E-RISK IN E-WORLD

Valentin-Petru MĂZĂREANU, Ph.D. Student, Department of Economic Informatics, Faculty of Economics and Business Administration, "Al. I. Cuza" University of Iaşi, 22 Carol I Blvd., RO-700505

Abstract

We are passing through a new "Big Bang", that of the digital economy. We trade through e-Business (not to forget mobile business), we shop from the e-Mall, we pay our taxes through e-Tax, we live in an e-Democracy and we are ruled by an e-Government. But all these new solutions mean new kinds of risk. We can see that the virtual space is now filled with highly "performant" viruses and worms, capable of attacking mobile phones, PDAs or cars' on-board computers; smart cards require new security measures; companies all over the world implement biometric or behaviometric systems. We have to understand that in the new economy information risks are everywhere. A good project manager would say: it is a high risk for no risks to be found... Obviously the risk exists! But it has not been identified. Learning about this will make the process of risk identification more productive, and so lead to successful management. This paper tries to go on, in the same spirit, to some aspects of risk and information risk management in this world of "e-", where everything contains an element of risk. So a risk management policy is required. But, according to the Software Engineering Institute, a question arises: if I implement risk management, does that guarantee success? The answer is... no. There are many aspects to achieving program success. So let's see what to do to improve our chances of succeeding.

Keywords: information security, risk management, new economy, digital economy

In Project Risk Management, Paul S. Royer [1] defines risk as a possible future event that can affect the project's objectives in terms of costs, schedule or from a technical perspective. The effect could be positive, in which case the project manager has the opportunity to improve project performance and to assess the risks. But most of the time the effects are contrary to the objectives. The source of a risk, and sometimes even the possibility of its occurrence and the quantification of its impact on the project's objectives, can be identified. The identification and risk evaluation processes represent the transformation of something "unknown" into known risks, in order to improve project management. Palisade Corporation, the developer of @Risk for Project, defines risk as the uncertainty or variation in the occurrence of an event or decision [2], and the Software Engineering Institute defines the risk concept citing the Webster dictionary: "Risk is the possibility of suffering loss" [3].

We deal with risk every day and we have learned to accept it. Our daily decisions are based on analyzing the risks of the different options we have. Some risks are easy to identify (for example, the risk of overrunning a project's budget; see Example I).

Example I - The Great Belt link [4] - a failure from the budget perspective
- megaproject from the Trans-European Transport Network;
- includes one of the longest suspension bridges in Europe and one of the longest underwater railway tunnels;
- it connects Denmark (East) with the rest of Europe;
- by the time the project was approved by the Danish parliament (1987) the estimated budget was 13.9 billion DKK;
- in the end, the final cost was 21.4 billion DKK.

But risks can be much more complex and have far more devastating effects (Example II).

Example II - London Ambulance Service [5] - failure of a computer-aided dispatch (CAD) system
- the LAS dispatch system is responsible for: receiving calls; dispatching ambulances based on an understanding of the nature of the calls and the availability of resources; and monitoring progress of the response to the call. A computer-aided dispatching system was to be developed and would include an automatic vehicle locating system (AVLS) and mobile data terminals (MDTs) to support automatic communication with ambulances;
- immediately after the system was made operational, the call traffic load increased. The AVLS could not keep track of the location and status of units. This led to an incorrect database, so that (a) units were being dispatched non-optimally and (b) multiple units were being assigned to some calls. As a consequence there were a large number of exception messages, and the system slowed down as the queue of messages grew. Unanswered exception messages generated repeated messages, and the lists scrolled off the top of the screens, so that messages awaiting attention and exception messages were lost from view. Ambulance crews were frustrated and, under pressure, were slow in notifying the status of their unit. They could not (or would not) use their MDTs and used incorrect sequences to enter the status information. The public were repeating their calls because of the delay in response. The AVLS no longer knew which units were available and the resource proposal software was taking a long time to perform its searches;
- the entire system descended into chaos (examples: one ambulance arrived to find the patient dead and taken away by undertakers; another ambulance answered a 'stroke' call after 11 hours, 5 hours after the patient had made their own way to hospital);
- causes of the failure: the system was implemented by a company with no experience in this field; the LAS crews were not instructed in how to use the system; no backup procedures were implemented; the interface design was inadequate; the vendor wanted to enter the market, adopting a low-cost policy, which produced a system with problems; the project monitoring phase was ignored because nobody had been named for this position.

