Abstract
We are passing through a new "Big Bang", that of the digital economy. We trade through e-Business (not to forget mobile business), we shop from the e-Mall, we pay our taxes through e-Tax, we live in an e-Democracy and we are ruled by an e-Government.
But all these new solutions mean new kinds of risk. We can see that the virtual space is now filled with highly "performant" viruses and worms, capable of attacking mobile phones, PDAs or cars' on-board computers; smart cards require new security measures; companies all over the world implement biometric or behaviometric systems.
We have to understand that in the new economy information risks are everywhere. A good project manager would say: it is a high risk for no risks to be found... Obviously the risk exists! It just has not been identified. Learning about this will make the process of risk identification more productive and so lead to successful management.
This paper tries, in the same spirit, to go over some aspects of risk and information risk management in this world of "e-", where everything contains an element of risk. So a risk management policy is required.
But according to the Software Engineering Institute a question arises: if I implement risk management, does that guarantee success? The answer is... No. There are many aspects to achieving program success. So let's see what to do to improve our chances of succeeding.
Keywords: information security, risk management, new economy, digital economy
[2] @Risk for Project (guide to) - Advanced Risk Analysis for Project Management, Palisade Corporation, 2000, p. 268
[3] Software Engineering Institute, http://www.sei.cmu.edu
[4] Flyvbjerg, Bent, Megaprojects and Risk - an anatomy of ambition, Cambridge, 2003
[5] http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
being assigned to some calls. As a consequence of this there were a large number of exception messages and the system slowed down as the queue of messages grew. Unanswered exception messages generated repeated messages and the lists scrolled off the top of the screens, so that awaiting-attention and exception messages were lost from view. Ambulance crews were frustrated and, under pressure, were slow in notifying the status of their unit. They could not (or would not) use their MDTs and used incorrect sequences to enter the status information. The public were repeating their calls because of the delay in response. The AVLS no longer knew which units were available and the resource proposal software was taking a long time to perform its searches.
- the entire system descended into chaos (examples: one ambulance arrived to find the patient dead and taken away by undertakers; another ambulance answered a 'stroke' call after 11 hours, 5 hours after the patient had made their own way to hospital)
- causes of the failure: the system was implemented by a company with no experience in this field; the LAS crew wasn't instructed in how to use the system; no backup procedures were implemented; the interface design was inadequate; the vendor wanted to enter the market, adopting a low-cost policy which produced a system with problems; the phase of project monitoring was ignored because nobody was named for this position.
Risks appear in any social or economic activity. We can speak about different kinds of risk [6]: technical problems, an unsuccessful market, failure to finish on schedule, unpredictable events, inadequate know-how, failures in manufacturing, failures in design, legal uncertainty. These can be classified as operational risks, financial risks, strategic risks or hazard risks. Risk is a probabilistic event: it is possible for it to appear, and also possible for it not to appear. That is why there is an optimistic tendency to ignore a project's risks or to consider that these risks will not appear. Such attitudes can lead to great problems in case the risks materialize. And when we deal with big projects, risks are inevitable. So we have to understand that in these cases a risk management policy and a risk manager are compulsory. According to the Software Engineering Institute (SEI) [7], risk management is a practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to: assess continuously what could go wrong (risks); determine which risks are important to deal with; implement strategies to deal with those risks. Also, SEI defines seven principles which provide a framework for effective risk management: global perspective, forward-looking view, open communications, integrated management, continuous process, shared product vision, teamwork. The Project Management Institute (PMI) defines Project Risk Management [8] as the process concerned with identifying, analyzing, and responding to project risk. It includes maximizing the results of positive events and minimizing the consequences of adverse events and has the following major processes: Risk Identification - determining which risks are likely to affect the project and documenting the characteristics of each; Risk Quantification - evaluating risks and risk interactions to assess the range of possible project outcomes; Risk Response Development - defining enhancement steps for opportunities and responses to threats; Risk Response Control - responding to changes in risk over the course of the project.

[6] Oprea, Dumitru, Managementul Proiectelor - teorie şi cazuri practice, Sedcom Libris, Iaşi, 2001, pp. 88-89
[7] Idem 3
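The four PMI processes just listed can be walked through on a small risk register. The following Python is an added example, not code from the paper, from PMI or from SEI: the register entries stand for Risk Identification, the exact distribution of total loss (assuming the risks are independent of each other) for Risk Quantification, the accept-or-reject rule for mitigations for Risk Response Development, and the recalculation after a probability changes for Risk Response Control. All risk names, probabilities, impacts and costs are constructed; the three sample risks merely echo the causes of the LAS failure described earlier.

```python
"""Added example (not from the paper): a small project risk register that
walks through the four PMI processes. Every figure below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    probability: float                  # chance the risk materialises
    impact: float                       # loss if it does (one currency unit)
    mitigation_cost: float = 0.0        # cost of the planned response
    mitigated_probability: Optional[float] = None  # probability once mitigated
    mitigated: bool = False             # has the response been accepted?

    def effective_probability(self) -> float:
        if self.mitigated and self.mitigated_probability is not None:
            return self.mitigated_probability
        return self.probability


# Risk Identification: the register (constructed entries, inspired by the
# causes of the LAS failure described in the paper).
def build_register() -> List[Risk]:
    return [
        Risk("vendor without domain experience", 0.5, 100.0,
             mitigation_cost=20.0, mitigated_probability=0.2),
        Risk("no backup procedures", 0.2, 50.0,
             mitigation_cost=20.0, mitigated_probability=0.05),
        Risk("crew not trained on the system", 0.4, 30.0),
    ]


# Risk Quantification: the exact probability mass of the total loss, found by
# convolving each risk's two-point (no loss / full impact) distribution.
# Assumes the risks are independent of each other.
def loss_distribution(risks: List[Risk]) -> Dict[float, float]:
    dist: Dict[float, float] = {0.0: 1.0}
    for r in risks:
        p = r.effective_probability()
        nxt: Dict[float, float] = defaultdict(float)
        for loss, prob in dist.items():
            nxt[loss] += prob * (1.0 - p)          # risk does not occur
            nxt[loss + r.impact] += prob * p       # risk occurs
        dist = dict(nxt)
    return dist


def expected_total_loss(risks: List[Risk]) -> float:
    return sum(loss * prob for loss, prob in loss_distribution(risks).items())


def loss_percentile(risks: List[Risk], q: float) -> float:
    """Smallest total loss L with P(total loss <= L) >= q (e.g. q=0.9)."""
    dist = loss_distribution(risks)
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative + 1e-12 >= q:
            return loss
    return max(dist)


# Risk Response Development: accept a mitigation only when the expected loss
# it removes is larger than what it costs.
def plan_responses(risks: List[Risk]) -> List[str]:
    accepted = []
    for r in risks:
        if r.mitigated_probability is None:
            continue
        saving = (r.probability - r.mitigated_probability) * r.impact
        if saving > r.mitigation_cost:
            r.mitigated = True
            accepted.append(r.name)
    return accepted


# Risk Response Control: probabilities change during the project; update the
# unmitigated probability in the register and report the new exposure.
def update_probability(risks: List[Risk], name: str, new_p: float) -> float:
    for r in risks:
        if r.name == name:
            r.probability = new_p
            break
    else:
        raise KeyError(name)
    return expected_total_loss(risks)


if __name__ == "__main__":
    register = build_register()
    print("expected loss before responses:", expected_total_loss(register))
    print("90th percentile of total loss:", loss_percentile(register, 0.9))
    print("responses accepted:", plan_responses(register))
    print("expected loss after responses:", expected_total_loss(register))
    print("expected loss once crew training cuts that risk to 0.1:",
          update_probability(register, "crew not trained on the system", 0.1))
```

The percentile is the part a single "probability times impact" figure hides: with the constructed register the expected loss is 72, but there is a 10% chance of losing 130 or more, which is the kind of range PMI's Risk Quantification step is meant to expose.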
But in the "e-" era it is hard to talk about risk management dissociated from security policy, information security, security measures and so on. That is why, starting from a Microsoft idea - security is risk management - and wishing to understand the way Romanian managers deal with risks and how they treat risk management in their own business, I will correlate the subject of this paper with the results of market research about information risk management and information security that I coordinated in the spring and summer of 2004. And as we will see, the results raise many questions about how Romanian managers understand how to protect their most valuable capital: information.
The interviewed managers came from a wide range of business fields (industry, education, IT&C, financial services), most of them from the north-east of Romania; 57.2% were small and medium enterprises, 26.5% micro enterprises, and 16.3% big enterprises.
We know from the theory of information security that there are three guidelines for the management of Automated Data Processing Systems. One of these guidelines is the "never alone" one. According to this guideline, the key activities in the information security field must be executed by at least two persons. In this manner illegal operations are prevented. The same requirement, that activities be executed by at least two persons, also holds when dealing with dependence on specialists.

[8] PMBOK Guide - cap. 11, Project Risk Management, Project Management Institute, p. 111, http://www.pmi.org
Let's see now the answers to the question about how many people deal with the key activities in the information security field in your company:
- None: 14.3%
- One person: 49.0%
- Up to 5 people: 26.5%
- More than 5 people: 10.2%
We can see from the 49% for the "one person" option that the risk of dependence on one specialist is a significant one. Another analyzed aspect, correlated with the one above, was the one about the procedures of "staff rotation", a technique connected to the guideline of limited job tenure. According to this guideline, "nobody has to execute for a long time the same key job in a data security department". The answers gave this result: 77.6% - we don't apply this guideline; 22.4% - we apply this guideline.
The question "the functions of your company's information system security are known by..." refers to the guideline of segregation of duties, which says that "nobody has to know anything about the functions of the security system, or to be exposed to problems related to this field, if he or she has no responsibilities in the field of information system security". This guideline is connected with the "got to know" one, the latter specifying that a special position of a person in the organizational structure of a company must not give that person the unlimited right to know special information.
Let's see the answers:
[Chart: answers to the question above. Recovered shares: option 1 - 52.6%, option 2 - 22.8%, option 3 - 17.5%; the legend text naming the options did not survive extraction.]
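The three guidelines discussed in this part of the paper ("never alone", staff rotation and segregation of duties together with "got to know") are easy to state and, as the survey figures show, easy to skip. The following Python is an added example, not code from the paper or from any standard: it encodes the three guidelines as a policy check that a request to execute a key security function must pass, returning one finding per violated guideline so that a denied request explains itself. The operation names, roles, persons, dates and the one-year rotation limit are all constructed assumptions.

```python
"""Added example (not from the paper): the "never alone", staff rotation and
segregation-of-duties / need-to-know guidelines expressed as a policy check.
Operations, roles, people, dates and limits are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Person:
    name: str
    roles: FrozenSet[str]       # roles the person is responsible for
    key_role_since: date        # start of the person's current key job


@dataclass
class Decision:
    allowed: bool
    findings: List[str] = field(default_factory=list)


# Which roles carry responsibility for each key security function; anyone
# else has no need to know about it (constructed operation names).
KEY_OPERATIONS: Dict[str, Set[str]] = {
    "rotate_master_key": {"security"},
    "change_firewall_policy": {"security", "network"},
    "read_security_audit_log": {"security", "audit"},
}

MIN_PERSONS = 2          # "never alone": at least two persons on a key activity
MAX_TENURE_DAYS = 365    # staff rotation: nobody keeps the same key job longer


def authorize(operation: str, actors: List[Person], today: date) -> Decision:
    """Return whether the listed actors may jointly execute the operation
    today, with one finding per violated guideline."""
    required = KEY_OPERATIONS.get(operation)
    if required is None:
        return Decision(False, [f"unknown key operation '{operation}'"])
    findings: List[str] = []

    # Segregation of duties / need to know: a person without a role that is
    # responsible for this function must not take part in it or learn about it.
    for p in actors:
        if not (p.roles & required):
            findings.append(f"{p.name} has no need to know for '{operation}'")

    # "Never alone": the activity needs MIN_PERSONS distinct qualified people.
    qualified = {p.name for p in actors if p.roles & required}
    if len(qualified) < MIN_PERSONS:
        findings.append(f"'{operation}' needs {MIN_PERSONS} qualified persons, "
                        f"got {len(qualified)}")

    # Staff rotation: flag anyone who has held the same key job too long.
    for p in actors:
        tenure = (today - p.key_role_since).days
        if tenure > MAX_TENURE_DAYS:
            findings.append(f"{p.name} has held a key job for {tenure} days; "
                            "rotation overdue")

    return Decision(allowed=not findings, findings=findings)


# Constructed staff and reference date for the demonstration.
ALICE = Person("alice", frozenset({"security"}), date(2025, 1, 10))
BOB = Person("bob", frozenset({"security", "audit"}), date(2025, 3, 1))
CAROL = Person("carol", frozenset({"finance"}), date(2024, 9, 1))
DAVE = Person("dave", frozenset({"security"}), date(2022, 5, 1))
TODAY = date(2025, 6, 1)


if __name__ == "__main__":
    for who in ([ALICE], [ALICE, BOB], [ALICE, CAROL], [ALICE, DAVE]):
        d = authorize("rotate_master_key", who, TODAY)
        print([p.name for p in who], "->", "allowed" if d.allowed else d.findings)
```

Run stand-alone, the four cases show the survey's problem areas one by one: a single security person is refused ("never alone"), a security person plus a finance colleague is refused because the colleague has no need to know, and a security person who has held the same key job for three years is refused until the job rotates; only two qualified, recently rotated people get through.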
[9] Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4, 2003, www.theitportal.com
[10] Williams, Paul, Thought for the day - the IT dangers of coffee, http://www.computerweekly.com
[Chart: personnel vetting practices. Recovered labels: "The personnel is checked after the hiring" and "Every person is checked before hiring"; recovered shares: 34.7% and 10.2%; the remaining categories did not survive extraction.]
[11] Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS), http://www.ceris.ro
[12] http://www.gecad.ro
[13] Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003, p. 49
Conclusions
This paper tries to put face to face the theory of risk management seen through the eyes of information security and the reality of Romanian management. There are many more areas of concern, and certainly there are many question marks about the honesty of the answers because of the confidentiality of the subject analyzed. And it will be interesting to see the way concepts about risk management evolve in these days of information (un-)security. But all these risks must not stop us from going further. As J.F. Kennedy once said: "...any action involves risks and costs which are less than those associated with doing nothing."
Bibliography
1. @Risk for Project (guide to) - Advanced Risk Analysis for Project Management, Palisade Corporation, 2000
2. Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS), http://www.ceris.ro
3. Flyvbjerg, Bent, Megaprojects and Risk - an anatomy of ambition, Cambridge, 2003
4. http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
5. http://www.gecad.ro
6. Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4, 2003, www.theitportal.com
7. Oprea, Dumitru, Managementul Proiectelor - teorie şi cazuri practice, Sedcom Libris, Iaşi, 2001
8. Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003
9. PMBOK Guide - cap. 11, Project Risk Management, Project Management Institute, p. 111, http://www.pmi.org
10. Royer, Paul S., Project Risk Management - A Proactive Approach, Management Concepts, Project Management Institute, Inc., 2000
11. Software Engineering Institute, http://www.sei.cmu.edu
12. Williams, Paul, Thought for the day - the IT dangers of coffee, http://www.computerweekly.com
Published in: Măzăreanu, V., e-Risk in e-World, The Proceedings of the International Conference "The Impact of European Integration on the National Economy", 28-29 October 2005, Cluj Napoca, ISBN 973-651-007-0