
7th EUROPEAN CONFERENCE E-COMM-LINE 2006, Bucharest, September 18-19, 2006

E-WORLD VS. INFORMATION RISK MANAGEMENT

Valentin P. Măzăreanu
Department of Business Information Systems
“Al. I. Cuza” University, Faculty of Economics and Business Administration
vali.mazareanu@feaa.uaic.ro

Abstract

Herodotus (c. 484 BC – c. 425 BC), pater historiae, said: caution is a wonderful thing, but foresight is wise. Still, to foresee without taking action cannot have a fundamental impact on the performance of a business or on the success of a project. For this reason, what is essential in running a business or a project, or in administering a human, informational or any other type of resource, whether we are talking about the security of a personal computer or the consistency of a database, about the complexity of an Enterprise Resource Planning (ERP) or e-Business system, or about the newer Electronic Government (e-Government) and Electronic Democracy (e-Democracy) systems, is that the implementation of the project be supported by impeccable risk management.

Key Words: e-business, risk management, information security

Introduction

In 2005 PC Magazine presented, under the title "Digital Future – technologies that will change the way we work", the anticipations of some experts in the field about what is on the horizon regarding electronic business, internet technologies, processing, infrastructure, frontiers and so on. In December 2005 Newsweek released an issue dedicated especially to the technologies expected to dominate the research field in 2006, and in February 2006 Harvard Business Review presented an issue dedicated to the most revolutionary ideas for 2006.

PC Magazine talked about developing intelligent agents, language independence through Unicode, an interplanetary internet, communication based on quantum physics, and so on.

Newsweek talks about the Semantic Web [Berners-Lee, 2005], a way of interaction between data and a language for navigating through this data on the internet which combines the known data with unknown, inaccessible data, thus forming new information; it talks about a new era of search engines [Guterl, 2005] based on the concept of Question Answering, a concept well beyond the familiar Frequently Asked Questions, which would involve programs that make computers understand the questions put by a human user; it talks about the possibility of searching for video clips by recognizing some audio passages from the clip, or about spoken query forms, applicable especially to mobile devices. It also talks about the rapid emergence and growth of AMV culture (anime music video), in which anime cartoons are taken from different media, re-edited on a personal computer and synchronized with famous songs or other video clips, which raises the problem of copyright. Jimmy Wales [Wales, 2005], the founder of Wikipedia, talks about the desire to overcome the restrictions of copyright law in order to introduce Wikibooks, a way of reducing the cost of schoolbooks, a solution suited to poor or developing countries and, ultimately, a solution for distributing knowledge. It also talks about nanorobots inserted into the brain [Kurzweil, 2005] through the bloodstream, capable of making us feel almost anything virtually.

And Harvard Business Review [HBR, 2006, p.37] talks about the emergence of technologies from the BAN (Body Area Network) line, implemented at the level of the clothes we wear every day, of jewellery or even of common cosmetic products, which will "understand" the needs of the body and the way it is influenced by the environment.

In April 2006 [sap.com, 2006], at "The Annual Software 2006 Event", SAP executive Shai Agassi talked about the trends on the software market which companies should follow, among which he emphasized the move towards unique and unified business platforms, or the company's reorientation from particular solutions towards suites of business applications.

We are passing through a new "Big Bang", that of the digital economy. We are thus entering a society in which talking only about capital, labour and nature is no longer enough. Information and information technology are components that can no longer be ignored.

The World of "e-"

As Robert Plant noted [Plant, 2000, p.1], if you ask investors what most characterized Wall Street and the investment market towards the end of the '90s, one aspect comes forward: technology or, more specifically, the internet. It seems it was enough to put ".com" at the end of a company's name for the price of its stock to go up by 10-20% or even more.

The internet changed all the rules by which business was conducted; more than that, it changed everyone's life, especially through the new ways in which people can now interact.

We trade through e-Business or mobile business, we shop at the e-Mall, we pay our taxes through e-Tax, we live in an e-Democracy and we are governed by an e-Government. We are implementing solutions such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM) ...
This "e-" world is practically endless. We live in a time when almost any human activity can be given an electronic form. Just to illustrate this, we mention below some of the e-activities of 2005-2006:
- E-Learning: virtual (e-) schools, virtual teachers, e-examinations, e-library administration, intelligent agents for testing e-schools, etc.
- E-Communities: virtual communities, minorities, virtual psychological support for the elderly, video meetings, society via computer networks and the internet, multiservice networks, etc.
- E-Governance: e-citizens, e-democracy, e-representation, e-protests, e-elections, e-statistics, e-crime, e-police, etc.
- E-Commerce and E-Management: e-money, e-shops, e-trading, e-markets, mobile commerce, web banking, financial accounting for e-commerce, virtual and extended enterprises, e-taxation, integrated manufacturing systems via computer networks, security and electronic payment systems, etc.
- E-Marketing: e-pricing, retailers, e-auctions, "info bots", e-advertisement, mobile marketing, webcasting, mobile banking, risk management and risk analysis, chains of e-shops, e-promotion of products, click-to-chat technology, smart shops, etc.
- E-Health: telemedicine, tele-diagnosis, medical knowledge via the web, on-line health services, medical statistics via the internet, therapy of diseases via the internet, etc.
- Tele-Working: human resources via the internet, e-supervising, employer-employee relations via the internet, rights of employees in tele-working, labour law, etc.

We live in a society in which the presence of the computer can no longer be ignored. It is a component that takes an ever larger place in human activity, making our work more effective and, perhaps, more pleasant.

We have mentioned a few of the areas of application above. Speaking of the project management area, prof. Dumitru Oprea said [Oprea, 2001, p.180]: "it is inconceivable that, at the beginning of the 21st century, project proposals and every other activity in the implementation phase should be done manually. If we turn to specialized software and the problem under analysis, for which solutions are sought, is well known, the technical operations of drawing all sorts of diagrams are left to the computer. The allocation and tracking of resources, including the complicated aspects of calculating costs, can be solved by computer as well. The dialogue at team level, as well as that between the team and the management representatives, is also easier. The same goes for periodic communications and work sessions."

The business world obviously could not stay away. More than that, a new concept was born in this field: "e-business is business" [Deise, 2000, p.xvi]. Without going into the theory of electronic business, we only mention that the term e-business was first used in 1997 by IBM, which defined the concept as "secure, flexible and integrated access to performing different businesses by combining the processes and the systems that execute basic business operations with those that make finding information on the Internet possible".

And things are only at the beginning if we consider the emergence of wireless technologies and of mobile business.

Risks are everywhere ... but risk management is everything

But all these new solutions mean new kinds of risk. We can see that the virtual space is now filled with "state of the art" viruses and worms capable of attacking mobile phones, PDAs or cars' on-board computers; smart cards require new security measures; companies all over the world implement biometric or behaviometric systems.

Under these circumstances we cannot avoid talking about information security (INFOSEC) and about information technology security (ITSEC).

IT security deals with the security of information technology and concentrates on the security of the hardware, software, networks, systems and databases which support the business processes.

Information security concentrates on information and its security. The key word is "information" and not "information technology". At this level the emphasis is on the value of information, regulatory requirements and relevant controls, security policies, etc. Information is one of the keys to a business's success, so information security will be more focused on the business process than on technology.

Under these circumstances technological risks and informational risks will be regarded as two different areas. There is also an overlap at some point, because information technology deals with the use of technology for the purpose of making the storage, retrieval and analysis of information much more efficient for the business.
But how is risk defined? And what is the definition of risk management? What is the correct attitude of a good manager towards risk? And why is risk considered a combination of danger and opportunity in Asian philosophy? Is it possible to regard risk as an opportunity? Or is it just an unfortunate event?
Today we define risk as the possibility of suffering a loss. The Project Management Institute defines risk management as the systematic process of identifying, analysing and responding to project risk [Duncan, 1996, p.111]. But it is not the only institution that deals with risk management.

Jean-Paul Louisot, associate professor at the University of Paris 1 Panthéon-Sorbonne, presents risk management as a continuous process of decision-making and of monitoring the results of those decisions, which will reduce to an acceptable level the impact of the uncertainties resulting from the risk exposures suffered by different entities [Louisot, 2002, p.13], and Antonio Borghesi, professor of economics and business administration at the University of Verona, presented at the "Risk Management Forum – Barcelona, October 2001" his paper "Credit Risk in the New Economy", in which risk management is defined as a business process whose purpose is to ensure that the organization is protected against risks and their effects, implying the identification, quantification and administration of risks [Borghesi, 2001, p.2].

For the IT area, (information) risk management is an important part of integrated management, whose purpose is to produce the instruments needed for analysing and implementing solutions that reduce the negative effects of damage to information.

Software risk management, as defined by Robert T. Futrell and his collaborators in "Quality Software Project Management", is the formal process in which risk factors are systematically identified, assessed and their effects reduced [Futrell, 2002, p.587].

Depending on the author of the methodology, the order or the names of these sub-processes vary. Thus, risk identification and risk quantification are sometimes taken together under the name of risk assessment or risk analysis; the risk response plan is sometimes also met under the name of risk mitigation plan; and the risk response plan and the risk control plan are sometimes taken together under the name of risk management plan.
To emphasize this aspect, we mention some of these methodologies, perhaps the most representative ones in this area. Thus:

Barry Boehm, a pioneer of risk management in IT projects and, moreover, considered the leading theorist in this area, developed his own methodology of IT risk management, providing a six-step risk management process, the steps being divided into two stages [McNeece, 1997, Barry Boehm section, para. 2]:
- Risk assessment (made up of the identification of those risks with a probability of causing problems; analysis, for determining the probability of loss and the magnitude of loss for each risk and for developing compound risks; and prioritization, for ranking the identified risk items according to the compound risks they belong to), and
- Risk control (made up of management planning, for controlling the identified risk items; resolution, for eliminating or resolving the risk items; and monitoring, for tracking the progress of risk reduction within the project and applying corrective actions where this proves necessary).
Paul S. Royer, starting from the five project management process groups defined by the Project Management Institute in the PMBOK Guide (Initiating, Planning, Executing, Controlling and Closing processes), assigns a risk management process to each of them [Royer, PMI Inc., 2000, pp.1-3]. Thus:
- initiating processes -> assessment of project opportunities
  o assessment of opportunities vs. risks
- planning processes -> risk management planning
  o identification of risks and development of strategies for minimizing their effects, and of contingency plans for minimizing impact
- executing processes -> project risk auditing
  o auditing the efficiency of the project management process
- controlling processes -> risk management continuity
  o monitoring identified risks
  o identifying new risks
- closing processes -> risk knowledge transfer
  o recording lessons learned for application in future projects
There are many sources of risk: technology, logistics, people, change, chance, policy, technical equipment, schedule, cost, opportunities, demands, etc. Risk administration implies a continuous process of activity.

Starting from these ideas, the Software Engineering Institute defined the SEI Risk Management paradigm, the risk management processes being, from its point of view [Williams, Pandelios & Behrens, 1999, p.5]:
- risk identification (Identify) – before risks can be managed they have to be identified;
- risk analysis (Analyze) – converting risk data into decision-making information about risk; reviewing, prioritizing and selecting the most critical risks to work on;
- planning (Plan) – transforming risk data into decisions and actions; actions addressing individual risks are developed, actions are prioritized, and a risk management plan is created; in planning, the future consequences of the decisions made in the present are considered, taking into account:
  o the reduction of the impact of risk through the development of response plans for unforeseen events;
  o the study of risk, to obtain more information and to better determine the cause of its appearance;
- tracking (Track) – monitoring the risks and the actions taken to reduce their negative effects;
- control (Control) – correcting deviations from the planned actions;
- communication (Communicate) – an essential component without which there can be no talk of the viability of a risk management process.
As an observation, the model proposed by SEI is based on the Shewhart-Deming cycle (Plan-Do-Check-Act).
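As an added example (not part of the original paper, and not code from Boehm or the SEI), the following Python sketch walks a small register of risk items through the Boehm assessment/control steps and the SEI Identify/Analyze/Plan/Track/Control/Communicate loop described above. Risk exposure, RE = P(loss) × L(loss), and risk reduction leverage, RRL = (RE before − RE after) / cost of the action, are Boehm's quantities; the paper only names the steps. The risk items, probabilities, loss figures, the acceptable exposure level and the class API are all constructed for illustration.

```python
"""Added example (not from the paper): a minimal risk register that walks the
Boehm assessment/control steps and the SEI Identify-Analyze-Plan-Track-Control-
Communicate loop. Risk exposure RE = P(loss) * L(loss) and risk reduction
leverage RRL = (RE_before - RE_after) / cost are Boehm's definitions; the risk
items, probabilities, loss figures and acceptable level are constructed."""
from dataclasses import dataclass, field


@dataclass
class Action:
    description: str
    cost: float              # cost of carrying the action out
    new_probability: float   # estimated probability of loss after the action
    new_loss: float          # estimated magnitude of loss after the action


@dataclass
class Risk:
    name: str
    probability: float                            # P(loss), in [0, 1]
    loss: float                                   # L(loss), e.g. in EUR
    actions: list = field(default_factory=list)   # (Action, leverage) pairs
    history: list = field(default_factory=list)   # exposure at each assessment

    def exposure(self) -> float:
        """Boehm's risk exposure: probability of loss times magnitude of loss."""
        return self.probability * self.loss


class RiskRegister:
    def __init__(self, acceptable_exposure: float):
        self.acceptable_exposure = acceptable_exposure  # level management accepts
        self.risks = {}                                  # name -> Risk, in order found

    # Identify: a risk has to be on the register before it can be managed.
    def identify(self, name: str, probability: float, loss: float) -> Risk:
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must lie in [0, 1]")
        if loss < 0:
            raise ValueError("loss magnitude must be non-negative")
        risk = Risk(name, probability, loss)
        risk.history.append(risk.exposure())
        self.risks[name] = risk
        return risk

    # Analyze / prioritize: most critical (highest exposure) first.
    def prioritize(self) -> list:
        return sorted(self.risks.values(), key=lambda r: r.exposure(), reverse=True)

    # Plan: attach a candidate action and return its risk reduction leverage
    # (exposure removed per unit of cost), so competing actions can be ranked.
    def plan(self, name: str, action: Action) -> float:
        risk = self.risks[name]
        exposure_after = action.new_probability * action.new_loss
        leverage = (risk.exposure() - exposure_after) / action.cost
        risk.actions.append((action, leverage))
        return leverage

    def best_action(self, name: str) -> Action:
        action, _ = max(self.risks[name].actions, key=lambda pair: pair[1])
        return action

    # Track: record a re-assessment made after actions were carried out.
    def track(self, name: str, probability: float, loss: float) -> float:
        risk = self.risks[name]
        risk.probability, risk.loss = probability, loss
        risk.history.append(risk.exposure())
        return risk.exposure()

    # Control: risks needing corrective action, because exposure is still
    # above the acceptable level or rose since the previous assessment.
    def control(self) -> list:
        flagged = []
        for risk in self.risks.values():
            rising = len(risk.history) >= 2 and risk.history[-1] > risk.history[-2]
            if risk.exposure() > self.acceptable_exposure or rising:
                flagged.append(risk.name)
        return flagged


def demo() -> RiskRegister:
    """One pass through the loop on a constructed e-commerce project register."""
    reg = RiskRegister(acceptable_exposure=5_000)
    reg.identify("payment data disclosure", 0.10, 200_000)   # RE 20,000
    reg.identify("key developer leaves", 0.30, 40_000)       # RE 12,000
    reg.identify("supplier API not ready", 0.50, 10_000)     # RE  5,000
    # Two candidate actions for the top risk: leverage prefers the cheaper one
    # (2.4 vs about 0.63), although it leaves exposure above the acceptable level.
    reg.plan("payment data disclosure", Action("outsource card handling", 30_000, 0.02, 50_000))
    reg.plan("payment data disclosure", Action("encrypt stored card numbers", 5_000, 0.08, 100_000))
    reg.plan("key developer leaves", Action("document system, pair-program", 4_000, 0.30, 10_000))
    # Re-assess after the chosen actions; meanwhile the supplier risk grew.
    reg.track("payment data disclosure", 0.08, 100_000)      # RE 8,000, still too high
    reg.track("key developer leaves", 0.30, 10_000)          # RE 3,000, acceptable
    reg.track("supplier API not ready", 0.60, 10_000)        # RE 6,000, and rising
    return reg


if __name__ == "__main__":   # Communicate: status, most critical first
    register = demo()
    for r in register.prioritize():
        print(f"{r.name:<26} P={r.probability:.2f} L={r.loss:>8,.0f} RE={r.exposure():>7,.0f}")
    print("needs corrective action:", register.control())
```

Two points the run makes that the step list alone does not: leverage ranks the cheaper encryption action first, yet the control step still flags the payment risk because its residual exposure (8,000) stays above the level management accepts (5,000), so leverage says which action buys the most reduction per unit of cost while the acceptable level says whether you are done; and the supplier risk is flagged although no action was planned for it, because its exposure rose between assessments, which is exactly the case the Track step exists to catch.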

Approaches for identifying and analysing the main risks that the use of information technology in business processes involves are also found in the various standards, methodologies and best practices adopted for information technology security management. By using these approaches, the ability to understand IT services and processes is enriched, and new information control instruments become available. These standards deal, among other things, with the identification of unauthorized network access, of unauthorized access to confidential messages, of loss of electronic transaction integrity, of shortcomings in data confidentiality, of viruses, etc.

We will not present these standards in detail, but only mention the most important ones: COBIT (Control Objectives for Information and related Technology); ITIL (IT Infrastructure Library); ISO/IEC 17799:2000, the code of practice for information security management, an international standard based on BS 7799-1; ISO/IEC TR 13335, Information Technology – Guidelines for the Management of IT Security; ISO/IEC 15408, Security Techniques – Evaluation Criteria for IT Security (the Common Criteria); TickIT; NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems; and COSO, the Internal Control – Integrated Framework report of the Committee of Sponsoring Organizations of the Treadway Commission.

These are just a few of the opinions regarding risk management processes, and we cannot say that one opinion is better than another or that one of them ensures success to a greater degree. Just as one of the definitions given to this process says that risk management is a journey, not a destination, we understand that in risk management the chosen methodology or the desired end result (which is obviously ensuring the project's success) is not what matters most; much more important are the active involvement at the level of each sub-process, the use of automated risk analysis and measurement systems intended to ease people's work, the running of an adequate risk monitoring and control programme during the entire life cycle of the project, and the inclusion in this programme of the practice of risk communication and documentation. Some authors also see this last point as an independent risk management process, called Risk Knowledge Transfer, which could include informing the project participants or assessing and documenting the success or failure that resulted from the chosen methodology.

Ironically, the application of a single model gives birth to a new type of risk: the risk of becoming dependent on one model...

Conclusions

Risks are everywhere... We have to understand that in the new economy information risks are everywhere. A good project manager would say: it is a high risk for no risks to be found... Obviously the risk exists; it has simply not been identified. The solution is risk management, a process which implies identifying the risks that could affect the success of a project and proactively administering them, so as to eliminate or reduce their impact.

It is almost as Sun Tzu said in The Art of War: "it is better to capture the opposing army than to destroy it; it is better to capture a battalion, a company or a group of five people intact than to destroy them."

References

1. Berners-Lee, Tim, Beyond the Old Web, Newsweek, Issues 2006, December 2005
2. Borghesi, A., Credit risk and the new economy. Academic Risk Management Association Italy, 2001, retrieved May 14, 2006 from http://www.arimas.it/papers.htm
3. Deise, Martin V., Nowikow, Conrad, King, Patrick, Wright, Amy, Executive's Guide to E-Business – from tactics to strategy, PricewaterhouseCoopers, John Wiley & Sons, Inc., 2000
4. Duncan, W. R., A Guide to the Project Management Body of Knowledge. Upper Darby: Project Management Institute, 1996
5. Futrell, R. T., Shafer, D. F., & Shafer, L. I., Quality Software Project Management. Upper Saddle River: Prentice Hall PTR, 2002
6. Guterl, Fred, Upson, Sandra, Smarter Search, Newsweek, Issues 2006, December 2005
7. Kurzweil, Ray, Science, Not Fiction, Newsweek, Issues 2006, December 2005
8. Louisot, J. P., Risk management for private & public entities. Academic Risk Management Association Italy, 2002, retrieved May 14, 2006 from http://www.arimas.it/papers.htm
9. McNeece, P., Managing risk with metrics, 1997, retrieved May 14, 2006 from http://www.baz.com/kjordan/swse625/docs/tp-pm.doc
10. Oprea, Dumitru, Managementul Proiectelor – teorie şi cazuri practice, Ed. Sedcom Libris, Iaşi, 2001
11. Plant, Robert, eCommerce – formulation of Strategy, Prentice Hall PTR, 2000
12. Royer, P. S., Project Risk Management – A Proactive Approach. Vienna: Management Concepts Inc., 2000
13. Wales, Jimmy, I am not a Thief, Newsweek, Issues 2006, December 2005
14. Williams, R. C., Pandelios, G. J., & Behrens, S. G., Software Risk Evaluation (SRE). Method description (Version 2.0). Software Engineering Institute, 1999, retrieved May 14, 2006 from http://www.sei.cmu.edu/publications/index.html
15. ***, SAP Executive Shai Agassi Identifies Five Key Software Trends for Companies to Watch, retrieved April 18, 2006 from http://www.sap.com
16. ***, The HBR List – Breakthrough Ideas for 2006, Harvard Business Review, February 2006

Published in: Măzăreanu, P.V., e-World vs. Information risk management, 7th European Conference On E-Business/ E-Commerce/ E-Learning/ E-Work/ E-Government/ E-Democracy/ E-Health/ E-Mediary, E-Inclusion / Bb-Broad-Band And On-Line Services / E-Marine / E-Banking And Their Influences On The Economic/ Social Environment And Contributions To Era - E-COMM-LINE 2006, September 18-19, 2006, Bucharest, ROMANIA, ECAS TRADE, ISBN 973-88046-0-4, ISBN 978-973-88046-0-9