Risks appear in any social or economic activity. We can speak about different kinds of risks [6]: technical problems, unsuccessful market, failures in finishing on schedule, unpredictable events, inadequate know-how, failures in manufacturing, failures in designing, legal uncertainty. These can be classified as operational risks, financial risks, strategic risks or hazard risks. Risk is a probabilistic event: it is possible for it to appear, and also possible for it not to appear. That is why there is an optimistic tendency to ignore a project's risks or to consider that these risks will not appear. Such attitudes can lead to great problems in case the risks materialize. And when we deal with big projects, risks are inevitable. So we have to understand that in these cases a risk management policy and a risk manager are compulsory.

According to the Software Engineering Institute (SEI) [7], risk management is a practice with processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to: assess continuously what could go wrong (risks); determine which risks are important to deal with; implement strategies to deal with those risks. SEI also defines seven principles which provide a framework for effective risk management: global perspective, forward-looking view, open communications, integrated management, continuous process, shared product vision, teamwork.

The Project Management Institute (PMI) defines Project Risk Management [8] as the process concerned with identifying, analyzing, and responding to project risk. It includes maximizing the results of positive events and minimizing the consequences of adverse events, and has the following major processes:
- Risk Identification - determining which risks are likely to affect the project and documenting the characteristics of each;
- Risk Quantification - evaluating risks and risk interactions to assess the range of possible project outcomes;
- Risk Response Development - defining enhancement steps for opportunities and responses to threats;
- Risk Response Control - responding to changes in risk over the course of the project.

But in the "e-" era it is hard to talk about risk management dissociated from security policy, information security, security measures and so on. That is why, starting from a Microsoft idea - security is risk management - and wishing to understand the way Romanian managers deal with risks and how they treat risk management in their own business, I will correlate the subject of this paper with the results of a market research study about information risk management and information security that I coordinated in spring-summer 2004. And as we will see, the results raise many questions about how Romanian managers understand the protection of their most valuable capital: information.

The interviewed managers came from a wide range of business fields - industry, education, IT&C, financial services - most of them from the north-east of Romania; 57.2% were small and medium enterprises, 26.5% micro enterprises, and 16.3% big enterprises.

We know from the theory of information security that there are three guidelines for the management of Automated Data Processing Systems. One of these guidelines is the "never alone" one. According to this guideline, the key activities in the information security field must be executed by at least two persons. In this manner illegal operations are prevented. The same could be said about activities that must be executed by at least two persons when it comes to dependence on specialists. Let's see now the answers to the question about how many people deal with the key activities in the information security field in your company.

Fig. 1 Number of persons involved in key activities in the field of information security
- None: 14.3%
- One person: 49.0%
- Up to 5 people: 26.5%
- More than 5 people: 10.2%

We can see from the 49% for the "one person" option that the risk of dependence on one specialist is a significant one. Another analyzed aspect, correlated with the one above, was that of "staff rotation" procedures, a technique connected to the guideline of limited tenure in a key job. According to this guideline, "nobody has to execute for a long time the same key job in a data security department". The answers gave this result: 77.6% - we do not apply this guideline; 22.4% - we apply this guideline.

The question "the functions of your company's information system security are known by..." refers to the guideline of segregation of duties, which says that "nobody has to know anything about the functions of the security system, or to be exposed to problems related to this field, if he or she has no responsibilities in the field of information system security". This guideline is connected with the "got to know" (need-to-know) one, the latter specifying that a special position of a person in the organizational structure of a company must not give that person the unlimited right to know special information. Let's see the answers:

Fig. 2 Percentage of persons who know the functions of the information system
Legend:
1. persons involved in the management of the information system: 52.6%
2. persons leading the internal departments of the company: 22.8%
3. persons with a special position (e.g. the company's administrators, members of the management council, associates): 17.5%
4. all interested persons: 7.0%

Another aspect of ensuring information security is that of human resource policy. In fact, the human resource is one of the most important factors in this subject. Most employees are used to having access to email and the web as essential business applications, but the potential risks and cost of misuse can be huge. Some examples [9]: there is always the risk that an employee may disclose some confidential material in an email; increasing amounts of work time are being taken up by the use of email and the Web. And we can add here data theft, hackers' attacks, viruses and worms, social engineering. But according to Paul Williams [10], even the best-worded policies and the most technically advanced counter-measures will not compensate for human stupidity. So one of the questions was about the rules for hiring personnel. And the answers are:

