
E-RISK IN E-WORLD

Valentin - Petru MĂZĂREANU, Ph. D. Student,
Department of Economic Informatics,
Faculty of Economics and Business Administration
"Al. I. Cuza" University of Iaşi, 22 Carol I Blvd., Ro-700505

Abstract
We are passing through a new “Big Bang”, that of the digital economy. We
trade through e-Business (not forgetting mobile business), we shop in the e-Mall, we
pay our taxes through e-Tax, we live in an e-Democracy and we are ruled by an
e-Government.
But all these new solutions bring new kinds of risk. The virtual space is now
filled with highly “performant” viruses and worms, capable of attacking mobile
phones, PDAs or cars’ on-board computers; smart cards require new security
measures; companies all over the world implement biometric or behaviometric
systems.
We have to understand that in the new economy information risks are
everywhere. A good project manager would say: it is a high risk for no risks to be
found... Obviously the risk exists! It simply has not been identified. Learning this
makes the process of risk identification more productive and so leads to
successful management.
This paper tries to go on, in the same spirit, to some aspects of risk and
information risk management in this world of “e-”, where everything contains an
element of risk. So a risk management policy is required.
But, according to the Software Engineering Institute, a question arises: if I implement
risk management, does that guarantee success?
The answer is... No. There are many aspects to achieving program success.
So let’s see what to do to improve our chances of succeeding.
Keywords: information security, risk management, new economy, digital economy

In Project Risk Management, Paul S. Royer[1] defines risk as the
possible future event that can affect the project’s objectives in terms of
costs, schedule or from technical perspectives. The effect could be
positive, in which case the project manager has the opportunity to
improve the project performance and to assess the risks. But most of the
times, the effects are contrary to the objectives. The source of risk and
sometimes even the possibility of its occurrence and the quantification of
its impact on the project’s objectives can be identified. The identification
and risk evaluation processes represent the transformation of something
“unknown” into known risks in order to improve the project management.

[1] Royer, Paul S., Project Risk Management – A Proactive Approach, Management Concepts, Project
Management Institute, Inc. 2000, p.109
Palisade Corporation, the @Risk for Project developer, defines
risk as the uncertainty or variation in the appearance of an event or
decision[2], and the Software Engineering Institute defines the risk concept
citing the Webster dictionary: “Risk is the possibility of suffering loss”[3].
We deal with risk every day and we have learned to accept it. Our
daily decisions are based on analyzing the risks of the different options we
have. Some risks are easily identified (e.g. the risk of a project overrunning
its budget – Example I).
Example I - The Great Belt link[4] - A failure from the budget perspective
- megaproject from the Trans-European Transport Network;
- includes one of the longest suspension bridges in Europe and one of
the longest underwater railway tunnels;
- it connects Denmark (East) with the rest of Europe;
- by the time the project was approved by the Danish parliament
(1987) the estimated budget was 13.9 billion DKK;
- at the end, the final cost was 21.4 billion DKK.
But the risks can be much more complex and have far more devastating
effects (Example II).
Example II - London Ambulance Service[5] - Failure of a computer-aided
dispatch (CAD) system
- the LAS dispatch system is responsible for: receiving calls;
dispatching ambulances based on an understanding of the nature of
the calls and the availability of resources; and monitoring progress
of the response to the call; a computer-aided dispatching system was
to be developed and would include an automatic vehicle locating
system (AVLS) and mobile data terminals (MDTs) to support
automatic communication with ambulances;
- immediately following the system being made operational, the call
traffic load increased. The AVLS could not keep track of the location
and status of units. This led to an incorrect database, so that (a)
units were being dispatched non-optimally and (b) multiple units were
being assigned to some calls. As a consequence there were a
large number of exception messages and the system slowed down as
the queue of messages grew. Unanswered exception messages
generated repeated messages and the lists scrolled off the top of the
screens, so that messages awaiting attention and exception messages were lost
from view. Ambulance crews were frustrated and, under pressure,
were slow in notifying the status of their unit. They could not (or
would not) use their MDTs and used incorrect sequences to enter the
status information. The public were repeating their calls because of
the delay in response. The AVLS no longer knew which units were
available and the resource proposal software was taking a long time
to perform its searches;
- the entire system descended into chaos (examples: one ambulance
arrived to find the patient dead and taken away by undertakers,
another ambulance answered a “stroke” call after 11 hours - 5 hours
after the patient had made their own way to hospital);
- causes of the failure: the system was implemented by a company with
no experience in this field; the LAS crew wasn’t instructed in how to
use the system; no backup procedures were implemented; the
interface design was inadequate; the vendor wanted to enter the
market, adopting a low-cost policy which produced a system with
problems; the phase of project monitoring was ignored because
nobody was appointed to this position.

[2] @Risk for Project (guide to) - Advanced Risk Analysis for Project Management, Palisade
Corporation, 2000, p.268
[3] Software Engineering Institute, http://www.sei.cmu.edu
[4] Flyvbjerg, Bent, Megaprojects and Risk - an anatomy of ambition, Cambridge, 2003
[5] http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
Risks appear in any social or economic activity. We can speak about
different kinds of risk[6]: technical problems, unsuccessful market, failure
to finish on schedule, unpredictable events, inadequate know-how,
failures in manufacturing, failures in design, legal uncertainty. These
can be classified into operational risks, financial risks, strategic risks or
hazard risks. Risk is a probabilistic event – it is possible for it to appear,
and also possible for it not to appear. That is why there is an optimistic
tendency to ignore a project’s risks or to consider that these risks will not
appear. Such attitudes can lead to great problems in case the risks
materialize. And when we deal with big projects, risks are inevitable. So
we have to understand that in these cases a risk management policy and a
risk manager are compulsory. According to the Software Engineering
Institute (SEI)[7], risk management is a practice with processes, methods,
and tools for managing risks in a project. It provides a disciplined
environment for proactive decision making to: assess continuously what
could go wrong (risks); determine which risks are important to deal with;
implement strategies to deal with those risks. Also, SEI defines seven
principles which provide a framework for effective risk management:
global perspective, forward-looking view, open communications,
integrated management, continuous process, shared product vision,
teamwork. The Project Management Institute (PMI) defines Project Risk
Management[8] as the process concerned with identifying, analyzing, and
responding to project risk. It includes maximizing the results of positive
events and minimizing the consequences of adverse events and has the
following major processes: Risk Identification - determining which risks
are likely to affect the project and documenting the characteristics of
each; Risk Quantification - evaluating risks and risk interactions to
assess the range of possible project outcomes; Risk Response
Development - defining enhancement steps for opportunities and
responses to threats; Risk Response Control - responding to changes in
risk over the course of the project.

[6] Oprea, Dumitru, Managementul Proiectelor - teorie şi cazuri practice, Sedcom Libris, Iaşi, 2001,
pp.88-89
[7] Idem 3
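The four PMI processes just listed can be followed step by step on a small risk register. The block below is an added example written for this page, not material from the paper, from PMI or from SEI; the risks, probabilities, impacts (in thousand EUR) and the response thresholds are constructed for illustration, and the decision rules in plan_response are assumptions, not a PMI rule set.

```python
"""Added example (not from the paper): a small risk register walked through the
PMI processes - identification, quantification, response development and
response control. All risks, values and thresholds are constructed."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Tuple


class Response(Enum):
    AVOID = "avoid"          # change the plan so the event cannot occur
    MITIGATE = "mitigate"    # reduce probability or impact
    TRANSFER = "transfer"    # insurance, fixed-price contract, outsourcing
    ACCEPT = "accept"        # monitor it and keep a contingency reserve


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    probability: float   # 0.0 .. 1.0: chance that the event occurs
    impact: float        # loss if it occurs, in thousand EUR (constructed)
    category: str        # operational / financial / strategic / hazard


def exposure(risk: Risk) -> float:
    """Risk Quantification: expected loss = probability x impact."""
    return risk.probability * risk.impact


def rank(register: List[Risk]) -> List[Risk]:
    """Order the register so that the most important risks are treated first."""
    return sorted(register, key=exposure, reverse=True)


def expected_total_loss(register: List[Risk]) -> float:
    """Sum of expected losses: a first estimate of the contingency reserve."""
    return sum(exposure(r) for r in register)


def plan_response(risk: Risk, tolerance: float) -> Response:
    """Risk Response Development. Decision rules assumed for the example:
    likely and costly -> avoid; expected loss above tolerance -> mitigate;
    rare but very costly -> transfer; everything else -> accept."""
    if risk.probability >= 0.5 and risk.impact > tolerance:
        return Response.AVOID
    if exposure(risk) > tolerance:
        return Response.MITIGATE
    if risk.impact > 5 * tolerance:
        return Response.TRANSFER
    return Response.ACCEPT


def update_probability(register: List[Risk], ident: str, new_probability: float) -> List[Risk]:
    """Risk Response Control: re-assess one risk as the project progresses
    and return the re-ranked register (the original list is left untouched)."""
    updated = [replace(r, probability=new_probability) if r.ident == ident else r
               for r in register]
    return rank(updated)


def summarize(register: List[Risk], tolerance: float) -> List[Tuple[str, float, str]]:
    """(ident, expected loss, planned response) for each risk, most important first."""
    return [(r.ident, exposure(r), plan_response(r, tolerance).value) for r in rank(register)]


# Risk Identification: constructed register using the kinds of risk named in the text
TOLERANCE = 100.0   # assumed: expected loss (thousand EUR) the project can absorb
REGISTER = [
    Risk("R1", "technical problems: dispatch software fails under peak load", 0.3, 400.0, "operational"),
    Risk("R2", "failure to finish on schedule", 0.6, 150.0, "operational"),
    Risk("R3", "legal uncertainty: data protection rules change", 0.1, 800.0, "strategic"),
    Risk("R4", "inadequate know-how: the only specialist leaves", 0.4, 180.0, "operational"),
    Risk("R5", "unsuccessful market for the new e-service", 0.2, 50.0, "financial"),
]

if __name__ == "__main__":
    for ident, exp, resp in summarize(REGISTER, TOLERANCE):
        print(f"{ident}: expected loss {exp:6.1f} -> {resp}")
    print(f"expected total loss: {expected_total_loss(REGISTER):.1f}")
    # Risk Response Control: the specialist hands in notice, so R4 becomes likely
    for ident, exp, resp in summarize(update_probability(REGISTER, "R4", 0.8), TOLERANCE):
        print(f"{ident}: expected loss {exp:6.1f} -> {resp}")
```

The point of the last step is the one the text makes about risk being probabilistic: the register is not filled in once, and a risk that was merely "accepted" can move to the top of the list and require a different response when its probability changes.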
But in the “e-” era it is hard to talk about risk management
dissociated from security policy, information security, security measures
and so on. That is why, starting from a Microsoft idea - security is risk
management - and wishing to understand the way Romanian managers
deal with risks and how they treat risk management in their own
business, I will correlate the subject of this paper with the results of a
market research about information risk management and information
security that I coordinated in spring-summer 2004. And as we will
see, the results raise many questions about how Romanian managers
understand how to protect their most valuable capital: information.
The interviewed managers came from a large area of business
fields - industry, education, IT&C, financial services - most of them
from the north-east of Romania; 57.2% were small and medium enterprises,
26.5% micro enterprises, and 16.3% big enterprises.
[8] PMBOK Guide - cap.11, Project Risk Management, Project Management Institute, p.111,
http://www.pmi.org

We know from the theory of information security that there are three
guidelines for the management of Automated Data Processing Systems.
One of these guidelines is the “never alone” one. According to this
guideline, the key activities in the information security field must be
executed by at least two persons. In this manner illegal operations are
prevented. What is said about activities that must be executed by at
least two persons also holds when dealing with dependence on specialists.
Let’s see now the answers to the question about how many people deal
with the key activities in the information security field in your company.

Fig.1 Number of persons involved in key-activities in the fields of information
(pie chart): one person 49.0%; up to 5 people 26.5%; none 14.3%; more than
5 people 10.2%.

We can see from the 49% for the “one person” option that the risk of
dependence on one specialist is a significant one. Another analyzed
aspect, correlated with the one above, was the procedure of
“staff rotation”, a technique connected to the guideline of job-limited
exertion. According to this guideline, “nobody has to execute for a long
time the same key job in a data security department”. The answers
gave this result: 77.6% - we don’t apply this guideline;
22.4% - we apply this guideline.
The question “the functions of your company’s information system
security are known by…” refers to the guideline of
segregation of duties, a guideline which says that “nobody has to
know anything about the functions of the security system, or to be
exposed to problems related to this field, if he or she has no
responsibilities in the field of information system security”. This
guideline is connected with the “got to know” (need-to-know) one, the latter specifying
that a special position of a person in the organizational structure of a
company must not give that person the unlimited right to know
special information.
Let’s see the answers:
Fig.2 Percent of persons who know the functions of the information system
(pie chart). Legend: 1. persons involved in the management of the information
system - 52.6%; 2. persons leading the internal departments of the company -
22.8%; 3. persons with a special position (e.g. company administrators, members
of the council of management, associates) - 17.5%; 4. all the persons interested -
7.0%.
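The three guidelines discussed above (never alone, job-limited exertion, segregation of duties / need-to-know) can be written as checks that a system applies before a key security activity is allowed to run. The block below is an added example for this page, not code from the paper or from any of the cited sources; the persons, their roles, the key activities, the one-year rotation limit and the audit-line format are assumptions. It also goes one step beyond the text: single_points_of_failure reports the key activities that only one person can perform, which is the "dependence on one specialist" that the 49% figure in Fig.1 points at.

```python
"""Added example (not from the paper): enforcing "never alone", staff rotation
and need-to-know before a key security activity runs. Staff, activities and the
rotation limit are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Person:
    name: str
    security_role: Optional[str]            # None: no duties in information security
    in_role_since: Optional[date] = None    # when the current key job started
    capable_of: frozenset = frozenset()     # key activities this person can perform


class SecurityPolicy:
    # assumed rotation period: nobody keeps the same key job longer than a year
    ROTATION_LIMIT = timedelta(days=365)

    def __init__(self, key_activities: Set[str]) -> None:
        self.key_activities = set(key_activities)
        self.audit_log: List[str] = []

    def may_know_security_functions(self, person: Person) -> bool:
        """Segregation of duties / need-to-know: only staff with security
        responsibilities learn how the security system works, whatever their
        position in the organisation."""
        return person.security_role is not None

    def rotation_overdue(self, person: Person, today: date) -> bool:
        """Job-limited exertion: flag people who have held a key job too long."""
        if person.in_role_since is None:
            return False
        return today - person.in_role_since > self.ROTATION_LIMIT

    def violations(self, activity: str, actors: List[Person], today: date) -> List[str]:
        """All guideline violations for a requested key activity; an empty list
        means the activity may proceed."""
        if activity not in self.key_activities:
            return [f"unknown activity: {activity!r} is not a registered key activity"]
        problems: List[str] = []
        if len({p.name for p in actors}) < 2:   # the same person twice does not count
            problems.append("never alone: a key activity needs two different persons")
        for p in actors:
            if activity not in p.capable_of:
                problems.append(f"capability: {p.name} cannot perform {activity!r}")
            if not self.may_know_security_functions(p):
                problems.append(f"need-to-know: {p.name} has no information security responsibility")
            if self.rotation_overdue(p, today):
                problems.append(f"staff rotation: {p.name} has held the same key job too long")
        return problems

    def execute(self, activity: str, actors: List[Person], today: date) -> bool:
        """Run the checks, record the decision in the audit log, return whether allowed."""
        problems = self.violations(activity, actors, today)
        names = ", ".join(sorted({p.name for p in actors}))
        if problems:
            self.audit_log.append(f"DENIED {activity} ({names}): " + "; ".join(problems))
            return False
        self.audit_log.append(f"ALLOWED {activity} ({names})")
        return True


def single_points_of_failure(policy: SecurityPolicy, staff: List[Person]) -> List[str]:
    """Dependence on specialists: key activities that fewer than two authorised
    people can perform can never satisfy "never alone"."""
    weak = []
    for activity in sorted(policy.key_activities):
        capable = [p for p in staff
                   if activity in p.capable_of and policy.may_know_security_functions(p)]
        if len(capable) < 2:
            weak.append(activity)
    return weak


# Constructed staff list and policy (assumptions for the example)
POLICY = SecurityPolicy({"key ceremony", "firewall change", "backup restore"})
STAFF: Dict[str, Person] = {
    "alice": Person("alice", "security officer", date(2024, 9, 1),
                    frozenset({"key ceremony", "firewall change"})),
    "bob": Person("bob", "system administrator", date(2024, 11, 1),
                  frozenset({"key ceremony", "firewall change"})),
    "carol": Person("carol", None),                      # managing director, no security duties
    "dan": Person("dan", "backup operator", date(2023, 3, 1),
                  frozenset({"backup restore"})),        # in the same key job since 2023
}
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    POLICY.execute("key ceremony", [STAFF["alice"], STAFF["bob"]], TODAY)
    POLICY.execute("key ceremony", [STAFF["alice"]], TODAY)
    POLICY.execute("firewall change", [STAFF["alice"], STAFF["carol"]], TODAY)
    POLICY.execute("backup restore", [STAFF["dan"], STAFF["alice"]], TODAY)
    for line in POLICY.audit_log:
        print(line)
    print("single points of failure:", single_points_of_failure(POLICY, list(STAFF.values())))
```

Note that the director (carol) is refused on need-to-know grounds even though she outranks everyone else, which is exactly what the "got to know" guideline asks for, and that the backup restore activity is flagged as a single point of failure before anyone tries to run it.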

Another aspect of ensuring information security is that of the
human resource policy. In fact, the human resource is one of the most
important factors in this subject. Most employees are used to having
access to email and the web as essential business applications, but the
potential risks and cost of misuse can be huge. Some examples[9]: there is
always the risk that an employee may disclose some confidential
material in an email; increasing amounts of work time are being taken up
by the use of email and the Web. And we can add here data theft,
hackers’ attacks, viruses and worms, social engineering. But according
to Paul Williams[10], even the best-worded policies and the most technically
advanced counter-measures will not compensate for human stupidity.
So, one of the questions was about the rules for hiring personnel. And the
answers are:

[9] Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4, 2003,
www.theitportal.com
[10] Williams, Paul, Thought for the day - the IT dangers of coffee, http://www.computerweekly.com
Fig.3 Security policy through human resource policy (pie chart): every person is
checked before hiring 55.1%; the personnel is checked after the hiring 34.7%; the
personnel is not checked 10.2%.

There are different security measures. According to CERIS (The
Center of Expertise and Response for Security Issues)[11], IT security
has seven components: organizational and administrative security,
personnel security, physical security, hardware security, communications
security, software security and security of operations. According to
GeCAD’s consultants[12], these components are: organizational security
(general policies and regulations), communications security (policies,
procedures, and technology), logical security (policies, procedures, and
technology), physical security (secured room, access codes, physical
access control etc.). Other measures[13]: analyzing the intruders’ techniques,
information coding, suppressing acoustic and electromagnetic
radiation.
So one of the questions was about the security measures applied in
Romanian companies. The answers showed that 14% of the
companies apply security of operations, 17.6% apply administrative
security, 15.0% apply software security and 11.9% hardware security,
15.5% apply communications security and 12.4% physical security,
and 13.5% apply other security measures.
Other problems analyzed through the questionnaire: the
documentation risk, the risk generated by software difficulty, the
need for training courses about new threats and new security measures.

[11] Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS), http://www.ceris.ro
[12] http://www.gecad.ro
[13] Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003, p.49
Conclusions
This paper tries to put face to face the theory of risk management
seen through the eyes of information security and the reality of
Romanian management. There are many more areas of concern and
certainly there are many question marks about the honesty of the answers,
because of the confidentiality of the subject analyzed. And it will be
interesting to see the way concepts about risk management evolve in
these days of information (in)security. But all these risks must not stop
us from going further. As J.F. Kennedy once said: “…any action involves
risks and costs which are less than those associated with doing nothing.”

Bibliography
1. @Risk for Project (guide to) - Advanced Risk Analysis for Project Management,
Palisade Corporation, 2000
2. Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS),
http://www.ceris.ro
3. Flyvbjerg, Bent, Megaprojects and Risk-an anatomy of ambition, Cambridge,
2003
4. http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
5. http://www.gecad.ro
6. Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4,
2003, www.theitportal.com
7. Oprea, Dumitru, Managementul Proiectelor-teorie şi cazuri practice, Sedcom
Libris, Iaşi, 2001
8. Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003
9. PMBOKGuide - cap.11, Project Risk Management, Project Management
Institute, p.111, http://www.pmi.org
10. Royer, Paul S., Project Risk Management – A Proactive Approach, Management
Concepts, Project Management Institute, Inc.2000
11. Software Engineering Institute, http://www.sei.cmu.edu
12. Williams, Paul, Thought for the day-the IT dangers of coffee,
http://www.computerweekly.com

Published in: Măzăreanu, V., e-Risk in e-World, The Proceedings of the International Conference “The
Impact of European Integration on the National Economy”, 28-29 October 2005, Cluj Napoca,
ISBN 973-651-007-0
