Abstract
Management Information Systems (MIS) help managers integrate data, communicate, and receive relevant information for better decision-making. Ensuring cyber security of such systems is crucial; however, many possible threats are recognized, including accidental failures and intentional attacks. To improve cyber security for their MIS, organizations should classify threats, manage risks, apply the newest technologies, and follow industry standards and recommendations. As a result, the risks of losing important information or money, or the risks of hindering or suspending the operation of an organization will be lower.
Introduction
With the growing role of technologies and information exchange in virtually every area today, the issue of cyber security has been gaining more attention and more importance. It is recognized that crucial interactions and transactions, including those that involve money and confidential information, are performed through information systems that may turn out to be vulnerable. Vulnerabilities occur either in the form of accidental failures or intentional attacks.
A particular area to be addressed in this regard is management information systems (MIS) that are used in organizations to improve managerial practices and decision-making by enabling managers to have easier access to relevant information, enhancing communication between managers and employees, and providing tools for improving existing procedures and interactions. Such systems can fail or be attacked, which is a threat to entire organizations.
To discuss MIS and cyber security, four topics will be addressed: the concept of cyber security and its application to the context of MIS, the practice of information risk management, the emergence of new digital service models, and the contribution that can be made to improving cyber security.
Cyber Security
One of the major issues of cyber security recognized by researchers and practitioners today is that not all vulnerabilities are properly understood by organizations, which results in a lack of proper security measures. Security breaches do not always occur in the form of attacks that shut computers down and paralyze the operation of an organization entirely. There are small breaches that may occur regularly due to employees’ activities associated with sharing and retrieving information from sources and networks that they all use, or due to deliberate attacks from outside an organization (Jouini, Rabai, & Aissa, 2014); these breaches may go unnoticed and cause minor losses, such as information losses or financial losses; however, over considerable periods of time, such losses add up to rather serious damage.
Vulnerabilities are weaknesses of information systems that enable attackers to penetrate those systems, either in a targeted manner or as a result of the systems coming into contact with malicious software or other threats. The penetration may take the form of information theft, viruses, or unauthorized access. Two major types of damage should be recognized: financial loss, which is the most direct and self-evident kind of damage, and information loss, which may have a delayed effect but can eventually damage an organization to an even larger extent. By letting other parties (whose intentions may be malicious) access confidential information on the organization’s finances, internal operation, and employees, the organization creates risks for its performance and, in some cases, even for its existence.
To minimize those risks, it is necessary to strengthen information systems. The first step in providing cyber security is to classify potential threats. As mentioned above, not being aware of certain threats, or not understanding them fully, are factors that let attacks pass unnoticed and cause undetected damage. In their classification of threats, Jouini et al. (2014) used five considerations: “source, agent, motivation, intention[,] and impacts” (p. 492).
By these criteria, threats are primarily divided into internal and external ones; further, human-caused, environmental, and technological threats should be distinguished. Threats can be malicious or non-malicious, and either intentional or accidental. Seven types of threats to which this classification applies are “[d]estruction of information, corruption of information, theft or loss of information, disclosure of information, denial of use, the elevation of privilege[,] and illegal usage” (Jouini et al., 2014, p. 492).
This classification can be particularly helpful in designing cyber security measures for cloud computing systems; in such systems, security is enhanced through the centralization of data and the use of security instruments that may be unavailable to individual cloud users on their own.
In MIS, cyber security is particularly important because these systems play the role of coordinating the efforts of different members and elements of organizations; besides, for decision-making purposes, such systems contain a lot of important information. Such information should be preserved, and the systems should be protected because attacks on them can disrupt the entire operation.
Most importantly, organizations should use regularly updated antivirus software and deploy firewalls; also, employees’ outward communication should be monitored. However, there is also the necessity to keep a balance between security and access. Overusing security measures can lead to overload and impeded access, which will hinder operation and slow down the information exchange that is an integral part of work; granting unrestricted access, however, is not an option either, because the threats are still there.
Information Risk Management
Risk management is an integral component of management because any weaknesses in managerial systems should be recognized and properly addressed. However, an organization may fail to recognize the difference between risk detection and risk management. The former explicitly deals with the analysis of existing systems and processes for the purpose of revealing parts and elements in which something can go wrong.
This analysis itself is complicated because its success requires detailed, accurate, and complete information on how an organization works and which of its parts, such as departments, groups, or certain employee positions, play which roles. Inadequate information leads to poor risk management, which can leave an organization defenseless against many threats that could otherwise be avoided. Therefore, the lack of proper understanding of and insight into an organization’s operation is the first risk that risk management should consider; moreover, according to Dionne (2013), poor risk detection is a risk itself.
The latter concept—risk management—incorporates risk detection as its integral element but also goes further, to assessing how detected risks can be minimized. An important component of this process is feedback. The difference between evaluation and feedback is that the former assesses something on the basis of certain scales and measurements, which is why it can be seen as quantitative, while the latter explains what should be changed to receive a better evaluation, which is why it can be seen as qualitative.
Therefore, successful risk management should transform risk assessment into the planning of how risks should be addressed. In this context, risk management can deal with every aspect of an organization’s operation and propose modifications to make an organization less vulnerable. It is important to acknowledge that, in real markets, there are no situations in which risks are fully ruled out, which is why the elimination of risks is unattainable, and resources should not be spent on that. However, minimization of risks is a real goal, and organizations should pursue it.
Assessing a risk primarily refers to calculating the probability of a certain threat and estimating the damage that will be caused if the predicted threat occurs. In the context of information technologies and cyber security, risk management should be largely based on the existing experience of organizations in the industry, but at the same time, it should take into consideration that information technologies constantly develop, bringing new benefits as well as new challenges.
Alhawari, Karadsheh, Talet, and Mansour (2012) propose a knowledge-based framework, which relies on knowledge tools and techniques in designing risk management processes. Instead of solely creating a separate risk management department, it is suggested that the entire organization should be involved in the process. Brainstorming sessions among executives and between the management and employees are an example of communication that should be constantly encouraged for the purpose of contributing to identifying and addressing risks.
Upon calculating how probable certain threats are, such as loss of information or a cyber attack, and estimating what damage they can cause, the management should pay specific attention to those risks that are the most likely and the most potentially dangerous. Therefore, prioritizing risks is as important as approaching risk management through the knowledge-based framework.
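As an added illustration of the threat classification and risk prioritization discussed above (example code written for this page, not taken from the essay or its sources), the following Python model records each threat along the criteria of Jouini et al. (2014), validates the estimates, and ranks a constructed register so that the most likely and most damaging threats come first. The expected-loss measure (probability times estimated damage), the tie-break rule, and all figures in the register are assumptions.

```python
from dataclasses import dataclass

# The seven impact types listed by Jouini et al. (2014); used to validate records.
IMPACT_TYPES = {
    "destruction of information", "corruption of information",
    "theft or loss of information", "disclosure of information",
    "denial of use", "elevation of privilege", "illegal usage",
}

@dataclass(frozen=True)
class Threat:
    name: str
    source: str         # "internal" or "external"
    agent: str          # "human", "environmental" or "technological"
    intention: str      # "intentional" or "accidental"
    impact: str         # one of IMPACT_TYPES
    probability: float  # assumed likelihood of occurring within a year, 0..1
    damage: float       # assumed loss, in currency units, if it occurs

    def __post_init__(self):
        # Reject estimates that would silently distort the ranking.
        if self.impact not in IMPACT_TYPES:
            raise ValueError(f"unknown impact type: {self.impact!r}")
        if not 0.0 <= self.probability <= 1.0 or self.damage < 0:
            raise ValueError(f"out-of-range estimate for {self.name!r}")

def expected_loss(threat):
    """Assumed risk measure: probability times damage, rounded so ties compare exactly."""
    return round(threat.probability * threat.damage, 2)

def prioritize(threats):
    """Most likely and most damaging first; ties on expected loss are broken by raw
    damage, so a rare but crippling event outranks a frequent minor one."""
    return sorted(threats, key=lambda t: (expected_loss(t), t.damage), reverse=True)

def loss_by_source(threats):
    """Total expected loss per source, showing whether internal or external threats dominate."""
    totals = {}
    for t in threats:
        totals[t.source] = totals.get(t.source, 0.0) + expected_loss(t)
    return totals

# Constructed sample register; every probability and damage figure is illustrative.
REGISTER = [
    Threat("Malware outbreak on the MIS file server", "external", "human", "intentional",
           "denial of use", 0.10, 200_000),
    Threat("Accidental deletion of monthly reports", "internal", "human", "accidental",
           "destruction of information", 0.50, 15_000),
    Threat("Phishing leading to credential disclosure", "external", "human", "intentional",
           "disclosure of information", 0.30, 80_000),
    Threat("Power outage in the server room", "internal", "environmental", "accidental",
           "denial of use", 0.20, 30_000),
    Threat("Unpatched MIS component abused for admin rights", "external", "technological",
           "intentional", "elevation of privilege", 0.05, 120_000),
]
```

Calling `prioritize(REGISTER)` ranks the phishing and malware entries first; the two entries with equal expected loss are ordered by raw damage, and `loss_by_source(REGISTER)` shows that external threats dominate this constructed register.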
Emerging Digital Service Models
As the information technologies industry is transforming due to expanding markets and technological advancements, business models are changing along with processes and infrastructures. As a tool for addressing newly arising challenges in terms of security and development, new digital service models are emerging. A general direction in their development is toward centralized, accumulated, and integrated data.
The three processes of data centralization, accumulation, and integration have a number of benefits in terms of servicing MIS. First of all, the availability of relevant data is a topical issue. In the information world, access to information is a smaller concern than before because information can be exchanged despite distances, but the abundance of information has made it particularly difficult to find what is relevant. Many poor business decisions are made every day due to the lack of relevant knowledge or information despite the fact that such information may be two clicks away from a decision-maker. Having “pools” of relevant data can “unearth deeper insights” (Albrecht, 2017, p. 5) into how systems should be managed.
Many services are being developed or tested today that are promising in terms of changing the future of management. Another major direction in these processes is using artificial intelligence. In the context of management, the main area in which artificial intelligence is employed is analytics. For example, Banjo, an innovative company launched in 2011, is currently working on the creation of a disaster prediction engine that will become the world’s first such system.
Disaster prediction is to be performed through extensive data collection, signal processing, and computing with the most advanced available digital capacities. Another example is sales prediction, on which many hi-tech companies, such as Infer and Sense, work as well. One more direction that can be seen in emerging digital services is making processed information more intelligible for decision-makers.
For example, the Automated Insights company develops services that will “translate” complicated documentation, such as financial statements, into narratives. Also, the Arria company is building an analytical tool to process various structured technical reports, including financial information, and produce reports that people can read more easily (Albrecht, 2017). Therefore, the general idea shared by these and many similar projects, and the general model proposed, is to enhance the capacity of analytical tools, integrate them into information systems, including MIS, and make them output information in the most convenient way, so that readers who base their decisions on this analytics do not have to deal with more technical data than one person can process.
In terms of cyber security, the developers of emerging digital services make efforts, first of all, to make it easier to detect attacks and, second, to make it harder for attacks to cause serious damage. A major topic in this regard is cyber situation awareness. Managers should develop a profound understanding of what their MIS are connected to and how interactions occur. With such widespread channels of communication as social networking services, the way cyberspace behaves today is changing, and managers should monitor how the systems they use are affected by the various activities of their employees in other systems or online.
Contribution
One of the purposes of MIS is to integrate data into information that enables effective managerial decision-making. From this perspective, the two trends identified above (see Emerging Digital Service Models) are particularly relevant to the modern context. With the abundance of information, it is paramount that data are pooled and analyzed by highly intelligent digital services and further translated into intelligible forms that humans can read without having to deal with overwhelming amounts of technical data. New ideas in the industry revolve around the intention to collect as much relevant data as possible and integrate it into reports that invite action.
A particular area that can be addressed to discuss cyber security in MIS is emergency management. In this area, the speed of responding to events and developments is crucial, and the success largely relies on the uninterrupted operation of information systems. It is recognized that there are threats of both accidental failures and intentional attacks. Solutions proposed by Loukas, Gan, and Vuong (2013) suggest that emphasis should be put on prevention, not reaction.
Encrypting communication and limiting access to information systems are two primary measures to be taken within organizations to increase cyber security. At the same time, the authors stress “a remarkable lack of relevant EM-specific defense solutions that have progressed beyond the level of conceptual analysis” (Loukas et al., 2013, p. 226). This does not mean, however, that companies that adopt MIS are defenseless in most aspects.
Attack techniques are constantly refined, and failures cannot be fully ruled out, but managers can take measures to ensure that possible damage is minimal. In this regard, the old rule of not putting all the eggs in one basket fully applies; organizations should ensure that someone who gains access to their information systems (with malicious intentions) does not gain access to the entire systems. The separation of traffic, therefore, is one of the solutions.
Another suggestion for those who operate MIS is to ensure that all the functions provided by such systems are interoperable, for which purpose inherent trust models should be employed. A moment at which MIS are particularly vulnerable is the moment of accepting new members, which is why MIS users should follow guidelines on “admitting new agencies in the virtual team and [regulating] a coordinator web service for each member to authenticate users, share information, create roles[,] and enforce access control policies” (Loukas et al., 2013, p. 222).
In terms of data confidentiality, it is recognized that there may be a conflict between security and privacy, as enhancing one of them in information systems seemingly weakens the other. However, it is evaluated that “privacy-by-design” technologies are capable of eliminating the dichotomy and creating systems in which the confidentiality of private data is not only protected, but the systems are built in a way that makes disclosure significantly less likely.
Conclusion
For improving cyber security in MIS, it is primarily needed to classify possible threats; this will improve detection and will not let attacks or losses pass unnoticed. Second, it is important to detect risks, i.e., the weaknesses of information systems, the probability of the threat, and the extent of possible damage. Based on risk assessment, measures should be taken to minimize risks; the most dangerous ones should be addressed first.
It is suggested to employ digital services that increase the effectiveness of MIS; major trends in this area are designing better tools for analyzing available data and transforming it into plans of action. Finally, practical recommendations to MIS operators include limiting access, protecting confidentiality, ensuring interoperability, and tracking the activities of users. Although many challenges persist in the area of cyber security, there are things that can be done in organizations to enhance the security of their MIS.
References
Albrecht, S. (2017). Facing the complexity of emerging digital service models. Web.
Alhawari, S., Karadsheh, L., Talet, A. N., & Mansour, E. (2012). Knowledge-based risk management framework for information technology project. International Journal of Information Management, 32(1), 50-65.
Dionne, G. (2013). Risk management: History, definition, and critique. Risk Management and Insurance Review, 16(2), 147-166.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in information systems. Procedia Computer Science, 32(1), 489-496.
Loukas, G., Gan, D., & Vuong, T. (2013). A review of cyber threats and defence approaches in emergency management. Future Internet, 5(2), 205-236.