20 research outputs found

    From Disaster Response Planning to e-Resilience: A Literature Review

    Natural and man-made crises as well as IT-security issues foster the interest in robust and resilient business information systems. Information and Communication Technologies (ICT) are essential for successful e-business. If ICT is interrupted, the whole (e-)business continuity is threatened. ICT interruptions cause serious loss in an organization’s reputation, trust and revenues. This circumstance should increase managers’ interest in the concepts of disaster recovery planning (DRP), business continuity management (BCM) and the emerging imperative, resilience. This paper presents the results of a database-driven literature review on these concepts and their interrelation

    The effect of business continuity management factors on organizational performance: A conceptual framework

    This paper reviews the role played by business continuity management (BCM) factors in enhancing the organizational performance. The constructs of this paper are based on a comprehensive review of recent literature on BCM critical success factors, BCM standards and organizational performance. In this study, the organizational performance covers two specific areas of organizational results, namely financial performance and non-financial performance. Financial performance may encompass revenue, profitability, cost saving, return on investment and other financial measures, while non-financial performance may include effectiveness, efficiency, quality, quality of work life, innovation and productivity. A detailed literature review revealed the importance of effective BCM implementation in ensuring an organization’s survivability and competitiveness. Therefore, the demand to protect the continuity of critical business services in the event of an unforeseen disaster or disruption has become more critical than ever. In Malaysia, among the widely adopted BCM related standards by both the private and public sectors are ISO 22301 and ISO 27001.
These certified organizations are selected as the population of the study as they are deemed to possess considerably higher sense of commitment towards embracing BCM best practices to enhance their business resiliency. The international standard certification may also indicate the maturity of the organizations in practicing BCM. Previous study has proven that organizations with matured BCM processes had indicated substantial performance improvements. This paper also highlights the challenges encountered by the BCM professionals in developing and maintaining the BCM infrastructure and activities, which necessitate the support from the senior management. Among the challenges that may cause failure in BCM implementation are lack of financial support and the deployment of BCM initiatives on enterprise wide basis. In summary, this paper is expected to propose the conceptual framework for future researchers to investigate and provide the empirical evidence on the relationship that exist between the BCM factors and organizational performance

    Small Business Owners’ Approach to Business Continuity Management

    United States (U.S.) small business owners represent an estimated 25% of businesses that do not reopen following a major disaster. Small business owners must prepare because small businesses represent 99.9% of U.S. businesses and experience detrimental effects resulting from disaster-related events. Grounded in Paunescu and Argatu’s adapted business continuity framework, the purpose of this qualitative multiple case study was to explore strategies U.S. small business owners use to create disaster plans for business continuity. The participants were seven U.S. small business owners in the service sector. Data were collected by conducting semistructured interviews through in-person meetings, phone conversations, and documentation review. Yin’s five-step approach was employed to analyze the data. Seven themes emerged: (a) impact from COVID-19, (b) BCP review, (c) type of disasters planned for, (d) use of the U.S. Federal Emergency Management Agency reference for BCP development, (e) succession planning, (f) exercise training, and (g) use of secondary locations. Two core recommendations are for small business owners to review their business continuity plans (BCP) periodically and whenever a vulnerability in their BCP has been identified. The implications for positive social change include the potential to reduce unemployment, related mental illnesses, and homelessness

    Application of Computer Simulation Modeling to Evaluate Business Continuity Plans

    Business continuity plans (BCP) help organizations plan for and withstand the occurrence of unexpected events that interrupt the normal operation of business. Managers typically develop several alternate plans to minimize the business impact of unexpected events. The problem for decision makers is that comparative evaluation of BCP is typically done using subjective judgments. This research uses a case study approach focusing on a single organization and a single business continuity application to propose the use of computer simulation as a tool for managers to identify and evaluate different BCP prior to committing resources. In the context of an insurance firm, a specific plan was evaluated using simulation methods. A simulation model was used to model the operational aspects of the call center in an insurance company. After the model was validated, it was used to answer questions about what-if scenarios. Results suggest that scenario analysis using simulated model enables managers to ask useful questions that can help evaluate the plan. Managers at the insurance company used the simulation model to determine the level of service required and evaluate business continuity strategies to achieve it

