Обеспечение информационной безопасности в контексте антикризисного управления машиностроительным предприятием

Under present conditions, no economic sector, as well as no business of any size can expect to survive and compete effectively without embracing information technology. Information comes from a wide variety of sources, which can be used to guide operational planning, strategic management and performance measurement of an enterprise. Understanding the external and internal sources of information and how to access them can help enterprises to stay on the top of emerging trends. Information classification is significant for proper handling, and ultimate enterprise information security. All crisis management procedures are generally based on information technology. On this basis, the issues of interaction of crisis management and information technology are relevant.

The current economic potential of enterprises is determined by the level of their information structure development. The potential vulnerability of these enterprises from the negative impacts of information increases significantly. The progressive development of the machine-building enterprises is hard to imagine without effective production management systems which provide not only comprehensive automation of the information collection, transmission and storage, but also evidence-based decision-making. In this regard, the problem of information security in the context of crisis management of the machine-building enterprises has become an important area of investigation.

The information security issues, facing most enterprises nowadays, have received considerable attention in the economics literature Berezyuk [2], Kamyshev [6], Kovalenko [5], Selyuchenko [8], Tkachenko [9], Yasenev [10]. The analysis of the published works, devoted to the study of this significant problem, showed that there is no methodological framework, necessary for the formation of a holistic view of information security in the context of crisis management of the machine-building enterprises. That is why all of these issues require further study and extension of this scope.

The overall purpose of this paper is to study the theoretical foundations and practical problems of information security in the context of crisis management of the existing machine-building enterprises.

It is envisaged that the emergence of information risk is determined by supply of incomplete information about the financial status and the internal business processes, as well as the lack of information about today’s business environment, information asymmetry, unpredictable changes in legislation and so on. As a result, businesses can make mistakes in the choice of anti-crisis strategy and in the financial resources which can support the economic recovery and enterprise growth. On the basis of theoretical statements of Ukrainian writers [4, 8] we have identified that these mistakes can be also related to the process of the development of technical, organizational, legal and social measures that will make it virtually impossible for removing negative impacts of the crisis on the enterprise.

It seems important to pay attention to the fact that the development of an information security management system should focus on the current concept of management, which requires a combination of process, system and situational or contingency approaches. Process approach is related to the information provision as a series of sequential, continuous, interconnected actions aimed at achieving this goal. Another approach to management, known as the system approach, implies that each enterprise is seen as a complete entity. This entity is made of different subsystems, which are interconnected and influence each other and the entity as a whole. Situation approach indicates that the development of information security management system should provide opportunities for preventive action on the different situations occurring outside and inside the enterprise [9].

The system of crisis management of the machine-building enterprises should provide an effective solution to the following problems: early diagnosis to forestall crisis and its impact on the activities of enterprises, immediate responses to the degree of a real threat to the financial equilibrium of the enterprise, as well as searching for opportunity out of the crisis. The solution of these issues is becoming a prerequisite for successful development of the enterprises. To overcome these challenges, enterprises can adopt the advanced information systems, like financial management and accounting information systems, marketing information systems, personnel information systems and so on. These ones are those that provide the automation of various tasks, which are as follows: the finished goods accounting, common accounting for wage costs and deductions, accounting for property, plant and equipment, accounting for goodwill and intangible assets, as well as production management, inventory management, portfolio management. Despite the fact that the information systems listed above are widely used in crisis management and help to prevent the risk of any enterprise, they often serve as a source of risk. Business processes, because of their heavy reliance on computer technology, can be quite vulnerable. In this regard, there is a need to ensure information security in the context of crisis management of the machine-building enterprises.

Information security is a concept that still lacks of unambiguous definitions. We identified that in recent years a debate has been taking place questioning whether the term “information security” is something new or just a new word for a phenomenon that basically always has existed. In fact, neither a widely accepted information security definition nor standardized critical success factors taxonomy exists. Generally, information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction and disruption.

According to the International Standards Organization (ISO), information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities [4]. In the most general terms, the information security is defined as the inability to harm the security properties of a certain object. This kind of security greatly depends on the information itself, and on the enterprise information infrastructure [10].

It is obvious that information security consists of: the current state of protection of information space, which ensures its formation and development in the interest of citizens, organizations and the country as a whole; the quality of the infrastructure, which guarantees the use of the information exactly as prescribed to maintain success has no negative impact on the system during its practical use; the current state of information, which allows to prevent violations of its properties such as confidentiality, integrity and availability; economic component (the management structure in the economic sphere, including the system of collection, storage and processing of information for production management, the systems of general economic analysis and forecasting of economic development, the management and coordination in the industrial and transportation systems, energy systems management, centralized supply system of decision-making and coordination in emergency situations, information and telecommunication systems and so on); financial component, based on information networks and databases of banks and banking associations, financial exchange system and financial calculations (See Figure 1).