Fig. 3 Security policy through human resource policy
- Every person is checked before hiring: 34.7%
- The personnel is checked after hiring: 10.2%
- The personnel is not checked: 55.1%

There are different security measures. According to CERIS (the Center of Expertise and Response for Security Issues) [11], IT security has seven components: organizational and administrative security, personnel security, physical security, hardware security, communications security, software security and security of operations. According to GeCAD's consultants [12], these components are: organizational security (general policies and regulations), communications security (policies, procedures, and technology), logical security (policies, procedures, and technology), physical security (secured room, access codes, physical access control etc.). Other measures [13]: analyzing intruders' techniques, information coding, suppressing acoustic and electromagnetic radiation. So one of the questions was about the security measures applied in Romanian companies. The answers showed that 14% of the companies apply security of operations, 17.6% administrative security, 15.0% software security, 11.9% hardware security, 15.5% communications security, 12.4% physical security and 13.5% other security measures. Other problems analyzed through the questionnaire: the documentation risk, the risk generated by software difficulty, the need for training courses about new threats and new security measures.

Conclusions

This paper tries to put face-to-face the theory of risk management, seen through the eyes of information security, and the reality of Romanian management. There are many more areas of concern, and certainly there are many question marks about the honesty of the answers because of the confidentiality of the subject analyzed. And it will be interesting to see the way concepts of risk management will evolve in these days of information (in)security. But all these risks must not stop us from going further. As J. F. Kennedy once said: "...any action involves risks and costs which are less than those associated with doing nothing."

Notes
[1] Royer, Paul S., Project Risk Management - A Proactive Approach, Management Concepts, Project Management Institute, Inc., 2000, p. 109
[2] @Risk for Project (guide to) - Advanced Risk Analysis for Project Management, Palisade Corporation, 2000, p. 268
[3] Software Engineering Institute, http://www.sei.cmu.edu
[4] Flyvbjerg, Bent, Megaprojects and Risk - an anatomy of ambition, Cambridge, 2003
[5] http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
[6] Oprea, Dumitru, Managementul Proiectelor - teorie şi cazuri practice, Sedcom Libris, Iaşi, 2001, pp. 88-89
[7] Idem 3
[8] PMBOK Guide - chapter 11, Project Risk Management, Project Management Institute, p. 111, http://www.pmi.org
[9] Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4, 2003, www.theitportal.com
[10] Williams, Paul, Thought for the day - the IT dangers of coffee, http://www.computerweekly.com
[11] Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS), http://www.ceris.ro
[12] http://www.gecad.ro
[13] Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003, p. 49

Bibliography
1. @Risk for Project (guide to) - Advanced Risk Analysis for Project Management, Palisade Corporation, 2000
2. Centrul de Expertiză şi Răspuns pentru Incidente de Securitate (CERIS), http://www.ceris.ro
3. Flyvbjerg, Bent, Megaprojects and Risk - an anatomy of ambition, Cambridge, 2003
4. http://www.cs.ucl.ac.uk/staff/a.finkelstein/papers/lascase.pdf
5. http://www.gecad.ro
6. Naylor, Jonathan, Employee email/web use: The risks and the Law, September 4, 2003, www.theitportal.com
7. Oprea, Dumitru, Managementul Proiectelor - teorie şi cazuri practice, Sedcom Libris, Iaşi, 2001
8. Oprea, Dumitru, Protecţia şi securitatea informaţiilor, Polirom, Iaşi, 2003
9. PMBOK Guide - chapter 11, Project Risk Management, Project Management Institute, p. 111, http://www.pmi.org
10. Royer, Paul S., Project Risk Management - A Proactive Approach, Management Concepts, Project Management Institute, Inc., 2000
11. Software Engineering Institute, http://www.sei.cmu.edu
12. Williams, Paul, Thought for the day - the IT dangers of coffee, http://www.computerweekly.com

Published in: Măzăreanu, V., e-Risk in e-World, The Proceedings of the International Conference "The Impact of European Integration on the National Economy", 28-29 October 2005, Cluj Napoca, ISBN 973-651-007-0
