Tietojärjestelmien riskit osana liiketoiminnan jatkuvuuden hallintaa

Tietojärjestelmät ovat kehittyneet kriittisiksi tekijöiksi yritysten liiketoiminnassa. Niitä on vaikea tai lähes mahdoton korvata. Toisaalta tietojärjestelmät ovat edesauttaneet yrityksiä tehostamaan toimintaansa. Yrityksen toimialalla tai koolla ei nykyään ole merkitystä erilaisten tietoteknisten järjestelmien ja sovellusten hyödyntämisessä. Riskienhallinnan avulla yritys pyrkii ennaltaehkäisemään tunnettuja riskejä. Liiketoiminnan jatkuvuudenhallinta pyrkii puolestaan varautumaan riskin aiheuttamaan liiketoiminnan häiriöön ja siitä toipumiseen. Tietojärjestelmien ollessa korvaamattomia tulee yrityksen kohdistaa resursseja ennaltaehkäiseviin toimiin, lisäksi sen on pyrittävä lyhentämään häiriöstä toipumisen aikaa. Tutkimuksen tarkoituksena oli tunnistaa kohdeyrityksen tietojärjestelmien merkittävimmät riskit, jotka uhkaavat oleellisesti liiketoiminnan jatkuvuutta. Liiketoiminnan jatkuvuuden tarkastelussa hyödynnettiin yrityksen käyttämää suorituskykymittaristoa (Balanced Score Card). Työllä tuetaan yrityksen laatujärjestelmän vaatimuksia liiketoiminnan turvaamisessa. Tutkielma toteutettiin pääasiassa teemahaastatteluiden muodossa, laadullista tutkimusmenetelmää hyödyntäen. Tutkimuksessa todettiin yrityksen tietojärjestelmien ja niiden ylläpidon olevan hyvällä tasolla. Muutamia kriittisiä vikaantumispisteitä kuitenkin havaittiin, joiden pohjalta laadittiin kehitysehdotuksia tietojärjestelmien vikasietoisuuden parantamiseksi liiketoiminnan jatkuvuudenhallinnan näkökannalta.

Information exchange and disruption risk in multimodal maritime supply chains

Supply chains are becoming increasingly dependent on information ex-change in today’s world, and any disruption can cause severe repercus-sions to the flow of materials in the chain. The speed, accuracy and amount of information are key factors. The aim in this thesis is to address a gap in the research by focusing on information exchange and the risks related to it in a multimodal wood supply chain operating between the Baltic States and Finland. The study involved interviewing people engaged in logistics management in the supply chain in question. The main risk the interviewees identified arose from the sea logistics system, which held a lot of different kinds of information. The threat of breakdown in the Internet connection was also found to hinder the operations significantly. A vulnerability analysis was carried out in order to identify the main actors and channels of infor-mation flow in the supply chain. The analysis revealed that the most important and therefore most vulnerable information-exchange channels were those linking the terminal superintendent, the operative managers and the mill managers. The study gives a holistic picture of the investigated supply chain. Information-exchange-related risks varied greatly. One of the most frequently mentioned was the risk of information inaccuracy, which was usually due to the fact that those in charge of the various functions did not fully understand the consequences for the entire chain.

Parasitic Order Machine. A Sociology and Ontology of Information Securing

This study examines information security as a process (information securing) in terms of what it does, especially beyond its obvious role of protector. It investigates concepts related to ‘ontology of becoming’, and examines what it is that information securing produces. The research is theory driven and draws upon three fields: sociology (especially actor-network theory), philosophy (especially Gilles Deleuze and Félix Guattari’s concept of ‘machine’, ‘territory’ and ‘becoming’, and Michel Serres’s concept of ‘parasite’), and information systems science (the subject of information security). Social engineering (used here in the sense of breaking into systems through non-technical means) and software cracker groups (groups which remove copy protection systems from software) are analysed as examples of breaches of information security. Firstly, the study finds that information securing is always interruptive: every entity (regardless of whether or not it is malicious) that becomes connected to information security is interrupted. Furthermore, every entity changes, becomes different, as it makes a connection with information security (ontology of becoming). Moreover, information security organizes entities into different territories. However, the territories – the insides and outsides of information systems – are ontologically similar; the only difference is in the order of the territories, not in the ontological status of entities that inhabit the territories. In other words, malicious software is ontologically similar to benign software; they both are users in terms of a system. The difference is based on the order of the system and users: who uses the system and what the system is used for. Secondly, the research shows that information security is always external (in the terms of this study it is a ‘parasite’) to the information system that it protects. Information securing creates and maintains order while simultaneously disrupting the existing order of the system that it protects. For example, in terms of software itself, the implementation of a copy protection system is an entirely external addition. In fact, this parasitic addition makes software different. Thus, information security disrupts that which it is supposed to defend from disruption. Finally, it is asserted that, in its interruption, information security is a connector that creates passages; it connects users to systems while also creating its own threats. For example, copy protection systems invite crackers and information security policies entice social engineers to use and exploit information security techniques in a novel manner.