TO A HEALTHY BUSINESS
Valentin P. Măzăreanu
Department of Business Information Systems
“Al. I. Cuza” University, Faculty of Economics and Business Administration
vali.mazareanu@feaa.uaic.ro
ABSTRACT
In our opinion, risk management is much more than adherence to a
model, whatever its name: BS 7799, ISO 17799, TickIT, ITIL, SOX, CobIT,
Octave, Delphi, Mehari, and so forth. Complying with one of the above is not
enough to consider, even for a moment, that the business you run is fully
secured and protected from risks.
In this respect we will try to break down the existing barriers in the
theory of information risk assessment, proposing new models and a new
theory. In other words, in this paper we will try to identify the steps for
transforming risk assessment from a complex theory not merely into a policy
governed by best practices and standards, but well beyond that, into a healthy
way of running day-to-day business.
I. INTRODUCTION
Questions...
But is it enough to give a theoretical answer to these questions in order
to consider, even for a moment, that the business you run is secured and
protected from risks? Or is it enough to adopt a methodology, a best-practices
policy or a standard, such as ISO 17799, BS 7799, the HIPAA Act, TickIT, ITIL,
SOX, CobIT, Octave, Delphi, Mehari, etc., bearing in mind that every business
is unique and that the risks differ from one situation to another?
Just as examples:
for an airline ticketing system, the availability of the solution is the key
to business continuity, which calls for solutions that ensure the continuity
of the business;
for an automobile manufacturer, the confidentiality of plans and designs is
the key to success against the competition, which calls for access control
policies and solutions;
for a pension calculation system, the integrity of the data concerning
employees must be kept intact for a long period of time (40-60 years) in
order to avoid future difficulties. Access control policies are important here
too, although their purpose is to preserve trust in the collected data over a
long period of time.
And here we are, facing some new questions...
and industrial espionage?" and various answers that present the arguments
for both sides, we must admit that everyday life confronts us with situations
in which it is hard to distinguish between business intelligence and
industrial espionage (see, for example, the Echelon case and the UKUSA
agreement).
But information protection does not just mean preventing sensitive
information from being used by the competition; it also means ensuring the
quality of the information available.
According to the GIGO principle ("garbage in, garbage out"), we must
make sure that information coming from outside (possibly "damaged",
intentionally or not) does not affect the decision-making processes within the
enterprise. The causes for such information entering the information flow,
which can be attributed to dysfunctions of the filtering/information selection
system, are either chance (because the enterprise has not applied the means
to obtain good quality information) or intent (misinformation or deliberate
disinformation).
Here are some undesirable situations that can be avoided by
implementing a good risk management program.
There would be no risk management without first drawing up the concept of
risk; the word risk is derived from the Italian riscare, which means to dare. As
a science, risk was born in the Renaissance era of the 16th century, the age
of great discoveries, when gambling led to the discovery of the theory of
probability, the mathematical heart of risk. The French mathematician Blaise
Pascal solved a puzzle for gamblers: his solution to how to split the stakes of
an unfinished game called balla led to the discovery of the theory of
probability, which provides a method for calculating uncertainty
[Hall, 1998, p.4].
Today we define risk as the possibility of suffering a loss. The Project
Management Institute defines risk management as the systematic process of
identifying, analyzing and responding to the risks of a project [Duncan, 1996,
p.111]. But it is not the only institution that deals with risk management.
In the IT area, (information) risk management is an important part of
integrated management, whose purpose is to produce the instruments
needed for analyzing and implementing solutions that reduce the negative
effects of damage to information.
Software risk management, as defined by Robert T. Futrell and his
co-authors in the book "Quality Software Project Management", is the
formal process in which risk factors are systematically identified, assessed
and their effect reduced [Futrell, 2002, p.587].
Depending on the author of the methodology, the order or the names of
these sub-processes vary. Thus, risk identification and risk quantification are
sometimes taken together under the name of risk assessment or risk
analysis; the risk response plan also appears under the name of risk
mitigation plan; and the risk response plan and the risk control plan are
sometimes taken together under the name of risk management plan.
without going into details regarding the way in which to accomplish an
adequate assessment of these.
This is because we can talk about managing risks at different levels (the
information technology level, the information system level, the business
process level, the level of the entire company); we can also talk about risks
belonging to the internal or external environment; or we can talk about
different types of risk (operational, financial, etc.).
To further underline the importance of risk management practice, we
also quote the legendary investor Warren Buffett [Hyperion, 2005, From BI to
BPM section, para. 6]: "you don't win by predicting rain. You win by
building an ark." The idea continues: "While BI might provide important insight
into the weather, it is BPM that will ultimately empower companies to get a
head-start on building their arks – building them more quickly, more cost-
effectively, and designed more perfectly for the gathering storm."
The key word in the statement above is not really prediction, but
building. Otherwise we could also ask: is there any point in building an ark,
or worse, should I still be building one, when the flood is already here?