    The Risk Mitigation of Water Resources of Jatiluhur Reservoir with Green Business Continuity Management Approach

    Jatiluhur Reservoir is the multipurpose reservoir functioning as water resources for irrigation, hydroelectric power plant, home and industry usages for the area of DKI Jakarta (capital city of Indonesia with the status of most densely populated city in the nation) and its surrounding regencies. Its existence bears other benefits to many communities such as inland fishing, tourism and water sport recreation. Last but not least important purpose, the reservoir flood has a significant role for flood control management in the area of Karawang District and its adjacent areas. Despite the many social welfares the reservoir can produce, the quality and quantity of water resources from Citarum River to the Jatiluhur reservoir bear some problems that affect some challenges in the water management. This research attempts to identify the real critical pulse of the problems by analyzing its business process in the water resources management along with their risk and impact that may affect the vitality of the business outcomes. The analysis approach for this study is using the standard of green business continuity management (GBCM) where all of the environmentally polluted/harming items are considered. Respondents are experts in the reservoir along with its business process and environmentalists. As for the technique of analyses itself, it employs descriptive analysis, decomposition trend analysis and business impact analysis (BIA). The outcome of this qualitative and quantitative research indicates that the strategic positioning of Jatiluhur as the national function to serve all the precedings turns out to be at critical stage.
There are some discouraging signs that are found to be significant in this study such as 1) secondary disruption in the irrigation channel, 2) poor water quality, 3) conflict of water use, 4) sedimentation, 5) damaged floodgates, 6) absence of pipeline at the open channel, causing an alarming deterrent to the normal flow of water discharge. Hence, the status of the reservoir can be concluded as clear and present danger. The GBCM recommendation offered to counter measure the degradation of water quality and quantity is by having the participation of community stakeholders involved in reaching a unanimous future maintenance standard that meets environmentally sound ordinance. Keywords: Jatiluhur Reservoir, GBCM, Risk Management, Water resource

    Towards Optimal IT Availability Planning: Methods and Tools

    The availability of an organisation’s IT infrastructure is of vital importance for supporting business activities. IT outages are a cause of competitive liability, chipping away at a company’s financial performance and reputation. To achieve the maximum possible IT availability within the available budget, organisations need to carry out a set of analysis activities to prioritise efforts and take decisions based on the business needs. This set of analysis activities is called IT availability planning. Most (large) organisations address IT availability planning from one or more of the three main angles: information risk management, business continuity and service level management. Information risk management consists of identifying, analysing, evaluating and mitigating the risks that can affect the information processed by an organisation and the information-processing (IT) systems. Business continuity consists of creating a logistic plan, called business continuity plan, which contains the procedures and all the useful information needed to recover an organisation’s critical processes after major disruption. Service level management mainly consists of organising, documenting and ensuring a certain quality level (e.g. the availability level) for the services offered by IT systems to the business units of an organisation. There exist several standard documents that provide the guidelines to set up the processes of risk, business continuity and service level management. However, to be as generally applicable as possible, these standards do not include implementation details. Consequently, to do IT availability planning each organisation needs to develop the concrete techniques that suit its needs. To be of practical use, these techniques must be accurate enough to deal with the increasing complexity of IT infrastructures, but remain feasible within the budget available to organisations.
As we argue in this dissertation, basic approaches currently adopted by organisations are feasible but often lack accuracy. In this thesis we propose a graph-based framework for modelling the availability dependencies of the components of an IT infrastructure and we develop techniques based on this framework to support availability planning. In more detail we present: 1. the Time Dependency model, which is meant to support IT managers in the selection of a cost-optimal set of countermeasures to mitigate availability-related IT risks; 2. the Qualitative Time Dependency model, which is meant to be used to systematically assess availability-related IT risks in combination with existing risk assessment methods; 3. the Time Dependency and Recovery model, which provides a tool for IT managers to set or validate the recovery time objectives on the components of an IT architecture, which are then used to create the IT-related part of a business continuity plan; 4. A2THOS, to verify if availability SLAs, regulating the provisioning of IT services between business units of the same organisation, can be respected when the implementation of these services is partially outsourced to external companies, and to choose outsourcing offers accordingly. We run case studies with the data of a primary insurance company and a large multinational company to test the proposed techniques. The results indicate that organisations such as insurance or manufacturing companies, which use IT to support their business, can benefit from the optimisation of the availability of their IT infrastructure: it is possible to develop techniques that support IT availability planning while guaranteeing feasibility within budget. The framework we propose shows that the structure of the IT architecture can be practically employed with such techniques to increase their accuracy over current practice

