Assessment Model of BYOD: Adoption of Personal Devices at the Workplace

Brief History of Mobile Technology; BYOD Methodology

by Steven Jordan, on December 16th 2013.

Chapter II:  Literature Review

     BYOD refers to personal devices that connect to corporate networks.  BYOD may risk concomitant threats to vulnerable corporate systems.  BYOD policy is a network strategy that manages employees’ personal devices.  Companies without BYOD policy may be unprepared as employees overwhelm network resources with smart phones, tablets, and laptops.

     This literature review contributes to the adoption process of BYOD policy.  The adoption process is an initiation phase that consists of “gathering information, outlining and planning” (Bouwman, et al., 2005).  Managers and network administrators may use it as a reference to support decisions on whether to implement or reject BYOD policy.

     This literature review explores the state of BYOD technology in three areas:  (a) historical influences of workplace technologies; (b) qualitative risk and benefit analysis for personal technology at the workplace; and (c) exploration on the selection of BYOD methodology.

This literature review explores the origins of BYOD in chronological order, and is defined by four significant events: (a) Moore’s Law, as it relates to workplace technology; (b) Moore’s Law for Power Consumption; (c) Koomey’s Law, as it relates to mobile efficiency; and (d) Grove’s Law, as it relates to bandwidth controls.

     Moore’s Law.  Gordon Moore established the Intel Corporation in 1968 (Intel, 2013).  Moore’s Law is based on his prediction that states, “The number of transistors incorporated in a chip will approximately double every 24 months” (Intel, 2013).  Moore’s Law is specific to chip complexity, but it is an approximation for all components within a computer system (Koomey, Berard, & Sanchez, 2011, p. 47).  Perpetual innovation of computer systems has changed the way people work.

     Moore’s Law has influenced corporate computing for nearly a half century.  The first punch card tabulator was invented in the late 1880s and was used to automate U.S. census data (Carr, 2008, p. 45).  Punch cards were common by the 1930s (Carr, 2008, p. 47).  In the 1970s employees worked with terminals and datacenter mainframes (Carr, 2008, p. 52).  In the 1980s employees transitioned to desktop PCs (Carr, 2008, p. 55).  Modern workstations have become standard office technology.

      Moore’s law for power consumption.  The popularity of the workstation has created an imbalance between consumption and efficiency.  Workstations use an average 25% of their processing potential; storage capacities average under 50% utilization (Carr, 2008, p. 56).  Electricity is wasted when resources remain idle.  The workstation model is inefficient because it wastes scarce resources.

     Wu-Chen Feng introduced, “Moore’s law for power consumption – that is, the power consumption of computer nodes doubles every 18 months” (Feng, 2003).  Each generation of computer chips consumes more energy and generates more heat (Carr, 2008, p. 57).  Heat reduces computer component reliability as failure rates double with every 18°F increase in temperature (Koomey, Berard, & Sanchez, 2011, p. 49) (Feng, 2003).  Heat is especially harmful to lithium-ion powered gadgets (i.e., smartphones) (Herman, 2011).  Heat causes the average smart phone to lose 35% of its battery capacity per year (Herman, 2011).

     Moore’s law for power consumption presents an obstacle to mobile computing: (a) computers have an insatiable appetite for power consumption; and (b) heat has a negative impact on mobile efficiency.  The amount of energy required to operate PCs does not scale for mobile computing.  As a result, demand for power exceeds the available supply.  Functional scalability for mobile devices requires innovations in efficiency.

     Koomey’s Law.  Consumption and efficiency are important distinctions.  Koomey’s Law states that electrical efficiency of computations “doubled about every 1.5 years” (Koomey, Berard, & Sanchez, 2011, p. 52).  Alternatively, the ratio of power per computation decreases 50% every 1.5 years (Koomey, Berard, & Sanchez, 2011, p. 52).  Koomey’s Law outlines two potential outcomes in regard to computational innovation:  (a) computational capability increases with no change in power consumption; or (b) no change in computational capability with decreases of power consumption.

     Simultaneous increases for power consumption and efficiency are ostensibly at odds. Both models scale well because each variance has different implications.  Consumption is insignificant for workstations because electric outlets supply power.  Efficiency gains are never realized while workstations consume power as their resources remain idle.  On the other hand, mobile devices are battery operated.  Efficiency benefits mobile devices because of their limited supply of power.  Efficiency gains are revolutionary for battery powered mobile devices (Koomey, Berard, & Sanchez, 2011, p. 50).  For example, assume a smart phone manufactured in 2013 will operate for 10 hours.  According to Koomey’s Law, a smart phone manufactured in 2016, with a similar CPU, will operate for 20 hours. Smart devices are available because of efficiency innovations.

     Grove’s Law.  Mobile devices require efficient power to operate.  Mobile devices also require sufficient bandwidth to be useful.  Grove’s Law says, “Telecommunications bandwidth doubles only every century” (Carr, 2008, p. 58).  Claude Shannon’s Information Theory developed the concept of bandwidth.  Shannon’s information formula calculates the maximum rate that data can be sent without error (Hardesty, 2010).

     Shannon’s Information Theory was developed in 1948 (Shannon, 1948).  It took nearly half a century until large volumes of information (i.e., bandwidth) could be transferred over long distances.  Communication infrastructure was built upon copper cables (Carr, 2008, p. 57).  Data travels across copper cables in the form of alternating current.  Sine waves graph the positive and negative oscillations associated with alternating current (Odom, 2006, p. 170).  Frequency is a sine wave measurement that counts the number of contiguous oscillation cycles per second (i.e., alternating current) (Odom, 2006, p. 22).  For example, 3400 cycles per second indicates a frequency of 3400 Hertz (Hz).  Incidentally, analog traffic uses the frequency range of 300 to 3400 Hz (Cisco, 2012).  The 3400 Hz frequency correlates with the 33.6 Kilobits per second (Kbps) analog modem, and demonstrates bandwidth is proportionate to frequency.  Copper cable restricted most commercial data transmission to the 300 to 3400 Hz frequency range until the 1990s (Cisco, 2012).

     Modern telecommunication infrastructure has “repealed Grove’s Law” (Carr, 2008, p. 60).  Internet-fueled growth provides an abundance of fiber optic cable throughout the country (Carr, 2008, p. 59).  Fiber optic cable is an alternative to copper cable for data transport.  Copper cables use alternating currents to transport data.  Fiber optic cables use pulses of light to transport binary (i.e., digital) data (Odom, 2006, p. 149).

     Fiber optic cables differ from copper cables because they operate at higher frequencies (i.e., higher bandwidth capacity).  Long-haul copper cables have a maximum frequency of 100 MHz per km (Gambling, 2000, p. 1091).  The bandwidth of long-haul copper cable is nearly 10 Megabits per second (Mbps).  Until 1992, fiber optic cables had a maximum frequency of 1000 GHz per km (Gambling, 2000, p. 1089).  The bandwidth of long-haul fiber optic cable is nearly 20 Gigabits per second (Gbps).  There is a 10,000 improvement factor from the introduction of fiber optic cable.  The invention of the erbium fiber amplifier (EDFA) in 1987 significantly increased existing fiber optic bandwidth capacity (Gambling, 2000, p. 1089).  Fiber optic cables, when amplified with EDFA, have a frequency of 5000 GHz per km.  Information pulses at 100 Gbps “over 1,000,000 km with zero error” (Gambling, 2000, p. 1089).

     Grove’s Law transcends bandwidth innovation from cables to the airwaves.  Copper and fiber optics transmit data using electrons and light (Odom, 2006, p. 152).  Wireless media uses complex analog radio waves to transmit data (Odom, 2006, p. 153).  Wireless frequencies encompass a wide scope of services: (a) LANs, (b) metropolitan-area networks (MANs), and (c) wide-area networks (WANs) (Froom, Sivaasubramanian, & Frahim, 2010, p. 425).

     Wireless LAN, MAN, and WAN services operate within the 2.4 GHz to 5 GHz range (Froom, et al., 2010, p. 424).  Wireless network technology was first introduced to the public in 2001 (Standage, 2004).  The Institute of Electrical and Electronic Engineers (IEEE) publishes standards that outline wireless technologies (Table 1) (IEEE, 2013).  IEEE standards document substantial increases of wireless bandwidth.  The broadband revolution has begun to take shape and current designs favor mobility.

Risk-Benefit Comparison

     The literature review examines two potential effects of BYOD on an organization:  (a) advantages, and (b) disadvantages.

     Advantages.  ICT departments can be viewed as an institutional process that contributes value to organizations (Brynjolfsson, 2003).  The Alcohol and Tobacco Tax and Trade Bureau (TTB) reduced costs and increased security with their remote access thin client solution (Hughes, 2012).  The TTB policy prevents employees from storing sensitive data on personal property (Hughes, 2012).  TTB’s remote terminal solution reduced legal and compliance complexities (Hughes, 2012).

     Quantifying the value of ICT (e.g., BYOD) is difficult, but not impossible (Brynjolfsson, 2003).  Colgate-Palmolive estimates their BYOD policy saved over $1 million per year by eliminating BlackBerry corporate licenses (Hof, 2011, p. 2).  The savings were realized after BYOD policy allowed personal devices access to corporate email (Hof, 2011, p. 1).

     Organizations can also benefit from returns on productivity and competitiveness (Brynjolfsson, 2003).  For example, Hyundai incorporates smart phones as part of their manufacturing process (BusinessKorea, 2013).  Workers share multimedia message service (MMS) text messages when defects are discovered on the production line (BusinessKorea, 2013).  Hyundai’s smartphone innovation increased overall production output (BusinessKorea, 2013).

     Disadvantages.  Wireless access points with weak encryption can expose organizations to external hacking attempts (Cisco, 2010, p. 180).  Risk is also introduced when an employee unknowingly connects a compromised device to the corporate network.  Smart devices can introduce malware that targets network equipment and servers (Donohue & Stewart, 2010).

     There was a 155% increase in mobile malware across all smartphone platforms from 2010 to 2011 (Juniper, 2012, p. 6).  There was an additional 614% increase in mobile malware from 2012 to 2013 (Juniper, 2013, p. 15).  Similarly, organizations are at risk when employees copy sensitive corporate data to their personal devices (Juniper, 2013, p. 18).  Statistics based on remote management applications indicate that 17% of mobile devices are lost or stolen on an annual basis (Juniper, 2013, p. 18).

     There are circumstances when BYOD policy exposes the privacy of its employees (Barnes, 2013).  Employees may unknowingly provide their employers with administrative control of personal devices (Barnes, 2013).  Employers gain control when employees use their personal devices to check corporate email (Barnes, 2013).  In theory, employers can read private emails (e.g., Gmail) and view personal pictures (Barnes, 2013).  Furthermore, employers have the ability to remotely wipe any smartphone that synchronizes with corporate email services (Juniper, 2013, p. 18).  There are inherent risks for both employers and employees.

Methodology Models

     Methodology provides the processes, assessments, and analysis necessary to determine if technology management facilitates company goals.  The literature review examines three ICT principles of (a) innovation diffusion, (b) general risk management, and (c) organizational design.

     ICT Diffusion. ICT is the science of organizations and technology.  ICT research explores the dissemination of innovations throughout the workplace.  The employee practice of BYOD is innovative because it changes the way people work.  Each step of the diffusion process is identified and documented.  There are four steps to innovation diffusion:

1. The adoption process identifies the need for innovation or change (Bouwman, et al., 2005, p. 58).  Adoption includes information gathering and team building.

2. The implementation process puts a plan into action.  The broad approach identifies the whole diffusion process, adoption through effects, as a single implementation process (Bouwman, et al., 2005, p. 92).

3. The users process identifies stakeholders.  Users can include individuals, groups, and organizations (Bouwman, et al., 2005, p. 94).  For example, individuals use personal devices, and the organization uses BYOD policy.

4. The effects process examines the complete diffusion process.  Analysis provides aggregated results based on process observations.  Results can be expressed as qualitative generalizations or quantitative statistics (Bouwman, et al., 2005, p. 117).

     General Risk Management.  Network risk management is a loss control process.  Risk management is designed to assist decision makers:

1. Identify company assets (White, 2011, p. 482).  Assets are company resources that are vulnerable to threats (White, 2011, p. 482).

2. Identify network threats (White, 2011, p. 482).  Threats are anything that causes harm to a company asset (White, 2011, p. 482).  NIST publishes a comprehensive list of threat events (NIST, 2012).

3. Identify system vulnerabilities (White, 2011, p. 482).  Vulnerabilities are root conditions that expose assets to harm (White, 2011, p. 482).  NIST publishes a comprehensive list of vulnerabilities (NIST, 2012).

4. Estimate the likelihood of an exploit (White, 2011, p. 482).  Likelihood estimates the probability that a threat will exploit a vulnerability (i.e., compromise the production servers) (White, 2011, p. 483).  Likelihood is determined with a risk assessment matrix.

5. Estimate the impact from a harmful event (White, 2011, p. 483).  Impact estimates the loss experienced from a vulnerability that is exploited by a threat (White, 2011, p. 483).  NIST publishes a comprehensive list of adverse impacts (NIST, 2012).

6. Estimate risk through a qualitative risk management matrix.

     Risk is estimated by multiplying vulnerability, impact, and likelihood:  R = V x I x L (Brock, 1999).  The assessment formula is calculated with the risk assessment matrix (Table 2).  The assessment team determines the risk matrix likelihood values.  Choosing the likelihood values requires majority quorum.  The assessment team assigns one risk value to each vulnerability: (a) high risk, (b) medium risk, or (c) low risk.

Organizational Design.

     The Star Model for Decision Making is an organizational design.  The Star Model outlines the problem in common language, forces designs based on long-term goals, and provides decision makers a series of understandable choices (Kates & Galbraith, 2007, p. 2).  The approach begins by identifying the strategic goal.  Subsequent steps outline the goal’s structure, processes, incentives, and people.  The Star Model asks five main questions:  (a) What is being done?  (b) Who is doing it?  (c) Why are they doing it?  (d) How are they doing it?  And, (e) should it be done? (Figure 1)  (Malone, Laubacher, & Dellarocas, 2010).

Figure 1.  Star Methodology outline.

     This literature review concludes organizations will benefit from a network risk assessment process.  The recommendation is based on (a) the historical developments in technology; (b) examination of potential benefits and risks; and (c) BYOD methodology processes.

     History.  The use of personal technology in the workplace is a modern phenomenon.  Personal devices are possible because of recent innovations of power efficiencies and bandwidth.  BYOD is prevalent as a result of technology influencing use.

Benefits and risks.  Mobile personal devices are common tools.  Analysis indicates that organizations can benefit from financial, efficiency, and productivity gains.  On the other hand, personal devices can introduce threats to vulnerable system resources.

Methodology Processes.  There are various methodology processes that can help organizations assess the potential benefits and risks introduced from mobile personal devices.

Chapter III:  Methodology

     The infrastructure goal states that production servers must be available to customers. The network has a successful record for continuous operations.  To date, customers have not experienced major disruptions of services.  Previous successes may be attributed to the collective knowledge and experience of the organization's ICT staff.  In any case, conjectural mitigation is not a prudent strategy.  New security controls are required because employees connect their personal devices to the company network.  Consequently, network threats may manifest as smart devices connect to the corporate network.

     The organization employs a sophisticated network but its mitigation resources are mostly undocumented.  Existing network security processes are unproven propositions because they are based on incomplete information.  Unfounded assumptions, “can lead to broken, misconfigured, or bypassed security mechanisms” (Cisco Press, 2010).  An effective network assessment allows companies to make informed decisions.

Methodology Overview

     This study seeks to align the use of employee personal technology with business strategy.  Methodology provides the processes, assessments, and analysis necessary to determine if technology management facilitates company goals.  It proposes a synthesized methodology, the ICT Risk Assessment Model (IRAM), which provides an in-depth understanding of BYOD policy through a process of systematic planning.  The IRAM model is based on three ICT principles of (a) innovation diffusion, (b) general risk management, and (c) organizational design (Figure 2).  Each principle uniquely contributes to the IRAM methodology goal.  Innovation diffusion provides IRAM with a framework through four diffusion phases.  Risk management identifies risk conditions and uses a qualitative assessment for evaluation.  Organizational design introduces a logical and straightforward interpretation.  Decision makers will benefit from a pithy interpretation.


ICT Diffusion

     Innovation diffusion is the first phase of the IRAM methodology process.  Each step of the innovation diffusion process (i.e., adoption, implementation, use, and effects) is documented:

1. This study identifies BYOD policy as the candidate for change within the organization.  Team participants will include those most familiar with network operations:  system administrators and management.

2. This study uses a narrow interpretation of implementation and emphasizes the design and development.  The focal point for this implementation phase centers on the risk management assessment.

3. This study identifies users as stakeholders.

4. This study takes a narrow interpretation of effects and defers specific analysis to the IRAM organizational design process.  The completed analysis will determine if BYOD policy aligns with company goals.

Risk Management

     Risk management is the second phase of the IRAM methodology process.  Data attributes are identified and applied to the risk assessment.  Likelihood and impact are calculated by proxy of risk assessment:

1. This study identifies the production servers as the primary assets.

2. This study uses a broad interpretation of threats, and identifies four potential events: (a) changing data, (b) deleting data, (c) stealing data, and (d) disruption of services.  Future research may include a narrow scope for threat identification:  For example, viruses, Trojan Horses, worms, and Denial of Service (DoS) attacks.

3. This study uses a broad interpretation of vulnerabilities, and identifies four potential conditions:  (a) infrastructure design, (b) applications, (c) operations, and (d) people.  Future research may include a narrow scope of vulnerabilities:  For example, firewalls, custom macros, policies and procedures, and accidents.

4. Likelihood is expressed in qualitative format during the risk assessment.

5. This study uses a broad interpretation of impact and identifies three potential conditions:  (a) data confidentiality, (b) data integrity, and (c) data availability.  Future research may include a narrow scope of impact:  financial losses, customer losses, etc…

6. The network assessment team identifies risk using the risk assessment matrix (Table 2).
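
The risk estimate outlined under General Risk Management (R = V x I x L, likelihood by majority quorum, one risk value per vulnerability) and applied in this phase can be sketched as follows.  This is an added example, not part of the original study:  the 3-point scale, the score cut-offs, and the sample findings are assumptions, since Table 2 is not reproduced on this page.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed 3-point ordinal scale; the study's Table 2 is not reproduced on the page.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Broad categories named in the study's risk management phase.
VULNERABILITIES = ("infrastructure design", "applications", "operations", "people")
THREATS = ("changing data", "deleting data", "stealing data", "disruption of services")
IMPACTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Finding:
    vulnerability: str        # V: condition that exposes the production servers
    threat: str               # event that could exploit the condition
    impact: str               # I: data property that would be lost
    v_rating: str             # team-agreed rating of the exposure
    i_rating: str             # team-agreed rating of the impact
    likelihood_votes: tuple   # L: one rating per assessor


def quorum(votes):
    """Return the rating backed by a strict majority, or None if there is none."""
    if not votes:
        return None
    rating, count = Counter(votes).most_common(1)[0]
    return rating if 2 * count > len(votes) else None


def risk_level(score):
    """Map the product R = V x I x L (1..27) to a level; cut-offs are assumed."""
    if score >= 12:
        return "high"
    return "medium" if score >= 6 else "low"


def assess(findings):
    """Return ({vulnerability: (level, score, threat)}, findings lacking quorum)."""
    worst, unresolved = {}, []
    for f in findings:
        if (f.vulnerability not in VULNERABILITIES or f.threat not in THREATS
                or f.impact not in IMPACTS):
            raise ValueError(f"category outside the study's scope: {f}")
        likelihood = quorum(f.likelihood_votes)
        if likelihood is None:
            unresolved.append(f)   # no majority: return it to the team, do not guess
            continue
        score = LEVELS[f.v_rating] * LEVELS[f.i_rating] * LEVELS[likelihood]
        # One risk value per vulnerability: keep its highest-scoring finding.
        if f.vulnerability not in worst or score > worst[f.vulnerability][1]:
            worst[f.vulnerability] = (risk_level(score), score, f.threat)
    return worst, unresolved


# Constructed sample: personal devices reaching the production servers.
SAMPLE = [
    Finding("infrastructure design", "disruption of services", "availability",
            "high", "high", ("medium", "medium", "high")),
    Finding("infrastructure design", "stealing data", "confidentiality",
            "medium", "high", ("low", "low", "medium")),
    Finding("people", "stealing data", "confidentiality",
            "high", "high", ("high", "high", "medium")),
    Finding("applications", "changing data", "integrity",
            "low", "medium", ("low", "low", "low")),
    Finding("operations", "deleting data", "integrity",
            "medium", "medium", ("low", "medium", "high")),
]

if __name__ == "__main__":
    register, pending = assess(SAMPLE)
    for vuln, (level, score, threat) in sorted(register.items(),
                                               key=lambda kv: -kv[1][1]):
        print(f"{vuln:22} {level:6} R={score:2}  worst threat: {threat}")
    for f in pending:
        print(f"no quorum on likelihood: {f.vulnerability} / {f.threat}")
```

A finding whose likelihood votes are split is held back rather than scored, so the register only contains values the team actually agreed on.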

Organizational Design

     The Star Model for Decision Making encapsulates IRAM methodology within a simple framework.  Star Model questions are framed according to the project scope.  The results formalize the IRAM methodology into two formats: (a) pithy report, and (b) tabular reference (Table 3).

IRAM Methodology

1. What is the goal?  Data integrity, confidentiality, and reliability are at risk from the combination of vulnerabilities and threats.  The goal is to reduce or prevent the likelihood of production server exploitations.  The IRAM goal aligns with the adoption process of diffusion because an innovation has been identified.

2. Who is at risk?  The organization stakeholders are at risk from vulnerabilities and threats.  The stakeholders are the production processes, data, and systems.  Stakeholders are participants in the usage process of diffusion.

3. Why are the production systems at risk?  Production servers are vulnerable to a wide scope of interactions with infrastructure, applications, operations, and people.  Vulnerabilities are risk conditions that stem from the implementation process of diffusion.

4. How are the production servers at risk?  Circumstances and events can harm production servers with threats of data changes, data theft, data disruption, and data destruction.  Threats are closely related to vulnerabilities, and both components align with the implementation phase of the diffusion process.

5. Should the risk be mitigated?  The IRAM risk assessment matrix estimates the effects and likelihood for vulnerabilities.  Network operators will use the assessment to determine whether controls are needed to mitigate the potential impact from risks.  Risk assessments align with the diffusion process of effects.

Data Analysis

Decision makers can use the IRAM methodology process to help determine if BYOD is appropriate for their organization.  System areas that denote high risk require mitigation.  Medium risk deserves substantial consideration.  Mitigation may be optional for low risk areas.

     This study recommends a detailed qualitative mitigation assessment for systems that require mitigation.  Qualitative mitigation assessments assign monetary values for assets (i.e., production servers) and mitigation processes (i.e., firewalls, anti-virus software, etc…).  Ultimately, organizations must decide if the benefits of BYOD are worth the potential risks.


Barnes, N. M. (2013, September 26). BYOD: balancing employee privacy concerns against employer security needs. Retrieved from Association of Corporate Counsel:
Bouwman, H., Dijk, J. van, Hooff, B. van den, and Wijngaert, L. van de (2005). Information & Communication Technology in Organizations. London:  SAGE Publications.
Brynjolfsson, E. (2003, July). The IT Productivity Gap. Optimize Magazine (21). Retrieved from
BusinessKorea. (2013, November 22). Reason for Increasing Recalls. Seoul, Korea. Retrieved from
Carr, N. (2008). The Big Switch. New York: W. W. Norton & Company, Inc.
Chen, B. X. (2013, May 1st). Cellphone Thefts Grow, but the Industry Looks the Other Way. New York Times, p. A1. Retrieved from
Cisco. (2010). 6.4.3 Wireless Security Solutions. In Cisco, CCNA Security Course Booklet (p. 180). Indianapolis, IN: Cisco Press.
Cisco. (2012). BYOD and Virtualization Survey Report. Indianapolis: Cisco IBSG. Retrieved from
Cisco. (2012, October 16). Digital Subscriber Lines. Retrieved from Cisco Systems, Inc.:
Craig-Wood, K. (2012, April 26). Energy-efficient cloud computing: Jevons Paradox vs. Moore’s Law. Retrieved from Mesmet Blog:
Donohue, D., & Stewart, B. (2010). Campus Network Security. In CCNP Routing and Switching Quick Reference (p. 191). Indianapolis, IN.: Cisco Press.
Feng, W.-c. (2003, October 1). Making a Case for Efficient Supercomputing. Queue - Power Management, 1(7), p. 54. doi:
File, T. (2013). Computer and Internet Use in the United States. Washington DC: U.S. Census P20-569. Retrieved from
Fortinet. (2013, October). Fortinet Internet Security Census 2013. Retrieved from
Froom, R., Sivaasubramanian, B., & Frahim, E. (2010). Implementing Cisco IP Switched Networks (SWITCH). Indianapolis: Cisco Press.
Gambling, W. A. (2000, Nov-Dec). The Rise and Rise of Optical Fibers. IEEE Journal on Selected Topics in Quantum Electronics, 6(6), 1077-1093. doi: 10.1109/2944.902157
Glanz, J. (2012, September 22). The Cloud Factories: Power, Pollution and the Internet. Retrieved from The New York Times:
Hardesty, L. (2010, January 19). Explained: The Shannon limit. Retrieved from Massachusetts Institute of Technology News:
Herman, J. (2011, September 21). Why is My Phone So Hot? Popular Mechanics. Retrieved from
Hof, R. (2011, August 15). Bring Your Own Device. Retrieved from MIT Technology Review:
Hughes, R. (2012, August 13). Allowing Bring Your Own Device with Minimal Policy or Legal Implications. Retrieved from The White House:
IEEE. (2013, December). IEEE Std 802.11. Retrieved from IEEE Standards Association:
Intel. (2013, October 5). Moore's Law and Intel Innovation. Retrieved from Intel:
Juniper Networks. (2012, February). 2011 Mobile Threats Report. Retrieved from Juniper Networks:
Juniper Networks. (2013). Juniper Networks Third Annual Mobile Threats Report. Retrieved from Juniper Networks:
Koomey, J. (2011, February 13). A fascinating encounter with advocates of large rebound effects. Retrieved from Jonathan G. Koomey, PHD.:
Koomey, J., Berard, S., & Sanchez, M. (2011, July-September). Implications of Historical Trends in the Electrical Efficiency of Computing. 33(3), pp. 46-53. doi:
Odom, W. (2006). Networking Basics. Indianapolis: Cisco Press.
Owen, D. (2010, December 20). Annals of Environmentalism the Efficiency Dilemma. The New Yorker, 78-79. Retrieved from
Pew Internet. (2013, October 18). Pew Internet and American Life Project. Retrieved from Tablet and E-reader Ownership Update:
Shannon, C. E. (1948, July, October). A Mathematical Theory of Communication. The Bell System Technical Journal, 27, 379-423, 623-656. Retrieved from
Standage, T. (2004, June 12). A brief history of Wi-Fi. The Economist. Retrieved from
Troianovski, A. (2012, April 3). Optical Delusion? Fiber Booms Again, Despite Bust. Retrieved from The Wall Street Journal:
White, G. (2011). Security+ Certification. In G. White, Security+ Certification (pp. 477-4994). Emeryville: McGraw-Hill.