What we are trying to underline in this paper goes in the same direction
as Warren Buffett's statement. In business, as far as information protection
and security are concerned, relying only on the ability to "predict" a certain
situation, even when the probabilistic study is based on consistent statistical
data and complex mathematical models, is still quite a risky practice.
Just as risky is adopting a certain standard or methodology and following it
to the letter, without noticing what goes on around you.
Let us remember that when the famous Golden Gate Bridge was built in
San Francisco, Joseph Strauss, the founder of this project (a "symphony in
steel", as John Bernard McGloin, professor at the University of San Francisco,
called it), dismissed one of his best workers because the man, overconfident,
refused to follow the required safety measures (e.g. wearing a protective
helmet, securing himself with safety lines).
Or, more recently, talking about Google's human resources policy, Eric
Schmidt (CEO of Google) and Hal Varian (professor at Berkeley and consultant
for Google) pointed out that, in a project, it is almost fatal to have an
intelligent but inflexible person on the team. For exactly this reason, the
combination of the recommendations "he is the cleverest person I have ever
met" and "I would never want to work with this person again" represents a bad
solution for Google [Schmidt & Varian, 2005, p.48].
The legal system introduces the concept of "the benefit of the doubt", or
"innocent until proven guilty", according to which every person is considered
not guilty until proof of his or her guilt is established by a final decision.
If we start from Cicero's well-known saying errare humanum est (to err is
human), or from what Paul Williams said in one of his articles in the series
"Thought for the day" [Williams, 2002, para. 10], namely that "even the
best-worded policies and the most technically advanced counter-measures
will not compensate for human stupidity", we could safely say that, at least as
far as information security seen through the human factor is concerned, risk
management should adopt the concept of "guilty until proven innocent".
But softening this concept, out of the desire to make it easier to accept, we
arrive at the "predisposition to risk" (see Fig. 1).
This concept can be applied both to the human factor (people make
mistakes, can be blackmailed, are corruptible, etc.) and to any other element
(the information system is fragile and can be affected by viruses, by a sudden
power outage or by a natural disaster, etc.; a building's frame is affected by
the passage of time, etc.).
Business Continuity: the ability to maintain the availability of business
processes and information within the company.
Disaster Recovery: the recovery of the computing and communication systems
after a natural or man-made disaster, within a defined period of time.
But these practices mainly address the administration of risks associated
with the physical component. This aspect has always been important, but was
perhaps never as publicized as after the events of September 11, 2001. Some
of the economic effects of this unfortunate event:
losses on the international financial markets were noticed shortly afterwards;
airlines around the world were greatly affected by a dramatic decrease in the
number of passengers;
the insurance industry registered its greatest loss in history;
the communications industry suffered a sudden disruption;
documents and files vital for running some businesses were lost;
etc.
Following the September 11 events, a research study published by the
Business Continuity Institute and McKinsey, which analyzed the effectiveness
of the existing plans, concluded [Planificarea continuitatii afacerii, 2002, para. 4]:
numerous continuity plans were not up to date;
most of the plans had not considered the loss of key employees within the
company;
the time necessary to resume activity under normal conditions was
underestimated;
post-traumatic counseling of employees was not considered in most of the
plans;
dependency on communication means and electronic equipment was
underestimated;
the planned relocation sites and the reserve equipment available proved to
be insufficient.
One of the lessons learned after such an event is that no one can
anticipate all disasters and all their possible causes. For this reason,
business continuity plans have to focus on the way in which an unforeseen
event can affect the business itself and the environment/community in which
it operates, as well as on reducing this negative impact.
But let us not forget that a special role in any system is played by the
human factor, perhaps the most uncontrollable component of the environment
and, according to John von Neumann and Oskar Morgenstern, the primary
source of uncertainty. It needs to be considered from at least two points of
view: the risk generated by attacks on the information system, and the risk
generated by the "key position" status of a human resource within the
system.
X. REFERENCES
Futrell, R. T., Shafer, D. F., & Shafer, L. I. (2002). Quality Software Project
Management. Upper Saddle River: Prentice Hall PTR.
Information Economy. Retrieved November 12, 2005 from
http://www.technologyevaluation.com
Silaşi, G., Stanc, A., & Sava, V. (2000). Inteligenţa Economică, armă a
războiului global, Timisoara: Orizonturi Universitare.
Williams, P. (2002). Thought for the day: The IT danger of coffee. Retrieved
May 14, 2006 from http://www.computerweekly.com/
Published in Măzăreanu, P.V., Information Risk Management – From Theory To A Healthy Business, The
Proceedings of International Conference on Business Information Systems, InfoBUSINESS 2006,
Alexandru Ioan Cuza University, Faculty of Economics and Business Administration, Business
Information Systems Department, ISBN 978-973-703-207-2, 973-703-207-1