Adrian Munteanu | Universitatea Alexandru Ioan Cuza Iasi


Papers by Adrian Munteanu

Enablers of information security culture

The aim of our article is to provide arguments for a poly-contextual and dynamic approach to information security risk culture. We consider the correlation of memes as DNA (DeoxyriboNucleic Acid) of the mind with knowledge and the organizational context. Our approach is interpretivist, reflective and dialectic (Cecez-Kecmanovic, 2011). It seeks to overcome the limits of knowledge induced by the highly mathematical models that are featured in specialized literature and often taken over in software applications.

Yet we have to consider the subjectivism of the information that we process (Von Bayer, 2004). Depending on the country or the region, we can notice that there are discrepancies between our own perceptions and the perceptions of our fellows. Human behaviour adjusts depending on our own experiences that are also specific to the environment in which we live (Lorenz, 1969).

Can actual information security risk assessment models provide objective, scientific information on a wide range of social and technological risks? Can individuals develop unique and precise judgments that can be limited only to mathematic forms and calculus? “Risk does not exist ‘out there’, independent of our minds and cultures, waiting to be measured” (Slovic, 1992). As early as the 1950s operational risk theoreticians stated that risk cannot be defined beyond human perceptions (Rappaport, 1953).

How Much Matter Probabilities in Information Security Quantitative Risk Assessment?

The starting point of this research essay is a critical review of two methods to conduct a quantitative analysis of information systems security risks: 1) Management of Risk: Guidance for Practitioners and 2) a cost model based on annual loss expectancy. We are focusing on these methods with a perspective that highlights the limits of both empiricism and the theoretical elements that underlie them.

PLAYING THE GAME OF PUBLISHING IN MANAGEMENT INFORMATION SYSTEM JOURNALS - AN EAST EUROPEAN COUNTRY CASE STUDY ABOUT BEING A PROFESSOR AND ABOUT HABILITATION IN IS (in GEBA 2012)

The starting point of our article is the performance criteria required to be tenured as professor and to obtain habilitation in Romania and two articles written 11 years apart from each other: An IS Research Relevance Manifest [1] and Memorandum on design-oriented information systems research [2], respectively. We subscribe to the view expressed by [3]:

• "IS faculty members do not have a monopoly on IS research;
• IS research obviously has had an impact by informing practice and teaching;
• Like customers of any product, practitioners (and many IS faculty members) should be expected to avoid journals directed to a different audience;
• There is a way to make academic research more relevant (on average) and academic journal more approachable."

Discussion about rigor in the world of scientific research and its practical applicability or relevance is not new, as stated in [4], [5], [6], [7], . There is evidence that the subject is one that grinds the academic world. Our goal is not to go further into this debate but to present how it can position a faculty member's development in Romania, in the context of international research in the field of information systems.

Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma

This paper presents main security risk assessment methodologies used in information technology. The author starts from and research, bringing real-world examples as to underline limitations of the two risk assessment models. After a critical review of standards that reveal lack of rigour, a practical comparison of the quantitative information security risk assessment models with the qualitative models shows that we can introduce two new factors which have an impact on risk assessment: time constraint and moral hazard of the analyst. Information technology managers know that in information systems long-term security is an ideal situation and that financial impact of poor information security policies, procedures and standards are in most cases very difficult to be calculated. These calculations rarely will be accurate and universal and ready for use by any security analyst.

Information Systems Security Risk Assessment: Harmonization with International Accounting Standards

This paper emerges from research by (Alter, S. et al., 2004), (Dillard, K. et al., 2004), (Landoll, DJ, 2006) and (Soliman, K., 2006), and it draws on real-world examples so as to underline some limits of quantitative risk assessment. The paper is a case study and ...
