
VOLUME 3, ISSUE 3 (2020) ISSN 2566-4522

VISOKA ŠKOLA
“INTERNACIONALNA POSLOVNO – INFORMACIONA
AKADEMIJA” TUZLA

ZBORNIK
RADOVA
Book of Proceedings

3. MEĐUNARODNA NAUČNA KONFERENCIJA O DIGITALNOJ
EKONOMIJI DIEC 2020
3RD INTERNATIONAL SCIENTIFIC CONFERENCE ON DIGITAL
ECONOMY DIEC 2020

TUZLA, JULY 2020.

Programski odbor / Programme committee
dr. sc. Anida Zahirović Suhonjić, predsjednica (Internacionalna poslovno – informaciona
akademija Tuzla)
prof. dr. Enes Osmančević (Univerzitet u Tuzli)
dr. sc. Damir Bećirović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Haris Hamidović (Internacionalna poslovno – informaciona akademija Tuzla)
prof. dr. Almir Peštek (Univerzitet u Sarajevu)
prof. dr. Lazar Radovanović (Univerzitet u Istočnom Sarajevu)
dr. sc. Silvana Tomić Rotim (Zavod za informatičku djelatnost Hrvatske)
doc. dr. Aleksandra Labus (Univerzitet u Beogradu)
doc. dr. Marina Stanić (Sveučilište J. J. Strossmayera u Osijeku)
doc. dr. Dino Arnaut (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Hadžib Salkić (Univerzitet “VITEZ” Vitez)
prof. dr. Jamila Jaganjac (Univerzitet “VITEZ” Vitez)
dr. sc. Nedret Kikanović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Zlatan Begić (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Emir Džambegović (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Željka Pejić Benko (Internacionalna poslovno – informaciona akademija Tuzla)
doc. dr. Damir Šarić (Internacionalna poslovno – informaciona akademija Tuzla)
prof.dr.sc. Katerina Malić Bandur (Ekonomski fakultet Sveučilišta u Mostaru)
doc. dr. sc. Sandra Jelčić (Ekonomski fakultet Sveučilišta u Mostaru)
doc. dr. Katarina Rojko (Fakultet za informacijske študije Novo Mesto)
izv. prof. dr. sc. Ljiljana Zekanović – Korona (Sveučilište u Zadru)
izv. prof. dr. sc. Božena Krce Miočić (Sveučilište u Zadru)
doc. dr. sc. Vesna Kalajžić (Sveučilište u Zadru)
doc. dr. sc. Marijana Ražnjević Zdrilić (Sveučilište u Zadru)

Organizacioni odbor / Organizational committee


dr. sc. Damir Bećirović, predsjednik (Internacionalna poslovno – informaciona akademija
Tuzla)
Emina Šarić, dipl.oec. (Internacionalna poslovno – informaciona akademija Tuzla)
Admir Čavalić, MA ekonomije (Internacionalna poslovno – informaciona akademija Tuzla)
Haris Delić, BA prava (Internacionalna poslovno – informaciona akademija Tuzla)
Adnana Beganlić, MA inž. informatike (Internacionalna poslovno – informaciona akademija
Tuzla)

Dizajn/Design
Katarina Andrejaš

Grafički urednik / Graphic editor


Abdulah Smajić

Urednici / Editors
Damir Bećirović
Haris Delić

Izdavač / Publisher
Internacionalna poslovno - informaciona akademija

ISSN 2566 - 4514 (Print)


ISSN 2566 - 4522 (Online)
CONTENTS

1. Zoran Ereiz
RISK MANAGEMENT IN SOFTWARE PROJECTS: HOW RISKS ARE (NOT) MANAGED IN SOFTWARE DEVELOPMENT PROJECTS

2. Dino Arnaut, Damir Bećirović
EMPOWERING SMES THROUGH BLOCKCHAIN BASED JUNIOR STOCK EXCHANGE

3. Božidar Radenković, Artur Bjelica, Marijana Despotović - Zrakić, Zorica Bogdanović, Dušan Barać, Aleksandra Labus, Tamara Naumović
MODERN COMMUNICATION MODELS WITH STAKEHOLDERS IN HEALTHCARE ECOSYSTEMS

4. Haris Hamidović, Jasmina Kabil-Hamidović, Edina Šehić
MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES

5. Ines Grossi, Zlata Berkeš, Antonija Rimac Gelo
THE IMPACT OF NEW MEDIA IN PRACTICING CATHOLICISM: THE CASE STUDY OF CROATIA’S CATHOLICS

6. Siniša Franjić
BITCOIN TRANSACTIONS

7. Katarina Rojko
INNOVATIVE LEARNING AND TEACHING IN HIGHER EDUCATION SUPPORTED BY WEB PLATFORMS AND APPLICATIONS

8. Benjamin Nurkić
INTRODUCING ELECTRONIC ELECTIONS WITHOUT ENFORCING THE JUDGMENTS OF THE EUROPEAN COURT OF HUMAN RIGHTS – DIGITIZATION WITHOUT SUBSTANTIAL DEMOCRATIZATION

9. Haris Hamidović, Amra Hamidović
THE ISSUE OF POSSIBLE USE OF CLOUD COMPUTING SERVICES BY BANKING SYSTEM ENTITIES IN BOSNIA AND HERZEGOVINA

10. Vjenceslav Arambašić, Josipa Živić, Ivan Sarić
MONEY LAUNDERING, TERRORIST FINANCING AND TAX EVASION USING CRYPTOCURRENCIES

11. Antonija Rimac Gelo, Zlata Berkeš, Ines Grossi
THE ROLE AND IMPACT OF SOCIAL MEDIA IN COMMUNICATION BY STATE INSTITUTIONS – THE CROATIAN PARLIAMENT (SABOR)

12. Kasim Bajramović, Irhad Bajramović, Amar Bajramović
SYSTEM OF RADIO VOICE CONNECTIONS USING IN MINE ZD RMU "KAKANJ" D.O.O. KAKANJ

13. Edina Zahirović Vilašević, Haris Delić
SHARING ECONOMY LEGISLATION FROM A RENTAL REAL ESTATE PERSPECTIVE IN THE FEDERATION OF BOSNIA AND HERZEGOVINA ENTITY

14. Zlata Berkeš, Ines Grossi, Antonija Rimac Gelo
E-SERVICES IN THE PUBLIC AND LOCAL GOVERNMENT OPERATIONS: THE BUDGET PAYMENT APPLICATION IN THE CITY OF BJELOVAR

15. Enaida Bejdić
DIGITAL TRANSFORMATION

16. Edib Smolo, Mirzet Šeho, Admir Čavalić
FINTECH AND ISLAMIC FINANCE: A CRITICAL APPRAISAL

17. Robert Andrejaš, Sunčica Oberman Peterka, Jerko Glavaš
RANGE AND POSSIBILITIES OF MEDIA CONVERGENCE IN THE EXISTING ORGANIZATIONAL DESIGN OF BIH CANTONAL RADIO-TELEVISIONS CASE STUDY - PROPOSAL FOR THE REDESIGN OF THE ORGANIZATION OF TUZLA CANTON RADIO - TELEVISION

18. Ines Popovac, Mario Kordić
THE PLACE AND ROLE OF NEW INFORMATION TECHNOLOGIES IN THE HEALTHCARE SECTOR

19. Emin Mešić
ANALYSIS OF THE POTENTIAL RISKS OF MAINTAINING ONLINE TEACHING AND DEVELOPING DEDICATED SOFTWARE

20. Amina Duraković
INTERNET ADDICTION – WHAT HAVE WE DISCOVERED SO FAR?

21. Robert Andrejaš, Sunčica Oberman Peterka, Jerko Glavaš
THE EFFECTS OF MULTIMEDIA ON THE VISIBILITY OF CULTURAL AND ART PROJECTS: THREE CASE STUDIES

Review Paper / Pregledni rad

dr.sc. Haris Hamidović, dipl.ing.el. [27]
mag. iur. Amra Hamidović [28]

THE ISSUE OF POSSIBLE USE OF CLOUD COMPUTING SERVICES BY BANKING SYSTEM ENTITIES IN BOSNIA AND HERZEGOVINA

Abstract
The applicable laws and regulations in Bosnia and Herzegovina do not specifically prescribe direct
restrictions relating to the establishment and use of cloud computing services by banking system entities in
Bosnia and Herzegovina. However, the use of this type of service is a segment of the outsourcing of business
activities that supports the core business. According to the decisions of the entity banking agencies in Bosnia
and Herzegovina on outsourcing management, banks in Bosnia and Herzegovina are obliged to provide the
process of implementing and managing outsourcing and risks that can result from the outsourcing. In
addition to banks, other entities of the banking system in Bosnia and Herzegovina should consider the
provisions of the outsourcing decisions when considering the arrangements for outsourcing. A large part of
the requirements of outsourcing decisions are what any conscientious and prudent cloud computing client,
whether regulated or not, should take in any case. In this paper, we outline some of the requirements that
banking system entities in Bosnia and Herzegovina should ensure in the process of implementing and
managing outsourcing and the risks that may arise from outsourcing.
Keywords: cloud computing, outsourcing, banking system entities, exit strategy, cyber security.

1. Introduction
According to the decisions of the entity banking agencies in Bosnia and Herzegovina on outsourcing
management, banks in Bosnia and Herzegovina are obliged to establish a process for implementing and
managing outsourcing and the risks that can result from it. Other Banking System Entities (BSEs),
such as microcredit organizations, leasing companies etc., should also have regard to the provisions of these
decisions, treating them as guidance rather than a requirement (Marchini, 2010). Among other things, banks are
required to develop a plan for unpredictable situations and an exit strategy for the bank, including the
continuation of the outsourced activities by a different service provider, or returning the activities to the
bank, and ensure their implementation.
The European Banking Authority (EBA) in its guidelines on outsourcing arrangements states that "financial
institutions should have a documented exit strategy when outsourcing critical or important functions that is
in line with their outsourcing policy and business continuity plans, taking into account at least the possibility
of:
a) the termination of outsourcing arrangements;
b) the failure of the service provider;
c) the deterioration of the quality of the function provided and actual or potential business disruptions caused
by the inappropriate or failed provision of the function;
d) material risks arising for the appropriate and continuous application of the function." (EBA, 2019)

This paper addresses termination issues that banking system entities that are party to a cloud services
arrangement should consider and address in their agreements, especially in the case of outsourcing critical
or vital services.

[27] doc. dr., Visoka škola "Internacionalna poslovno-informaciona akademija" Tuzla, mr.haris.hamidovic@ieee.org
[28] Legal adviser at the OSCE Mission to BiH, amrahamidoviciur@gmail.com

2. Access to data on exit


When we talk about cloud computing arrangements as a kind of outsourcing arrangement, one of the most
important considerations for any business when selecting a cloud provider is how the organization's
data will be managed or handled when the organization exits the services of one cloud provider and moves
either to another provider or back to its own environment (Burtzel, 2019).
Marchini states that there are a couple of related issues, such as:
• How does the customer get the data back, if at all?
• Is the data going to be in a format which the customer can use? (Marchini, 2010)
For example, the sample contractual provisions on termination quoted below do not address the return of
data or the assistance to be provided at the end of the relationship. No data retention or retrieval period
is specified. Neither termination assistance nor a process for retrieving the organization's data at the end
of the contract is addressed, nor is the destruction of the organization's data (Burtzel, 2019).
Term. The term of this agreement will commence on the effective date and will remain in effect until
terminated under this section. Any notice of termination of this agreement by either party to the other must
include a termination date that complies with the notice periods below.
Termination for convenience. You may terminate this agreement for any reason by providing us notice and
closing your account for all services. We may terminate this agreement for any reason by providing you at
least 30 days' advance notice.
Termination for cause. (i) Either party may terminate this agreement for cause if the other party is in material
breach of this agreement and the material breach remains uncured for a period of 30 days from receipt of
notice by the other party. No later than the termination date, you will close your account. (ii) We may also
terminate this agreement immediately upon notice to you (a) for cause if we have the right to suspend as
otherwise provided in these terms, (b) if our relationship with a third-party partner who provides software
or other technology we use to provide the service offerings expires, terminates or requires us to change the
way we provide the software or other technology as part of the services, or (c) in order to comply with the
law or requests of governmental entities.
Note: Previously cited clauses are taken from actual, publicly available terms and conditions appearing on
the webpages of cloud services providers (Burtzel, 2019).
Burtzel warns that some cloud services agreements contain termination clauses that condition the cloud
vendor's return of data upon payment of cloud vendor fees and other obligations. In the cloud services arena,
these clauses frequently provide that the cloud vendor may terminate the agreement at any time payment is
not timely received, and that no access to services or to the organization's data will be provided (Burtzel, 2019).
She further states that some clauses even go to the extreme of providing that the customer's data will be
deleted immediately or within a short time period upon the customer's failure to timely pay for services.
Cloud providers vary considerably in their handling of this issue in the termination of cloud arrangements.
Careful review of termination clauses and other provisions is required to determine what model is used in
the specific cloud services arrangement proposed (Burtzel, 2019). Burtzel suggests that typical strategies for
mitigating the impact of a data hostage clause might include the negotiation of terms requiring that the cloud
vendor provide access to the organization's data pending resolution of a dispute upon payment or any other
dispute that arises under the contract (Burtzel, 2019).
With regard to the above suggestions, it is necessary to state the opinion expressed by Marchini that it is not
sufficient only to have an obligation upon the provider to deliver a copy of the data, as that is something
which may well be very difficult to enforce for two main reasons:
• First, the relationship may not at the time of exit be particularly amicable. This could be because
the termination is through an allegation of breach (by either the customer or the provider against
the other). It may be because the customer simply wants to move away from the particular solution
with an inevitable disappointment for the provider of a loss of a potentially lucrative revenue
stream.
• Secondly, the provider could be insolvent and may immediately cease trading. A contractual
obligation will be of little use as there might be immediate staff losses and no one to assist in an
orderly exit. Even if there is not an immediate cessation of business (say where an administrator
is appointed to try and save a going concern), the priority for staff and management (who might
be under threat of job losses themselves) will be to do what they can to win new business, cut
costs, and look after those customers who are not terminating. A customer that is terminating
might expect little assistance in practice even when there is a contractual entitlement (Marchini,
2010).
For these reasons, Marchini recommends that a customer should not leave it until a termination
event to test its ability to obtain the data. It may be that a feature of the service simply allows the customer
to download the data at any time and without recourse to the provider, and if so there seems little
that can go wrong (other than the servers ceasing operation on termination). It will be prudent for the
customer to ensure that the functionality does work and to do so on a regular basis (with a full download),
and that it is possible to receive the data in the correct format (Marchini, 2010).
In the case of BSEs in Bosnia and Herzegovina, the contractual right to access data in the event of termination
of the contract with the cloud computing service provider is not sufficient. Especially in the case of critical
(vital) business processes, the bank must have daily access to up-to-date copies of data that can enable it to
recover or re-establish critical (vital) business processes in the required time. This is explicitly required by
Article 26 of the Decision on the Management of the Information System in the Bank:
Article 26
Copies
1) The Bank shall establish a backup process that includes procedures for making, placing, testing copies of
data, and restoring data from copies of data, as well as adequate transportation and submission of copies, to
ensure the availability of data in case of need, and enabled the recovery or reinstatement of critical (vital)
business processes in the required time.
2) As part of the copy management process, the bank shall prescribe for all information system resources
the type, method of production, frequency of production, frequency of depositing to a remote location, and
period of keeping copies.
3) Copies should be kept up-to-date and kept in an appropriate manner at one or more secondary locations,
at least one of which must be sufficiently distant from the primary site where the original data is located,
based on the risk analysis performed.
4) The bank shall be obliged to back up the data on one of the media (for example, an external hard disk,
tapes, etc.) at one or more secondary locations, and to adequately protect the backup data during the transfer
and keep up-to-date records thereof.
In addition, it is necessary for banks to ensure compliance with the requirements of Article 32 of the present
decision, which relates to the obligation to establish a backup data center:
Article 32
1) In case of outsourcing of all or part of the information system outside the territory of Bosnia and
Herzegovina, the bank shall be obliged to:
a) to define critical (vital) processes from the point of view of business continuity and operation in the
country,
b) to provide a local information center in the territory of Bosnia and Herzegovina in order to ensure the
availability of data and the possibility of carrying out critical (vital) processes in the country defined under
paragraph (1) item a) of this Article;
c) to carry out testing of the functionality of the local information center at least on an annual basis, and to
ensure that the test results report is approved by the bank's management;
d) to keep the information in the local information center up to date on a daily basis; and
e) to provide information in the local information center, in accordance with applicable legal regulations.

3. Data format issue


Burtzel states that data portability is a significant concern for most cloud service customers, and therefore
an agreement with a cloud services provider should address the following issues at minimum:
1) In what format will the data be returned to the customer?
2) What cost, if any, will apply to exporting the organization's data at the end of the agreement?
3) What timelines apply to the return of the organization's data? (Burtzel, 2019)
The format of the data as stored on the cloud service is important for the future use of the data in another
provider's environment or in the organization's own IT environment. The data should be provided to
the organization, or at least be made accessible to it, in a commonly used format that is accessible
and useful to the organization regardless of the platform. Unless the organization has specified the format in which
the data will be returned, it is likely that a cloud provider will supply the organization's data in a proprietary or
otherwise inaccessible format, states Burtzel (Burtzel, 2019). To illustrate, an example contract item from
an actual Cloud Vendor Services Agreement is provided below:
Return of customer content during td term. Without prejudice to the data processing addendum, customer
may request in writing during the td term that cloud vendor return to customer any customer content stored
on the product. Following receipt of such request, cloud vendor will (at customer's expense) use
commercially reasonable efforts to return (in cloud vendor's standard format or any other format selected by
cloud vendor) such customer content within sixty (60) days after receipt of such request.
Marchini recommends that the contract could specify a fairly standard non-proprietary format, which will
clearly have the attraction for the provider of being consistent across all customers. Some providers, for
example, specify that data will be returned in the ubiquitous ‘comma-separated values’ (CSV) format (which
is supported by many database-based applications). After all, any replacement provider should be able to
import data from a standard non-proprietary format (Marchini, 2010).
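The regular full-download test that Marchini recommends in section 2, combined with the agreed non-proprietary format discussed above and the daily-currency requirement of Article 32, can be automated as an exit drill. The following Python sketch is an added example, not part of the original paper or of any regulator's or provider's tooling; the column names, the `EXPECTED` structure and the sample data are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names are hypothetical, not any provider's schema.
SAMPLE_EXPORT = (
    "account_id,currency,balance,updated_at\n"
    "1001,BAM,250.00,2020-07-01T22:15:00+00:00\n"
    "1002,EUR,1200.50,2020-06-30T10:00:00+00:00\n"
    "1003,BAM,75.10,2020-07-01T09:00:00+00:00\n"
).encode("utf-8")

# What the customer expects: format and columns as agreed in the contract,
# row count taken from its own system of record. All values are constructed.
EXPECTED = {
    "columns": ["account_id", "currency", "balance", "updated_at"],
    "row_count": 3,
    "timestamp_column": "updated_at",
}


def check_export(raw, expected, now, max_age=timedelta(days=1)):
    """Return a list of findings for one full download; an empty list means the drill passed."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["format: not UTF-8 text, export may be in a proprietary format"]

    reader = csv.DictReader(io.StringIO(text, newline=""))
    if reader.fieldnames != expected["columns"]:
        return [f"format: header {reader.fieldnames} differs from the agreed columns"]

    findings = []
    rows = list(reader)
    if len(rows) != expected["row_count"]:
        findings.append(
            f"completeness: row count {len(rows)}, expected {expected['row_count']}"
        )

    newest = None
    for record_no, row in enumerate(rows, start=1):
        # DictReader marks short rows with None values and long rows with a None key.
        if None in row or None in row.values():
            findings.append(f"format: record {record_no} has the wrong number of fields")
            continue
        try:
            stamp = datetime.fromisoformat(row[expected["timestamp_column"]])
        except ValueError:
            findings.append(f"format: record {record_no} has an unparseable timestamp")
            continue
        if stamp.tzinfo is None:
            stamp = stamp.replace(tzinfo=timezone.utc)  # assumption: naive stamps are UTC
        if newest is None or stamp > newest:
            newest = stamp

    # Daily currency: the newest record must be no older than max_age.
    if newest is None:
        findings.append("freshness: no usable timestamps in export")
    elif now - newest > max_age:
        findings.append(f"freshness: newest record {newest.isoformat()} is older than {max_age}")
    return findings


if __name__ == "__main__":
    drill_time = datetime(2020, 7, 2, 8, 0, tzinfo=timezone.utc)
    result = check_export(SAMPLE_EXPORT, EXPECTED, drill_time)
    print("drill passed" if not result else "\n".join(result))
```

Run on a schedule against a real full download, a non-empty result is the early warning that the export path, the agreed format or the daily copy has stopped working before a termination event forces the question.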

4. Contractual chains of cloud providers issue


Marchini draws attention to another risk associated with how cloud services work, which may affect data
access. The risk that a provider's insolvency or breach poses to the customer's reliable access to
its own data is compounded when the data is not actually in the hands of the provider but instead in the
hands of one of its subcontractors (Marchini, 2010).
To begin with, let's consider different cloud computing service delivery models, according to the US
National Institute of Standards and Technology (Mell, Grance, 2011):
• Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure. The applications are accessible from various client
devices through either a thin client interface, such as a web browser (e.g., web-based email), or a
program interface. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration settings.
• Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages,
libraries, services, and tools supported by the provider. The consumer does not manage or control
the underlying cloud infrastructure including network, servers, operating systems, or storage, but
has control over the deployed applications and possibly configuration settings for the application-
hosting environment.
• Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision
processing, storage, networks, and other fundamental computing resources where the consumer is
able to deploy and run arbitrary software, which can include operating systems and applications.
The consumer does not manage or control the underlying cloud infrastructure but has control over
operating systems, storage, and deployed applications; and possibly limited control of select
networking components (e.g., host firewalls).
The SaaS space is full of small(ish) companies entering into the market by building their offerings on one
of the principal PaaS offerings. Large SaaS providers also use outsourced hosting services. Whilst the data
may well be safely secured behind state-of-the-art security deployed by the PaaS provider (or its
subcontractor) or the hosting company, it is at the SaaS level where the real risk is. The issue is compounded
if there are more than two providers in the chain, said Marchini (Marchini, 2010). See Figure 1 for an
example.
Figure 1. Cloud providers in the chain

Source: (Marchini, 2010)

Marchini details the associated risks as: If the SaaS provider is insolvent, whilst the data may well be very
safe indeed, it is in the hands of a PaaS (or IaaS) provider (or, worse, one of its subcontractors). The customer
will have real difficulty in retrieving the data from anyone lower down the chain. In the first place, the
customer may simply not know where the data is (although this does of course depend on the extent of its
diligence). Even when the customer does know where the data is, the PaaS or IaaS provider may simply not
be interested in assisting the customer (who was not its customer) (Marchini, 2010).

5. Conclusion
Cloud computing attracts banking system entities for the same reasons that cloud computing attracts
organizations in other industries - by offering increased flexibility and efficiency at lower costs than on-
premises computing solutions. However, cloud computing for banking system entities creates increased
security risks and regulatory and legal scrutiny.
It is essential in any adoption of cloud that the customer ensure that they have ready access to data on an
ongoing basis. Every organization needs to carefully consider whether the risk of having only one copy of
their data with one cloud provider is a risk that they are willing to take. For the banking system this is not
just a matter of good practice, but also a legal obligation when it comes to critical business services.
Cloud computing users have significant and ongoing concerns about the risks inherent in cloud computing.
Unfortunately, these issues are not adequately addressed in the standard contract terms offered by most
cloud computing service providers. Cloud computing users today lack sufficient bargaining power to
negotiate more balanced agreements. There is little indication that bargaining power has begun to change in
favor of customer empowerment. From the perspective of the service provider, customers cannot claim the
cheapest service and, in addition, significant guarantees and assumption of responsibility. There is little
incentive, especially for large cloud computing providers, to create and offer customer-friendly contracts.
One possible solution is for banking industry sectors to form coalitions and thus increase their bargaining
power for more favorable contracts with cloud computing providers. In addition, given the requirements of
domestic regulators, consideration should also be given to developing appropriate national models, which
would benefit cloud computing service providers, regulated industry users, and regulators who could
exercise appropriate oversight.

References:
1. Burtzel, C. M. (2019). Negotiating the Exit – Ensuring Successful Transition in Cloud Contracts,
in Rothchild, J., Lifshitz, L. R. (eds.), (2019). Cloud 3.0: Drafting and Negotiating Cloud Computing
Agreements, American Bar Association.
2. EBA, (2019). Guidelines on outsourcing arrangements.
3. Hamidović, H. (2019). Računarstvo u oblaku i rizici zaštite podataka. Pravo i finansije. No. 12.
Pp. 25-27.
4. Marchini, R. (2010). Cloud Computing: A Practical Introduction to the Legal Issues, British
Standards Institution.
5. Mell, P., Grance, T., (2011). The NIST Definition of Cloud Computing - NIST Special
Publication 800-145. National Institute of Standards and Technology.
6. Official Gazette of the Federation of Bosnia and Herzegovina, (2017). Decision on the
Management of Externalization at the Bank (“Official Gazette of the Federation of Bosnia and
Herzegovina”, No. 81/17).
7. Official Gazette of the Federation of Bosnia and Herzegovina, (2017). Decision on the
Management of the Information System in the Bank ("Official Gazette of the Federation of
Bosnia and Herzegovina", No. 81/17).
8. Official Gazette of Republika Srpska, (2017). Decision on outsourcing (“Official Gazette of
Republika Srpska”, No. 75/17).
9. Official Gazette of Republika Srpska, (2017). Decision on information system management in
banks (“Official Gazette of Republika Srpska”, No. 116/17).