    The moderating effect of information technology capability on the relationship between business continuity management factors and organizational performance

    Despite the enormous acknowledgement of the importance of Business Continuity Management (BCM) in sustaining organization survival, very limited studies have focused on the effects of BCM on organizational performance. Hence, the purpose of this study is to provide the empirical evidence that supports the relationships that exist between BCM Factors and Organizational Performance with the moderating effects of Information Technology Capability (IT Capability) in organizations from various sectors in Malaysia. Based on the existing literature, BCM Factors are operationalized by Management Support, External Requirement, Organization Preparedness, and Embeddedness of Continuity Practices. A combination of self-administered and mail survey was deployed involving 147 ISO 27001 and ISO 22301 certified organizations representing both public and private sectors. These organizations were selected as they are deemed to possess a considerably higher sense of commitment towards embracing BCM best practices to enhance their business resilience. At the end of the data collection phase, the study managed to obtain 77 usable responses constituting an effective response rate of 55 percent. The findings indicate that BCM Factors namely External Requirement and Embeddedness of Continuity Practices are significantly related to Overall Organizational Performance and Non-Financial Performance. However, only External Requirement is found significantly related to Financial Performance. The results also reveal that fully supported relationships are found between IT Capability and all Organizational Performance dimensions. In addition, the findings show that IT Capability moderates the relationship between BCM Factors and Organizational Performance. These results provide valuable insights to both practitioners and academia for further understanding the effects of BCM Factors and IT Capability on Organizational Performance.
Finally, the research limitations are discussed and suggestions on extended area of research are recommended for future researchers

    Determining the Cost of Business Continuity Management - A Case Study of IT Service Continuity Management Activity Cost Analysis

