UNIVERSITY IN RIJEKA
THE FACULTY OF ECONOMY IN RIJEKA
DOCTORAL STUDY
BUSINESS ECONOMY
Course: Microeconomics
RIJEKA, 2011.
FOREWORD
I have spent the last ten years of my career working in foreign-owned enterprises with diverse ownership structures and business cases, all having a common trait: taking close care of information security and information capital. Since 2006 I have also been serving as a company information security officer, so I was faced with the task of envisioning and organizing an integral enterprise information security management system. In the past four years a number of policies, plans, standards, guidelines and work instructions had to be devised that encompass not only information, but also integral corporate security. This endeavor ended with my joining postgraduate studies at the University of Economy in Rijeka, where I completed the final thesis on the topic of integral and information security, motivated by my daily work.
In contact with colleagues of the same profession, I have noticed that many medium and even large-scale enterprises do not have a separate business function in charge of information security; sensitive business information is protected in the same way other forms of capital are protected, despite the fact that information capital has intrinsic values making it comparable to "classical" forms of capital, but also certain characteristics that make it very different, thus requiring a completely different treatment. Difficulties in defining the concept of information capital are especially clear when trying to draw a clear division between raw data, information and knowledge.
Some difficulties were encountered during this research. The topic of information capital has been mentioned in the literature only sporadically, because best-practice models of information protection relate mainly to data or information, not to information capital, while enterprises systematically manage only derivatives of information capital (for example, knowledge). The main driver behind the creation of this paper is to clearly make a distinction between information and other forms of enterprise capital, describe some measures used to protect it within enterprises and describe the relation between information capital and enterprise efficiency.
At this point, I would like to thank my mentor prof.dr.sc. Maks Tajnikar for the patience demonstrated during the creation of the draft and the seminar paper itself.
SUMMARY
TABLE OF CONTENTS
FOREWORD 3
SUMMARY 4
TABLE OF CONTENTS 5
1. INTRODUCTION 7
5. CONCLUSION 42
LITERATURE 43
ILLUSTRATIONS 45
1. INTRODUCTION
The introductory part outlines the research problem, subject and object, defines the working hypothesis and the auxiliary hypotheses used in the research, explains the purpose and goals of the research and the scientific methods used, and briefly describes the structure of the doctoral paper.
In the broadest economic sense, capital is a production factor that by itself does not have a particular value needed by the consumer when compared with comparable goods, but possesses the ability to reproduce while remaining relatively unchanged in the production process, therefore serving as a catalyst in the production of other goods. Throughout history, schools of economic thought have formed their paradigms and theories dealing with the concept of capital and its relationships, even in the earliest periods of capitalist production, during mercantilism or the physiocratic viewpoints.
In parallel with the development of production and of social relationships, refracted through the prism of political economy, new forms of capital are being differentiated. The primarily identified physical forms of capital are therefore followed by newly identified forms of capital derived from such development, among which mercantile and financial (banking) capital are the most easily identified. However, throughout the 20th century, due to the exponential development of the base of human knowledge, rising connectivity between national economies and the development of very complex organizational blueprints as drafts for the execution of economic reproduction, it has become clear that it is not possible to describe in their entirety all factors influencing the process of money-goods exchange just by researching physical and derived forms of capital. Such new forms of capital are, among others, political capital, infrastructural capital, human capital, natural capital, social capital and intellectual capital.
This division of the forms of capital has opened a number of questions and dilemmas that are not entirely solved, especially regarding the relation between different forms of capital, but also their relation towards other production factors known and identified by the schools of political economy. For example, human and social capital are inherently connected with the paradigm of the information economy, where the positive economic output of enterprises and national economies is a result of their internal processes that enable the creation, processing and real application of information based on knowledge, through the usage of modern information technologies.
The research problem can be derived from the outline above: what is information capital, what is its connection with other material and non-material forms of capital and production factors, how has the management of information capital, knowledge and human capital become a condition sine qua non of national economy development, and what is the connection between the utilization of information capital and enterprise efficiency?
The research subject can be extrapolated from the defined research problem: to research, analyze and systematically outline the basic characteristics and specifics of information capital and its reproduction inside enterprises, and to research the topic of efficiency in general and the impact of information capital management on enterprise efficiency, using the language of Pareto efficiency. The research objects are information capital and its impact on enterprise efficiency.
The definition of the research problem, subject and object leads to the definition of the working hypothesis of the paper: information capital is a separate form of capital, it is managed and preserved within enterprises using legislative and best-practice systems, and its utilization can influence efficiency within enterprises.
In order to support the working hypothesis, three supporting hypotheses (abbreviated S.H.) are defined:
S.H. 1) In modern enterprises, information capital is a separate form of capital defined by its components: data, information and knowledge. It has a catalytic effect on other forms of capital.
S.H. 2) Information capital is a basic requirement for the creation of a knowledge-based enterprise. While other forms of capital are preserved through legislation, information capital is protected by technical and organizational measures aimed at mitigating or annulling risk.
S.H. 3) Proper utilization of information capital inside enterprises can increase efficiency.
According to the research problem, subject and object, and the working and supporting hypotheses, the purpose and goals of the research are defined.
The purpose of the research is to study, analyze and outline all characteristics of information capital that make it unique and clearly delimit it from other forms of capital, and to describe how the identified specifics of information capital influence the efficiency of enterprise activities. Information capital is often placed under social or political capital, or under the "goodwill" or "intellectual base" of the economy, without full understanding of the relationship between the different forms of capital and the factors of production.
2) What specifics and characteristics distinguish information capital from other forms of capital?
3) What are the interactions and relations between information capital and other forms of capital and factors of production?
4) What methods and technologies are used in the protection and reproduction of information capital at the operative enterprise level?
During the research, the following scientific methods will be used in appropriate combinations: the methods of induction and deduction, analysis and synthesis, abstraction and concretization, generalization and specialization, classification, the descriptive method, the comparative method, the historical method, the mosaic method, the method of comparison in pairs and the method of compilation. The last method will be used carefully in those parts of the paper that lean on existing scientific studies and papers, carefully quoting and citing the sources.
In the first chapter, INTRODUCTION, the problem, subject and object of the research are defined along with the working and supporting hypotheses and the purpose and goal of the research. The scientific methods used in the research are presented and, at the end, its basic structure is presented.
The fourth chapter aims to offer a new view of information capital functioning within enterprises, putting in focus the perspectives of information capital management development in order to facilitate efficiency. The title of this chapter is CONSIDERATIONS OF USAGE OF ENTERPRISE INFORMATION CAPITAL IN ACHIEVEMENT OF EFFICIENCY.
To tackle the challenge of defining the importance of information security and its development, three distinct topics are discussed: 1) the definition and development of information security, 2) the strategic importance of information security in enterprises and 3) the impact of the risk concept on information security.
From the earliest days of written history, rulers and military leaders have understood the importance of a mechanism that would protect the confidentiality of written correspondence, and of a mechanism that would detect that such confidentiality is endangered. The first person mentioned by historians to use such a system was Julius Caesar, who around 50 BC devised a system of "Caesar coding" (the Caesar cipher) to prevent his messages from falling into the wrong hands.
The Second World War brought significant advances in the theoretical and practical measures of information security, and this is the point at which the activity was professionalized and became a business function in enterprises and a government function. The emphasis was put primarily on physical controls guarding access to information processing centers. Data formalization and the classification of information according to its sensitivity was the next logical step, along with personal checks before access to information was granted. A well-known and documented example is that of the "Enigma" coding machine, first decoded by Polish engineers just prior to World War II. The British and the Americans managed to do the same during World War II, when "Enigma" already existed in a new version. Information gathered from decoded messages was used to anticipate the moves and actions of the German armed forces.

[1] http://www.law.cornell.edu/uscode/44/usc_sec_44_00003542----000-.html (18.05.2010.)
[2] In information security this concept is known as the "C-I-A triad", where "C" stands for confidentiality, "I" for integrity and "A" for availability.
At the end of the 20th and the beginning of the 21st century, rapid advances in the technical possibilities of communications, computing equipment and electronic networks for data exchange brought along new encryption techniques. The availability of smaller, more powerful and cheaper computers was the main enabler of data processing even in small companies and in employees' homes. The rapid growth and widespread usage of electronic data processing and the introduction of e-business[3], in parallel with the threat of international terrorism, were the main reasons for devising new and better ways of protecting computers, but also of protecting the information stored, exchanged and processed by them. Nowadays, information protection is an academic and multidisciplinary activity shared between different professional organizations, working towards the common goal of ensuring the security and protection of information systems.

[3] Canzer, B.: "E-Business: Strategic Thinking and Practice", McGill University and Concordia University, 2006., p. 24.
according to the plan of information security, because their responsibilities are usually mixed and intertwined; the same happens with the risks shared throughout the organizational structure of the companies. For example, if one department of the organization maintains data related to the health of the employees, even though such data seems to be operative for that particular department, the damage of its disclosure may be high and have a significant impact on the whole organization, so information security in such a case is no longer just an operative task, but becomes a strategic one. Therefore, when evaluating the criticality of information security, it is necessary not only to rely on initial evaluations and classifications but to take into consideration the big picture, which enables the creation of an overall perspective arising from the true business case.
Indeed, the most important initial activity on a strategic level for every enterprise is to clearly identify the organizational units, departments and key users who all share the responsibility for the security of the information system as a whole. All levels involved need to cooperate with the nominated information security officer to create a robust information protection plan, periodically test it and adjust it to new circumstances. The end result has to be a continuously running process of revision of information security and a report presented to the top management of the organization that outlines the current state of affairs and the measures and budget needed to mitigate any gaps. Such a report should contain at least the following elements[4]:
1) additions to the information protection plan arising from the technological and operative development of information technology and from business needs in the past period,
2) an evaluation of the current state of implementation of the information protection plan,
3) proposed measures for the improvement of information security,
4) the time needed for implementation and
5) the related costs and budget needed to implement the proposed measures.
It is both the responsibility and the right of every key user to develop and implement their own strategic plans of information and document protection. The minimum requirement for such a plan is that it is signed and accepted by the key user, contains a timeframe and defines the following[5]:
1) the name of the office, department, project or organizational unit using sensitive information,
2) the names of the persons authorized to access such data, along with their access levels,
3) the administrative controls used to minimize the number of people authorized to access sensitive information,
4) a description of the methods of physical protection,
5) a description of the retention time of sensitive information,
6) a description of the methods of destruction and deletion of obsolete information,
7) a description of the implemented human resource training, and of the frequency and ways of sensitive information transfer.

[4] Aksentijevic, S.: "Operative Information Protection Plan", WI-SMS-ICT-105-E rev2, working instruction of the ISO 9001 system, Saipem Mediterranean Services LLC, Rijeka, 01.02.2009., p. 17.
The array of knowledge required to achieve all this is quite wide; the main drivers behind that are very specialized activities and the short time available for their implementation. For this reason, many organizations resort to outsourcing information security as a whole or partially. Such outsourcing contracts have to be carefully managed, and subcontractors have to prove their ability to provide sensitive information management and security services in an appropriate manner. The main legal tool used to achieve this is exhaustive confidentiality clauses.
[5] Ibidem, p. 13.
[6] Cf. Ibidem, p. 103.-104.
5) telephony and fax access controls,
6) remote access controls,
7) virtual private network controls.
Risk is a stochastic concept that describes a potentially negative impact on enterprise activities that can be a consequence of some ongoing process or future event. The term itself is often used interchangeably with the possibility of a known loss; risk is therefore closely connected with expectations. In enterprises, risk is always connected with evaluating the possibility of occurrence of a certain event, and such evaluations are difficult because of constant operative changes in the environment and the constant increase in the number of potential risks. Therefore, it is almost impossible to identify all risks: at the very moment a risk table is drafted for a particular enterprise, new risks that are not yet identified are already present, so risk assessment is as ongoing an activity as the implementation of information security itself. The risk assessment methodology is therefore also subjected to periodic evaluations to identify and mitigate new risks, or at least lower their possible impact.
Some of the most common risks of compromising enterprise data and corporate information capital are described below.
[7] http://www.cs.berkeley.edu/~bh/hacker.html (06.05.2010.)
3) Data interception during transaction. Modern information transaction systems are a mixture of distributed and hierarchical systems: end users, such as physical persons or enterprises, are connected to service providers, who are connected to "backbone" providers. Special computers and network equipment called routers and gateways send data packets to their final destinations, enabling connectivity. After a data packet leaves the service provider's network, it is almost impossible to predict its route, because it depends primarily on the destination; even if the destination remains unchanged, the route to it can still change. This enables data interception and possibly its alteration during transaction. The minimum requirement for information security during transaction is its encryption (coding) at the hardware or software level. The same technology has to be used when virtual private networks or remote connectivity are used.
4) Loss of data due to a user's mistake. This is the most common reason leading to sensitive data disclosure. The nature and impact of the damage depend on the type of compromised information and the severity of the mistake. There are numerous unintentional mistakes made by users in enterprise environments that can lead to serious damage.
5) Physical loss of information due to disaster. Physical loss of data due to disasters like fire, flood or terrorist actions can lead to the most severe consequences, including complete interruption of activity. Enterprises plan measures to mitigate these events through disaster recovery and business continuity planning.
6) Incomplete and undocumented transactions. Every transaction inside information systems should be documented, with originators who can vouch for its completeness. However, there is a risk of "over-documenting" all transactions, so it is necessary to limit transaction documentation to just the relevant auxiliary information needed to vouch for its integrity.
7) Unauthorized access of employees to sensitive information. Access to information systems has to be limited to those people who need it for business reasons. Every information system requires segmentation of its elements according to owners, users and purpose, and subsystems have to be protected by access passwords with password rotation. A formal authorization matrix has to be maintained and subjected to periodic reviews. Those in charge of information security (usually dedicated departments or instances) have to undertake reasonable and adequate actions to keep pace with the development of technology, to ensure the security of information in transit and the availability of information only to those who are authorized.
8) Unauthorized access to sensitive information by third parties ("phishing"). "Phishing"[8] is a form of criminal activity that uses social engineering techniques in order to gain access to sensitive information. However, unauthorized access to information can also be gained through paper documents and reports, or by third parties. To mitigate the risk of unauthorized internal access, information stored in electronic or paper form has to be stored carefully so as to be available only to those with the proper levels of authorization. The risk of external unauthorized access is usually diminished by introducing physical barriers like anti-intrusion devices, cameras, visitor registration and overall measures of physical security.
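As an added example of the periodic review called for under risk 7 (not code from the paper), the script below compares a formal authorization matrix with the grants actually configured on subsystems and flags orphan accounts, grants beyond the permitted level and overdue password rotation. All roles, persons, subsystems, dates and the 90-day rotation period are constructed assumptions.

```python
"""Periodic review of a formal authorization matrix.

Added example, not from the paper. The paper requires that access to sensitive
information be granted for business reasons only, recorded in a formal
authorization matrix that is reviewed periodically, with password rotation on
protected subsystems. This script compares the matrix with the grants actually
configured on the subsystems and reports the deviations a reviewer looks for.
All roles, persons, subsystems, dates and the rotation period are constructed
sample data.
"""
from datetime import date

# Formal authorization matrix (constructed): role -> {subsystem: highest permitted level}.
MATRIX = {
    "hr_clerk":   {"hr_records": "read",  "payroll": "read"},
    "hr_manager": {"hr_records": "write", "payroll": "write"},
    "it_admin":   {"payroll": "admin",    "file_server": "admin"},
}
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

# Roster approved by the key users: person -> role. People who left are absent.
ROSTER = {"ana": "hr_clerk", "marko": "hr_manager", "ivan": "it_admin"}

# Grants actually present on the subsystems (constructed), with the date of
# the last password change for that account.
ACTUAL_GRANTS = [
    {"user": "ana",   "system": "hr_records",  "level": "read",  "pw_changed": date(2011, 1, 10)},
    {"user": "ana",   "system": "payroll",     "level": "write", "pw_changed": date(2011, 1, 10)},
    {"user": "marko", "system": "hr_records",  "level": "write", "pw_changed": date(2010, 6, 1)},
    {"user": "ivan",  "system": "file_server", "level": "admin", "pw_changed": date(2011, 2, 20)},
    {"user": "petra", "system": "payroll",     "level": "read",  "pw_changed": date(2010, 12, 5)},
]

REVIEW_DATE = date(2011, 3, 1)  # constructed date of the periodic review
ROTATION_DAYS = 90              # constructed password rotation period


def review(matrix, roster, grants, today, rotation_days):
    """Return review findings as a list of dicts, one per deviation:
    - orphan_account: grant for a person no key user vouches for,
    - not_in_matrix: grant on a subsystem the role is not entitled to,
    - excess_level: grant above the level the matrix permits,
    - password_rotation_overdue: last change older than the rotation period.
    """
    findings = []
    for g in grants:
        role = roster.get(g["user"])
        if role is None:
            # Nobody vouches for this person: typically a leaver whose account
            # was never removed. No point checking the level or the password.
            findings.append({"finding": "orphan_account", "user": g["user"],
                             "system": g["system"]})
            continue
        permitted = matrix.get(role, {}).get(g["system"])
        if permitted is None:
            findings.append({"finding": "not_in_matrix", "user": g["user"],
                             "system": g["system"], "role": role})
        elif LEVEL_RANK[g["level"]] > LEVEL_RANK[permitted]:
            findings.append({"finding": "excess_level", "user": g["user"],
                             "system": g["system"], "granted": g["level"],
                             "permitted": permitted})
        age = (today - g["pw_changed"]).days
        if age > rotation_days:
            findings.append({"finding": "password_rotation_overdue",
                             "user": g["user"], "system": g["system"],
                             "days_since_change": age})
    return findings


def sample_review():
    """Findings for the constructed data above."""
    return review(MATRIX, ROSTER, ACTUAL_GRANTS, REVIEW_DATE, ROTATION_DAYS)


if __name__ == "__main__":
    for f in sample_review():
        print(f)
```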
The described risks imposed on enterprise information security are just some of the most common scenarios that can be encountered. Contrary to popular opinion, the information security function is a senior management function and only partially an operative and technical discipline. Security functions have to be formally identified across the structure. Access approvals are given based on the key user's evaluation that a certain person has to get access to certain information. In enterprise environments, such actions are subject to compliance both with internal information security plans and with the local legislation under which the enterprise operates. A solid set of formal procedures has to be put in place to regulate areas like employee information security education, risk treatment and mitigation, and security incident processing. Furthermore, no enterprise should gather and store information unless it is relevant for the business. If possible, information should be gathered directly from the source, not second-hand.
The final goal of every risk treatment process is lowering the risk to a level that is acceptable to the enterprise.
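The risk concept described above (risk as an expectation of loss, treated until it reaches a level the enterprise accepts) can be worked through on a small register; this is an added example, not a model from the paper. The risk entries, likelihoods, impacts, control effects and the acceptance threshold are constructed sample values chosen to mirror the paper's risk categories 3, 4, 5 and 7.

```python
"""Risk register with expected loss and residual risk after treatment.

Added example, not from the paper. It models the paper's view of risk as an
expectation (likelihood of an event times its impact) and the stated goal of
risk treatment: lowering each risk to a level the enterprise accepts. Every
risk, likelihood, impact, control and threshold below is a constructed sample
value, not a figure from the paper.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_factor: float = 1.0  # multiplies annual likelihood; < 1 reduces it
    impact_factor: float = 1.0      # multiplies impact; < 1 reduces it


@dataclass
class Risk:
    rid: str
    description: str
    annual_likelihood: float        # probability the event occurs within one year
    impact: float                   # loss if it occurs, in currency units
    controls: list = field(default_factory=list)

    def inherent_expected_loss(self) -> float:
        """Expected annual loss with no controls applied."""
        return self.annual_likelihood * self.impact

    def residual_likelihood(self) -> float:
        p = self.annual_likelihood
        for c in self.controls:
            p *= c.likelihood_factor
        return min(p, 1.0)

    def residual_impact(self) -> float:
        i = self.impact
        for c in self.controls:
            i *= c.impact_factor
        return i

    def residual_expected_loss(self) -> float:
        """Expected annual loss after the listed controls."""
        return self.residual_likelihood() * self.residual_impact()


# Constructed register mirroring the paper's risk categories 3, 4, 5 and 7.
SAMPLE_REGISTER = [
    Risk("R3", "Data interception during transaction", 0.30, 200_000,
         [Control("encryption of data in transit", likelihood_factor=0.1)]),
    Risk("R4", "Loss of data due to user mistake", 0.90, 50_000,
         [Control("employee security training", likelihood_factor=0.6)]),
    Risk("R5", "Physical loss due to disaster", 0.02, 4_000_000,
         [Control("disaster recovery and business continuity plan", impact_factor=0.1)]),
    Risk("R7", "Unauthorized employee access", 0.50, 100_000,
         [Control("authorization matrix with periodic review", likelihood_factor=0.4),
          Control("password rotation", likelihood_factor=0.8)]),
]


def treatment_report(risks, acceptable_expected_loss):
    """Per risk: inherent and residual expected loss (rounded to cents) and
    whether further treatment is needed because the residual loss is still
    above the level the enterprise accepts."""
    report = {}
    for r in risks:
        residual = r.residual_expected_loss()
        report[r.rid] = {
            "inherent": round(r.inherent_expected_loss(), 2),
            "residual": round(residual, 2),
            "needs_treatment": residual > acceptable_expected_loss,
        }
    return report


def treatment_priority(risks, acceptable_expected_loss):
    """Ids of risks still above the accepted level, highest residual loss first."""
    open_risks = [r for r in risks
                  if r.residual_expected_loss() > acceptable_expected_loss]
    open_risks.sort(key=lambda r: r.residual_expected_loss(), reverse=True)
    return [r.rid for r in open_risks]


if __name__ == "__main__":
    for rid, row in treatment_report(SAMPLE_REGISTER, 10_000).items():
        print(rid, row)
    print("treat next:", treatment_priority(SAMPLE_REGISTER, 10_000))
```

Because the register is never complete, the same report is meant to be regenerated whenever a risk is added or a control changes, which is the periodic re-evaluation the text describes.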
This chapter outlines in detail the following sub-chapters: 1) definition and inception of information capital, 2) data, information and knowledge as basic components of information capital and 3) enterprise information capital management.

[9] The definition of information capital is the author's original definition.
2.2.2 Data, information and knowledge as basic components of information capital
Definitions of data, information, knowledge and information capital are often not very well delimited. In order to set clear boundaries, all of them need to be clearly defined and put into mutual relations. Data is a set of symbols that by itself does not have a particular meaning, or cannot be directly used in the enterprise. Data maintains such a form as long as it does not take on a certain usable form. Data does not have to be just a set of symbols; it can also be signals or stimuli, often defined as subjective data, to distinguish them from objective data, which is the product of observation. What raw data is missing is business context. Only data that possesses business context can have potential value for the enterprise.
Data that can be useful for a particular enterprise and its activity is information. It is represented by organized and well-structured data, processed in a way that is relevant for a certain purpose or context. Its main values are significance, value, usability and relevance.
Knowledge is a concept that is very elusive and difficult to define. Usually, its definition is very similar to the definition of information. Knowledge is a combination of experience, values, context, professional insight and founded intuition that represents a framework and environment for the evaluation and inclusion of new experiences and information in the enterprise environment. Accumulated enterprise knowledge can be seen not only in documentation and processed information stored inside information systems, but also in organizational routines, practices and norms. Those enterprises that have the highest level of produced knowledge and usage of new knowledge-based technologies achieve the highest growth rates. An especially important form of knowledge is leadership knowledge, also known as "business wisdom".
After defining data, information and knowledge, it is possible to derive the relationship between them and information capital. This relationship is shown in Fig. 1.
Fig. 1. Pyramid of relationship: data, information, knowledge and business strategy (levels from the base to the top):
- Data: business data and facts
- Information: data with added significance/context
- Knowledge: analysis and synthesis of derived information
- Business strategy: usage of information to achieve set goals and produce enterprise results
Information is a basis for enterprise decision making; it responds to the question "how to achieve something". However, enterprise leaders operate on a different level: they have a deep understanding of why something is the way it is in the business environment and what the best course of action is with the given input. Therefore, enterprise leadership has a distinctive note of deeper understanding leaning towards the future, while the daily usage of data, information and knowledge is usually oriented towards the past.
The definition of information capital implies that enterprises are aware of the intrinsic value of information, which can be used as a means of exchange inside the enterprise and towards its surroundings. Some authors take the position that information capital is just that part of the overall information pool that makes up so-called "knowledge capital" and can be exchanged. However, the identification of enterprise information capital depends on business strategy and differs between enterprises and across business sectors. For example, information capital that is of high value in the pharmaceutical sector might be completely useless in the wood processing industry; information capital of high importance for the complex technology industry will be insignificant in construction enterprises. Therefore, when evaluating the true importance of information capital, it is very important to place it inside the business case context of the particular enterprise.
2.2.3 Enterprise information capital management
Information capital management consists of a set of strategies and practical blueprints used in organizations to identify, create, represent, distribute and enable the assimilation of that kind of knowledge inside the enterprise that enhances its output. Information capital is therefore necessarily an integral element of the knowledge that makes it possible for all participants to follow organizational processes in the way outlined in the business strategy. Its management is a relatively new discipline, developed in the past 20 years, even though enterprises have historically implemented measures aimed at protecting their information capital. It has its roots in those business functions and disciplines that are open to new technologies endorsed by business management or information science.
Most large enterprises and organizations have separate task or organizational groups dedicated to internal information capital management, and their exact formulation is usually embodied in the functions of business strategy development, information technology or human resource management. Due to the "elusive" nature of information capital and the fact that the related activities are systematic and long-term rather than a single-instance effort, companies tend to outsource these activities, sometimes to other companies that provide strategic advisory support.
Information capital management should not serve its own purpose; it has to be focused on set organizational goals like the improvement of corporate performance, competitiveness, innovation, integration and quality. It is clear that in modern systems, information capital management and quality control/quality assurance are tightly connected activities. However, every modern enterprise has to match not only internal, but also external criteria, which can be divided into three different sets of criteria and perspectives to be satisfied[10]:
- The ecological perspective, focused on the interaction between people, their identity, knowledge and surrounding factors, starting from the fact that human cooperation in knowledge creation is comparable to the functioning of a natural ecosystem, because both systems are complex and adaptable.

[10] Aksentijevic, S.: "Information security in function of information capital management", seminar paper, University of Economy, Rijeka, 2010., p. 26 (not published)
The key issue most enterprises face is: how to identify information capital? Information systems usually store data; as already shown, if that data is given a certain context it represents information, and information may become knowledge and information capital if it helps the management and the enterprise improve business outcomes. However, it is very difficult to delimit and identify information capital. This is achieved by deploying measures of data and information classification, using information lifecycle management techniques. Information capital identification has to be done inside enterprises to achieve the following[11]:
incorrect information may result in wrong decisions, poor business results and loss of clients. Structurally classified and stored information capital enables the usage of data and information in real time during critical decision making.
5) Comparative advantage. Usually, when enterprises are oriented towards the achievement of one of the business goals, like goals of excellence or new products, services and models, it is quite obvious that they have already achieved a certain level of comparative advantage against the competition. Additional deployment of information capital results in increased business efficiency.
6) Daily operations. Enterprises typically invest in information technology primarily because it is necessary for daily operations. With deeper analysis this may lead to a more structured approach, but information capital is certainly the main facilitator behind the daily operations of enterprises.

[11] Cf. Tijan, E.: "Data classification and information lifecycle management in port community systems", Journal of maritime studies, The faculty of maritime studies, Rijeka, year 23, num. 2, 2009., p. 557.-568.
It can be concluded that information capital is only that set of data, information and structured knowledge used inside enterprises to create new forms of organization, management, products and services, and that gives enterprises a competitive edge. Enterprise information capital is protected by technical and organizational measures of integral and information security and by legal regulations.
Data classification and information lifecycle management are two mutually connected activities. Once data and information are adequately classified, the rules for their management may be applied selectively. The rules for data classification do not differ significantly from the rules for object classification in a domain system, where similar objects or users are grouped and a set of rules specific to that group is applied to them. The main goal is to group information into classes with similar characteristics, therefore requiring a similar approach to their management. There are several reasons why information classification is a demanding and complex task. The process refers not only to existing information, but also to information that might enter the system after it was initially deployed. It is much easier to add new information into an already established system than to introduce a classification process to existing data. The reason for this is rather simple: new information can be adjusted to the existing classification framework, while already existing information may be present in a form that does not allow for such malleability. Such obstacles may take the form of different database structures, application and business layers or internal information owners.
There are also strict requirements for enterprises to maintain information in a structured
form. Data classification applies to enterprise information capital regardless of its form: paper
documents, data on centralized servers, transaction systems, other types of databases, or data
stored in a distributed way. Data classification can also be applied to services such as electronic
mail, or to data held on smart phones or telephones. The activity of information classification
has to be sponsored by the highest management levels and by information process management.
The steps in information lifecycle management are outlined in Fig. 2.
Fig. 2: Steps in information lifecycle management: 1) information capital classification and
categorization; 2) balancing of information classes and business needs; 3) determining service
levels and cost goals; 4) establishing support services; 5) selection of information infrastructure
management tools.
Source: modified by the candidate, according to Tijan, E.: "Data classification and information
lifecycle management in port community systems", Journal of Maritime Studies, Faculty of
Maritime Studies, Rijeka, vol. 23, no. 2, p. 562.
Information classification has to follow business processes and has to be adjusted to the
form of the enterprise, its real issues, goals and quality control system. Its goal is to set up a
system that enables not only information capital protection but also the competitive advantage
that arises from systematic management of one's own knowledge.
A modern policy of information classification and lifecycle management has to take a
wider perspective than just legal requirements and information maturity (age). Among the
criteria to be evaluated are content management, Intranet and Extranet management, the
connection of the enterprise information system with other enterprise systems, data mining and
the requirements of top management decision systems. The end result of this process, which is
at the same time the input signal for the information lifecycle management process, is the
assignment of business value to different categories of data. This is best achieved in
technologically highly developed enterprises where service levels are well established and
translated into a standard offering of information services. However, contrary to popular
opinion, information capital is dynamic in nature and its attributes change rapidly. This means
that movement of information capital inside an organization may change its attributes. Such a
process is best managed using a consistent system of best-practice information service
management such as ITIL.
There are several models that can be used to create a taxonomy of information
classification.[12] Each of them assigns attributes to stored information. One of the most often
used models is the one developed by Bell and LaPadula, which relies on the classic concepts of
integrity, availability and confidentiality. There are, however, other models that can be partially
or fully used when introducing a data and information classification system:[13]
[12] Cf. Ibidem, p. 565.
1) Graham-Denning model[14]
2) Discretionary access control[15]
3) Mandatory access control[16]
4) Clark-Wilson integrity model of access control[17]
5) Multilevel security access control[18]
6) Biba integrity model[19]
These models are not discussed further, as most of them are part of established information
science technology and practice and more information on them is readily available.[20]
[13] Cf. Ibidem, p. 559.
[14] Smith, R.: "Introduction to Multilevel Security", http://www.cs.stthomas.edu/faculty/resmith/r/mls/index.html (20.04.2009.)
[15] Curphey, M., et al.: "A Guide to Building Secure Web Applications, The Open Web Application Security Project (OWASP)", 2002, http://www.cgisecurity.com/owasp/html/ch08s02.html (20.04.2009.)
[16] http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
[17] Blake, S. Q.: "The Clark-Wilson Security Model", http://www.lib.iup.edu/comsci-sec/SANSpapers/blake.htm (20.04.2009.)
[18] http://ou800doc.caldera.com/en/SEC_admin/IS_DiscretionaryAccCntlDAC.htm (11.04.2009.)
[19] http://www.freebsd.org/cgi/man.cgi?mac_biba (11.04.2009.)
[20] For a detailed discussion of these models cf. Aksentijevic, S.: "Information security in function of information capital management", seminar paper, University of Economy, Rijeka, 2010, pp. 35-37 (unpublished).
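To make the classification and access-control models listed above concrete, the following is an added example; it is not code from the paper or from any of the cited sources. It assigns each piece of information a label made of a confidentiality class, an integrity class and a set of need-to-know compartments, enforces the Bell-LaPadula confidentiality rules (no read up, no write down) together with the Biba integrity rules (no read down, no write up), and looks up the handling rules that apply to a confidentiality class once information has been labelled. All class names, compartment names, handling rules and the sample subjects and documents are constructed for illustration.

```python
# Added example, not from the paper: information labels with Bell-LaPadula
# and Biba checks and per-class handling rules. All classes, compartments,
# handling rules and sample entities below are constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet


class Confidentiality(IntEnum):
    """Ordered confidentiality classes; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


class Integrity(IntEnum):
    """Ordered integrity classes; a higher value is more trustworthy."""
    UNTRUSTED = 0
    VERIFIED = 1
    AUTHORITATIVE = 2


@dataclass(frozen=True)
class Label:
    confidentiality: Confidentiality
    integrity: Integrity
    # need-to-know compartments, e.g. {"finance"}; empty means none required
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Entity:
    """A subject (user, process) or an object (document, record) with a label."""
    name: str
    label: Label


def dominates(a: Label, b: Label) -> bool:
    """Confidentiality dominance: a's level is at least b's and a's
    compartments cover all of b's (the need-to-know part of the label)."""
    return (a.confidentiality >= b.confidentiality
            and b.compartments <= a.compartments)


def blp_can_read(subject: Entity, obj: Entity) -> bool:
    """Bell-LaPadula simple security property: no read up."""
    return dominates(subject.label, obj.label)


def blp_can_write(subject: Entity, obj: Entity) -> bool:
    """Bell-LaPadula *-property: no write down."""
    return dominates(obj.label, subject.label)


def biba_can_read(subject: Entity, obj: Entity) -> bool:
    """Biba simple integrity property: no read down."""
    return obj.label.integrity >= subject.label.integrity


def biba_can_write(subject: Entity, obj: Entity) -> bool:
    """Biba integrity *-property: no write up."""
    return subject.label.integrity >= obj.label.integrity


def can_read(subject: Entity, obj: Entity) -> bool:
    """Both models must allow the access (confidentiality and integrity)."""
    return blp_can_read(subject, obj) and biba_can_read(subject, obj)


def can_write(subject: Entity, obj: Entity) -> bool:
    return blp_can_write(subject, obj) and biba_can_write(subject, obj)


# Handling rules applied selectively per class once information is labelled
# (constructed values, not the paper's).
HANDLING_RULES = {
    Confidentiality.PUBLIC: {"encrypt_at_rest": False, "retention_years": 1},
    Confidentiality.INTERNAL: {"encrypt_at_rest": False, "retention_years": 3},
    Confidentiality.CONFIDENTIAL: {"encrypt_at_rest": True, "retention_years": 7},
    Confidentiality.SECRET: {"encrypt_at_rest": True, "retention_years": 10},
}


def handling_rules(obj: Entity) -> dict:
    return HANDLING_RULES[obj.label.confidentiality]


# Constructed sample subjects and documents.
ANALYST = Entity("finance analyst", Label(Confidentiality.CONFIDENTIAL,
                                          Integrity.VERIFIED, frozenset({"finance"})))
HR_CLERK = Entity("hr clerk", Label(Confidentiality.CONFIDENTIAL,
                                    Integrity.VERIFIED, frozenset({"hr"})))
BOARD_MINUTES = Entity("board minutes", Label(Confidentiality.SECRET,
                                              Integrity.AUTHORITATIVE, frozenset({"finance"})))
QUARTERLY_FORECAST = Entity("quarterly forecast", Label(Confidentiality.CONFIDENTIAL,
                                                        Integrity.VERIFIED, frozenset({"finance"})))
PRICE_LIST = Entity("public price list", Label(Confidentiality.PUBLIC, Integrity.VERIFIED))
WEB_FORM_INPUT = Entity("web form input", Label(Confidentiality.INTERNAL, Integrity.UNTRUSTED))

if __name__ == "__main__":
    for subject in (ANALYST, HR_CLERK):
        for obj in (BOARD_MINUTES, QUARTERLY_FORECAST, PRICE_LIST, WEB_FORM_INPUT):
            print(f"{subject.name:16} {obj.name:20} read={can_read(subject, obj)!s:5} "
                  f"write={can_write(subject, obj)!s:5} rules={handling_rules(obj)}")
```

The two models pull in opposite directions, which is the point of combining them: Bell-LaPadula alone would let the analyst append to the board minutes (a blind write up), and Biba alone would let the analyst act on untrusted web-form input; only an access that both allow goes through. The compartment check on the label is what turns the "need to know" principle into an enforceable rule rather than a policy sentence.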
plan is developed in line with internal documentation and processes. This document initially
states the dependency between the business case of the enterprise and the information capital of
the enterprise, and the willingness of enterprise management to implement a documented
procedure that promotes an information capital security business function. After all necessary
procedures are identified along with the legal requirements, a methodology for information
capital security planning can be implemented gradually. Such a methodology is shown in
Fig. 3.
Fig. 3: Methodology of information capital security planning. Inputs: legal requirements of
information security, best practice of information security, internal documentation. Steps: 1)
identification of standards and underlying documentation; 2) evaluation of the achieved level of
information security; 3) defining information security priorities; 4) identification of responsible
functions and operative levels; 5) identification of possible risks; 6) suggesting methods for risk
mitigation.
Source: Aksentijevic, S.: "Integral enterprise security function and information security
management system – Saipem Mediterranean Services LLC, Rijeka", master thesis, University of
Economy, Rijeka, 2008, p. 91 (unpublished).
The information security plan therefore also defines the key positions in the organization.
Initially, the needs for confidentiality, availability and integrity of information capital inside the
business context are established. After that, within the established framework, the need to
distribute information on a "need to know" basis and the best practices for the treatment and use
of information capital are defined. Discretion levels are created according to the Bell-LaPadula
model and are further used during information classification. After all possible risks are
identified, models to lower or completely avoid them are implemented. The main tools used in
those models are constant education of employees, setting requirements for and checks of
confidentiality towards third parties, and the creation of business unit and department
information security plans. At the very end, key users (usually middle management) are
identified and put in charge of executing and following up information security plans within
their lines of responsibility, and of ensuring the security of that part of enterprise information
capital which is under their control and considered especially sensitive and confidential.
There are several best practice systems used in the process of information capital
management. Some of those systems are national, some are more closely connected with certain
sectors (for example, the military complex or the pharmaceutical industry), and others are part
of the general management of documentation and information technologies or of project
management methodology.
COBIT[21] is a framework for the management of information technology created by ISACA[22]
and ITGI[23] in 1992. COBIT provides managers, auditors and users of information systems with
a set of generally accepted measures, processes, indicators and rules that can help maximize the
benefits of information capital, but also ensure adequate management of information resources
and control inside enterprises. It was issued in 1996, and its mission is the research,
development, publication and promotion of an internationally accepted set of control objectives
used by managers and auditors of information systems, security levels and controls. COBIT
provides a basis for decision making on investments in information infrastructure. It is based on
34 processes covering 210 controls in 4 main groups: planning and organization; delivery;
support and delivery; and follow-up and evaluation. The entire COBIT system contains six
publications:[24]
1) Management report
2) Framework
3) Control objectives
4) Audit guidelines
5) Implementation tools
6) Management guidelines
[21] Abbreviation for "Control Objectives for Information and related Technology"; for more details cf. http://www.ezcobit.com/UsingCobit/html/00Intro2.html (19.05.2010.)
Between 2000 and 2002, a number of corporate scandals and frauds were discovered in the
USA. Among them, the most famous were the scandals at Enron, WorldCom and Tyco. Lessons
learned from those scandals resulted in the creation of the Sarbanes-Oxley Act. A lack of control
mechanisms had allowed enterprise consultants to act at the same time as the auditors who were
supposed to provide an independent opinion. The full title of the Sarbanes-Oxley Act is "Public
Company Accounting Reform and Investor Protection Act of 2002".[25] This law sets new, and
enhances existing, standards in the accounting and business of American publicly owned
companies. As a consequence of this law, a number of agencies supervise, regulate, inspect and
penalize accounting and consultancy companies that are involved in the audit process.
[22] Abbreviation for "Information Systems Audit and Control"; for a more detailed description of the standard cf. http://www.isaca.org/ (19.05.2010.)
[23] Abbreviation for "IT Governance Institute", with head office in Rolling Meadows, Illinois, USA, cf. http://www.itgi.org/ (19.05.2010.)
[24] http://www.itsm.hr/itil-itsm-metodologija/metodologija-cobit.php (19.05.2010.)
[25] The Sarbanes-Oxley Act is mandatory for all enterprises regardless of size. For information security compliance, the most important are sections 302, 401, 404, 409 and 802, cf. http://www.soxlaw.com/s302.htm, http://www.soxlaw.com/s401.htm, http://www.soxlaw.com/s404.htm, http://www.soxlaw.com/s409.htm, http://www.soxlaw.com/s802.htm (18.05.2010.)
The American SEC defines COSO[26] as the methodology used to achieve compliance with the
Sarbanes-Oxley Act. COSO defines five main areas (components) of internal control that
support the requirements set by Sarbanes-Oxley. These five areas are the following:[27]
1) Risk assessment
2) Control environment
3) Control activities
4) Supervision
5) Informing and communicating
PRINCE2 is an acronym for "Projects In Controlled Environments", and it is in fact a
project management methodology. It was developed from the previous PRINCE technique,
issued by CCTA[28] as a standard for project management in the information sector, but since
then the methodology has been widely adapted and has become the de facto standard of project
management in the United Kingdom and fifty other countries. It does not provide a direct
framework for the evaluation and support of information capital security activities inside
enterprises. PRINCE2 is structured not only to mitigate possible risks, but also to derive benefits
from the positive impact of unforeseen events, where applicable.
Another set of techniques used to manage information technology infrastructure is
described in ITIL[29], a series of publications copyrighted in the United Kingdom. It provides a
set of descriptions of important practices in the management of tasks and procedures that can be
adjusted to suit the needs of particular organizations. The currently valid version (v3) was issued
in 2007.
The final concept of security management recognized by ITIL is information security, and,
similarly to other standards, its main goal is to guarantee the security of information against
risk; security is therefore the means of achieving protection from risk. The main disadvantage of
the ITIL information security process is that ITIL controls are enriched with physical security
controls but are lacking in the area of application, program and logical security.
[26] Abbreviation for Committee of Sponsoring Organizations of the Treadway Commission; for a detailed chart of the committee cf. http://www.coso.org (18.05.2010.)
[27] The brochures regulating the supporting matter are available on the Internet free of charge, cf. http://www.coso.org/guidance.htm (19.05.2010.)
[28] Abbreviation for Central Computer and Telecommunications Agency, which in 2000 became part of the British Office of Government Commerce (OGC) agency. For more details on the OGC agency cf. http://www.ogc.gov.uk/about_ogc_who_we_are.asp (19.05.2010.)
[29] Abbreviation for "Information Technology Infrastructure Library"; for a formal explanation of the meaning cf. the official Internet pages at http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp (19.05.2010.)
Finally, the most comprehensive standard for the implementation of information security is
ISO/IEC 27001.[30] In 2005 it replaced the British standard BS 7799-2. It is a standard for
information security management systems intended to be used in conjunction with ISO/IEC
27002, formerly known as ISO/IEC 17799, a code of practice defining the objectives of security
controls and recommending their practical area of application. It provides a practical model for
the establishment, operation, monitoring, maintenance and continual improvement of
information security management. Organizations that use ISO/IEC 27002 when evaluating their
systems are likely to be compliant with the ISO/IEC 27001 standard.[31]
Regardless of the formal system of certification or management of information security,
every enterprise or organization is subject to a set of laws that regulate this area. Usually, the
most developed set of legal regulation relates to the financial and banking sector.
Efficiency and productivity are two very distinct principles, as are the macroeconomic
and microeconomic perspectives; nevertheless, investigation of some macroeconomic
aggregates may reveal interesting insight into the unexpected behavior of some forms of capital
in economic reproduction. Economic efficiency, analyzed as a microeconomic phenomenon, is a
measure of resource utilization in achieving a certain level of goods and services; economic
productivity, as a macroeconomic phenomenon, is a measure of the output of a production
process in comparison to its input (typical input factors being labor and capital). Keeping these
two clearly distinct, further analysis can establish whether, in a macroeconomic model,
additional deployment of information capital can be beneficial for the productivity of the overall
economy.
[30] Abbreviation for "International Organization for Standardization", cf. http://www.iso.org/iso/about.htm (19.05.2010.)
[31] For a detailed expansion of the ISO 27001 topic cf. Aksentijevic, S.: "Information security in function of information capital management", seminar paper, University of Economy, Rijeka, 2010, pp. 45-51 (unpublished).
To achieve this, the Solow[32] residual may be used. After World War II, mass
industrialization and large investments in capital resources and automated production were
undertaken. Even the Soviet experience of a controlled economy that achieved (at least initially)
high growth rates was sometimes cited as the right choice. Even though over-investment in
capital as a production factor may lead to diminishing returns due to equipment depreciation,
this was the path followed in many countries. Other economists, however, took the view that
once the marginal rate of return on capital becomes equal to the marginal rate of return on
labor, returns will diminish.
This consideration led to the conclusion that only those countries that had previously
under-invested in capital stock would benefit greatly from additional investments in
infrastructure, while other nations should concentrate on improving labor productivity. It was
Solow's merit to identify an indicator (per-capita economic growth above the rate of capital
stock growth), named in his honor the Solow residual. Data from real economies showed that
the measured growth in the standard of living could not be explained solely by growth in the
capital/labor ratio. Solow explained that new technologies and innovation, rather than capital
accumulation, were the way for national economies to achieve growth. The Solow residual is
therefore a useful tool to show the effect of so-called "technology" growth, as opposed to
"industrial" growth.
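The growth-accounting form of the residual, added here as an illustration of the indicator described above (this derivation is not in the paper; it assumes the standard Cobb-Douglas production function with a capital share $\alpha$, as in Solow's own work):

Write output as $Y = A\,K^{\alpha}L^{1-\alpha}$, where $K$ is the capital stock, $L$ is labor and $A$ is total factor productivity. Taking logarithms and differentiating with respect to time, with $g_x = \dot{x}/x$ denoting a growth rate, gives

$$g_Y = g_A + \alpha\, g_K + (1-\alpha)\, g_L .$$

The residual is the part of output growth that the measured factor inputs do not account for:

$$g_A = g_Y - \alpha\, g_K - (1-\alpha)\, g_L .$$

In per-capita terms, with $y = Y/L$ and $k = K/L$, this reduces to $g_A = g_y - \alpha\, g_k$: the growth of output per worker in excess of the capital-share-weighted growth of capital per worker, which is the "per-capita economic growth above the rate of capital stock growth" referred to above. Anything that raises $A$ (technology, innovation, and on this paper's argument information capital) shows up only in this remainder, never in the $K$ and $L$ terms.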
Over time, some economists have developed major objections to the Solow[33] residual.
The influence of technologies and, consequently, information capital has been a major source of
dispute. In 1982, Nathan Rosenberg said that "economists have long treated technological
phenomena as events transpiring inside a black box....[and] adhered rather strictly to a
self-imposed ordinance not to inquire too seriously into what transpires inside that box."[34]
These authors usually consider that such a large unaccounted proportion of growth, not
explained by the factors of production, by itself poses a big problem. Another problem is that
the neoclassical approach cultivated by Solow was not able to explain the emergence of crises
(this is also an issue with many other neoclassical, and other, microeconomic models). There are
also some empirical data that prove problematic to explain. For example, Plosser's and
Mankiw's panels, shown in Fig. 4 and Fig. 5, elaborate further on this.
[32] Robert Merton Solow (born August 23, 1924) is an American economist particularly known for his work on the theory of economic growth that culminated in the exogenous growth model named after him.
[33] Cf. Louçã, Francisco: "The Solow Residual as a Black Box: Attempts at Integrating Business Cycle and Growth Theories", History of Political Economy, vol. 41, 2009, pp. 334-355.
[34] Rosenberg, Nathan: "Inside the Black Box: Technology and Economics", McGraw-Hill, 1983, pp. 193-195, 225-238.
Fig. 4. Source: Plosser, C.I.: "Understanding Real Business Cycles", RCER Working Papers,
University of Rochester - Center for Economic Research (RCER), 1989, p. 198.
Fig. 4 shows the annualized percentage rate of technology change, and Plosser's conclusion
was that the residuals behave according to random walk theory. Mankiw, on the other hand,
plotted the residuals against the income series and claimed that the residual was quite literally a
"leftover", as shown in Fig. 5.
There is another interesting concept that can be derived from evaluations of the Solow
residual. In 1987, after receiving the Nobel prize, Robert M. Solow said: "You can see the
computer age everywhere but in the productivity statistics." This has since been known as the
"Solow productivity paradox", and it is usually interpreted to mean that labor productivity has
not risen after information technology was introduced in industry and across enterprises.
Empirical evidence is that the use of new technologies boosts output in industrial and office
environments, but such evidence is not confirmed by growth indicators. It is interesting that
precisely after the 1970s, when computerization and the use of information science and capital
were really booming, productivity fell or at best stagnated, as shown in Table 1.
Table 1: Productivity growth (%) in some world countries and associations, 1960-2007.
Source: calculations based on The Conference Board and Groningen Growth and Development
Centre, Total Economy Database, September 2008.
Let us also evaluate the downtrend in annual productivity growth rates of output per hour for
the EU-15[35] and the USA, as shown in Fig. 6.
Fig. 6: Trend in output per hour for the EU-15 and the U.S.A., 1981-2004.
Source: http://www.metrics2.com/blog/2007/01/24/2006_us_labor_productivity_growth_at_the_lowest_in.html (26.01.2011.)
[35] The EU-15 consists of the following 15 countries of the European Union: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.
It would be interesting to evaluate this paradox, considering that even incidental evidence
shows that intensive use of computer capital should improve productivity, and that additional
investment in information technology and accumulation of structural capital (information
capital included) should result in additional growth. There are several possible reasons why
this is so:
1. Processes that involve intensive application of information capital are those that are
somewhat remote from "real economy" processes and production (even though the
technology deployed in a production process necessarily depends both on innovation
and on the underlying processes). That is why information capital enhances the
underlying processes, but this does not translate into a real productivity increase, either
in the labor or in the capital sense;
2. A similar analogy has been noted by other authors. For example, the economist Paul
David did not accept Solow's position on this paradox and claimed that the problem
was the lag in productivity improvements between the introduction of a new technology
and the point at which it produces tangible results. He underlined his opinion by
drawing an analogy with the introduction of the electric motor in 1880, whose impact in
the statistics was negligible until 1913;[36]
In its simplest form, the Pareto efficiency model is a model of multi-criteria optimization
that is often used not only in economics but also in the technical and social sciences. It is based
on changing parameters to obtain the best possible outcome for a given problem. In economics,
a Pareto efficient solution is one in which there is no way to further improve the situation of one
participant without worsening the situation of another. A distribution, or input, that satisfies
this requirement is considered "Pareto optimal". The Pareto efficiency model can equally be
applied to the production of several goods, when outcomes have to be calculated in terms of the
quantity of goods produced, or when an adequate allocation of production factors such as capital
and labor has to be achieved. The possible combinations of production factors that can be
combined to create output make up the so-called Pareto frontier, where any additional output of
one product inevitably leads to lower production of another, thus inevitably moving further
away from the Pareto optimum.
Pareto efficiency is devoid of moral dilemmas. This means that all situations in which one
person has all the riches in the world and some persons have none, or in which a certain product
is produced entirely by labor with almost no capital, or in which a quantity of a certain product
is produced "at the expense" of another, may lie on the Pareto frontier and be Pareto optimal
and/or efficient.
[36] David, Paul A.: "The Dynamo and the Computer: An Historical Perspective on the Modern Productivity Paradox", The American Economic Review, vol. 80, no. 2, pp. 355-357.
[37] Oliner, Stephen D., Sichel, Daniel E., Stiroh, Kevin J.: "Explaining a Productive Decade", FEDS Working Paper No. 2007-63, p. 17.
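The frontier construction described above, as an added example that is not part of the paper: given a constructed set of feasible production plans, each recording the quantities of two goods obtainable from the same fixed stock of capital and labor, the code keeps exactly those plans that no other plan Pareto-dominates (at least as much of every good and strictly more of at least one), and tests whether a proposed reallocation is a Pareto improvement. The plan quantities are constructed sample values, not data from the paper, and the routine works for any number of goods, not only the two shown.

```python
# Added example, not from the paper: Pareto frontier of constructed production
# plans. Each plan is a tuple of output quantities (one entry per good).
from typing import Iterable, List, Sequence, Tuple

Plan = Tuple[float, ...]


def pareto_dominates(a: Sequence[float], b: Sequence[float]) -> bool:
    """True if plan a yields at least as much of every good as plan b and
    strictly more of at least one; such a b cannot be Pareto optimal."""
    if len(a) != len(b):
        raise ValueError("plans must cover the same goods")
    return all(x >= y for x, y in zip(a, b)) and any(x > y for x, y in zip(a, b))


def pareto_frontier(plans: Iterable[Plan]) -> List[Plan]:
    """Return the non-dominated plans, sorted, with duplicates removed."""
    candidates = set(plans)
    frontier = [p for p in candidates
                if not any(pareto_dominates(q, p) for q in candidates)]
    return sorted(frontier)


def is_pareto_improvement(before: Plan, after: Plan) -> bool:
    """A reallocation is a Pareto improvement only if no quantity falls and at
    least one rises; moving along the frontier never qualifies."""
    return pareto_dominates(after, before)


# Constructed feasible plans (units of good A, units of good B) from one
# fixed endowment of capital and labor; (6, 5) is deliberately duplicated.
SAMPLE_PLANS: List[Plan] = [
    (10, 0), (8, 3), (6, 5), (5, 5), (3, 7), (0, 9), (4, 4), (8, 2), (6, 5),
]

if __name__ == "__main__":
    print("frontier:", pareto_frontier(SAMPLE_PLANS))
    print("(4,4)->(6,5) improvement:", is_pareto_improvement((4, 4), (6, 5)))
    print("(6,5)->(8,3) improvement:", is_pareto_improvement((6, 5), (8, 3)))
```

The interior plans (5, 5), (4, 4) and (8, 2) drop out because some other feasible plan gives more of one good with no less of the other; the five plans that remain are the frontier, and trading between any two of them is exactly the "more of one product at the expense of another" move the text describes, which is why it is never a Pareto improvement.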
Contrary to popular belief, and as was the case with the relation between information and
macroeconomic productivity, information capital within enterprises behaves as a fixed
investment cost and a sunk cost. Many analysts believe that ICT investments have little or no
value for the price of a firm (despite the fact that the analysts themselves use expensive ICT
tools!), and while information and knowledge have positive connotations in the sciences, the
traditional economic perspective relates information to inefficient markets, with few
exceptions.[39] The usual economic model calls for perfect knowledge, perfect information and
convexity of preferences, while the markets associated with information are typically limited
and information is in fact in short supply, which does not allow market mechanisms to match
demand and supply, as shown in Fig. 8.
Fig. 8: Classical supply-demand model under inefficient conditions of the information capital market.
Source: Fodor, George A.: "The Value of Information", short version of the Milano University
presentation, ABB AB, Sweden, Milano, October 2008, p. 28.
[38] The New Oxford American Dictionary, Erin McKean, 2005.
[39] Cf. Levander, Margaretha: "Så gör analitikerna när de värderar ditt bolag" (translation from Swedish: This is how analysts evaluate your company), CIO Sweden, http://cio.idg.se/2.1782/1.181573 (27.01.2011.)
Orthodox evaluations of classical forms of capital therefore cannot answer the dilemma
posed by the general behavior of information capital in economic reproduction. The key resource
is therefore no longer information capital itself, but ownership of information capital that
prevents others from gaining access to it; it is a barrier to entry for the competition. An
additional difficulty in this evaluation arises from the duality of the nature of information:
information that has convex properties is already embedded in the equilibrium price, while
information that is not convex (for example, futures markets and patents) is not included in the
equilibrium, but will appear in the market in future. Therefore, enterprises are typically
interested only in the value of the non-convex type of information.
5. CONCLUSION
On the microeconomic level, there are serious problems in the evaluation of information
capital, as it behaves differently from physical or financial capital. The main traits of
information capital in that scenario are expectations and scarcity, and its main property is
unavailability to other market players. This makes information capital elusive for analysis, as it
is typically considered to function in the non-efficient strata of the market.
On the macroeconomic level, surprisingly, increased levels of information capital are not
significantly correlated with higher productivity. It remains to be seen what exactly is the source
of this phenomenon, as new forms of capital brought about by technical progress have typically
required several decades to become statistically measurable.
Maintaining a stock of information capital is a technically very demanding and financially
very expensive business function, both in terms of investment and running costs. Enterprises
should therefore aim to identify the productive part of their information stock through the
methods of data classification and information lifecycle management, in line with their own
needs and procedures and with legislative requirements, and maintain and manage only that part
of their overall information capital in order to achieve the goals of cost efficiency.
LITERATURE
BOOKS
1. Canzer, B.: "E-Business: Strategic Thinking and Practice", McGill University and
Concordia University, 2006.
2. Louçã, Francisco: "The Solow Residual as a Black Box: Attempts at Integrating
Business Cycle and Growth Theories", History of Political Economy, vol. 41, 2009.
3. Rosenberg, Nathan: "Inside the Black Box: Technology and Economics", McGraw-Hill,
1983.
ARTICLES
OTHER SOURCES
INTERNET SOURCES
ILLUSTRATIONS
1. Table 1: Productivity growth (%) in some world countries and associations, 1960-2007.