model

Denning et al. developed the SeaView model (secure data view model) at Stanford Research Institute. In this model both mandatory and discretionary policies are implemented. The model consists of two layers: a reference monitor and a trusted computing base.


Take-Grant model

This model is a discretionary model, in contrast with the Biba model. The Take-Grant model describes security in terms of subjects and objects and uses a graph to model access controls. The access rights in this model are read, write, take and grant. The transfer rights allow a subject to give away or take the rights of an object. This overcomes one of the problems of the Biba model, which provides no administrative options for granting and revoking authorizations (Castano). This security model can be applied to database security, and many DBMSs, such as Oracle, use the Take-Grant model for authorization.


Object-capability model

The object-capability (OCap) model provides security enforcement abstractions that can be composed by other code to minimize vulnerabilities in a system. Murray (2008) described the object-capability model as “perhaps the best enabler of cooperation that humankind has yet developed”.

Chinese Wall

The basis of the Chinese Wall policy is that people are only allowed access to information that does not conflict with information they already hold. So the information already possessed by a user must be held in the computer, together with a record that the user has previously accessed it. In a database organized with the Chinese Wall security model, all information is stored in a hierarchical file system with three levels: the lowest level consists of individual items of information, the intermediate level groups objects together into a company dataset, and the highest level groups all the company datasets together.
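
The access rules of the Bell-LaPadula, Biba and Chinese Wall models described above can be stated precisely in a few lines of code. The Python below is an added example (my own code, not taken from the article or from any of the authors it cites): a toy reference monitor that answers access requests under each model. The security levels, integrity labels, company datasets and conflict-of-interest classes are constructed for illustration, and the Biba rules follow the strict integrity policy as summarized by Bishop (observe, modify and invoke; execute is not modelled here).

```python
# Added example, not from the article: toy reference-monitor checks for the
# Bell-LaPadula, Biba and Chinese Wall models. All labels are constructed.
from typing import Dict, Set

# Bell-LaPadula: confidentiality levels; a higher number dominates a lower one.
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def blp_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Simple security property: no read up. *-property: no write down."""
    s, o = CLEARANCE[subject_level], CLEARANCE[object_level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode {mode!r}")


# Biba: integrity labels; a higher number means more trustworthy data.
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def biba_allows(subject_label: str, object_label: str, mode: str) -> bool:
    """Strict integrity policy (the dual of BLP): no read down, no write up,
    and a subject may only invoke subjects at or below its own integrity."""
    s, o = INTEGRITY[subject_label], INTEGRITY[object_label]
    if mode == "observe":
        return s <= o
    if mode == "modify":
        return s >= o
    if mode == "invoke":
        return o <= s
    raise ValueError(f"unknown access mode {mode!r}")


class ChineseWall:
    """Three-level hierarchy from the text: items live inside company datasets,
    which are grouped into conflict-of-interest classes. A user who has read
    one company's dataset may not read a competitor's in the same class."""

    def __init__(self, conflict_classes: Dict[str, Set[str]]):
        self.class_of = {company: cls
                         for cls, companies in conflict_classes.items()
                         for company in companies}
        self.history: Dict[str, Set[str]] = {}   # user -> datasets already read

    def can_read(self, user: str, company: str) -> bool:
        cls = self.class_of[company]
        for seen in self.history.get(user, set()):
            if seen != company and self.class_of[seen] == cls:
                return False   # conflicts with a dataset the user already holds
        return True

    def read(self, user: str, company: str) -> bool:
        """Grant the read and record it in the user's history, or refuse it."""
        if not self.can_read(user, company):
            return False
        self.history.setdefault(user, set()).add(company)
        return True


if __name__ == "__main__":
    print("secret reads top-secret:", blp_allows("secret", "top-secret", "read"))   # False
    print("high modifies low:", biba_allows("high", "low", "modify"))               # True
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilCo"}})
    wall.read("alice", "BankA")
    print("alice reads BankB:", wall.can_read("alice", "BankB"))                    # False
```

Note that the Chinese Wall decision depends on the user's history, which is why the monitor must store what each user has already read: the same request is allowed for a fresh user and refused for one who has touched a competitor's dataset.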

Orange Book

The Orange Book is a US Department of Defense document called the Trusted Computer System Evaluation Criteria. The document was originally written for military systems and discusses different security protection divisions: minimal protection, discretionary protection, mandatory protection and verified protection, which is the highest security division.

Other security models

There are more security models, such as Brewer and Nash, Clark-Wilson, the NIST RBAC model, Ring, type enforcement and others, which are used in practical systems or have been proposed in theory.

Email Policy

Majid Co. provides employees with electronic tools such as email. This policy applies to email use by everyone at Majid Co., including all full-time and part-time employees, independent contractors, interns, consultants, suppliers, clients and other third parties. Any employee who fails to comply with Majid Co.'s email rules and policies is subject to disciplinary action, up to and including termination.

  • Personal Responsibility

All employees are obliged to adhere to this policy. Failure to adhere to this policy may result in disciplinary action. All users must make sure that they meet the regulations in the acceptable use section stated below.

Managers are responsible for making sure that all staff are aware of this policy. The IT manager must implement this policy on behalf of the Director of Majid Co. and establish procedures that support its implementation. The IT manager must also deal with complaints and issues relating to breaches of this policy.

The IT department is responsible for administering user email accounts, resolving users' problems with accessing their accounts, and maintaining this policy.

  • Purpose

Majid Co. allows access to the email system for business purposes only. Using personal email accounts such as Yahoo, Hotmail or AOL for business contacts is prohibited. This policy is intended to detail the rules of conduct for all staff who use email and related services. It applies to use of the email system for sending and receiving messages, including attachments.

  • Permitted use

Majid Co.'s main purpose in providing email services is to support approved business activities and administration.

Employees who use the email system are responsible for handling the email messages they receive, as well as their attachments.

Users must use the storage space provided for their mailbox appropriately, cleaning out folders, archiving and saving the archives in a timely manner.

Employees must log off from their email as soon as they leave their computer.

When staff leave their current position, they should take adequate measures to file, destroy or transfer the information they have been responsible for, in line with the principles of the Freedom of Information Act 2000 and the Data Protection Act 1998.

  • Banned activity

The email system provided by Majid Co. must not be abused. You are not allowed to use this email system to:

  1. Create or transmit offensive, obscene, defamatory, abusive or otherwise unlawful material. Any email or written communication can be used as evidence in a court of law.
  2. Create or transmit any material that brings Majid Co. into disrepute.
  3. Create or transmit unsolicited advertising material.
  4. Send confidential material concerning the activities of Majid Co.
  5. Transmit any copyrighted material concerning the activities of Majid Co.
  6. Transmit messages that are unreasonable or excessive for personal use.
  7. Create or send any material that is designed or likely to cause annoyance, inconvenience or anxiety.
  8. Send links to web pages or bulletin boards that are offensive, obscene, defamatory, abusive or otherwise unlawful.
  9. Send any material for your own private commercial purposes.
  10. Deliberately forge messages or email header information, i.e. to make your messages look as if they were sent by another sender.
  11. Transmit any material that violates the privacy of others or unfairly criticizes or misrepresents others.

  • Auditing

In line with the legislative requirements of the Regulation of Investigatory Powers Act 2000, it is illegal to intercept communications without the express or implied consent of both the sender and the recipient of the communication.

Permitted exceptions to the principle that interception without consent is unlawful include:

  1. Investigating compliance with Majid Co.'s regulations and policies.
  2. Monitoring to ensure the effective operation of the system, such as scanning for viruses and other malicious attachments, monitoring email storage usage, forwarding messages to the correct address and eliminating spam.
  3. Investigating to detect unauthorized use.
  4. Resolving a user's problem.
  5. Monitoring standards of service, or for training purposes.
  6. Preventing crime, or in the interest of national security; this must be authorized by the Director of the company when there is a reasonable suspicion of criminal misuse, or at the request of the PSNI or other specified public bodies.
  7. Checking whether a communication is related to Majid Co.'s business.

Auditing will be carried out by the IT department.

  • Enforcement

In any case of a breach of the email policy, a complaint must be made to the IT manager.

If a breach is verified, the responsible person's email access will be temporarily suspended pending further investigation.

The investigation must be referred to the Director of the company, and any action taken must follow Majid Co.'s agreed Disciplinary Procedure for employees.

Remote access policy

Trojan horses and viruses are an important concern when it comes to remote access to systems. An attempt to log in to the system from a remote location using a computer infected with a trojan or virus may lead to loss of data and costs for the company.

  • Purpose

The purpose of this policy is to provide standards for accessing Majid Co.'s network from outside the company. These standards are designed to minimize the security risk of damage that might be caused by unauthorized use.

  • Policy

  1. All employees and contractors must make sure that their Internet connection is safe and that they are not using an open public Wi-Fi connection.
  2. Employees are permitted to log in to the system from outside the organization only for the facilities permitted by the IT department.
  3. Contractors are not permitted to log in to the control panel provided by Majid Co. from public areas where others might see their computer screen.
  4. Employees must not open their email account outside the organization.
  5. Employees must make sure that their wireless router's security protocol is set to WPA2, to minimize the risk of their traffic being compromised.
  6. Reconfiguration of a home user's equipment for the purpose of split-tunnelling or dual homing is not permitted at any time.
  7. Frame Relay must meet the minimum authentication requirements of the DLCI standards.
  8. Employees must install antivirus software, and keep it updated, on any computer they use to remotely access the company's servers.
  9. Employees must make sure that the firewall software on their remote computers is up and running.
  10. Employees must make sure that they keep their operating system updated and check for updates on a regular basis.
  11. Users and managers must not attempt to log in from outside the organization as any system-level user such as root or admin.
  12. Remote login for system-level users must be disabled.

  • Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Password policy

Passwords are an important aspect of computer security. Using easy-to-guess passwords may create a vulnerability that lets attackers compromise the whole system and access its data, so passwords should be treated with the same level of security as a credit card PIN.

  • Purpose

The purpose of this policy document is to establish a standard for employees to select strong passwords, protect their passwords and change their passwords in a timely manner.

  • Policy

System-level passwords must meet the following rules:

  1. System-level passwords must contain uppercase and lowercase characters, numbers and hyphens.
  2. All system-level passwords, such as root and admin passwords, must be changed at least once every 6 months. These passwords must be known by at least one person.
  3. In case of a suspected security breach, system-level passwords must be changed.
  4. Passwords must be kept secret and must not be inserted into email messages or other forms of electronic communication.
  5. All accounts created for external contractors should be set to expire after one day, so that access to the account is closed once the contract is finished.
  6. After 5 failed login attempts, the account must be locked for at least 1 hour. The IT manager should be able to unlock accounts.

All user-level passwords must also meet the following conditions:

  1. User-level passwords must be longer than 6 characters and must not be a word found in a dictionary. They must contain at least both letters and digits.
  2. Employees must not discuss their password over the phone or in any email message.
  3. Employees must not share their passwords with their colleagues or family members.
  4. Employees must not write down their passwords or store them in any electronic storage such as email messages.
  5. In case of a suspected password breach or a virus or trojan infection, employees must change their passwords and notify the IT manager.
  6. Employees must not use public computers to log in to the system.
  7. Employees must not share their passwords to any
  8. Employees must not use the same password they use for personal accounts outside the company, which might lead to a security breach if their home computer is infected.

  • Enforcement

Any employee found to have violated this policy may be subject to disciplinary action. The IT manager may investigate the employee's computer to find out whether it is infected with any virus or trojan. If the IT manager verifies that the computer is infected, a further investigation takes place to determine whether the employee is responsible for the security breach, and disciplinary action might follow.
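
The password rules above are mechanical enough to check automatically rather than by reading the policy. The following Python module is an added example (my own code, not part of the article or of any Majid Co. system): it validates a candidate password against the system-level and user-level rules as written, and tracks failed logins so that an account locks for one hour after 5 failures and can be unlocked only by the IT manager. The word list is a constructed handful of words standing in for a real dictionary file, and the "it-manager" role name is an assumption.

```python
# Added example, not from the article: checks for the password rules above.
# The word list and the "it-manager" role name are constructed assumptions.
import re
import time
from typing import Callable, Dict, List

# Stand-in for a real dictionary file; a deployment would load a full wordlist.
DICTIONARY = {"password", "welcome", "summer", "company", "majid"}


def check_user_password(password: str) -> List[str]:
    """Return the user-level rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) <= 6:
        problems.append("must be longer than 6 characters")
    if password.lower() in DICTIONARY:
        problems.append("must not be a dictionary word")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    return problems


def check_system_password(password: str) -> List[str]:
    """Return the system-level rules the password breaks (root/admin accounts)."""
    required = [(r"[A-Z]", "an uppercase letter"), (r"[a-z]", "a lowercase letter"),
                (r"\d", "a number"), (r"-", "a hyphen")]
    return [f"must contain {what}" for pattern, what in required
            if not re.search(pattern, password)]


class LockoutTracker:
    """Lock an account for LOCK_SECONDS after MAX_FAILURES failed logins."""
    MAX_FAILURES = 5
    LOCK_SECONDS = 60 * 60

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                   # injectable so tests can fake time
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:            # the lock has expired
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a failed login; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.MAX_FAILURES:
            self.locked_until[account] = self.clock() + self.LOCK_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account] = 0

    def unlock(self, account: str, role: str) -> None:
        """Manual unlock, which the policy reserves for the IT manager."""
        if role != "it-manager":
            raise PermissionError("only the IT manager may unlock accounts")
        self.locked_until.pop(account, None)
        self.failures[account] = 0


if __name__ == "__main__":
    print(check_user_password("summer"))
    print(check_system_password("Root-Admin42"))
```

The checker reports every broken rule at once, which is what a user needs when choosing a new password, and the lockout tracker takes its clock as a parameter so the one-hour expiry can be exercised without waiting.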

Antivirus policy

A virus or trojan can create a security hole in the system that allows intruders to damage the data. Viruses can easily infect the system when a user opens a suspicious email or visits a website with malicious content.

  • Purpose

The antivirus policy focuses on preventing the security risks in this category. Its purpose is to establish a standard for employees, to make sure they keep their antivirus software updated and avoid getting their computers infected by malicious content such as viruses and trojan horses.

  • Policy

  1. Employees must not open any email attachment from an unknown source.
  2. Employees must not download any form of executable file from email messages, such as .exe, .com or .bat files.
  3. Employees must make sure that the antivirus software on their computer is up to date, and if their antivirus subscription has expired they must report it to the IT manager.
  4. Employees must schedule a virus scan at least once per week.
  5. All software installations must be carried out by the IT department; employees are not allowed to install any software on their computer from any source, such as CD/DVD, USB drives or the Internet.
  6. The IT manager must disable the admin privileges that would allow employees to install software.
  7. The IT manager should block access to CD drives and USB drives.
  8. If an employee detects any virus, they should contact the IT department, and after the investigation the employee must change his or her password.
  9. Employees must not attempt to disable the antivirus or any other security software.
  10. In case of any suspicious trojan horse traffic on an employee's computer, the employee must report the matter to the IT department.

  • Enforcement

The IT manager must disable the employee's account until the investigation is completed, and change the password if necessary. The employee might face disciplinary action if the infection was caused by their negligence.

Internet usage policy

Access to the Internet is a useful means of communication. The Internet is primarily for business use, and employees are permitted to use it for business use, and occasional personal use, only.

  • Responsibilities

Majid Co. will take all reasonable steps to make sure that all employees are aware of this policy and of their legal obligations. This will be done by training the staff.

The IT manager is responsible for monitoring the network for unacceptable use and will take action against those who fail to comply with this policy.

All users should take reasonable precautions to prevent viruses or other malicious content from infecting the company's network.

  • Purpose

The purpose of this policy is to ensure proper use of the Internet, so that all staff comply with acceptable use as defined in this policy.

  • Acceptable Internet usage

  1. Personal use is allowed only outside normal working hours and for limited periods.
  2. Staff are not allowed to run a private business using Majid Co.'s Internet facility.

  • Unacceptable Internet usage

  1. Viewing any pornographic, obscene, indecent or sexual material.
  2. Viewing any illegal material.
  3. Employees are not permitted to perform any activity to run a private business.
  4. Employees are not allowed to send offensive or harassing material, or malicious content, using the Internet facility.
  5. Employees are not allowed to deliberately waste network resources such as bandwidth, or to engage in any activity that may interfere with other employees' work.
  6. Any activity that involves the deliberate introduction of viruses, spyware or malware.
  7. Streaming video or audio, or using the Internet for chat, social networks or downloading, is not allowed unless it is related to the business.
  8. Using the Internet to send spam or illegal advertisements to other users is prohibited.
  9. Downloading or transmitting any copyrighted material is strictly prohibited.

  • System monitoring

All Internet traffic is logged automatically and monitored by the IT department to ensure that damaging code or viruses do not enter the organization's network.

Majid Co. also uses software that prevents users from visiting sites with harmful content or illegal material. In addition, only the network ports that need to be open will be accessible; all other ports will be closed by the firewall managed by the IT department.

  • Enforcement

The IT manager should warn the employee, and also notify the employee's manager, if the employee fails to comply with this policy. The IT department should start an investigation if there is a suspected virus or trojan infection in the network. The employee might face disciplinary action if the infection was caused by their negligence.


Conclusion

In small and medium-sized enterprises, security policy documents are created to set constraints on the behaviour of members. These documents define acceptable use and unacceptable behaviour, which the SME needs to enforce to ensure that members follow the rules for securing the organization's systems and facilities. To outline policy documents, it is essential to understand how to create them so that they are most effective and enforceable.

Identifying assets, threats, vulnerabilities and attacks are the steps taken to develop a risk analysis and prioritize security threats for SMEs. Using these reports, it is possible to produce more effective security policy documents covering the different facilities in an SME. If security policies are properly implemented, they become an efficient tool for information security.

There is no silver bullet in security, because attacks and threats are always changing, and that should affect security policy documents as well. So security policy documents must be updated whenever it becomes necessary.

Security documents must be easy for employees to access, and the contents of policy documents should be easy to use and understand. Structuring policy documents in a hierarchical manner makes them easier to understand.

The contents of security policy documents may vary between organizations, even though there are some fundamental principles that policy documents should enforce, such as password policies.



Dataflow diagrams and ERD

Here is a sample proposed system for a hotel reservation system, including dataflow diagrams, an ERD and requirements.

Functional requirements

User Registration

Customers can register through the website and provide their information; this makes it possible, on their next logon, to book rooms faster without re-entering their details. During registration users choose a unique username and a password, as well as entering their name, information and contact details. If the username is not already taken, customers get a confirmation message and also receive their login details at their email address.

Online booking

Customers can book rooms online by visiting the hotel's website, viewing the plans and selecting the room and length of stay. After confirmation that the room is available for that period, customers will be asked to pay for the room online by credit card and will get a printable receipt. If customers are already registered, they can log in with their username and password and proceed to the payment page directly; otherwise they will need to enter their name, information and contact details separately.

Sales report

Finance will produce a sales report for each month according to the sales database and provide it to the manager. To produce this report they need access to the hotel's database and an advanced search facility to retrieve the customer list for a period of time.

Non-functional requirements

User friendly website

The hotel's website should be user friendly to make it easier for customers to book rooms and get the information they need. The colours and themes used should fit the hotel environment and also be easy to read. Using a sitemap makes it easier for customers to find different locations on the website; it should also contain a good navigation structure so that users can reach all of the pages with few clicks.


Customers can book rooms online and also pay online by credit card, so the website should be secure and trustworthy so that customers are able to pay online with confidence. Getting an SSL certificate so that the payment page can be served over HTTPS is necessary to ensure security.


The website should be stable and always available; a stable web server is a must to make sure the hotel does not lose online customers during website downtime. At the same time, this will increase customers' trust if the website always runs smoothly. For example, if the website stops working at the order page, customers will lose trust in the website.

Dataflow diagram

Level 1 dataflow diagram

Level 2 dataflow diagram

Level 2 dataflow diagram for the payment process

ERD and requirements

In this case we have 3 entities: customers, orders and rooms. The customers entity's primary key is id, and the rooms entity's primary key is also id. The orders entity also has a unique id, and the room and customer are referred to using the customer_id and room_id foreign keys. The following ER diagram represents the attributes for each entity as well as their primary key (PK) and foreign keys (FK).


Entity Relationship Diagram

System Design

This form appears after the user selects the room and logs on, so we have their username and details plus the room details (so we know the room price as well). The payment form appears like the following screen:

Payment system design

Payment process system design

Validation requirements

  • Card type is required and should be either Visa or MasterCard
  • Card number is required and should be a 20 digit number
  • Expiry date is required and should be a valid date not before the current date (i.e. not already expired)
  • Security code is required and should be a 3 digit number
  • Name on the card is required and should contain letters and spaces only
  • Card holder's address is required
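The six rules above as a server-side validator for the payment form. This is an added example, not code from the original write-up; it implements the rules exactly as the page states them (including the page's 20 digit card-number rule), reports every violated rule rather than stopping at the first, and treats an expiry month as valid through its last day. The field names (card_type, card_number, expiry, security_code, name, address) are assumed.

```python
import calendar
import re
from datetime import date

ALLOWED_CARD_TYPES = ("Visa", "MasterCard")
_EXPIRY = re.compile(r"(\d{2})/(\d{2}|\d{4})")          # MM/YY or MM/YYYY
_NAME = re.compile(r"[A-Za-z]+(?: [A-Za-z]+)*")         # letters and single spaces only


def expiry_is_valid(expiry, today=None):
    """True if `expiry` parses as a month/year that has not yet passed.

    A card is valid through the last day of its expiry month, so "01/20"
    counts as expired only from 1 Feb 2020 onwards.
    """
    today = today or date.today()
    m = _EXPIRY.fullmatch(expiry)
    if not m:
        return False
    month, year = int(m.group(1)), int(m.group(2))
    if year < 100:                      # two-digit year: assume 20YY
        year += 2000
    if not 1 <= month <= 12:
        return False
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, last_day) >= today


def validate_card(form, today=None):
    """Return the list of violated rules; an empty list means the form is valid.

    `form` maps the (assumed) field names to the strings posted by the
    browser; `today` can be injected so the expiry check is deterministic.
    """
    def field(key):
        return (form.get(key) or "").strip()

    errors = []
    if field("card_type") not in ALLOWED_CARD_TYPES:
        errors.append("Card type is required and must be Visa or MasterCard")
    # The page's rule as stated: a 20 digit number; spaces between digit groups are tolerated
    if not re.fullmatch(r"\d{20}", field("card_number").replace(" ", "")):
        errors.append("Card number is required and must be a 20 digit number")
    if not expiry_is_valid(field("expiry"), today):
        errors.append("Expiry date is required and must be a valid date that has not passed")
    if not re.fullmatch(r"\d{3}", field("security_code")):
        errors.append("Security code is required and must be a 3 digit number")
    if not _NAME.fullmatch(field("name")):
        errors.append("Name on the card is required and must be letters and spaces only")
    if not field("address"):
        errors.append("Card holder's address is required")
    return errors


if __name__ == "__main__":
    # Constructed sample submission
    sample = {"card_type": "Visa", "card_number": "1234 5678 9012 3456 7890",
              "expiry": "12/99", "security_code": "123",
              "name": "Majid Khosravi", "address": "1 High Street"}
    print(validate_card(sample) or "form is valid")
```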

System Lifecycle

Initiation and planning

A feasibility study is required to find out whether the new system (the hotel's website) is achievable, and also to discuss whether the technology we need to develop the website currently exists. The output of this phase will be a feasibility report.

Here, as we are planning to develop a website to provide online payment and booking facilities to users, we need to research the technology we need, find out whether the hotel staff have enough experience to work with the new system, and identify the inputs we need for this website to be completed.

Requirements gathering and analysis

In this phase, we determine whether there is a problem in the current system which needs to be resolved. All the requirements will be gathered by breaking down the system into different sub-systems and functions. The output of this phase will be a requirements and analysis report.

For example, in the hotel, the problem is that the hotel is losing business and we need a way to make booking easier to get more guests into the hotel.


In this phase we will break down all of the processes and produce layouts, screen designs, DFDs and ER diagrams, and also define the rules we need in this system.

For example, the hotel website's design phase provides the DFD and ER diagrams plus the screen design provided in questions 2, 3 and 4 of this document.

The output of this phase will be a new system design which is a collection of different sub-systems.

Build or coding

In this stage, coding and programming procedures will be carried out. Testing is also required to make sure the system contains no bugs. For example, in the hotel's build phase, programmers work on the website design, program the required functions and also create the website according to the design phase documentation. The output of this phase will be the website with all the facilities described in the design phase.


In this phase, all of the code will be tested using various software testing methods to make sure it contains no bugs. For example, we will test different parts of the website to make sure the booking system, registration and other parts work without any problems. The output of this phase will be a test report with detailed test dates, details and results.

Operations and maintenance

In this phase deployment will be done and maintenance of the system will take place. For example, in the hotel's deployment and maintenance phase, we will upload the website to the actual web server and also perform maintenance to make sure problems found after deployment are fixed. The output of this phase will be the software delivery and a maintenance report.

Comparing with the waterfall methodology

The waterfall model is a document-driven methodology which strongly relies on the quality and quantity of the output of each phase.

Prototyping is the process of creating a system quickly and at low cost for demonstration and evaluation.

In the waterfall model, the customer does not see what the product will look like until delivery; however, in prototyping the user sees a tangible system early in the development process, which makes it easier for changes to be made at the beginning. So in waterfall, if the customer does not like the system after delivery, it will cause a lot of confusion for the development team. The waterfall model is therefore not suitable when the project needs maintenance and additions.

The waterfall model is a straight flow of processes which is very easy to understand; however, in prototyping users do not know the stopping point.

As users are involved in prototyping from the beginning, we can make sure that the system is what they expect at delivery, so the prototyping method is the appropriate methodology for designing this website.



Linux Explorer

Linux Explorer is a free, simple bash script which allows the user to navigate through Linux folders using the up and down arrows and the enter key. It is possible to customize Linux Explorer to open selected files with other applications, such as opening text files with the nano editor and so on.

By pressing the enter key on a folder, the user will see the list of files and folders in the selected folder, so it is easy to navigate without typing commands. The script also displays folders, files and links in different colours. Users can provide an initial folder as an argument.

License: MIT License
Feel free to change, redistribute or include it in your commercial projects, on one condition: keep the original author's name and license information in the script.

Below is a screenshot of the Linux Explorer script:

The highlighted item is the current cursor location, and an indicator shows the type of the item, which in this case is a directory. By pressing the enter key, the current directory will be changed to the lib folder and its contents will be displayed.

Download link: Download Linux Explorer


Information Management Systems


Business reasons and the IT capabilities that have led to a move from an emphasis on data processing to information management


The information systems (IS) concept includes activities such as gathering, processing, storing, distributing and using information in organizations. Transaction processing systems, decision support systems, information management systems, knowledge management systems, database management systems and office information systems are all different types of information systems.

This article aims to discuss the reasons which led to the move from data processing / transaction processing systems to information management systems, and also to discuss the new capabilities of information management systems compared to transaction processing systems.

Data processing / transaction processing Systems

Transaction processing systems automate the handling of data by capturing, validating and storing data for future uses such as producing reports or tracking the data. The purpose of transaction processing is to speed up data processing and make it more accurate and efficient.

Batch transaction processing, real-time transaction processing, data validation, historically significant transaction processing systems and manual transaction systems are all different types of data processing systems.

Management Information Systems

A management information system is an integration of different computer systems to provide information to manage organizations effectively. In this system, the collection, processing, storage and dissemination of data is provided for management functions, which include: decision support systems, resource and people management applications, Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Customer Relationship Management (CRM), project management and database retrieval applications.

Business reasons

New distributed systems provide more competitive advantages for companies and allow direct communication between suppliers and clients. In transactional data processing systems, the whole system is in one place; however, in distributed management information systems, the sub-systems can be distributed across different physical locations, which provides more advantages. For example, it makes it possible to outsource customer support to cheaper countries such as India, or to allow managers in different physical locations to access the information system easily.

Transaction processing systems are central to a business; any failure of the TPS can harm all the firms which are linked to it.
“Transaction processing systems are often so central to a business that TPS failure for a few hours can spell a firm’s demise and perhaps harm other firms linked to it. Imagine what would happen to UPS if its package tracking system were not working! What would the airlines do without their computerized reservation system?” (C. Laudon, P. Laudon, 2003: 41).

Information helps to increase the profit and performance of organizations, which is a good reason for organizations to move from data processing to management information systems that help their strategic decision making. Chaffey and Wood (2005: 10) state that by utilizing information resources, the performance of the organization can be improved to deliver better quality products or services more profitably. This can be done by providing more relevant data to employees to support the decisions they are making.

Recognizing the importance of information, the IT Governance Institute developed the COBIT (Control Objectives for Information and related Technology) framework. Regarding the importance of managing information, Chaffey and Wood (2005: 10) suggest that:
Critically important to the survival and success of an organization is effective management of information and related Information Technology (IT).

Through software improvements and lower costs, organizations can use enterprise resource planning (ERP) systems to support their business processes such as marketing, sales, logistics and manufacturing. ERP provides a single solution to achieve all these functions. SAP, BAAN, PeopleSoft and Oracle are examples of ERP system suppliers.

One of the reasons which held small businesses back from moving to management information systems in the past was the cost of the software. Chaffey and Wood (2005: 63) state that when the concept of ERP was introduced in the late 1980s and early 1990s, small organizations could not afford it because it cost millions of pounds. However, today it is easy to implement lower-cost ERP solutions or to consider open-source software options, which save money for organizations.

The Internet has significantly changed traditional organizations, pushing them to innovate with new technologies. Boddy, Boonstra and Kennedy (2005: 32) state that the rise of the internet since the mid-1990s challenges traditional organizations to innovate and integrate their processes with suppliers and customers.
“This clearly leads to corporate transformation, reinvention of value chains and new ways of doing business.” (Boddy, Boonstra and Kennedy 2005: 32)

The Internet also helps organizations by enabling online inventory systems, which make it possible to reduce inventory levels and their associated costs. Boddy, Boonstra and Kennedy (2005: 77) state that:
“The internet enables large companies to transfer their purchasing operations to the Web. Secure websites connect suppliers, business partners and customers all over the world”.

Decision support systems (DSS) help managers to make decisions. If an organization is using a TPS, it can only use its internal information in its DSS; however, if it moves to a management information system, the DSS can use information from external sources as well, such as stock prices and competitors' product prices. This gives managers better options when making decisions, so it is another advantage of moving from TPS to MIS.

IT Capabilities

In the past, transaction processing systems were used to store data on mainframe computers; examples would be airline reservation systems, banking systems or accounting systems. One of the biggest issues in these systems was the need to handle multiple simultaneous users.

Management information systems have changed the rules and provide new capabilities. Bidgoli (1999: 295) suggests that: “Information systems helps to deliver information simultaneously in as many places as needed”.

Employees can retrieve all the information quickly and communicate with suppliers and customers. Image processing technologies can help with faster information delivery by reducing paper processing. Another capability is the use of groupware to allow decision makers to function more effectively.

Bidgoli (1999: 297) suggests that: “Using Electronic mail, computer conferencing, video conferencing, computer-assisted telephone interviewing (CATI) and other related technologies can make it possible for remote groups of people to function effectively”. These are part of information system applications, which all speed up processes by removing boundaries.

Management information systems let managers get weekly, monthly and yearly reports, which make it easier for them to make strategic decisions based on these reports. Reports will be more efficient compared to those of old transaction processing systems.

C. Laudon, P. Laudon (2003: 44) stated that: “MIS summarize and report on the company’s basic operations. The basic transaction data from TPS are compressed and are usually presented in long reports that are produced on a regular schedule”.

Since the sub-systems are distributed in management information systems, it is possible to run them in different locations and provide accessibility to suppliers and customers from any physical location.

Role of the CIO

Chief information officer is a job title given to the most senior information technology executive in an enterprise organization. The CIO reports to the chief executive officer, chief operations officer and chief financial officer. With the growth of information technology, the role of the CIO has become more important, and many organizations consider the CIO role a key contributor to their strategic goals. The CIO is responsible for increasing information accessibility and for integrated systems management.

“Managers need to pay attention to business processes because they determine how well the organization can execute, and thus are a potential source of strategic success or failure” (C. Laudon, P. Laudon 2003: 65)

The CIO is also in charge of making sure information systems function correctly in the firm. In new management information systems, the CIO is the manager of all the information rather than an IT manager who takes care of hardware or software issues. The CIO is responsible for information availability for all managers in the system.

Required Skills

Implementation of management information systems may affect different employees depending on their age and experience. When implementing the MIS, employees need training on how to use the new system. Managers should learn how to use decision support systems and how to get timely reports whenever they are required.

If companies are going to migrate their old transaction processing systems to new management information systems, they should have the skills to transfer their existing data into the new system (or someone who is responsible for this purpose).

The CIO needs to know how to use the new system and also to decide how information is shared between managers in the company.


There are 3 major information systems: transaction processing systems, management information systems and decision support systems. TPS provides less strategic planning for the business and focuses more on operational control. In the past, organizations were using TPS to store, retrieve and process their data, which has disadvantages compared to MIS, such as multiple users from different locations accessing the data, a lack of information for decisions, and not using external data sources.

The expensive price of management information systems limited small organizations from implementing such systems, since those systems were very costly. Currently there are different suppliers which provide management information systems a lot cheaper, and companies can also consider using open-source software as an alternative to expensive MIS solutions.

Using MIS provides many advantages which lead to cost savings for companies and increased profit as well. Managers can use MIS to help their decision making to manage organizations more efficiently. Management information systems make it possible for managers to access information from different physical locations and also allow customers and suppliers to connect to the system as well.


Chaffey, D. and Wood, S. (2005). Business Information Management: Improving Performance using Information Systems. Harlow: Pearson Education Limited.

Boddy, D., Boonstra, A. and Kennedy, G. (2005). Managing Information Systems: An Organisational Perspective. Britain: Pearson Education Limited.

Bidgoli, H. (1999). Handbook of Management Information Systems: A Managerial Perspective. Academic Press.

Laudon, K. C. and Laudon, J. P. (2003). Essentials of Management Information Systems (5th ed.). Prentice Hall.

Transaction Processing Systems: Wikipedia [Online]. Available at: [Accessed 1 Dec 2010]

Information Systems Discipline: Wikipedia [Online]. Available at: [Accessed 2 Dec 2010]

Types of information systems [Online]. Available at: [Accessed 1 Dec 2010]

Transaction processing systems [Online]. Available at: [Accessed 2 Dec 2010]

Chief information officer: Wikipedia [Online]. Available at: [Accessed 3 Dec 2010]


PHP OOP Factory Pattern

PHP OOP Tutorial – Factory Pattern

Here I am providing an example of how to build up a PHP object-oriented programming project using the factory design pattern. In this example, the Factory class contains one static function to create a new class instance and return a reference to the constructed object.
The idea is to construct each object only once. The Account class contains two functions to register and log in users. After the user logs on, a User object will be constructed and returned. This pattern can be used in almost all scenarios by adding an object through the parent class, and that object can be a parent for another class as well. Imagine Account could be a Stock object and User could be a Product class. Our User class could become the parent of another Order class as well, and so on.

First of all, let's create the Factory class, which contains one static method to construct instances of our other classes:
```php
<?php
class Factory
{
    // Holds references to the class instances
    private static $instances = array();

    /**
     * Returns a reference to a class instance,
     * creating it if it doesn't already exist.
     * @static
     * @access public
     * @param    string    $class      Class name
     * @param    array     $options    Class arguments
     * @return   object    reference to the class instance
     */
    public static function &getClass($class, $options = array())
    {
        // Create a unique signature for every class with its arguments
        $signature = serialize(array(
            "className" => $class,
            "options"   => $options
        ));

        // Construct the instance if it does not exist yet
        if (empty(Factory::$instances[$signature])) {
            // Get the class path; only the classes listed here can be loaded
            $class_path = "";
            switch ($class) {
                case "Account":
                    $class_path = "Account.class.php";
                    break;
                case "Database":
                    $class_path = "Database.class.php";
                    break;
            }

            // Check if the class path is valid, die with an error otherwise
            if ($class_path == "" || !is_file($class_path)) {
                die("There was an error loading the " . $class . " class");
            }

            // Require the class path only once
            require_once $class_path;
            Factory::$instances[$signature] = new $class($options);
        }

        // Return the previously constructed instance
        return Factory::$instances[$signature];
    }
}
```

Now let's create our Account class, which contains two simple public functions, register and login.

```php
<?php
// Include the User class
require_once "User.class.php";

class Account
{
    /**
     * Register a new user
     * @access public
     * @param    string    $name        full name
     * @param    string    $username    username
     * @param    string    $password    password
     */
    public function register($name, $username, $password)
    {
        // Validate inputs
        if ($name == "") {
            throw new Exception("Name is required");
        }
        if ($username == "") {
            throw new Exception("Username is required");
        }
        if ($password == "") {
            throw new Exception("Password is required");
        }

        // Get the database object
        $db = Factory::getClass("Database");

        // Insert query (passwords are stored as md5 hashes, as in the original;
        // password_hash() is the modern replacement)
        $query = "insert into users ( name , username , password ) " .
                 " values ( '" . $db->escape($name) . "','" .
                 $db->escape($username) . "','" .
                 $db->escape(md5($password)) . "')";

        // Run the query
        $db->query($query);
    }

    /**
     * Login the user
     * @access public
     * @param    string    $username    username
     * @param    string    $password    password
     * @return   User
     */
    public function login($username, $password)
    {
        // Get the database object
        $db = Factory::getClass("Database");

        $query = "select * from users where username = '" .
                 $db->escape($username) . "' and password = '" .
                 $db->escape(md5($password)) . "'";

        // Retrieve the result
        $result = $db->query($query);

        // Throw an error if the result was empty
        if (empty($result)) {
            throw new Exception("Invalid username or password");
        }

        // Construct a new User object from the first row and return it
        return new User($result[0]);
    }
}
```

Here is our User class, which will be constructed through its parent class (Account).

```php
<?php
class User
{
    private $id = "";
    private $name = "";
    private $username = "";
    private $password = "";

    /**
     * Default constructor
     * @access public
     * @param    array    $record    user row fetched from the database
     */
    function __construct($record = array())
    {
        $this->id = $record["id"];
        $this->name = $record["name"];
        $this->username = $record["username"];
        $this->password = $record["password"];
    }

    /**
     * Get the user id
     * @access public
     * @return integer
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * Get the full name
     * @access public
     * @return string
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Change the full name
     * @access public
     * @param    string    $name    full name
     */
    public function setName($name)
    {
        $this->name = $name;
    }

    /**
     * Returns the username
     * @access public
     * @return    string
     */
    public function getUsername()
    {
        return $this->username;
    }

    /**
     * Change the password (stored as an md5 hash, as in the original;
     * password_hash() is the modern replacement)
     * @access public
     * @param    string    $password    new password
     */
    public function setPassword($password)
    {
        $this->password = md5($password);
    }

    /**
     * Save the changes
     * @access public
     */
    public function save()
    {
        // Get the database object
        $db = Factory::getClass("Database");

        // Update query (the original joined the two columns with "and";
        // SET clauses are separated by commas)
        $query = "update users set name='" .
                 $db->escape($this->name) . "', password='" .
                 $db->escape($this->password) . "'" .
                 " where id = '" . $db->escape($this->id) . "'";

        // Run the query
        $db->query($query);
    }

    /**
     * Delete the user
     * @access public
     */
    public function delete()
    {
        // Get the database object
        $db = Factory::getClass("Database");

        $query = "delete from users where id = '" .
                 $db->escape($this->id) . "'";

        // Run the query
        $db->query($query);
    }
}
```

And finally a test file to use the above classes:

```php
<?php
// Include the Factory class
require_once "Factory.class.php";

try {
    $account = Factory::getClass("Account");

    // Register
    $account->register("Majid Khosravi", "majid", "mypassword");

    // Login
    $user = $account->login("majid", "mypassword");
    echo $user->getName();
} catch (Exception $ex) {
    echo $ex->getMessage();
}
```

Unicode with PHP and Java in MySQL

You may experience problems accessing your Unicode data from Java in your database if you used PHP to insert that data. The reason is that PHP saves the data using latin1 encoding by default. Sometimes you cannot change the encoding back to real Unicode, so here is a solution to resolve this issue. The problem arises when you need to run a query and select a row based on a Unicode column, such as usernames which contain Unicode characters.

Using this method, you can insert and access data from both PHP and Java without encoding issues. Here is the solution:
1- Use utf8 encoding in the connection string (the original line is cut off after "jdbc:mysql://"; host and database below are placeholders, and useUnicode/characterEncoding are Connector/J's standard options for this):

```java
String connectionString = "jdbc:mysql://<host>/<database>?useUnicode=true&characterEncoding=utf8";
```

2- Create a function to set the encoding to utf8 and run it before a select statement (`con` is the open java.sql.Connection):

```java
public void setUTF8()
{
  PreparedStatement pstmt;
  try
  {
    // Tell MySQL to exchange text with this connection as utf8
    pstmt = con.prepareStatement("set names utf8");
    pstmt.execute();
    pstmt.close();
  }
  catch (SQLException e)
  {
    e.printStackTrace();
  }
}
```

3- Create a function to set the encoding to latin1 and run it before every update or insert statement:

```java
public void setLatin1()
{
  PreparedStatement pstmt;
  try
  {
    // Tell MySQL to treat the bytes we send as latin1, exactly as PHP does
    pstmt = con.prepareStatement("set names latin1");
    pstmt.execute();
    pstmt.close();
  }
  catch (SQLException e)
  {
    e.printStackTrace();
  }
}
```
This provides perfect compatibility between PHP and Java for accessing and adding data in your database.

4- Convert the Unicode column from latin1 to utf8 in MySQL using the CONVERT and CAST functions:

```sql
select CONVERT(CAST(username as binary) USING utf8) from users;
```

Here is an example of accessing the data (`myDB.getConnection()` is the connection helper used throughout this post; call setUTF8() before the select and setLatin1() before the insert, as described above):

```java
// Select the row by comparing the recovered utf8 value with a real Unicode parameter
String username = "مجید";
String sqlQuery = "select * from users where" +
                  " CONVERT(CAST(username as binary) USING utf8) = ? ";
try
{
  Connection con = myDB.getConnection();
  PreparedStatement query = con.prepareStatement(sqlQuery);
  query.setString(1, username);
  ResultSet rs = query.executeQuery();
  if (rs.next())
  {
    // Login successful
  }
}
catch (SQLException ex)
{
  ex.printStackTrace();
}

// Insert unicode data in latin1 encoding in Java
sqlQuery = "insert into users (username) values (?)";
try
{
  Connection con = myDB.getConnection();
  PreparedStatement query = con.prepareStatement(sqlQuery);
  query.setString(1, username);
  query.executeUpdate();
}
catch (SQLException ex)
{
  ex.printStackTrace();
}
```
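To see what the latin1/utf8 mismatch does to the stored bytes, and why step 4's CONVERT(CAST(... AS BINARY) USING utf8) recovers the text, here is an added example that is not code from the original post. It imitates MySQL's character-set conversions with plain Python strings instead of a live database; the sample rows are constructed here, and the third row shows the case the recovery cannot handle.

```python
SAMPLE_NAME = "\u0645\u062c\u06cc\u062f"   # the post's example username, written with escapes


def stored_value(text):
    """Column contents after an insert over a latin1 connection (PHP's default, step 3).

    The client sends the UTF-8 bytes of `text`; MySQL believes they are latin1
    and stores one latin1 character per byte, so the column holds mojibake.
    """
    return text.encode("utf-8").decode("latin-1")


def bytes_seen_by_latin1_client(stored):
    """Raw column bytes handed to a latin1 connection: PHP gets the original UTF-8 back,
    which is why PHP alone never notices the problem."""
    return stored.encode("latin-1")


def bytes_seen_by_utf8_client(stored):
    """A utf8 connection gets every stored latin1 character re-encoded as UTF-8:
    double-encoded text that no longer matches the real username."""
    return stored.encode("utf-8")


def convert_cast_binary_using_utf8(stored):
    """Model of CONVERT(CAST(col AS BINARY) USING utf8): reinterpret the raw bytes as UTF-8.

    Returns None when the raw bytes are not valid UTF-8, i.e. a row that really
    was latin1 text cannot be recovered this way.
    """
    try:
        return stored.encode("latin-1").decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_user(users, username):
    """Step 4's lookup: `username` is a real Unicode parameter bound over a utf8
    connection and compared against the recovered column value."""
    return [row for row in users
            if convert_cast_binary_using_utf8(row["username"]) == username]


# Constructed table: row 1 written by PHP, row 2 plain ASCII (identical either way),
# row 3 genuine latin1 text that is not valid UTF-8.
USERS = [
    {"id": 1, "username": stored_value(SAMPLE_NAME)},
    {"id": 2, "username": stored_value("alice")},
    {"id": 3, "username": "caf\u00e9"},
]

if __name__ == "__main__":
    s = stored_value(SAMPLE_NAME)
    print(repr(s))
    print(bytes_seen_by_latin1_client(s), bytes_seen_by_utf8_client(s))
    print(find_user(USERS, SAMPLE_NAME))
```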
Posted by majid

How to program in Scheme

History of scheme

The Scheme programming language grew out of earlier programming languages such as Lisp and ALGOL.

Lisp was invented at MIT by John McCarthy in 1958, and ALGOL was created in 1958 at ETH Zurich in a meeting of European and American computer scientists.

Scheme took its syntax from Lisp, and its lexical scope and block structure from ALGOL. In 1971 Sussman, Drew McDermott and Eugene Charniak developed Micro-Planner.
Since there were problems with Planner, Hewitt and his students invented the Actor model of computation in 1972.

Steele and Sussman then wrote a Lisp interpreter using Maclisp and added mechanisms to it so that it could understand Carl Hewitt's Actor model. They decided to try to model Actors in the lambda calculus. They called their modelling system Schemer, following the tradition of naming Lisp-derived languages such as Planner or Conniver. Scheme was called Schemer at the beginning, which stood for Scheme Programmer. [1]

What is Scheme

Scheme is a functional programming language which is similar to the other Lisp dialects and is based on S-Expressions. A Scheme program consists of nested lists, which are the main data structure in this language. A good feature of Scheme is that code can easily be created and executed dynamically. Scheme contains a set of list processing functions such as cons, car and cdr which can be used to process lists and produce new lists. [2]

Scheme is a very simple language; using the lambda calculus, much of the syntax of the language can be derived from more primitive forms. [2]

What is an S-Expression?

An S-Expression is a list-based data structure. It can be a nested list of other S-Expressions and is represented in text as a parenthesized list. Atoms are strings of characters, and all atoms are S-Expressions, so both atoms and lists are S-Expressions [3].

Here are examples of S-Expressions:

abc                     atoms are S-Expressions
(a b c)                 lists are S-Expressions
(a (b) c)               nested lists are S-Expressions

An S-Expression can be a string, a symbol, a number, a boolean, a char, or a list of S-expressions.

You can use the sexp? function to check whether a given value is an S-Expression:

(require 2htdp/universe)
> (sexp? 'abc)
#t
> (sexp? "a")
#t
> (sexp? '(a (b) c))
#t


Description of the different programming paradigms

There are three programming paradigms to compare here: Functional Programming, Procedural Programming and Object-oriented Programming.

  1. Functional Programming

Functions, not objects or procedures, are the fundamental building blocks of a program. So programs are designed by the composition of functions. SCHEME, Lisp, HOPE and ML are examples of functional programming. Functional programming has functions to process lists easily [4].

  2. Imperative Programming (Procedural Programming)

A program is a series of instructions which operate on variables. It is also known as procedural programming. FORTRAN, ALGOL, Pascal, C, MODULA2, Ada and BASIC are examples of procedural programming languages [5].

  3. Object-oriented Programming

Object-oriented programming is characterised by defining classes of objects and their properties. Inheritance of properties reduces the amount of programming needed. Java and C++ are examples of object-oriented programming languages [6].

Example code snippets to demonstrate the principal differences

  • Functional Programming:

    (define sum
      (lambda (x y)
        (+ x y)))

    > (sum 1 2)
    3

It is possible to apply a function to a list easily.
Here is a sample to add VAT to a list of numbers:

(define add-vat
(lambda (x)
(+ (* x 0.175) x)))

(map add-vat '(100 200 150 120 130))

(117.5 235.0 176.25 141.0 152.75)

  • Object-oriented Programming:

    class MyMath {
        public MyMath() {
        }

        public int sum(int x, int y) {
            return x + y;
        }
    }

    public class Main {
        public static void main(String args[]) {
            MyMath math = new MyMath();
            System.out.println(math.sum(12, 230));
        }
    }

  • Imperative Programming:

    #include <stdio.h>

    int sum(int x, int y) {
        return x + y;
    }

    int main(void) {
        int c = sum(12, 230);
        printf("%d ", c);
        return 0;
    }


Advantages & disadvantages of functional programming

  • Advantages:
    The major advantage is that a program written in a functional manner is easy to understand and its functions are easily reusable.
    Since large software can be built from many small functions, each function and its results can be tested separately. A program can often be written in a few lines of code where other languages would need much more, because you can map a function over a list and use the list processing functions to produce the output.
    Functional programming encourages safe ways of programming, and it is easy to catch exceptions and errors [4].
  • Disadvantages:
    The major disadvantage of functional programming is the difficulty of doing input/output, because this is inherently non-functional.
    Another disadvantage is that functional programming is not widely used [4].


  1. History of Scheme, [Online], Available at: [20 May 2010]
  2. Scheme programming language, [Online], Available at: [22 May 2010]
  3. S-Expression, [Online], Available at: [22 May 2010]
  4. Functional Programming, [Online], Available at: [19 May 2010]
  5. Imperative Programming, [Online], Available at: [22 May 2010]
  6. Object Oriented Programming, [Online], Available at: [22 May 2010]
  7. Programming paradigms, [Online], Available at: [20 May 2010]
  8. Functional Programming, [Online], Available at: [20 May 2010]
Posted in Scripts

What is SEO

Search Engine Optimization

SEO stands for Search Engine Optimization, and it is basically optimizing your web page so that it appears at the top of the search engine results. Since Google is the dominant search engine, most SEO work focuses on Google rankings.


Before designing a website, the first step is to gather the data for your website and plan its overall structure: what you need in terms of software and hardware, and the technical requirements in general.

Choosing the right keywords

The next step is to choose high-impression keywords relating to the topic of your website. It is most likely that these keywords are highly competitive and you do not have a good chance to begin with them. To find low-competition keywords, you can try the Google Keyword Tool in AdWords by typing your desired keyword. Let's say we want to build a software website: the Google Keyword Tool gives you the list of keywords related to the term "software", with their competition rank and number of searches per month. Sort by number of searches and pick a few of the top keywords with low competition as the keywords for your website to focus on.

Meta tags and page names

In this step, you need to set the page names in your website according to the desired keywords. If more than one word is the focus of a page, separate the keywords with a dash. So if your website is about software development, you might have a software-development.html page. The next step is to add the keyword to the title tag: <title>Software Development</title>. Writing a good description is as important as the other steps: try to come up with a well-structured one-line description that starts with your keywords and does not exceed 150 characters. In the keywords tag, separate your keywords with commas and start with your main keyword; for our example that would be "software development, software design, web design, …". Again, try not to use more than 8 keywords.

Keyword Density

The next critical step is to write your page content focused on your keywords, with the following criteria:
– Do not exceed a keyword density of 2% for your keywords
– Put your main keyword in the <h1> tag, your second most important keyword in the <h2> tag, and likewise the third keyword in the <h3> tag.
– Keep a good number of unique words per page; at least 400 unique words is a good idea.
You can check the keyword density with one of the various tools you can find through a Google search. Make sure the main keyword is repeated slightly more often than the others in your content.
Also try to embed a picture and name the picture after your main keyword. Make sure it has alt and title attributes as well: <img src="software-development.jpg" alt="Software Development" title="Software development" width="100px" height="100px" />
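A checker for the criteria in this section, as an added example in Python (not from the original post): it computes the density of each keyword phrase, tests whether the keywords sit in the <h1>/<h2>/<h3> tags, and counts unique words. The 2% and 400 thresholds are the post's; the helper names, the density definition (keyword occurrences over total words) and the sample page are this example's own assumptions.

```python
# Added example, not code from the original post: checks page text against
# the density criteria above. Thresholds are the post's own; helper names,
# the density definition (keyword occurrences / total words) and the sample
# page are this example's assumptions.
import re

WORD_RE = re.compile(r"[a-z0-9]+")
HEADING_RE = re.compile(r"<h([123])[^>]*>(.*?)</h\1>", re.I | re.S)


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return WORD_RE.findall(text.lower())


def phrase_count(words, phrase):
    """Occurrences of a (possibly multi-word) keyword in a token list."""
    target = tokenize(phrase)
    n = len(target)
    if n == 0 or n > len(words):
        return 0
    return sum(1 for i in range(len(words) - n + 1) if words[i:i + n] == target)


def keyword_density(text, phrase):
    """Keyword occurrences over total words, as a percentage."""
    words = tokenize(text)
    return 100.0 * phrase_count(words, phrase) / len(words) if words else 0.0


def headings_match(html, keywords):
    """Does keyword i appear in the <h(i+1)> tag, as the post recommends?"""
    found = {level: tokenize(body) for level, body in HEADING_RE.findall(html)}
    return {"h%d" % (i + 1): phrase_count(found.get(str(i + 1), []), kw) > 0
            for i, kw in enumerate(keywords[:3])}


def check_page(text, keywords, max_density=2.0, min_unique=400):
    """Density per keyword, which ones exceed the limit, whether the main
    keyword is the most frequent, and the unique-word count."""
    densities = {k: keyword_density(text, k) for k in keywords}
    unique = len(set(tokenize(text)))
    return {
        "densities": densities,
        "over_limit": [k for k, d in densities.items() if d > max_density],
        "main_is_highest": all(densities[keywords[0]] >= d for d in densities.values()),
        "unique_words": unique,
        "enough_unique": unique >= min_unique,
    }


# Constructed sample page: far too short and keyword-heavy on purpose.
SAMPLE_HTML = "<h1>Software Development</h1><h2>Web design</h2><h3>Hosting</h3>"
SAMPLE_TEXT = ("Software development is what we do. Our software development team "
               "builds web design and software design projects.")
```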

Building Backlinks

Once you have built your web pages with the above tips, it is time to add some backlinks. The first and one of the most important places to get your website listed is website. It is the directory used by many other websites, and having your website listed there gives you a guaranteed PageRank, multiple backlinks and a better position in Google search results.
Other places are comment forms that allow a website URL; however, be careful not to list your site on spam sites, and do not spam other sites with your comments either.

Good luck!

Posted in Miscellaneous, SEO


Welcome to my blog.
Here you can find out about my latest projects, articles and notes.

The first programming language I learned was Turbo C++, back in 1996, for about 2 years. After that, I spent my time mostly learning other things such as Visual Basic, 3DStudio Max, Photoshop and Corel Draw.

I started my professional career in 2002 by designing multimedia software. In December 2004, I continued my profession by focusing on website development. During the past years, my experience has grown in various areas such as system administration, databases, programming, graphics and development. In this blog, I will provide you with a brief outline of my activities, tutorials, code snippets and projects which cover the above areas.

My programming skills cover Java, PHP, Flash ActionScript 2 and 3, HTML5, JavaScript, Ajax, ASP.NET, Visual Basic, Scheme, Perl and Linux Bash scripting.

Some of the past activities include:

  • Designing digital advertising content using Flash & Photoshop
  • 3D animation and sound effects with 3DStudio Max & Adobe Premiere
  • Developing open source applications under the SVN and Git version control systems
  • Developing multimedia software using Visual Basic
  • Developing Flash components and interactive content using Adobe Flash and Flex
  • Developing dynamic web applications and websites using PHP, MySQL, HTML and CSS
  • Building distributed systems using Java EJBs and web services on the JBoss application server
  • Mobile development for the Android OS
  • Building Facebook apps

Please feel free to contact me at any time; your messages and feedback are most welcome.

Posted in Miscellaneous