Specifically, using the framework of another author [6], who outlined multiple ways of analyzing information security concept, we identified that the essence of this term is indicated through a set of specific actions necessary to determine elimination and neutralization of negative sources, conditions and causes effects on the information.

Fig.1 – The structure of the term “information security”
(Source: according [10])

First of all, it is a condition of security information environment that provides its formation, practical use and development in the interest of citizens, organizations and the state. Secondly, it is a condition of security information needs of a person, society and the state, which will ensure their existence and progressive development regardless of the presence of internal and external IT threats. The current state of access to the important information determines the adequacy of the subject’s perception of reality and, as a consequence, the validity of future decisions and actions.

In a very general sense, information security can be defined as the process of ensuring information confidentiality, integrity and availability [3]. However, it should be mentioned that confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems [7]. In addition, integrity refers to the protection of information from unauthorized modification or destruction [1]. To crown it all, availabilty refers to the protection of information systems from unauthorized disruption [3]. This traditional way to understand information security helps us to handle this complex and dynamic phenomenon in a concrete way.

Synthesis of the various approaches to the organizational information security management has allowed us to develop a strategy for information security in the context of crisis management of machine-building enterprises (see Figure 2).

Fig. 2 – The content of the information security strategy in the context of crisis management of machine-building enterprises (Source: according to authors’ compilation)

The findings from the Figure 2 can be summarized as follows. Information is a strategic asset that is significant to the modern enterprises, especially those which operate in the machine-building industry. Consequently, information needs to be not only protected, but also collected, maintained and disseminated appropriate and in accordance with enterprise internal rules and procedures. This is especially important in the dynamic business environment. Therefore, information is exposed to an increasing number and a wider variety of threats.

Among the reasons for the development of the proposed information security strategy there are some information security threats which can be random in nature, and other threats, which originate in willful human actions. We have identified that the potential threats, concerned with information security of an enterprise may include not only official documentation containing false information, but also untimely or inaccurate information. It is self-evident that threats with a random nature are concerned with a wide range of errors that occur as a result of operation of the available equipment or due to the lack of staff. Unlike them, threats of the intentional actions of people include, above all, theft, disclosure, information leakage, unauthorized access of people to information resources, disabling technical support, and, finally, a computer virus distribution.

The main goal of the proposed strategy is to maintain the confidentiality, integrity and availability of information for effective crisis management of machine-building enterprises. Moreover, the information should be protected from illegal modifications, and always be ready for practical use.  The access to it should be granted to the authorized personnel only.

Among the factors affecting the implementation of the strategy, we distinguished the external and the internal ones. It is clear that, the first group is concerned with human resources (staff and the special structural units, which are responsible for the protection of information security of an enterprise), hardware and software, the financial resources of an enterprise and so on. In turn, the so-called external factors include the competitors and consumers.

In the context of our study we identified the core principles of the information security strategy, which are based on legality, risk minimization, responsibility, cooperation and collaboration, complexity and individuality. The development of an information security strategy, above all, should be guided by the principle of the current legislation, as well as the determination of the specific business conditions at any time, the definition of the responsibility of each employee of the enterprise for adherence to privacy and security of information, and, finally, the promotion of trusting relationships in a work environment between employees who are directly responsible for information security.

One should, however, not forget that all measures necessary to ensure enterprise information security, depending on the method of their implementation, can be divided into the following broad groups: legal, ethical, administrative, physical and technical [10]. A detailed analysis of the scientific literature [2, 5, 10] has allowed us to identify the following methods of enterprise information security: barrier, access control, masking, regulation, motivation, and compulsion. Facilitating access to information provides for the regulation of an enterprise information system through the use of the identification, authentication, authorization check, and feedback. Coercion is a method of information protection, in which users and staff should follow the rules of use of this information under the threat of physical and administrative responsibility.

The above mentioned methods of enterprise information security are implemented by using a certain type of measures: physical, hardware, software, encryption, organizational, legal or ethical. Physical information protection measures are designed to prevent access of potential offenders the places where important information is found. Hardware protection is based on the electronic, electro-mechanical and electro-optical devices, able to protect the structural elements of an internal computer systems of machine-building enterprises. Regarding to software measures of information protection, it should be mentioned that they are used to perform a strictly logical and intelligent protection functions. All in all, cryptographic measures allow converting information into an unreadable form by using an encryption algorithm combined with an encryption key.

