
INFORMATION RISK MANAGEMENT – FROM THEORY TO A HEALTHY BUSINESS
Valentin P. Măzăreanu
Department of Business Information Systems
“Al. I. Cuza” University, Faculty of Economics and Business Administration
vali.mazareanu@feaa.uaic.ro

ABSTRACT

How is risk defined? And what is the definition of risk management?
What is the correct attitude of a good manager in the face of risk? And how
is it that Asian philosophy considers risk a combination of danger and
opportunity? Is it possible to consider risk an opportunity? Or is it just
an unfortunate event?
The risk management concept is relatively new, having entered the business
environment only at the end of the ’90s. According to the Project Management
Institute, risk management is a systematic process of identification, analysis
and response to project risks, a process which includes risk identification,
risk quantification, risk response planning and risk response control.
Depending on the author of the methodology, the order or the name of these
sub-processes varies. Thus, risk identification and risk quantification are
sometimes taken together under the name of risk assessment or risk analysis;
the risk response plan also goes under the name of risk mitigation plan; and
the risk response plan and the risk control plan are sometimes taken together
under the name of risk management plan. All these processes are important in
a risk management plan, but one is definitely considered a “landmark” for the
rest, and that is risk assessment.
As we will see in this paper, risk management means taking steps to
identify those risks with a high probability of causing problems, to analyze
the probability of loss and the magnitude of loss for each risk and to build
composed risks from them, and to classify the risk points identified according
to the composed risks they belong to.

In our opinion risk management is much more than being attached to a
model, whatever its name: BS 7799, ISO 17799, TickIT, ITIL, SOX, CobIT,
Octave, Delphi, Mehari, and so forth. Complying with one of the above is not
enough to let you consider, even for a moment, that the business you run is
fully secured and protected from risks.
In this respect we will try to break down the existing barriers in the
theory of information risk assessment, proposing new models and a new
theory. In other words, in this paper we will try to see what the steps are for
transforming risk assessment from a complex theory, not just into a policy
governed by best practices and standards, but well beyond that, into a healthy
way of running day-to-day business.

KEYWORDS: risk, management, assessment, information, security

I. INTRODUCTION

Questions...
But is it enough to give an answer, theoretical by nature, to these
questions in order to be able to consider even for a moment that the business
you run is secured and protected from risks? Or is it enough to adopt a
methodology, a best-practices policy or a standard, such as ISO 17799,
BS 7799, the HIPAA Act, TickIT, ITIL, SOX, CobIT, Octave, Delphi, Mehari, etc.,
keeping in mind that every business has its uniqueness and also that the
risks differ from situation to situation?
Just as examples:
- for an airline ticketing system, the availability of the solution is the key
to business continuity, which calls for solutions that ensure the continuity
of the business;
- for an automobile manufacturer, the confidentiality of plans and projects is
the key to success against the competition, which calls for access control
policies and solutions;
- for a pension calculation system, the integrity of data concerning employees
must be preserved for a long period of time (40-60 years) in order to avoid
future difficulties. Access control policies are important here as well, the
purpose being to keep the collected data trustworthy for a long period of
time.
And here we are, facing some new questions...

II. STATEMENT OF THE PROBLEM

We have to understand that risk differs from entity to entity. And as the
consequences differ, so does the plan to reduce the impact of the risk. We
have seen some situations above, but there can be many others. Here are a
few scenarios that may belong to another area, but which should also be
considered by the risk management and information security department of
any company or public institution. They concern the diversity and
adaptability of the techniques used by a company, a public institution or even
a state to collect information from a competing company, state or
institution, whether in a state of war or of peace. Namely [Silaşi, 2000,
p.121]:
- the discreet assignment of a journalist by a competitor who, under the
pretext of documenting some social aspects of an enterprise, is to observe
its internal activity, its people and its internal publications, and even to
access technical documents;
- financing the research of a university professor on the condition that he
sends interns each year to his sponsor’s competitor and puts some questions
to them; at the end of the internship the professor communicates their
summary to the commissioning company;
- during visits to university laboratories and enterprises, installations,
research and production processes can be reconstructed from photographs;
- sending a number of specialists to job interviews with the competitor,
presenting themselves under false names and with false curricula vitae;
- obtaining database access passwords for a sum of money.
These are examples taken from the business intelligence area, which is
quite close to industrial espionage. And even if there are opinions for and
against regarding the question “is there a link between business intelligence
and industrial espionage?”, with different answers presenting the arguments
of both sides, we must admit that everyday life confronts us with situations
in which it is hard to draw the line between business intelligence and
industrial espionage (e.g. see the Echelon case and the UKUSA agreement).
But information protection does not just mean keeping sensitive
information from being used by the competition; it also means ensuring the
quality of the available information.
Following the GIGO principle (“Garbage in, garbage out”), we must make
sure that information coming from outside (possibly “damaged”, intentionally
or not) does not affect the decision processes within the enterprise. The
causes for such information entering the information flow, which can be put
down to dysfunctions of the filtering/information selection system, are either
chance (because the enterprise has not applied the means to obtain good
quality information) or intent (misinformation or deliberate disinformation).
These are undesirable situations that can be avoided by implementing a good
risk management program.

III. PURPOSE OF THE STUDY

The British politician Benjamin Disraeli (1804 – 1881), speaking mostly
about the ways of reaching professional satisfaction, said: “the secret of
success in life is for a man to be ready for his opportunity when it comes”.
In the same spirit, we are trying to transform this concept into ... the
secret of success in a company’s life is for the business to be ready for an
unfortunate event when it comes.
In other words, we will try to see what the steps are for transforming
risk management from a complex theory, not just into a policy governed by
best practices and standards, but well beyond that, into a healthy way of
running day-to-day business.

IV. REVIEW OF THE LITERATURE

The risk management concept is relatively new, having entered the business
environment only at the end of the ’90s. But there would be no risk
management without first drawing up the concept of risk; the word risk is
derived from the Italian riscare, which means to dare. As a science, risk was
born in the Renaissance era of the 16th century, the age of great discoveries,
when gambling led to the discovery of the theory of probability, the
mathematical heart of risk. The French mathematician Blaise Pascal solved a
puzzle for the gamblers: his solution for how to split the stakes of an
unfinished game, called balla, led to the discovery of the theory of
probabilities, which provides a method for calculating uncertainty [Hall,
1998, p.4].
Today we define risk as the possibility of suffering a loss. The Project
Management Institute defines the concept of risk management as a systematic
process of identification, analysis and response to the risks of the project
[Duncan, 1996, p.111]. But it is not the only institution that handles risk
management.
For the IT area, (information) risk management is an important part of
integrated management, whose purpose is to produce the instruments needed
for analyzing and implementing solutions that reduce the negative effects of
damage to information.
Software Risk Management, as defined by Robert T. Futrell and his
collaborators in the book “Quality Software Project Management”, is the
formal process in which the risk factors are systematically identified,
assessed and their effect reduced [Futrell, 2002, p.587].
Depending on the author of the methodology, the order or the name of
these sub-processes varies. Thus, risk identification and risk quantification
are sometimes taken together under the name of risk assessment or risk
analysis; the risk response plan also goes under the name of risk mitigation
plan; and the risk response plan and the risk control plan are sometimes
taken together under the name of risk management plan.
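The assessment steps that the abstract and this section describe in words (identify risk points, estimate probability and magnitude of loss for each, build composed risks, classify them) can be carried out on a small risk register. The following is an added worked example, not code from the paper or from any of the standards it names; the register entries, the loss figures, the classification thresholds and the conservative default probability for an unestimated point (a reading of the paper's "predisposition to risk" idea) are all constructed assumptions.

```python
"""Risk assessment over a constructed risk register (added example, not the
paper's own method): expected loss = probability of loss x magnitude of loss,
aggregation of risk points into composed risks, ranking and classification."""
from dataclasses import dataclass
from typing import Optional

# Assumption in the spirit of the paper's "predisposition to risk": a risk
# point whose probability nobody has estimated is not treated as harmless;
# it receives a conservative default rather than 0.
DEFAULT_PROBABILITY = 0.5

# Constructed thresholds on expected loss (same units as magnitude), checked
# from the highest class downwards.
THRESHOLDS = (("high", 50_000.0), ("medium", 10_000.0))


@dataclass(frozen=True)
class RiskPoint:
    name: str
    composed_risk: str                    # the composed risk this point belongs to
    magnitude: float                      # magnitude of loss if the event occurs
    probability: Optional[float] = None   # probability of loss in [0, 1], or unknown


def effective_probability(point: RiskPoint) -> float:
    """Probability used for scoring; unknown values get the conservative default."""
    if point.probability is None:
        return DEFAULT_PROBABILITY
    if not 0.0 <= point.probability <= 1.0:
        raise ValueError(f"probability out of range for {point.name!r}")
    return point.probability


def exposure(point: RiskPoint) -> float:
    """Expected loss of a single risk point (probability x magnitude)."""
    return effective_probability(point) * point.magnitude


def classify(expected_loss: float) -> str:
    """Map an expected loss to a class using THRESHOLDS."""
    for label, floor in THRESHOLDS:
        if expected_loss >= floor:
            return label
    return "low"


def compose(points: list) -> dict:
    """Aggregate risk points into composed risks by summing expected losses."""
    composed: dict = {}
    for p in points:
        composed[p.composed_risk] = composed.get(p.composed_risk, 0.0) + exposure(p)
    return composed


def assess(points: list) -> list:
    """Composed risks ranked by expected loss, each with its class and members."""
    composed = compose(points)
    ranked = sorted(composed.items(), key=lambda kv: kv[1], reverse=True)
    return [
        {
            "composed_risk": name,
            "expected_loss": round(total, 2),
            "class": classify(total),
            "points": sorted(p.name for p in points if p.composed_risk == name),
        }
        for name, total in ranked
    ]


# Constructed register mirroring the paper's three scenarios plus the human factor.
SAMPLE_REGISTER = [
    RiskPoint("booking system outage", "availability", 200_000.0, 0.10),
    RiskPoint("single provider for network link", "availability", 40_000.0, 0.20),
    RiskPoint("design documents leaked to a competitor", "confidentiality", 500_000.0, 0.15),
    RiskPoint("key engineer leaves", "human factor", 60_000.0, None),  # unknown -> default
    RiskPoint("silent corruption of pension records", "integrity", 30_000.0, 0.02),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

Running the script ranks the composed risks by expected loss; note that the "human factor" entry, whose probability was never estimated, ends up above the availability risks because of the conservative default rather than disappearing from the list, which is the practical difference between assuming every component is risk-predisposed and assuming it is safe until proven otherwise.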

V. QUESTIONS AND / OR HYPOTHESES

But so far everything we have discussed is just theory. Even the
standards and best-practice policies in information security only tell us that
we should implement a risk management procedure, without going into detail
about how to accomplish an adequate assessment of these risks.
We can talk about management of risks on different levels (at the
information technology level, at the information system level, at the
business process level, at the level of the entire company); we can also talk
about risks belonging to the internal or the external environment; or we can
talk about different types of risk (operational, financial, etc.).
To further underline the importance of risk management practice, we also
quote the words of the legendary investor Warren Buffett [Hyperion, 2005,
From BI to BPM section, para. 6]: “you don’t win by predicting rain. You win
by building an ark.” The idea goes on: “While BI might provide important
insight into the weather, it is BPM that will ultimately empower companies to
get a head-start on building their arks – building them more quickly, more
cost-effectively, and designed more perfectly for the gathering storm.”
The key word in the statement above is really not prediction, but
building. Otherwise we could also ask: is there any point, or worse, should I
still build an ark while the flood is already upon me?
What we are trying to underline in this paper goes in the same direction as
Warren Buffett’s statement. In business, as far as information protection and
security are concerned, relying only on the ability to “predict” a certain
situation, even if that probabilistic study is based on consistent statistical
data and uses complex mathematical models, is still quite a risky practice.
Just as risky is adopting a certain standard or methodology and following it
ad litteram, without noticing what goes on around you.

VI. A NEW APPROACH TO RISK MANAGEMENT

Let us remember that when the famous Golden Gate Bridge was built in
San Francisco, Joseph Strauss, the founder of the project (a symphony in
steel, as John Bernard McGloin, professor at the University of San Francisco,
called it), dismissed one of his best workers because the man, so confident
in himself, refused to follow the required work protection measures (e.g.
wearing a protective helmet, securing himself with safety lines).
Or, more recently, speaking about Google’s human resources policy, Eric
Schmidt (CEO of Google) and Hal Varian (professor at Berkeley and consultant
for Google) highlighted the fact that, in a project, it is almost fatal to
have an intelligent but inflexible person on a team. Exactly for this reason
the combination of recommendations “he is the cleverest person I have ever
met” and “I would never want to work with this person again” is a bad sign
for Google [Schmidt & Varian, 2005, p.48].
The legal system introduces the concept of “the benefit of the doubt”, or
“innocent until proven guilty”, according to which every person is considered
not guilty until proof of his/her guilt is established by a final decision.
If we start from the well-known saying of Cicero, errare humanum est (to
err is human), or from what Paul Williams said in one of his articles in the
series “Thought for the day” [Williams, 2002, para. 10], namely that “even the
best-worded policies and the most technically advanced counter-measures will
not compensate for human stupidity”, we could safely say that, at least as far
as information security seen through the human factor is concerned, risk
management should embrace the concept of “guilty until proven innocent”.
By reshaping this concept so that it is easier to accept, we arrive at the
“predisposition to risk”. (See fig. 1)

Figure 1 A new approach to risk management

This concept can be applied to the human factor (a person is subject to
mistakes and blackmail, is corruptible, etc.) as well as to any other element
(the information system is fragile and can be affected by viruses, by a sudden
power failure or by a natural disaster, etc.; a building’s frame is affected
by the passage of time, etc.).

VII. SAMPLING AND INSTRUMENTATION

When trying to create a risk profile for the implementation of a project,
one takes into consideration aspects related to the project plan, the project
resources, the opportunities and the staff duties, the justification of the
project’s costs and benefits, the proficiency of the project staff and of the
consortium members, the clarity of the project’s requirements and the adequacy
of the managerial techniques. But evidently these are not the only ones.
In this paper we have tried to introduce a new concept, the “predisposition
to risk”, especially where the human factor is concerned.
When talking about the human factor, the elements analysed are: health
and safety at the workplace, the position in the project (the risk of
dependency on key staff) and some aspects of the human resource policies. The
model we propose also takes into consideration the psychological aspect,
namely the identification of the temperamental type and the personality.
Why bother to evaluate the personality?
The reason is predicting behaviour. More exactly, the goal is to be able to
predict the future behaviour of a person without having to rely on
information from the systematic observation of that person. This can be done
with psychological instruments such as Gaston Berger’s test, the Big Five or
the 16 PF tests.

VIII. LIMITATIONS AND DELIMITATIONS

Up to a certain point this approach could be mistaken for the practice of
planning for business continuity and for business recovery (business disaster
recovery plan, business continuity plan). In a few words, these concepts could
be defined as follows:
- Business Continuity: the ability to maintain the availability of business
processes and information within the company.
- Disaster Recovery: recovery of the computing and communication systems
after a natural or man-made disaster, within a defined period of time.
But these practices mainly address the administration of risks associated
with the physical component. This aspect has always been important, but was
perhaps never as publicized as after the events of September 11, 2001. Some
of the economic effects of this unfortunate event:
- shortly afterwards, losses on the international financial markets were
recorded;
- airlines around the world were greatly affected by a dramatic decrease in
the number of passengers;
- the insurance industry registered its greatest loss in history;
- the communications industry suffered a sudden breakdown;
- documents and files vital for running some businesses were lost;
- etc.
Following the September 11 events, a research study published by the
Business Continuity Institute and McKinsey, which analyzed the efficiency of
the existing plans, concluded [Planificarea continuitatii afacerii, 2002,
para. 4]:
- numerous continuity plans were not up to date;
- most of the plans had not considered the loss of key employees within the
company;
- the time needed to resume activity under normal conditions was
underestimated;
- post-traumatic counseling of the employees was not considered in most of
the plans;
- dependency on communication means and electronic equipment had been
underestimated;
- the locations planned for relocation and the reserve equipment available
proved to be insufficient.
One of the lessons learnt from such an event is that no one can anticipate
all disasters and all possible causes of a disaster. For this reason, business
continuity plans must focus on the way in which an unforeseen event can affect
the business itself and the environment/community in which it operates, as
well as on reducing this negative impact.
But let us not forget that a special role in any system is played by the
human factor, perhaps the most uncontrollable component of the environment
and the primary source of uncertainty according to John von Neumann and Oskar
Morgenstern, a component that needs to be considered from at least two points
of view: the risk generated by attacks on the information system, and the risk
generated by the “key position” status of a human resource within the system.

IX. SIGNIFICANCE OF THE STUDY

Through a risk-predisposition philosophy these objectives could be
achieved. Moreover, we consider that the difference between risk management
applied by attempting to predict the unfortunate events that could affect the
flow of the business, and risk management applied by considering every
component of the system as risk-predisposed, would have been felt in the case
of the September 11 attacks, and would likewise determine the success of
present projects.
Citing Murphy and his laws (for example: “the unexpected always takes
place”) is the approach of the realistic pessimist, the person who puts the
worst case first, highlighting (but not without calculation) the negative side
of an uncertain situation out of the desire to be prepared for any kind of
consequence.

X. REFERENCES

Duncan, W. R. (1996). A Guide to the Project Management Body of Knowledge.
Upper Darby: Project Risk Management.

Futrell, T. R., Shafer, F. D., & Shafer, I. L. (2002). Quality Software Project
Management. Upper Saddle River: Prentice Hall PTR.

Hall, M. E. (1990). Managing Risk: Methods for Software Systems Development.
Reading, Massachusetts: Addison Wesley.

Hyperion Solutions Corporation (2005). Transforming Business Intelligence
Into Business Performance Management: Competitive Advantage in the
Information Economy. Retrieved November 12, 2005 from
http://www.technologyevaluation.com

Schmidt, E. & Varian, H. (2005, December). Google-Ten Golden Rules.
Newsweek, 48-50.

Silaşi, G., Stanc, A., & Sava, V. (2000). Inteligenţa Economică, armă a
războiului global. Timisoara: Orizonturi Universitare.

Williams, P. (2002). Thought for the day: The IT danger of coffee. Retrieved
May 14, 2006 from http://www.computerweekly.com/

***, Planificarea continuitatii afacerii (2002, March 1). Risk Management
Newsletter, 1.

ABOUT THE AUTHOR

Valentin P. Măzăreanu is a PhD student at the Faculty of Economics and
Business Administration, Business Information Systems Department, at the
“Alexandru Ioan Cuza” University, Iaşi, România. His work focuses on the
processes of risk management in the new economy. He is currently studying
risk assessment, emerging technologies and e-Government.

Published in: Măzăreanu, P.V., Information Risk Management – From Theory To A Healthy Business, The
Proceedings of International Conference on Business Information Systems, InfoBUSINESS 2006,
Alexandru Ioan Cuza University, Faculty of Economics and Business Administration, Business
Information Systems Department, ISBN 978-973-703-207-2, 973-703-207-1
