
ISSN 1847-3938

35th International Convention
May 21-25, 2012, Opatija - Adriatic Coast, Croatia
"with MIPRO to knowledge society"
Lampadem tradere
MIPRO proceedings

MIPRO 2012
Jubilee 35th International Convention
May 21 - 25, 2012 Opatija, Croatia

Proceedings
Conferences:

Microelectronics, Electronics and Electronic Technology / MEET
Distributed Computing and Visualization Systems / DC-VIS
Telecommunications & Information / CTI
Computers in Technical Systems / CTS
Intelligent Systems / CIS
Computers in Education / CE
Digital Economy - 9th ALADIN / DE
Information Systems Security / ISS
Business Intelligence Systems / miproBIS
Government, Local Government, Public Services / GLGPS
MIPRO Junior - Student Papers / SP
Edited by:

Petar Biljanović

organized by

MIPRO Croatian Society

under the auspices of

Ministry of Science, Education and Sports of the Republic of Croatia
Ministry of the Maritime Affairs, Transport and Infrastructure of the Republic of Croatia
Croatian Chamber of Economy
Primorsko-Goranska County
City of Rijeka
City of Opatija
Croatian Post and Electronic Communications Agency
IEEE Region 8

co-organizers

University of Rijeka, Croatia
University of Zagreb, Croatia
IEEE Croatia Section
IEEE Croatia Section Computer Chapter
IEEE Croatia Section Electron Devices/Solid State Circuits Societies Joint Chapter
IEEE Croatia Section Education Chapter
Faculty of Engineering, University of Rijeka, Croatia
Faculty of Electrical Engineering and Computing (FER), University of Zagreb, Croatia
Ruđer Bošković Institute, Zagreb, Croatia
Faculty of Maritime Studies, University of Rijeka, Croatia
Faculty of Organization and Informatics, University of Zagreb, Varaždin, Croatia
Croatian Post and Electronic Communications Agency
Croatian Electricity Company (HEP), Zagreb, Croatia
T-Croatian Telecom, Zagreb, Croatia
Ericsson Nikola Tesla, Zagreb, Croatia
Končar - Electrical Industries, Zagreb, Croatia
Nokia Siemens Networks
Siemens, Zagreb, Croatia
VIPnet, Zagreb, Croatia
Micro-Link, Zagreb, Croatia
Jadranska ulaganja, Zagreb, Croatia

sponsors

Croatian Electricity Company (HEP), Zagreb, Croatia
T-Croatian Telecom, Zagreb, Croatia
Ericsson Nikola Tesla, Zagreb, Croatia
Končar - Electrical Industries, Zagreb, Croatia
Nokia Siemens Networks
Siemens, Zagreb, Croatia
Infodata, Zagreb, Croatia
ABB, Zagreb, Croatia
Transmitters and Communications Company, Zagreb, Croatia
VIPnet, Zagreb, Croatia
HROTE - Croatian Energy Market Operator, Zagreb, Croatia
Microsoft Croatia, Zagreb, Croatia
Storm Computers, Zagreb, Croatia
Supra Net, Zagreb, Croatia
Micro-Link, Zagreb, Croatia
Mjerne tehnologije, Zagreb, Croatia
CS Computer Systems, Zagreb, Croatia
Adnet, Zagreb, Croatia
Selmet, Zagreb, Croatia
Vidi-TO, Zagreb, Croatia
Origo, Rijeka, Croatia
ib-proCADD, Ljubljana, Slovenia
In2, Zagreb, Croatia

convention partner

IBM Croatia, Zagreb, Croatia

All papers are published in their original form

For Publisher: Petar Biljanović

Publisher: Croatian Society for Information and Communication Technology, Electronics and Microelectronics - MIPRO
Office: Kružna 8/II, P. O. Box 303, HR-51001 Rijeka, Croatia
Phone/Fax: (+385) 51 423 984

Printed by: GRAFIK, Rijeka

ISBN 978-953-233-069-4

Copyright 2012 by MIPRO All rights reserved. No part of this book may be reproduced in any form, nor may be stored in a retrieval system or transmitted in any form, without written permission from the publisher.

DE
International Conference on DIGITAL ECONOMY - 9th Alpe Adria Danube Universities Initiative (ALADIN)

Steering Committee (chairs and members):
Dragan Čišić, University of Rijeka, Croatia
Edvard Tijan, University of Rijeka, Croatia
Dario Ogrizović, University of Rijeka, Croatia
Ana Perić Hadžić, University of Rijeka, Croatia
Andras Gabor, Corvinus University of Budapest, Hungary
Jože Gričar, University of Maribor, Kranj, Slovenia
Walter Ukovich, University of Trieste, Italy
Christian Kittl, Evolaris Research Lab, Graz, Austria
Anton Lavrin, Technical University of Košice, Slovakia
Bernhard Katzy, Universität der Bundeswehr München, Germany

DIGITAL ECONOMY - 9th Alpe Adria Danube Universities Initiative (ALADIN)

PAPERS (p. 1739)
Global Economic Crisis and Future Perspective of Information Society Innovation and Development, M. Vidas-Bubanja, p. 1741
Microsoft Office 365 Cloud in Business Environment, A. Skendžić, B. Kovačić, p. 1747
Adoption of Smart Technology in Croatian Hotels, B. Krce Miočić, Lj. Zekanović Korona, M. Matešić, p. 1753
E-uprava: e-porezne prijave (E-government: electronic tax returns), I. Arbanas, p. 1759
Competence Database: a Precondition for Successful Transfer of Technology and Knowledge, H. Bezić, P. Karanikić, E. Tijan, p. 1765
Mobile Banking - Financial Services Technology, D. Lacmanović, I. Lacmanović, B. Markoski, p. 1770
Prognosis: Cloudy with SAAS, B. Kraut, p. 1775
eGovernment and the Digital Divide, V. Lazović, T. Đuričković, p. 1778
Investment Analysis of Information Security Management in Croatian Seaports, S. Aksentijević, E. Tijan, B. Hlača, p. 1783
QR Codes as a Time Management Tool in m-Learning, I. Čulumović Županović, E. Tijan, p. 1789
Improvement of System for Distance Learning Based on Dialogue by Appliance of Statistical Analysis, B. Kovačić, I. Jugo, V. Slavuj, p. 1794

INFORMATION SYSTEMS SECURITY

PAPERS (p. 1801)
Security of Service Requests for Cloud Based m-Commerce, I. Kounelis, J. Löschner, D. Shaw, S. Scheer, p. 1803
A New Methodology for Security Evaluation in Cloud Computing, S. Ristov, M. Gusev, M. Kostoska, p. 1808


International Program Committee

Petar Biljanović, President, Croatia; A. Abelló Gamazo, Spain; S. Amon, Slovenia; M.E. Auer, Austria; M. Baranović, Croatia; L. Bellatreche, France; N. Bogunović, Croatia; A. Budin, Croatia; Ž. Butković, Croatia; Ž. Car, Croatia; M. Colnarič, Slovenia; A. Cuzzocrea, Italy; M. Čičin-Šain, Croatia; D. Čišić, Croatia; T. Eavis, Canada; M. Ferrari, Italy; B. Fetaji, Macedonia; T. Galinac Grbac, Croatia; L. Gavrilovska, Macedonia; M. Golfarelli, Italy; S. Golubić, Croatia; F. Gregoretti, Italy; N. Guid, Slovenia; Y. Guo, United Kingdom; J. Henno, Estonia; L. Hluchy, Slovakia; V. Hudek, Croatia; Ž. Hutinski, Croatia; M. Ivanda, Croatia; H. Jaakkola, Finland; R. Jones, Switzerland; P. Kacsuk, Hungary; A. Karaivanova, Bulgaria; M. Karasek, Czech Republic; B. Katzy, Germany; C. Kittl, Austria; D. Knežević, Croatia; M. Mauher, Croatia; B. Mikac, Croatia; V. Milutinović, Serbia; A.-I. Mincu, Slovenia; V. Mrvoš, Croatia; J.F. Novak, Croatia; J. Pardillo, Spain; N. Pavešić, Slovenia; I. Petrović, Croatia; R.S. Popović, Switzerland; G. Radić, Croatia; S. Ribarić, Croatia; K. Skala, Croatia; I. Sluganović, Croatia; V. Smokvina, Croatia; N. Stojadinović, Serbia; J. Sunde, Australia; A. Szabo, IEEE Croatia Section; L. Szirmay-Kalos, Hungary; D. Šimunić, Croatia; A. Teixeira, Portugal; A.M. Tjoa, Austria; R. Trobec, Slovenia; I. Turić-Prstačić, Croatia; W. Ukovich, Italy; I. Uroda, Croatia; T. Vámos, Hungary; M. Varga, Croatia; B. Vrdoljak, Croatia; R. Wrembel, Poland; B. Zajc, IEEE Region 8, Slovenia

FOREWORD

The Jubilee 35th International ICT Convention MIPRO 2012 was held from 21 to 25 May 2012 in Opatija, on the Adriatic coast of Croatia. The Convention consisted of ten conferences: Microelectronics, Electronics and Electronic Technology (MEET), Distributed Computing and Visualization Systems (DC-VIS), Telecommunications & Information (CTI), Computers in Technical Systems (CTS), Intelligent Systems (CIS), Computers in Education (CE), Digital Economy (DE), Information Systems Security (ISS), Business Intelligence Systems (miproBIS) and Government, Local Government, Public Services (GLGPS). A special conference was dedicated to the work of students: MIPRO Junior - Student Papers (SP). The papers presented at these conferences are contained in this comprehensive Book of Proceedings. All papers were reviewed by an international review board; the list of reviewers is contained in the Book of Proceedings. All positively reviewed papers are included in the Book of Proceedings. These papers were written by authors from industry, scientific institutions, educational institutions, and state and local administration. The convention was organized by the Croatian ICT Association MIPRO with the help of numerous co-organizers, sponsors and patrons, to whom we owe our sincere thanks. We especially single out our gold sponsors T-Croatian Telecom, Ericsson Nikola Tesla, Končar - Electrical Industries and HEP - Croatian Electricity Company, and the silver sponsors Nokia Siemens Networks and IBM Croatia. Our bronze sponsors are Siemens, InfoData, OiV, VIPNet and Adnet. To all who helped organize the 35th International ICT Convention MIPRO 2012 and edit this Book of Proceedings we extend our heartfelt thanks.

Prof. Petar Biljanović, PhD
International Program Committee Chairman


Investment Analysis of Information Security Management in Croatian Seaports

Saša Aksentijević (1), Edvard Tijan (2), Bojan Hlača (3)

(1) Saipem Mediteran Usluge, Alda Colonnella 2, Rijeka, Croatia; Tel: +385 51 65 17 00; Fax: +385 51 65 17 81; E-mail: axy@vip.hr
(2) University of Rijeka, Faculty of Maritime Studies, Studentska 2, 51000 Rijeka, Croatia; Tel: +385 51 33 84 11; Fax: +385 51 33 67 55; E-mail: etijan@pfri.hr
(3) Rijeka Port Authority, Riva 2, 51000 Rijeka, Croatia; Tel: +385 51 35 11 77; Fax: +385 33 17 64; E-mail: bojanhlaca.ri@portauthority.hr

Abstract - Existing models of Information Security Management Systems (ISMS) in seaports usually involve threat evaluation, vulnerability management and risk analysis. Threat evaluation is a catalogue-based analysis that outlines the applicable protection levels for architecture, hardware, software and personnel, with the aim of standardizing the information security management approach. Vulnerability analysis attempts to evaluate the organizational and technical aspects of all information security components in terms of their inherent flaws. Risk analysis combines threat and vulnerability analysis in order to define countermeasures in an objective, measurable and sustainable way. However, all three approaches very often lack any economic and financial analysis of seaport information security investments. In this paper the authors propose a combined model that includes both a technical and a financial approach to information security management and decision-making in Croatian Port Community Systems.

I. INTRODUCTION

Seaport Information Security Management Systems (ISMS) are complex sub-systems of seaport business systems whose goal is to protect the information held in port information systems against breaches of confidentiality, integrity and availability [1]. Because of the complex matrix of risks that threaten seaport information assets, the technical and organizational implementation of such systems is itself complex and is usually associated with high capital investments and operating costs, which can to a large extent be substituted for one another. Insufficient use of economic and financial criteria when deciding on investments in a seaport ISMS has a direct impact on their economic efficiency and profitability; ignoring that need leads to investments with inadequate qualitative and quantitative characteristics, hence to a lower level of operational information security and, in consequence, a diminished ability to generate cash flow. It is therefore of the utmost importance to investigate and analyze the possibilities of financial and economic analysis of seaport ISMS and to propose methods that may be useful in the evaluation of capital investments in such systems [2].

The purpose of this research is to establish that, by using risk assessment techniques together with the technical and legal requirements for a seaport ISMS and correlating them with the financial means available to a particular seaport, it is possible to improve the functioning of the seaport ISMS and to optimize the associated capital investments. The goal is to investigate, analyze and outline the characteristics of capital investments in seaport ISMS, to describe what distinguishes them from other capital investments, to define the connection between technical and legal requirements, and to propose a model that increases the efficiency of information security measures in seaports.

II. FORMS OF CAPITAL SEAPORT ISMS INVESTMENTS

In the usual business finance paradigm, investments are evaluated in terms of assets controlled by and in the possession of the company (here, the seaport) that are able to produce revenue or cash flow, set against the investment, maintenance and related costs incurred. Assets can be tangible (machinery, buildings), intangible (patents, computer programs, goodwill) or financial assets, a special form of asset that produces revenue by itself. The most common tool used by financial managers is to test whether the net present value of the asset, discounted at the marginal cost of capital, is positive and representative for the given type of project.

In the technical sense, a seaport ISMS is composed of the following components, related to each other hierarchically:

1. Organizational forms ensuring alignment with legal requirements,
2. Organizational information policy, in fact the seaport's organizational culture and the abstract knowledge related to the ISMS, resulting in the adequate application of risk mitigation techniques through adequate hardware, software and organizational information security, often formalized by security certification (e.g. ISO 27001:2005) [3],
3. Computer hardware (servers, switches, computers, network appliances, routers),
4. Computer software and solutions.

MIPRO 2012/DE

1783

Each of these components carries a certain level of cost, with a high degree of substitutability between treatment as a capital investment and treatment as an operating cost [4]. Nearly all information security solutions can nowadays be implemented in a form that is financially treated either as an investment or as an operating cost, with no change in user experience: instead of purchasing security software, it can be leased as SaaS (Software as a Service), and instead of purchasing security-related hardware, it can be rented as a cloud computing service. Such a divergence of possible solutions may cause additional problems in the form of a constant need for further training, stemming from the rapid change of production technologies [5], while at the economic and financial level it makes the calculation of total cost of ownership even harder. In practice, a number of related costs are necessary to establish and operate an ISMS, especially those related to the applications and the information and telecommunication infrastructure of seaports. Other ISMS-related costs support the technical disciplines (for example, the cost of training personnel to use new ISMS technologies). ISMS certification, security studies and organizational implementation can also be considered seaport ISMS investments.

III. DIFFICULTIES IN DETERMINING INPUT PARAMETERS OF SEAPORT ISMS INVESTMENTS

As the distance grows between the technical and technological aspect of the seaport ISMS on one side and economic and financial analysis on the other, a number of difficulties appear when determining the input parameters of the financial analysis. Some of them are the following:

1. The decision about an investment in a seaport ISMS depends primarily on risk assessment as a technical discipline. Practical risk assessment does not include quantitative financial indicators; it is based on qualitative factors (experience) and on estimating the likelihood of an undesired outcome. It is an abstract, technical evaluation, and its results are the indicators that information security experts use to decide where to concentrate their efforts in order to achieve the set information security goals. Paradoxically, operational and financial management usually have to make decisions on the basis of a risk assessment that lacks detailed financial analysis. Furthermore, decision-making management does not have specialist technical knowledge; managers are usually reserved towards investing in information security because they do not understand it, and they implicitly accept unreasonable levels of risk. It is equally possible that management overinvests in information security. The conclusion is that information security management in seaports is traditionally separated from the financial analysis of its impact on the business.

2. There is a high degree of substitution between information security investments and costs that can be treated as running costs, which further clouds the investment decision. Treating ISMS solutions as running costs seems at first glance to be the better option, but such a superficial analysis usually leaves out many hidden costs, such as training of technical staff and users, major version upgrades, etc.

3. Software, hardware and telecommunication security solutions in seaports usually carry an inherent need for a long-term maintenance contract, sometimes resulting in undesirable situations such as vendor lock-in. These contracts provide support to users throughout the life of the solution, but very often the solution cannot be used without them: in the case of security software or appliances, for example, without a maintenance contract it would not be possible to obtain the latest security patches or definitions, or to integrate the product into the existing seaport security solutions. Therefore, when analyzing input parameters it is important to determine which part of the initial cost is a true investment and which part is maintenance, in order to determine correctly the total cost of ownership (in fact, of introduction and usage) of a seaport ISMS solution.

4. It is very difficult to estimate the residual value of an ISMS solution in advance. Some information security solutions have a longer technical life than accounting life (for example, technical and network solutions) and can be used after the depreciation period has expired. The functionality of such systems depends on the maintenance options, because the manufacturer can keep the solution viable through software upgrades (which is especially true of software security solutions).

5. In micro, small and medium enterprises there is usually no specialist in-house knowledge available to adequately evaluate the influence of ISMS investments on the business as a whole. Since seaports are typically large enterprises, they should not suffer from inadequate availability of such resources.

IV. ECONOMIC AND FINANCIAL ANALYSIS OF SEAPORT ISMS INVESTMENTS

Economic analysis of ISMS investments typically neglects the analysis of financing sources (own capital, cash flow or financial leverage). The reason is that interest on credit does not diminish the economic potential of an information security solution to produce results; it only lowers the financial potential of the seaport system as a whole. This kind of analysis requires an initial evaluation of the effects of the seaport information security solution using the price levels of the first year of the project or of the solution's life. Costs are the items that detract from the economic potential of the solution. In the context of seaport ISMS solutions, the relevant costs are:

1. initial investment in the information security solution or project,
2. cost of maintenance of the information security solution,
3. material cost of operation (for example, electricity, air conditioning),
4. cost of external solutions and services (for example, consultancy),
5. cost of training employees during implementation,
6. cost of training employees during operation,
7. gross equivalent salaries of employees during implementation.

Economic analysis of ISMS solutions is difficult because it is hard to determine the income (revenue) that offsets the investment costs outlined above. In the classical economic sense, income is the sum of the income earned during the exploitation period and the residual (scrap) value at its end. This income is difficult to evaluate because there is no clear connection between investments in information security and the benefits derived from them. One solution is therefore to evaluate the implemented elements of the ISMS in terms of the potential damage from information risks materializing as security incidents with measurable loss. From a static viewpoint, an investment in a seaport ISMS solution whose cumulative benefit (total avoided damage), increased by the salvage value of the solution, exceeds the total implementation cost is an investment that appears reasonable to pursue.

Financial (cash flow) analysis, unlike economic analysis, also considers the sources of project financing and the obligations towards them (interest), and it includes the time value of money through discounting. Further financial analysis may use different dynamic evaluation methods, including but not limited to [6]:

1. Payback period, the number of years needed to recover the information security investment in the seaport;
2. Discounted payback period, used when the time value of money has to be incorporated;
3. Net present value of the information security investment, the difference between the sum of the discounted cash flows during the lifetime of the solution and the discounted investment;
4. Internal rate of return of the information security solution, the discount rate that equates the net cash flows from using the solution with its investment flows;
5. Profitability index, usable as an additional criterion in seaport ISMS investment analysis: the ratio of the discounted cash flows of the solution during its lifetime to the discounted investments over the period of usage.

V. EVALUATION OF THE INTERNAL RATE OF RETURN (INTERNAL RoR) IN SEAPORT ISMS INVESTMENTS

In the classical paradigm, the internal RoR criterion requires that the discount rate which equates the investment with the net cash flows (the internal rate of return) be higher than the required discount rate set by the risks and the cost of the capital employed. Since security risks are present throughout the deployment period of an information security solution, and the anticipated cash flow, in the form of financially measured risk avoidance, is present throughout its lifetime, the classical internal RoR method can be used to evaluate seaport ISMS solutions. Several aspects of the method have to be considered when using it:

1. It cannot be used to compare or rank different solutions, as its results are not comparable; it can be used only on a standalone basis, in the evaluation of a single information security solution or project.
2. The method assumes that positive net cash flows are reinvested in projects or solutions with an equal RoR, or in other comparable projects. For this reason it overstates the return of projects whose reinvested cash flow goes into projects with a lower RoR. This is particularly true of projects with a high RoR, because it is very difficult for companies to find reinvestment opportunities with an equally high (and attractive) RoR.
3. As a rule, the cash flows of seaport information security solutions should not change algebraic sign more than once (negative for the initial investment, positive thereafter), so the problem of multiple internal RoRs is not expected to arise.
4. Finally, the method provides only a relative measure of the return on a particular seaport information security solution, not its absolute value.

Real application of the internal RoR method to seaport ISMS investment decisions shows that, under the initial constraints, it is possible to calculate the internal RoR of an information security solution or project. Further simulations show that the method is particularly sensitive to three input variables:

1. time (the period of usage of the seaport information security solution or project),
2. the perceived ability of the particular information security solution to generate positive cash flow during its life span,
3. the discount rate used.

The conclusion is therefore that this model can be used in real-life seaport management, the biggest issue being the ability to anticipate the value of the positive cash flow associated with the avoided cost of security incidents.
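As an added worked example, not code from the paper, the following Python block computes the static criterion of Section IV and the dynamic measures listed there (payback, discounted payback, net present value, internal RoR, profitability index) for a constructed seaport ISMS cash-flow series, refuses to report an internal RoR when the series changes sign more than once (point 3 above), and varies the three inputs the authors name: duration, anticipated cash flow and discount rate. All monetary figures, the five-year lifetime and the 8% hurdle rate are assumptions chosen for illustration.

```python
"""Dynamic evaluation of a hypothetical seaport ISMS investment.

Added example, not part of the paper: the cash flows are constructed. t=0 is
the initial investment (negative); each later year carries the financially
measured avoided loss net of running costs; salvage is added in the last year.
"""
from typing import Dict, List, Optional, Tuple


def isms_cash_flows(investment: float, avoided_loss: float, running_cost: float,
                    years: int, salvage: float = 0.0) -> List[float]:
    """Build the net cash-flow series of an ISMS solution (assumed structure)."""
    flows = [-investment] + [avoided_loss - running_cost] * years
    flows[-1] += salvage
    return flows


def static_check(flows: List[float]) -> bool:
    """Section IV static criterion: cumulative avoided damage plus salvage
    exceeds total implementation cost, with no discounting at all."""
    return sum(flows) > 0.0


def npv(rate: float, flows: List[float]) -> float:
    """Net present value at the given discount rate."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows))


def profitability_index(rate: float, flows: List[float]) -> float:
    """PV of the cash flows after t=0 divided by the initial investment."""
    pv_in = sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows) if t > 0)
    return pv_in / -flows[0]


def payback_years(flows: List[float], rate: float = 0.0) -> Optional[float]:
    """Simple (rate=0) or discounted payback period, interpolated inside the
    recovery year; None if the investment is never recovered."""
    cum = flows[0]
    for t in range(1, len(flows)):
        disc = flows[t] / (1.0 + rate) ** t
        if cum + disc >= 0.0:
            return (t - 1) + (-cum / disc if disc else 0.0)
        cum += disc
    return None


def sign_changes(flows: List[float]) -> int:
    """Sign changes in the series; more than one means the internal RoR
    need not be unique (the paper's point 3)."""
    nz = [cf for cf in flows if cf != 0.0]
    return sum(1 for a, b in zip(nz, nz[1:]) if (a < 0.0) != (b < 0.0))


def internal_ror(flows: List[float], lo: float = -0.99, hi: float = 10.0,
                 tol: float = 1e-10) -> Optional[float]:
    """Internal rate of return by bisection on npv(rate) == 0.
    Returns None when several IRRs are possible or no root is bracketed."""
    if sign_changes(flows) != 1:
        return None
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0.0:
        return None
    for _ in range(300):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol:
            return mid
        if (f_mid < 0.0) == (f_lo < 0.0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def evaluate(params: Dict[str, float], hurdle_rate: float) -> Dict[str, object]:
    """All indicators for one solution; 'accept' applies the internal RoR rule
    (IRR above the hurdle rate set by risk and cost of capital)."""
    flows = isms_cash_flows(**params)
    ror = internal_ror(flows)
    return {
        "static_ok": static_check(flows),
        "payback": payback_years(flows),
        "discounted_payback": payback_years(flows, hurdle_rate),
        "npv": npv(hurdle_rate, flows),
        "internal_ror": ror,
        "profitability_index": profitability_index(hurdle_rate, flows),
        "accept": ror is not None and ror > hurdle_rate,
    }


def ror_sensitivity(params: Dict[str, float], variable: str,
                    values: List[float]) -> List[Tuple[float, Optional[float]]]:
    """Recompute the internal RoR while one input (years or avoided_loss) varies."""
    out = []
    for v in values:
        p = dict(params)
        p[variable] = v
        out.append((v, internal_ror(isms_cash_flows(**p))))
    return out


# Constructed inputs (EUR): a five-year solution for a hypothetical port.
BASE = {"investment": 120_000.0, "avoided_loss": 45_000.0,
        "running_cost": 10_000.0, "years": 5, "salvage": 5_000.0}

if __name__ == "__main__":
    for k, v in evaluate(BASE, hurdle_rate=0.08).items():
        print(f"{k:>20}: {v}")
    print("RoR vs duration :", ror_sensitivity(BASE, "years", [3, 5, 8]))
    print("RoR vs cash flow:", ror_sensitivity(BASE, "avoided_loss", [35_000.0, 45_000.0, 55_000.0]))
    print("NPV vs rate     :", [(r, round(npv(r, isms_cash_flows(**BASE)))) for r in (0.05, 0.10, 0.15)])
```

The internal RoR itself does not depend on the discount rate; what the rate changes is the accept/reject decision and the NPV, which is why the last line reports NPV across rates rather than the RoR. A series such as [-100, 230, -132] has two sign changes and two rates that zero its NPV, so the function declines to report one.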


VI. EVALUATION OF THE USAGE OF OTHER METHODS IN SEAPORT ISMS DECISION MAKING

There are several other possible methods for evaluating investments in seaport ISMS solutions. One of them is modern portfolio theory (MPT), which was introduced some 60 years ago and has since been modified to make its initial assumptions more realistic [7]. For example, some variants of MPT attempt to address risk asymmetry (in the classical version of MPT, risks follow a Gaussian, i.e. normal, distribution). These modifications have allowed MPT to be applied not only to investment portfolio optimization but also to research on product quality variation and labour force variation, to the evaluation of personal psychological traits in psychology, and to the enhancement of data search. The basic assumption of portfolio theory applied to information security solutions would be that solutions are not chosen solely according to the individual goals a particular solution achieves; an important part of the overall evaluation is the influence of a particular solution on the other solutions and on the overall level of information security under a particular portfolio selection. The method can thus show how to choose a portfolio that achieves maximum return for a selected risk level or, conversely, minimum risk for a set level of return. While MPT initially seems applicable to the information security domain, whether this is really so has to be checked by careful evaluation of the model's basic assumptions. Several of MPT's assumptions are likely to be problematic when applied to a seaport ISMS:

1. The information security management function is often divided into a technical discipline, handled by technical teams, and the management that decides about ISMS investments. There should be a tight connection between them, but instead there is an inherent struggle: management does not like investments it does not thoroughly understand, while the technical functions prefer completely foolproof systems regardless of their financial impact.
2. Risk assessment in information security is a purely subjective discipline. Those involved in it cannot know all the risks involved, and the technical part of the assessment may be done in a way that lowers the ability of the ISMS solution to reduce security risk.
3. The selection of ISMS solutions should not influence the ability of a particular solution to lower the impact of a possible security incident. In reality it does, because security solutions are highly correlated: introducing one information security solution can change the probability of a security incident related to another, initially unaffected solution.
4. The risk-mitigation ability of the separate components of an ISMS does not follow a normal (Gaussian) distribution, which is a basic requirement of MPT.

Another possible method for determining the composition of an information security system is the Analytic Hierarchy Process (AHP). It is a technique for organizing and analyzing complex decisions, based on quantitative methods but also incorporating a subjective element. AHP does not yield ideal decisions, but it incorporates all important decision-making criteria, even those that initially seem incompatible or incomparable [8]. Their influence is evaluated in relation to the set of goals that have to be achieved, and the alternative solutions are then rated. When using AHP it is necessary to define the criteria that matter for the particular information security investment decision. These criteria are chosen freely, derived from the business requirements related to managing and introducing the ISMS; for example:

1. Lowering information security risk
2. Availability of financing
3. Measurability of direct benefits
4. Availability of internal specialists for ISMS implementation

When using AHP for a seaport ISMS, special attention has to be paid to the consistency ratio (CR) of the subjective pairwise judgements. AHP requires CR to be below 10%: if it is, the inconsistency of the judgements is acceptable; if it is above 10%, the preferences expressed when comparing alternatives should be re-evaluated. Since information security models are complex, this means that AHP is usable when the number of criteria and alternatives is kept small. It may therefore not be best suited to very complex scenarios or to the evaluation of an entire ISMS.
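The following Python block, added here as an example and not part of the paper, derives criterion weights from a pairwise-comparison matrix over the four criteria listed above, computes the consistency ratio with Saaty's random-index table, applies the 10% cut-off, and rates three alternatives by their weighted local priorities. The pairwise judgements, the intransitive counter-example, the three alternatives and their local priorities are all constructed for illustration; the row geometric mean is used as the standard approximation of the principal eigenvector.

```python
"""AHP weights, consistency ratio and alternative ranking for ISMS criteria.

Added example, not from the paper. Priorities come from the row geometric
mean (a standard approximation of the principal eigenvector); CI and CR use
Saaty's random index. All judgements below are constructed.
"""
import math
from typing import Dict, List, Tuple

Matrix = List[List[float]]

CRITERIA = ["risk reduction", "financing", "measurability", "internal specialists"]

# Saaty's random consistency index by matrix order.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Constructed pairwise judgements on the 1..9 scale: PAIRWISE[i][j] says how
# strongly criterion i is preferred over criterion j (reciprocals below the diagonal).
PAIRWISE: Matrix = [
    [1.0, 3.0, 5.0, 7.0],
    [1 / 3, 1.0, 3.0, 5.0],
    [1 / 5, 1 / 3, 1.0, 3.0],
    [1 / 7, 1 / 5, 1 / 3, 1.0],
]

# Constructed intransitive judgements (A > B, B > C, C > A): must be rejected.
INCONSISTENT: Matrix = [
    [1.0, 3.0, 1 / 3],
    [1 / 3, 1.0, 3.0],
    [3.0, 1 / 3, 1.0],
]


def is_reciprocal(a: Matrix) -> bool:
    """Every entry must be positive and a[j][i] == 1 / a[i][j]."""
    n = len(a)
    return all(len(r) == n for r in a) and all(
        a[i][j] > 0 and abs(a[i][j] * a[j][i] - 1.0) < 1e-9
        for i in range(n) for j in range(n))


def priorities(a: Matrix) -> List[float]:
    """Row geometric means normalised to sum 1 (the criterion weights)."""
    n = len(a)
    gm = [math.prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]


def lambda_max(a: Matrix, w: List[float]) -> float:
    """Principal eigenvalue estimate: mean of (A w)_i / w_i."""
    n = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    return sum(aw[i] / w[i] for i in range(n)) / n


def consistency_ratio(a: Matrix) -> Tuple[float, float, float]:
    """Returns (lambda_max, CI, CR): CI = (lambda_max - n) / (n - 1), CR = CI / RI."""
    if not is_reciprocal(a):
        raise ValueError("pairwise matrix must be positive and reciprocal")
    n = len(a)
    lm = lambda_max(a, priorities(a))
    ci = (lm - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return lm, ci, (ci / ri if ri > 0 else 0.0)


def judgements_acceptable(a: Matrix, limit: float = 0.10) -> bool:
    """The paper's rule: CR below 10 % is acceptable, otherwise re-evaluate."""
    return consistency_ratio(a)[2] < limit


def rank_alternatives(weights: List[float],
                      local: Dict[str, List[float]]) -> List[Tuple[str, float]]:
    """Global priority of an alternative = sum over criteria of
    criterion weight x local priority of the alternative under that criterion."""
    scored = [(name, sum(w * s for w, s in zip(weights, scores)))
              for name, scores in local.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed local priorities, ordered as CRITERIA; for each criterion the
# values across the three alternatives sum to 1.
LOCAL: Dict[str, List[float]] = {
    "SaaS security monitoring": [0.30, 0.60, 0.40, 0.50],
    "on-premise appliance":     [0.50, 0.15, 0.35, 0.20],
    "managed security service": [0.20, 0.25, 0.25, 0.30],
}

if __name__ == "__main__":
    w = priorities(PAIRWISE)
    lm, ci, cr = consistency_ratio(PAIRWISE)
    print("weights:", dict(zip(CRITERIA, [round(x, 3) for x in w])))
    print(f"lambda_max={lm:.3f} CI={ci:.3f} CR={cr:.3f} acceptable={judgements_acceptable(PAIRWISE)}")
    print("ranking:", rank_alternatives(w, LOCAL))
    print("inconsistent CR:", round(consistency_ratio(INCONSISTENT)[2], 2))
```

The intransitive matrix is the failure mode the paragraph warns about: its CR is far above 10%, so its preferences would have to be re-elicited before any ranking is trusted. Growing the criteria and alternatives quickly multiplies the pairwise judgements (n(n-1)/2 per matrix), which is the practical reason the method suits small decision models.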

VII. INTEGRATION OF TECHNICAL, ECONOMIC AND FINANCIAL EVALUATION IN THE SEAPORT ISMS INVESTMENT DECISION-MAKING PROCESS

From what has been outlined so far, it is obvious that looking at a seaport ISMS through the technical paradigm alone, or through financial criteria alone, does not lead to adequate results. Both technical and financial criteria have to be used in order to create a robust system of technical and organizational controls that work together to enhance information and process security. Another possible approach is the risk analysis approach, based on the fact that, depending on the structure and organization of its information systems and the type of information processed and stored, every organization requires a different approach to information security, one that cannot be satisfied by a standard catalogue of threats alone. Risk analysis contains both threat and vulnerability analysis. It also lists in detail the parts of the technical and organizational architecture that should be analyzed in terms of protection, threat and vulnerability requirements and business activity, matched against adequate countermeasures. This method may be accompanied by a cost-benefit analysis of the seaport's information security controls, in order to avoid implementing controls that are not really necessary or not financially viable. Some of the considerations when using the different methods of evaluating information security investments in seaports are outlined in Table 1.

Table 1: Different methods of evaluation of seaport information security investments

Method of evaluation    | Complexity | Reliability | Constraints                                                                                                                                               | Applicability
Economic analysis       | low        | low         | static; does not account for time value of money                                                                                                          | high; immediate
Financial analysis      | med.       | med.        | dynamic; accounts for time value of money; highly sensitive to anticipated discount rate                                                                  | high; immediate
Internal rate of return |            |             | dynamic; can be misleading; best used with other profitability indicators; may yield several rates of return; cannot be used to compare different information security projects |
Modern portfolio theory |            |             | very complex; requires determination of the correct distribution and adaptation of the model                                                              |

problematic to anticipate all possible scenarios and to implement all controls. Furthermore, application of basic protection measures is typically late in respect to technology and threat development and it does not contain any financial aspects or analysis. The basic issue in information security decision making is the fact that financial or economic indicators generally do not incorporate the relation towards the technical domain (risk assessment, vulnerabilities). This request has lead to introduction of Return on Security Investment (ROSI) indicator requiring that monetary risk avoidance (savings which are compared to the loss caused by security incidents) has to be higher than the cost of implementation of security control, of course, in a cumulative form [9]. This form of evaluation helps during the seaport information security investment decision making, but it does not create a relation between several possible alternatives because there is no real correlation towards engaged capital level. Therefore, scenario or option analysis combined with technical risk analysis is the only viable way to fully integrate technical information security risks with financial investment analysis.

VIII. CONCLUSION
- applicable, if evaluation of perceived cost of security incident can be obtained

Internal rate of return

med.

high

MPT

high

high

- applicable, if there is available commercial database of security incident distribution or if the port community is collecting its data over past period of time

This process begins with the concentration on threat analysis that might cause security incidents. All different controls related to architecture, organization, personnel, hardware, software, communication and threats are being evaluated and the end result of this process is detailed catalogue or all threats and controls (protections) used to lower the impact of threats. The goal is to reach basic protection level: it is satisfied if all threats that can be foreseen are eliminated by using adequate controls. The advantage of this approach is that is standardizes protection in case that there are low to medium-high needs for controls and the disadvantage is that the total number of threats and protections is so high that it is quite

Complex systems like Croatian seaports are exposed to the challenges of the modern, de-materialized economy. Information security has become a new business function in the past two decades, especially with the introduction of networking and communication technologies. An inevitable additional task in the introduction of Port Community Systems in Croatian seaports is making sure that the data used in them, or transmitted through them, is sufficiently protected from loss of integrity, availability or confidentiality. There are also pronounced legal requirements for information security measures. However, it is a basic business requirement to join two opposed perspectives: the techno-centric one, insisting on the concept of total security, and the financial one, insisting on rational investments that result in a satisfactory and measurable return. The balance between the two perspectives is key in decision making: shifting this balance in either direction results either in diminished financial performance of the seaport or in the implicit acceptance of too high and unreasonable risk levels. There are several proven quantitative methods able to deal with these challenges. It is possible to use modified methods of economic and financial evaluation, similar to the standard models of capital investment evaluation, with the pronounced problem of determining the input parameters. The revenue side of the equation in this case may be determined by quantifying the avoidance of loss caused by incidents in the seaport information systems environment. It is also possible to use the modified internal rate of return method, adjusted to the subject of information security investment. Theoretically, it should also be possible to use modified Modern Portfolio Theory to analyze a portfolio of various information security solutions, but in practice it would be very difficult to determine the input variables properly. The method should also be adjusted to use a distribution other than the normal distribution, which is not applicable in this particular case. Finally, Monte Carlo and other simulation methods might be of use in various simulations. For the selection and rating of competing solutions, the proven Analytic Hierarchy Process method may be used, and in particular phases of decision making, standard linear and non-linear programming methods might be of help. However, in any case, the basic assumption has to be maintained throughout the quantification process, regardless of the chosen method: the summary cost of information security implementation has to outweigh the summary loss caused by security incidents.
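The cost-versus-avoided-loss comparison that runs through the paper (the ROSI indicator of section VII with risk avoidance weighed against control cost in cumulative form, the financial analysis with the time value of money and its discount-rate sensitivity, the IRR caveat of Table 1, and the Monte Carlo simulation mentioned in the conclusion) carried through for one control, as an added worked example. This is not code from the paper; the incident figures, control costs, horizon and the uniform uncertainty ranges are constructed assumptions.

```python
"""Cost versus avoided loss for one seaport ISMS control: ROSI in cumulative
form, NPV at several discount rates, IRR, and a Monte Carlo view of the
uncertain incident parameters. Added example; all input figures are
constructed, not taken from the paper."""
import random

# Constructed input for a single control (hypothetical values).
SLE = 200_000.0           # single loss expectancy of one incident, currency units
ARO = 0.5                 # annual rate of occurrence of that incident
MITIGATION = 0.70         # share of the expected loss the control removes
INITIAL_COST = 120_000.0  # one-off implementation cost (year 0)
ANNUAL_COST = 15_000.0    # running cost in each later year
HORIZON_YEARS = 3


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, the expected yearly loss without the control."""
    return sle * aro


def cumulative_rosi(sle, aro, mitigation, initial_cost, annual_cost, years):
    """ROSI over the horizon: (avoided loss - control cost) / control cost,
    with both sides accumulated over all years as the text requires."""
    avoided = annual_loss_expectancy(sle, aro) * mitigation * years
    cost = initial_cost + annual_cost * years
    return (avoided - cost) / cost


def breakeven_year(sle, aro, mitigation, initial_cost, annual_cost, years):
    """First year in which cumulative avoided loss exceeds cumulative cost
    (undiscounted), or None if it never does within the horizon."""
    avoided_per_year = annual_loss_expectancy(sle, aro) * mitigation
    for year in range(1, years + 1):
        if avoided_per_year * year > initial_cost + annual_cost * year:
            return year
    return None


def cash_flows(sle, aro, mitigation, initial_cost, annual_cost, years):
    """Year 0: implementation cost out; years 1..N: avoided loss minus running cost."""
    net = annual_loss_expectancy(sle, aro) * mitigation - annual_cost
    return [-initial_cost] + [net] * years


def npv(flows, rate):
    """Net present value: the 'financial analysis' row of Table 1."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def irr(flows, low=0.0, high=1.0, tol=1e-7):
    """IRR by bisection. Valid only when NPV changes sign exactly once on
    [low, high]; flows with several sign changes can have several roots
    (the 'may yield several rates of return' caveat of Table 1)."""
    f_low = npv(flows, low)
    if f_low * npv(flows, high) > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR undefined")
    while high - low > tol:
        mid = (low + high) / 2
        if npv(flows, mid) * f_low > 0:
            low = mid
        else:
            high = mid
    return (low + high) / 2


def share_with_positive_npv(rate, samples=5000, seed=1):
    """Monte Carlo: fraction of scenarios whose NPV is positive when ARO and
    SLE are uncertain. The uniform ranges are a constructed assumption; the
    conclusion notes that choosing the right distribution is the hard part."""
    rng = random.Random(seed)
    positive = 0
    for _ in range(samples):
        aro = rng.uniform(0.2, 0.8)
        sle = rng.uniform(100_000, 300_000)
        flows = cash_flows(sle, aro, MITIGATION, INITIAL_COST, ANNUAL_COST, HORIZON_YEARS)
        if npv(flows, rate) > 0:
            positive += 1
    return positive / samples


def summary():
    """All indicators for the constructed control, for printing or testing."""
    args = (SLE, ARO, MITIGATION, INITIAL_COST, ANNUAL_COST, HORIZON_YEARS)
    flows = cash_flows(*args)
    return {
        "ale": annual_loss_expectancy(SLE, ARO),
        "rosi": cumulative_rosi(*args),
        "breakeven_year": breakeven_year(*args),
        "npv_5pct": npv(flows, 0.05),
        "npv_20pct": npv(flows, 0.20),
        "irr": irr(flows),
        "p_positive_npv_10pct": share_with_positive_npv(0.10),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>22}: {value:,.3f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

With these constructed figures the control avoids 70,000 per year, breaks even undiscounted in year three with a cumulative ROSI of about 27%, yet its NPV is positive at a 5% discount rate and negative at 20%, which is the discount-rate sensitivity Table 1 warns about; the IRR of roughly 18% is where the sign flips. The Monte Carlo share (about half of the sampled scenarios positive at 10%) shows how much the verdict depends on the input parameters the conclusion identifies as the main difficulty, and the bisection-based IRR deliberately refuses cash-flow patterns without a single sign change rather than returning one of several possible rates.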

REFERENCES

[1] http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)
[2] Birchler, U., Bütler, M., Information Economics, Routledge Advanced Texts in Economics and Finance, Routledge, 2007, p. 45
[3] International Standard ISO/IEC 27001 - Information technology - Security techniques - Information security management systems - Requirements, SAI Global, Index House, Ascot, Berks, SL5 7EU, UK, p. 13
[4] Hirshleifer, J., Riley, J. G., The Analytics of Uncertainty and Information, Cambridge Surveys of Economic Literature, Cambridge, UK, 1992, p. 98
[5] Malik, K. A., Petroleum Project Evaluation & Investment Decision Making, Institute for Petroleum Development, Austin, Texas, 2011, p. 107
[6] http://www.scribd.com/doc/75998229/Metode-ZaOcjenu-Financijske-Efikasnosti (25.11.2011.)
[7] Elton, E. J., Gruber, M. J., Brown, S. J., Goetzmann, W. N., Modern Portfolio Theory and Investment Analysis, 8th edition, Wiley, Bognor Regis, West Sussex, 2009, p. 74
[8] Haas, R., Meixner, O., An Illustrated Guide to the Analytic Hierarchy Process, Institute of Marketing & Innovation, University of Natural Resources and Applied Life Sciences, Vienna, 2011, p. 5
[9] Sonnenreich, W., Albanese, J., Stout, B., Return On Security Investment (ROSI): A Practical Quantitative Model, SageSecure, LLC, 2005, p. 6