Among the strategic directions of information security in the context of crisis management of the machine-building enterprises we have identified the following directions. Organizational information security direction includes an analysis of external and internal threats, the main features of the organization of personnel management, as well as organization of the corporate documents, organization and protection regime and, of course, systematic monitoring of these processes. Another strategic direction of ensuring enterprise information security, which is called as engineering and technical support, provides the use of technical means for collecting, processing and storage of confidential information, information protection and systematic monitoring.

A challenge in the evaluation of the effectiveness of any information security strategy in the context of crisis management engineering enterprises is dealing with the identification of the potential sources of cost-effective opportunities for reducing the property damage from the negative impacts of potential threats to information security. Unfortunately, experience indicates that not all of the damages caused by the implementation of information security threats can be uniquely expressed in monetary terms. For example, harming the intellectual property of the enterprise can lead to such consequences as loss of market position, permanent and temporary loss of competitive advantage or even reducing the cost of the brand. That is why making a right decision should be based on a qualitative assessment of all possible effects.

Through this research we have come to certain conclusions.  Nowadays innovative machine-building enterprises are increasingly aware of the role that information and its related technologies play in the most organizational functions, especially in obtaining the sustainable competitive advantage. In the light of profound and accelerating impact of globalization, confidential information is exposed to a wide range of security risks, which are as follows: leakage of information and prolonged service outages or e-mail disruptions, internet access, which may have a significant impact upon enterprise level performance. To ensure information security in the context of crisis management, the machine-building enterprises must implement an information security strategy through the establishment of an exhaustive framework to enable the development, institutionalization, evaluation, and continuous improvement of the selected information security directions. Furthermore, the information security strategy of any machine-building enterprise must support the approved strategic plan with its content, associated with the higher-level sources.

We must admit that information security supports the enterprise in achieving its overall objectives. To begin the development of a strategic plan for security it is essential to understand the business objectives and the key elements of the information security function. In recognition of the increasing need to protect the critical business, intellectual and computing resources, the necessity of an effective use of information technology in the process of crisis management is proved in the paper.

Finally, it should be mentioned that due to the fact that information technologies themselves are a source of risk, we came to the conclusion that the issue of information security is relevant and appropriate in the context of crisis management of machine-building enterprises. To maintain confidentiality, integrity and availability of information in the implementation of an effective crisis management, the information security strategy of these innovative enterprises was developed by authors. Undoubtedly, the implementation of the strategic directions will enable enterprises to reduce both the potential financial losses and maintain a competitive advantage and market position.

References

1. Alankirta Ladage, T.H. Gurav (2014), A Survey on Integrity Protection Mechanisms for Open Mobile Platform, in: International Journal of Science and Research, Vol. 3, Issue 12, pp. 1391-1393.
2. Berezyuk, L.P. (2008), Ensuring organizational information security, Publishung House of the Far Eastern State University of Railway Transport, Russian Federation, 188 p.
3. Hamid, Nemati (2008), Introductory Chapter, Information Security and Ethics: Concepts, Methodologies, Tools, and applications, Idea Group Reference, 4037 p
4. Kairab, Sudhansu (2005), A practical guide to security assessments, Library of Congress Cataloging-on-Publication Data. 499 p.
5. Kamyshev, E.N. (2009), Information Security and Data Protection, Publishing House of Tomsk Polytechnic University, Russian Federation, 96 p.
6. Kovalenko, U.O. (2010), Ensuring information security of an enterprise, in: Industrial Economics, Ukraine, Vol. 3, pp. 123-129.
7. Sattarova, Feruza Y., Tao-hoon Kim (2007), IT Security Review: Privacy, Protection, Access Control, Assurance and System Security, in: International Journal of Multimedia and Ubiquitous Engineering, Vol. 2, No. 2, pp. 17-31.
8. Selyuchenko, N.Y., Kichor V.P. (2008), Information risk in crisis management, in Visnyk of Lviv Polytechnic National University, Ukraine, Vol. 611, pp. 197-202.
9. Tkachenko, A.M., Livoshko T.V., et al (2009) Economic information as a key element of information security management and business planning industry, Publishing House of Zaporozhye State Engineering Academy, Ukraine, 362 p.
10. Yasenev V.N., (2006), Information Security in economic systems: a tutorial, Publishing House of the Nizhny Novgorod State University, named after N.I. Lobachevsky, Russian Federation, 253 p.