    This single organisation case study discusses the cost of business continuity management in IT services. Information technology (IT) expenses can amount to a substantial part of operational costs in a company, and IT leaders tend to aim for thorough IT cost management to meet financial targets. Thus, information security activities such as business continuity management (BCM) rank among the most important concerns for IT leaders. Despite the concerns of IT management, senior management appears to be hesitant to spend on BCM as much as IT management would hope for. Senior management may struggle with the question of how to justify spending on an activity that proves its usefulness only when a rare event occurs. The challenge for measuring costs of sociotechnical activities was the inspiration for this work – to find out whether the cost of business continuity management (BCM) could be explained better to help decision making. Two main paradigms emerged from literature – BCM activities in the context of organisational routines, and IT cost and information security cost classifications. The theoretical assumption was that the relationship between IT costs and BCM activities emulates the activity-based costing theory (ABC) – the premise of cause-and-effect relationship between activities and costs. The key question is “How to determine the cost of BCM activities in IT services?” To find out, I used a comprehensive archival data set from a case company and designed a retrospective quantitative model to analyse the association between BCM activities and IT costs. By employing causal-comparative method and multiple linear regression analysis, I compared distinct groups of IT services to determine how much of the variation in IT costs could be explained by BCM activities. In addition, I measured the relative effect of each independent variable towards the total cost of BCM.
As both statistical and practical significance test results were supported, several interesting results were observed between BCM activities and IT costs – namely human, technology and organisational resources, as well as IT service designs. The research presents two theoretical contributions and one empirical contribution to the theory. The first and primary contribution is the BCM activity cost model. This is the final product for the main research question of determining the cost of BCM in IT services. The second contribution is the total cost of BCM framework. This framework contributes to the broader academic discussion of information system (IS) cost taxonomies in IT services and information security. The third contribution is empirical confirmation how to observe unknown cost effects by multiple regression analysis. Learnings from this research can contribute IS researchers focused on the economic aspects of IS and IT. The research also introduces three practical contributions. The first one considers the observation of overall BCM cost effects on IT services. Although the results of a single case study cannot be generalized directly to every organization, information herein may aid companies to evaluate BCM impact on their budgets. The second practical contribution considers the challenges regarding measurement of activity costs that can be difficult to observe directly. Within the limitations of this research, nothing here suggests that the BCM activity cost model could not be productized and integrated into other cost appraisal tools in a company or applied in other IT service management areas. The last important practical contribution are the definitions of BCM activity cost variables. Confirming the cost association between theoretical and empirical BCM frameworks can help BCM professionals to promote BCM process.
This single-organisation case study examines the share of business continuity management costs in information system services. Information technology (IT) costs can make up a significant part of a company’s expenses, and IT leaders usually aim for careful cost management to achieve the company’s financial targets. Therefore, information security activities such as business continuity management (BCM) are among their most essential concerns. Despite the concerns of IT leaders, senior management is usually not very eager to invest in BCM as much as IT management would hope. Senior management may struggle with how to justify spending on activities that are needed only in rare exceptional situations. The challenge of measuring sociotechnical costs gave the inspiration for this study; the aim was to find out whether BCM costs could be explained better to support decision making. Two central themes emerge from the literature: BCM in the context of an organisation’s routines, and the classification of IT and information security costs. The theoretical assumption was that the relationship between IT costs and BCM activities emulates the theory of activity-based costing (ABC), namely that there is a cause-and-effect relationship between activities and costs. The key question is “How to determine the costs of BCM activities in IT services?” To find out, I used comprehensive archival data from a case company and developed a retrospective quantitative model to analyse the relationship between BCM activities and IT costs. Using the causal-comparative method and linear regression analysis, I compared different groups of IT services to determine to what extent BCM activities could explain the variation in IT costs. In addition, I measured the relative effect of each variable on the total cost of BCM. When both statistical and practical test results were taken into account, several interesting results emerged about the relationship between BCM activities and IT costs: relating to human, technology and organisational resources as well as IT service design.
The study produced two theoretical contributions and one empirical proof for the theory. The first and most essential of these is the BCM activity cost model. This end product answers the thesis’s key question about BCM costs in IT services. The second contribution is the total cost of the BCM framework. This can feed the broader academic discussion of information system (IS) cost taxonomies in IT services and information security. The third contribution, the empirical proof, shows that measuring indirect costs is possible using regression analysis. The findings of the study may be useful to IS researchers focused on the economic aspects of IS and IT. Three practical contributions also emerge from the study. The first relates to how the effects of total BCM costs on IT services are monitored. Although the results of a single case study cannot be generalised, the findings can help companies assess the effects of BCM on their budgets. The second practical contribution relates to the challenges of measuring activity costs that are difficult to observe directly. Within the limits of this study, no reason emerged why the BCM activity cost model could not be productised and integrated into a company’s other cost appraisal tools, or why it could not be applied to other areas of IT service management. The last significant practical contribution is the definition of the BCM activity cost variables. BCM professionals can more easily promote the BCM process when the correspondence of costs between theoretical and empirical BCM frameworks is confirmed

    Security aspects of SCADA and DCS environments

    SCADA Systems can be seen as a fundamental component in Critical Infrastructures, having an impact in the overall performance of other Critical Infrastructures interconnected. Currently, these systems include in their network designs different types of Information and Communication Technology systems (such as the Internet and wireless technologies), not only to modernize operational processes but also to ensure automation and real-time control. Nonetheless, the use of these new technologies will bring new security challenges, which will have a significant impact on both the business process and home users. Therefore, the main purpose of this Chapter is to address these issues and to analyze the interdependencies of Process Control Systems with ICT systems, to discuss some security aspects and to offer some possible solutions and recommendations