Abstract
Along with the incontestable benefits for the modern society, the information and communication technology developments induce new vulnerabilities. Mobile computing devices, cloud computing, and privacy issues are just a few elements that should be taken into account when shaping the modern information security that is essential to our modern way of life. Since information security risks are rapidly evolving and taking new forms, the real benefits of information and communication technologies may be exploited only if trust is built on every layer of responsibility. This study explores of the present main information security threats faced by Romanian organizations, as well as of the attitude of Romanian organizations towards information security, as resulted from a research and detailed survey questionnaire performed by the authors. Following the results of this research, the authors propose a way to improve the security posture of Romanian organizations, as well as knowledge, capabilities, and decision making of business managers.
TopIntroduction
Business has changed dramatically since the beginning of the 21st century. Especially over the past 10 years, development of information and communication technologies (ICTs) have made their way straight to the very heart of any type of business (Ruževičius & Gedminaitė, 2007; Hadžiosmanović, Bolzoni, & Hartel, 2012; Tiago, Manoj, & Espadanal, 2014; Agrawal & Tapaswi, 2017). The cheap, real-time, easy access modality to transfer huge amounts of data all around the world has allowed companies to obtain a new geographical perspective and to develop towards regions otherwise unreachable. Contemporary globalism is built in great measure on ICT development (Andress, 2003; Hong, Kim, & Cho, 2010; Mittelman, 2011; Singh & Fhom, 2017). However, making profit from all of these advantages is feasible only if proper protection of transferred data and of network services is ensured (Willems, 2011; Stepchenko & Voronova, 2015; Malatras, Geneiatakis, & Vakalis, 2016; Lin, Lin, & Pei, 2017).
Protection implies that no access to, modification of, deletion of, or otherwise denial of access to data or network resources or services is performed by unauthorized persons or entities (Kesan & Hayes, 2012; Arukonda & Sinha, 2015; Gandino, Celozzi, & Rebaudengo, 2017). The organization’s risk management covers a wider range of risks – especially operational risks, reputation risks to the organization and, more recently, strategic risks (Hjortdal, 2011; Chen, Ge, & Xie, 2015). Moreover, within a growing number of organizations responsibilities associated with risk management are assumed by top management which generally coordinates the teams of specialists directly responsible for monitoring the risks and the risk handling measures (Yang, Wu, & Wang, 2014).
In this context, it is of major interest that managers be aware of the importance of establishing correct information security policies, commensurate with the sensitivity of the data their companies process, transmit or store in electronic format (Liaudanskienel, Ustinovicius, & Bogdanovicius, 2009; Collins & McCombie, 2012; Singer & Friedman, 2014; Friedberg, McLaughlin, Smith, Laverty, & Sezer, 2016). In the opinion of other specialists such as Landoll (2010), risk analysis is defined as an objective analysis of the effectiveness of the security measures in place to protect the interests of the organization and a determination of the likelihood of prejudice to those interests.
More specifically, risk analysis is defined by Peltier (2010) as a process of calculating risk. Algorithms for calculating risk did so as a function of the organization’s assets, threats, and vulnerabilities. Risk analysis is the first stage of risk management and is a crucial component of this process. It provides an assessment of the potential exposure to environmental threat, and the basis for the definition of the events -acceptable and unacceptable from the point of view of organization. The result of this process helps to identify appropriate measures to reduce or eliminate the identified risks. To determine the probability of an undesirable event, threats to the organization should be analyzed in conjunction with the potential vulnerabilities and security measures already implemented (Karim, 2007).
Key Terms in this Chapter
Risk Management: The implementation and updating of methods and tools to minimize risks associated with the information system of an organization, such as the Information Security policies, procedures and practices associated formalized and adopted other means in order to bring these risks to acceptable levels.
Availability: Ensuring the conditions necessary for easy retrieval and use of information and system resources, whenever necessary, with strict conditions of confidentiality and integrity.
Integrity: The prohibition amendment—by deleting or adding—or the unauthorized destruction of information; integrity refers to confidence in the data and resources of a system by which to manage information.
Vulnerabilities: Gaps or weaknesses in the design and implementation of safety or security measures which could be exploited accidentally or intentionally by a threat.
Prevention: Implementation of mechanisms that users not be able to counteract and are implemented correctly, unaltered, so the attacker cannot alter them.
Threats: The possibility of accidental or deliberate compromise of information security, the loss of confidentiality, integrity or availability or impaired functions that provide authenticity and non-repudiation of information.