MIPRO 2013
36th International Convention
May 20-24, 2013, Opatija, Adriatic Coast, Croatia
Proceedings
ISSN 1847-3938

Conferences:
Microelectronics, Electronics and Electronic Technology /MEET
Distributed Computing and Visualization /DC VIS
Telecommunications & Information /CTI
Computers in Education /CE
Computers in Technical Systems /CTS
Intelligent Systems /CIS
Information Systems Security /ISS
Business Intelligence Systems /miproBIS
Digital Economy - 10th ALADIN /DE
Government, Local Government, Public Services /GLGPS
MIPRO Junior - Student Papers /SP


Edited by:
Petar Biljanović

All papers are published in their original form
For Publisher:
Petar Biljanović
Publisher:
Croatian Society for Information and Communication Technology,
Electronics and Microelectronics - MIPRO
Office: Kružna 8/II, P. O. Box 303, HR-51001 Rijeka, Croatia
Phone/Fax: (+385) 51 423 984




Printed by:
GRAFIK, Rijeka
ISBN 978-953-233-074-8
Copyright 2013 by MIPRO
All rights reserved. No part of this book may be reproduced in any form, nor may be stored in
a retrieval system or transmitted in any form, without written permission from the publisher.
PAPERS ... 1425

Analysis of World Bank Indicators for Countries with Banking Crises by Subgroup Discovery Induction ... 1427
D. Gamberger, D. Lučanin, T. Šmuc

Transformation of OWL Ontology Sources into Data Warehouse ... 1432
M. Gulić

Using Big Data and Sentiment Analysis in Product Evaluation ... 1438
L. Banić, A. Mihanović, M. Brakus

Model of the Business Intelligence System for Credit Risk Analysis ... 1444
T. Gazdić, Lj. Kašćelan

The Integral OLAP-Model of the Emergency Risk Estimation in the Case of Krasnoyarsk Region ... 1450
A. Korobko, T. Penkova, V. Nicheporchuk, A. Mihalev

Automating the Generation of the Data Warehouse Presentation Layer ... 1456
S. Pavlek, M. Sorić

Master Data Management in Cooperation with the Data Warehouse ... 1462
A. Matić, M. Sekula, D. Udier

Modern Business Intelligence Solutions Based on the Cloud Computing Concept ... 1468
I. Sekula, M. Franić

Končar MIS - A Powerful Tool for Wise Enterprises ... 1474
A. Franić, D. Ferenčak, D. Cmuk

DIGITAL ECONOMY 10th Alpe Adria Danube Universities Initiative (ALADIN)

PAPERS ... 1481

Business Valuation in Oil & Gas Industry: New Challenges ... 1483
S. Brlečić Valčić, B. Crnković-Stumpf, J. Katunar

Comparative Analysis of Paid Croatian Online Newspapers ... 1489
O. Prlić, A. Lacković, F. Lončar

ePrivacy Rules and Data Processing in Users' Terminal Equipment: a Croatian Experience ... 1495
N. Gumzej, S. Grgić

The Cost of Information Security Management in Offshore SMB ICT Companies ... 1502
S. Aksentijević, E. Tijan, D. Čišić

ICT Contribution to the Economic Development of Some SEE Countries in Transition ... 1507
M. Vidas-Bubanja

Optimization of ICT Capacity Following the Philosophy of the JIT (UNV) Model ... 1513
Z. Buljubašić, I. Kapetanović Serdarević, N. Buljubašić

The Cost of Information Security Management in Offshore SMB ICT Companies
The Cost of Information Security Management in Offshore SMB ICT Companies


Saša Aksentijević¹, Edvard Tijan², Dragan Čišić³
¹ Saipem SpA Croatian Branch
Alda Colonnella 2, Rijeka, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: axy@vip.hr
²,³ University of Rijeka, Faculty of Maritime Studies
Studentska 2, 51000 Rijeka, Croatia
Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: etijan@pfri.hr, dragan@pfri.hr



Abstract - Companies belonging to the offshore SMB ICT
segment are subject to various costs arising from
several sources, such as legal compliance, alignment with
best practice guidelines and standards, employee
education, basic computer and network infrastructure
security and the cost of SaaS/cloud solutions. Furthermore,
such companies usually have very limited financial
resources, yet they are often involved in large projects
working for major offshore installation contractors. In
this paper the authors outline the basic costs of
information security management systems in offshore
SMB companies and propose a simple model to
continuously monitor and control them.

I. INTRODUCTION
The term "offshore" is nowadays usually used for oil and
gas drilling operations that are conducted in the ocean [1].
However, it can also relate to such operations conducted
in any large open or closed waters or lakes (for example,
the Mediterranean Sea or the Caspian Lake). Offshore
construction projects in the oil and energy sector are usually
executed by large companies called engineering and
construction companies. In their form, they are usually
corporations, or joint ventures/consortiums of such
companies. The usual services that may be provided by such
companies are engineering, fabrication, transport,
installation, procurement, research, manufacturing,
environmental systems and project management [2].
All these companies use very complex ICT systems in
order to facilitate their core operations. The complexity of
those systems is further compounded by the fact that
operations are usually executed in difficult areas that are
geographically remote and do not provide the opportunity for
adequate user support, or aboard vessels, where it is difficult
to obtain good quality hardware, data links and skilled
personnel. Offshore ICT systems also include equipment
that is seldom encountered in onshore or conventional ICT
operations, such as safety radio location beacon equipment for
emergency situations or marine satellite equipment
with self-pointing/auto-acquiring antennas [3].
For reasons that will be discussed in detail, offshore
construction companies usually subcontract local ICT
companies belonging to the SMB market segment to provide
some of the ICT services required for successful
completion of projects. Large offshore construction
companies usually have well developed formal
Information Security Management Systems (ISMS) [4], so
it is a real challenge for smaller ICT companies working
for them to keep pace with their clients'
information security cost. This causes a significant rise in
information security costs for such companies and an inherent
need for proper management of that particular type of
cost.

II. CHARACTERISTICS OF OFFSHORE
PROJECTS

There are some characteristics of offshore projects in oil
and energy sector, separating them from other large
projects in other sectors, for example, civil engineering,
road construction or dam construction. These
characteristics are very important in order to understand
the specific requirements of offshore ICT security that
needs to be maintained and delivered by relatively smaller
ICT companies belonging to SMB sector.

Some usual characteristics of offshore projects are as
follows:

1. Offshore projects are typically very complex
projects requiring the mobilization of a large capital
base, human resources and, usually, application of
the most modern available technology,
2. They can be very diverse in their
length, from very short-term to long-term. Very
often, large mega-projects are divided into smaller
projects with different subcontractors,
3. Typically, there are several subcontractors
working on a single installation project and their
cohesion and cooperation are critical for successful
execution of the project. These subcontractors use
different methods and technologies, have diverse
levels of development of human capital and
operate in different technical areas,
4. Offshore projects are connected with
large risks that have to be properly quantified in
order to be managed,
5. Environmental, health and safety and
sustainability issues are some of the main
considerations all companies operating offshore
have to take into account. These issues usually
stand in the way of successful project execution,
6. Contracts for various phases of offshore projects
are typically stipulated very close to the moment
when the project should start. This puts additional
pressure on the management of projects,
1508 MIPRO 2013/DE
7. Offshore projects are usually executed in very
difficult areas, by one or several of the following
criteria:
   - Harsh environment: extreme cold or warmth,
     deep sea, Arctic conditions
   - Politically unstable countries, sometimes
     even war-stricken areas
   - Technically challenging environment:
     extreme depth, very shallow water, ice, mud,
     etc.
   - Logistics problems: remote areas that are
     typically away from main traffic routes,
     posing potential logistics problems
8. Political and sociological content of offshore
projects is very high. Teams working on offshore
projects are usually multinational and
multicultural, which is an additional challenge to
be tackled during long and exhaustive project
planning and execution phases.

Due to all outlined characteristics of offshore projects,
it is clear that they carry a large risk with them. This risk
has to be properly managed. The goals of offshore
project risk management process are the following [5]:

1. Setting realistic but reasonable cost and schedule
contingencies,
2. Understanding the probability of cost overruns
and delays of anticipated schedule,
3. Knowing the probability that the contracted cost
and schedule will be achieved,
4. Understanding the accuracy of a cost estimate or
project schedule, and
5. Ensuring that project teams identify and properly
communicate risks and implement a risk
mitigation plan.

III. SPECIFIC REQUIREMENTS OF
OFFSHORE ICT SECURITY

SMB ICT companies are subject to quite specific
requirements when it comes to ICT security. First and
foremost, as already explained, they are operating on very
complex projects in difficult areas that are geographically
remote. In order to better understand what the specific
requirements of offshore ICT security are, some specifics
will be outlined:

1. The legal framework under which offshore projects are
executed is very complex. It usually transcends a
single nation and refers to several countries. Also,
considering that offshore projects are usually related
to work conducted at sea, maritime law is also
applicable.
2. Existing legal requirements imposed on ICT
security are very strict for business areas like
the financial sector or technical aspects of ISMS
management. However, they are not easily
applicable to ICT offshore operations of SMB
companies due to the different business context and
available financial means.
3. Very often, investments in ICT security of SMBs are
based on professional evaluation of cumulative risk
or subjective evaluation by the owner or ICT project
manager of the justification of the investment
compared to such risk. Best practice ISMS systems
and frameworks do not evaluate the influence of
investments in ISMS on the company's or project's
financial results.
4. One of the very important restrictions for SMB ICT
companies working on offshore projects in the oil and
gas sector is the lack of internal human resources and
financial strength that could adequately follow up
growing requirements for ICT security solutions.
Neglecting such requests usually results in
increased levels of impact of security incidents and
cost of remediation and opportunity cost.
5. ISMS management in offshore ICT operations is
usually viewed as a technical discipline or as a
minimum cost endeavor with an unclear relation
to project cost or profit margin. Overall, there is no
clear model that would put offshore
ICT ISMS management in relation to the business
result of the offshore project.
6. One of the most common strategies used
instinctively by small and medium businesses
providing ICT services in offshore projects is
accepting unreasonably high levels of risk and
avoiding investments in offshore ICT security
solutions. Investments in such ISMS solutions are
usually perceived by those businesses as
unnecessary or sunk cost.
7. The business financing sector, and especially banks,
following the work of offshore ICT companies does
not recognize the importance of ICT security for
successful business models of such companies. No
special analysis of the economic impact of adopted ICT
measures is required even though they are crucial
for successful completion of offshore ICT projects
and, consequently, for the success of both the clients and the ICT
subcontractors. This way both the banks
and SMB offshore ICT companies are facing
unsorted, implicitly accepted risks.

From the above, it is clear that the usage of
economic criteria in decision making about investments in
ISMS solutions for offshore ICT SMB companies is a very
important factor. Successful ISMS systems of such
companies have to include legal requirements, cost-benefit
analysis of possible ICT security solutions, and risk based
analysis. Such an approach has to depart from the usually
adopted approach that includes only autonomous technical
measures and haphazard risk assessment.

IV. PROPOSED MODEL OF OFFSHORE ICT
COST MANAGEMENT IN SMB SECTOR

In order to propose a viable model of offshore ICT
cost management in SMB sector, it is necessary to think
of all possible requirements related to adopted ICT
security models. From what has already been outlined,
they are divided into three sub-groups:

1. Legal requirements
2. Best practice requirements
3. Risk assessment requirements

As shown in Fig 1, a typical SMB ICT offshore
company is subject to various national legal requirements
(for example, requirements related to the minimum of
information security measures to be implemented, record
retention, disaster recovery and business continuity).
Furthermore, those SMB ICT companies providing
network, radio or satellite communication hardware very
often have to undergo a very strict process of local
certification (equipment conformity, radio frequencies, and
encryption systems). All these compliance requirements
add to the running costs of a typical offshore ICT
company. Finally, there are also specific requirements
imposed by compliance with laws applicable to maritime
and offshore operations.

Fig 1. Legal requirements of SMB ICT offshore
companies



Typically, there are three sets of requirements related to
best practice of execution of ICT projects. Primarily, they
are technical best practice frameworks that already include
certain levels of ICT security context. Their origins are
usually best practice systems established by hardware or
software manufacturers and specialized associations. Best
practice frameworks for ISMS adoption and management
are formalized and certifiable best practice standards
endorsed by international bodies and typically well spread
in the ICT business community. Last, but not least, best
practices also relate to ICT project management, whose
information security practices might prove to be of utmost
importance for successful project completion.

Fig 2. Best practice requirements


One of the most widespread systems for ICT security
risk management is the one that is risk based. A risk based
approach usually lists all information assets and their
vulnerabilities and matches them with applicable threats; the
end result is a matrix of assets, threats and vulnerabilities
that carry a certain level of risk that has to be mitigated using
an applicable list of controls. This process should be endorsed by
the top management in order to demonstrate its willingness
to achieve goals of excellence. In the case of SMB
companies, top management can be a single person, or in
the case of smaller companies, even an owner.

Fig 3. Risk assessment approach of SMB offshore ICT
companies


Finally, inputs for baseline SMB offshore ICT security
are cumulative requirements for applicable legal
requirements, best practice requirements and risk
assessment approach requirements, applicable for baseline
operations, as shown in Fig 4.

Fig 4. Cumulative baseline SMB offshore ICT security


The cumulative baseline level of SMB offshore ICT
security presents a set of expenditures, either in the form of
investments or costs, that have to be maintained
continuously. A similar exercise can be done on a project
basis, where for a specific project, a matrix can be made
with all possible risks related to that project. In that case,
SMB offshore ICT security also includes temporary ICT
security risks and measures that exist only for the
duration of the project, and after the project, the
requirements for ICT security return to the baseline.
Successful ICT security management in offshore
operations manages to retain all mitigation measures and
expenditures inside the baseline requirements and therefore
avoids multiplication of the same expenditure through
various ongoing projects, as shown in Fig 5.
Fig 5. Portfolio structure of information security
requirements and solutions for SMB ICT companies
working on offshore oil and energy projects


Clearly, a portfolio approach [6] would be advisable to
all companies operating in this segment, with a well-developed
portfolio analysis of both project and basic ICT
security foundations.
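
The baseline-plus-project portfolio described above, worked through as an added Python example that is not part of the original paper. The control names, the amounts, the two projects and the assumption that the projects run concurrently are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    source: str    # requirement group: "legal", "best_practice" or "risk"
    fixed: int     # one-time investment
    monthly: int   # operative cost per month

    def cost(self, months):
        return self.fixed + self.monthly * months

# Constructed sample data; amounts are arbitrary currency units.
CONTROLS = {
    "record_retention":          Control("legal", 2000, 100),
    "isms_certification":        Control("best_practice", 8000, 300),
    "endpoint_hardening":        Control("risk", 1500, 150),
    "satcom_link_encryption":    Control("risk", 6000, 200),
    "local_radio_certification": Control("legal", 4000, 0),
    "site_personnel_vetting":    Control("risk", 1000, 250),
}
BASELINE = {"record_retention", "isms_certification", "endpoint_hardening"}
HORIZON = 12  # months over which the baseline is maintained
# project name -> (duration in months, controls the project requires)
PROJECTS = {
    "project_a": (12, {"isms_certification", "endpoint_hardening",
                       "satcom_link_encryption", "local_radio_certification"}),
    "project_b": (6, {"record_retention", "satcom_link_encryption",
                      "site_personnel_vetting"}),
}

def baseline_cost():
    return sum(CONTROLS[c].cost(HORIZON) for c in BASELINE)

def baseline_by_source():
    """Baseline expenditure split by the three requirement groups."""
    out = {}
    for c in BASELINE:
        out[CONTROLS[c].source] = out.get(CONTROLS[c].source, 0) + CONTROLS[c].cost(HORIZON)
    return out

def temporary(required):
    """Controls a project needs beyond the baseline; they lapse when it ends."""
    return required - BASELINE

def multiplied():
    """Temporary controls demanded by two or more projects."""
    users = {}
    for name, (_, required) in sorted(PROJECTS.items()):
        for c in temporary(required):
            users.setdefault(c, []).append(name)
    return {c: p for c, p in users.items() if len(p) > 1}

def siloed_cost():
    """Each project procures its own temporary controls."""
    total = baseline_cost()
    for months, required in PROJECTS.values():
        total += sum(CONTROLS[c].cost(months) for c in temporary(required))
    return total

def portfolio_cost():
    """Each temporary control is procured once and operated for the longest
    project that needs it (assumes the projects run concurrently)."""
    longest = {}
    for months, required in PROJECTS.values():
        for c in temporary(required):
            longest[c] = max(longest.get(c, 0), months)
    return baseline_cost() + sum(CONTROLS[c].cost(m) for c, m in longest.items())

if __name__ == "__main__":
    print("multiplied controls:", multiplied())
    print("siloed:", siloed_cost(), "portfolio:", portfolio_cost(),
          "saving:", siloed_cost() - portfolio_cost())
```

The difference between the two totals is the expenditure that would otherwise be multiplied across ongoing projects; any control reported by `multiplied()` is a candidate for moving into the baseline.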

V. EXPECTED DEVELOPMENTS IN
OFFSHORE SMB ICT SECURITY SYSTEMS
IN NEAR FUTURE
There are several trends that can already be clearly
identified and that have already started having an impact on
ICT security requirements of SMB companies providing
services to offshore engineering and construction
companies, and especially on their cost efficiency. These
trends are the following:
1. The shift towards cloud based solutions as a cost
enhancing solution is not always or easily
applicable to the offshore area. Data links that are
usually satellite based do not allow for usage of
public cloud based solutions as a viable option
[7].
2. Offshore companies and large contractors
typically prefer standard and well-proven
solutions and measures to achieve the goals of ICT
security.
3. Host countries are likely to continue
implementing more and more strict measures for
control of information flow as the operations
continue to move to more difficult and dangerous
areas in terms of political, social and economic
risk.
4. Local infrastructure in host countries, which is often
lacking in the technology (hardware and software)
used to achieve the goals of ICT security and in
lifeware, will probably present an even
bigger challenge in the future for SMB ICT companies
providing ICT project delivery offshore. This
means additional pressure on profit margins and
timely delivery, as most solutions will have to be
imported from other countries rather than obtained
in host countries.
5. The cost of local certification of information security
solutions and their maintenance continues to have
a big impact on the cost side of SMB companies
providing ICT solutions to big contractors.
6. There are a number of hidden costs that have a
large impact on operations too. These costs are
typically constantly rising. Some of these costs
are the cost of equipment transport, import, storage,
expediting, installation, cost of visas for the
technicians, accommodation and personnel security,
etc.
Therefore, there are a number of factors driving
an increase in the cost of information
security operations of SMB ICT companies operating on offshore
projects. In the near future, it cannot be expected that
the percentage of these costs in total operation costs will
decrease. Also, a major driver in the enhancement of
competitiveness of such companies will be a portfolio
approach to information security solutions that are
applicable on various projects, and regional orientation to
certain areas that are more homogeneous in the requirements
imposed on SMB ICT companies providing solutions.

VI. CONCLUSION
Offshore projects in oil and energy sector are very
diverse, but are typically midterm to long term projects
executed in remote and difficult areas. Engineering and
construction companies and their assets are contracted to
develop certain phases of the project, and they usually
contract other companies for some phases of the project.
Various companies belonging to SMB segment of the
market are often contracted to provide specific services
and installations of hardware, software and network
infrastructure.

These companies are faced with extensive legal
requirements, both national and those in the territory where
operations and installations are being executed, best
practice and technology requirements and those arising
from internal professional risk assessment. On the other
hand, these companies usually have limited
financial and human resources that they can dedicate to these additional
information security requirements. The number of such
requirements is constantly rising.

The most appropriate approach to create and maintain
solid ICT security systems for SMB ICT companies is to
analyze their baseline requirements and create a portfolio
satisfying both baseline requirements and project portfolio
specific requirements. This will ensure that there is no
duplication of costs and implementation of unnecessary
solutions correlated with cost increase.

The near future will bring even more requirements for
certifications, offshore ICT security solutions and locally
imposed restrictions on the ways ICT companies may
approach those issues. Only close tracking of the fixed
and operative costs of ICT security solutions will prove to
be a positive driver for cost optimization and improvement
of provided services.



REFERENCES

[1] http://www.investopedia.com/terms/o/offshore.asp (15.12.2012.)
[2] http://www.offshoreguides.com/cptron/contact_engineering_construction.htm (15.12.2012.)
[3] "SENTINEL Auto Acquire Antenna Mobile Satellite Internet System", Owner's manual, General Dynamics, 4096-745 Rev. F, September 21, 2009.
[4] http://www.bsigroup.com/en-GB/iso-27001-information-security/ (15.12.2012.)
[5] Westney, E. Richard, Managing the Cost & Schedule Risk of Offshore Development Projects, Westney Project Services, Inc., Offshore Technology Conference, Houston, Texas, 30 April-3 May 2001.
[6] "Risk Management in International ICT Project Management", Global Sustainable Information and Communication Technology Management, University of East London, 2012, p. 12.
[7] Armbrust, M., Fox, A., Griffith, R., Joseph, A., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Zaharia, "A view of cloud computing", Communications of the ACM 53 (4), 2010, pp. 50-58.