Eben Otuteye, Faculty of Administration, University of New Brunswick, Fredericton, Canada.
In the new economy, information is critical both as input and output. Hence information security management is of high priority. In contrast, the Internet, which is the primary medium for conducting e-business is by design an open non-secure medium. Since the original purpose of the Internet was not for commercial purposes, it is not designed to handle secure transactions. This paper first presents an outline and analysis of the security needs of online businesses. This is followed by an evaluation of the current tools and practices for ensuring e-business security. The shortcomings of the present practices are noted. A systematic approach to e-business information security is presented. The key characteristic of this approach is that it is an insurance-based risk management process that encompasses the entire information infrastructure of an organization.
Whereas the original purpose of the Internet was to move files among computers, to enable easy remote access to computers, and to build redundancy into the distributed system that it is, its use for commercial purposes has grown tremendously since the development of the World Wide Web. Simplicity and ease of use were the prime motivation for designing the Internet. Security, both for the Internet and the Web came as a later development, almost an afterthought. This has “led to a simple and scalable network design that offers a best-effort service, in which the network does not guarantee anything, not even delivery of the data.” [Mathy et al, (2000)]. In addition to the Internet being an open system, the rapid rate of development of new software and communication systems has led to a state in which software users are not fully knowledgeable about software and systems architecture. This makes users oblivious to a number of vulnerabilities that can lead to serious security breaches.
Organizations have always regarded information as an important resource. However, in today’s knowledge-based economy, the significance of information both as strategic input and output has been accentuated. At first glance, it appears we have a situation that presents tremendous opportunity for global commerce: a global communication infrastructure that is very conducive for low cost transmission of information and a global economy that is tending to be highly information-based. Along with this opportunity comes the challenge of information security. Protecting online assets and network resources has become a mission critical concern for executives and managers.
This paper is in two parts. The first part presents an outline of the significance and impact of information security for e-business with emphasis on the security threats and potential losses that could arise from those vulnerabilities. E-business security is analyzed as consisting of six dimensions: confidentiality, integrity, availability, legitimate use, auditing and non-repudiation. The consequence of each type of security breach is discussed and various technological solutions are presented. We note that the present approach is inadequate primarily because the solutions tend to be threat-specific, technology centered and rather ad hoc. Furthermore, it is argued, those solutions are subject to a basic flaw, namely, that they are geared primarily toward creating assurance rather than managing risk. In the second part of the paper, it is argued that the current system of focusing on software and hardware systems is inadequate. Instead, we advocate a risk management system coupled with a new type of certification authority.
The primary proposition of this paper is that effective e-business security decisions have to be part of an overall corporate information security and risk management policy. We propose a six-step sequential decision making process as a system for e-business security management. We show that e-business security risk lends itself quite naturally to well-established risk assessment, risk analysis, and risk management methodologies and strategies. The paper concludes that the proposed approach makes the problem amenable to market pricing of the e-business security risk and enables risk transfer, hedging and/or insurance solutions to be applied in the management of information security.
In today’s Internet world, it is relatively easy to create, alter and transmit information. The advancement in computing capacity and interconnectivity has presented a situation where small efforts can cause potentially large losses. Both accidental and intentional breaches are easier and more likely. This is a major challenge to businesses that want to take advantage of the current information technology. Concern for information security is fairly widespread. According to InformationWeek Research's Global Information Security Survey conducted in June, 2000, nearly three-quarters of information security professionals regard security as a top priority, up from 56% two years ago. Those in banking, health care, finance, and telecommunications rate information security as the highest business priority, with retailers a little less concerned. In every sector, security is regarded as a key business driver.[HREF1]
There are almost uncountably many ways in which an e-business setup could be attacked by hackers, crackers and disgruntled insiders. Common threats include hacking, cracking, masquerading, eavesdropping, spoofing, sniffing, Trojan horses, viruses, logic bombs, wiretaps, etc. While the list of actual manifestations is long, conceptually they break down into a few categories: spoofing, unauthorized disclosure, unauthorized action, and data alteration. From a business perspective, Denial of Service (DoS) attacks appear to be the most serious threat. DoS attacks consist of malicious acts that prevent access to resources that would otherwise be available. Even though no data may be lost, the financial loss incurred from being unable to supply a service to customers can be far greater.
In conducting e-business, every organization ought to be able to:
Effective information security policy must have the following six objectives [HREF2]: confidentiality; integrity; availability; legitimate use (identification, authentication, and authorization); auditing or traceability; and non-repudiation. If these objectives could be achieved, it would alleviate most of the information security concerns. Each information security objective is discussed below with emphasis on the specific challenges it poses to Internet mediated businesses.
Confidentiality involves making information accessible to only authorized parties, or restricting information access to unauthorized parties. Confidentiality concerns did not originate with the Internet. However, conducting business over the Internet has exacerbated the situation. As an example, one context in which this issue has been addressed extensively is the area of confidentiality of electronic health data. There have always been concerns about confidentiality in health care. Online intermediation has complicated the problem and heightened the misgivings that already exist. For example, recent surveys reported by the Georgetown University Institute for Health Care Research and Policy contain some rather revealing statistics about people’s concern for confidentiality:
Sixty-three percent of Internet ‘health-seekers’ and sixty percent of all Internet users oppose the idea of keeping medical records online, even at a secure, password-protected site, because they fear other people will see those records. … An overwhelming majority of Internet users are worried about others finding out about their online activities: eighty-nine percent of Internet users are worried that Internet companies might sell or give away information and eighty-five percent fear that insurance companies might change their coverage after finding out what online information they accessed. [HREF3]
To maintain the confidentiality of Web users’ information, organizations have to find ways to keep the information from unauthorized view. From an operational point of view, that means information that is stored has to be secured in a way that it can only by accessed by authorized parties. Similarly, information in transit has to be kept from the view of unauthorized parties and that it is retrieved only by a legitimate entity.
Transmitting information over the Internet (or any other network) is similar to sending a package by mail. The package may travel across numerous trusted and untrusted networks before reaching its final destination. Unless the data is encrypted and integrity-protected end to end, it can be read, intercepted and modified while in transit. Such modification could be the work of a hacker, a network administrator, a disgruntled employee, government agents or a corporate business-intelligence gatherer; it could also be unintentional.
The need for accuracy of information in an information-driven society cannot be over stated. Typically, information is either stored at a given location or being passed from one point to another. Either way, the primary concern for information integrity is that it remain intact so that nothing is added nor taken from it that is not intended or authorized. The extreme cases of lack of information integrity are when a whole database is lost or replaced with something else. Between these extreme cases are situations where data is corrupted either minimally or significantly such that major repairs have to be done to make it useable again.
Availability means that systems, data, and other resources are usable when needed despite subsystem outages and environmental disruptions. [HREF4] Lack of availability is essentially loss of use. The most commonly known cause of availability problems is Denial of Service (DoS) attacks even though there are other common causes such as outages, network issues, or host problems. The goal is to ensure that system components provide continuous service by preventing failures that could result from accidents or attacks. From a security point of view, availability is enhanced through measures to prevent malicious denials of service.
Closely related to availability and very important to e-businesses are reliability and responsiveness. Reliability implies that a system performs functionally as expected. Responsiveness is a measure of how quickly service can be restored after a system failure; in other words, it is a measure of system survivability. This does not necessarily mean that the failed system is revived, just that service is restored or not lost at all despite the failure. One advantage for e-businesses is that the Internet, being a distributed system, affords a greater opportunity for building redundancy into systems so as to mitigate denial of service problems. Survivability is at the heart of the Internet's design, and an organization that builds its own servers and network connections with the same redundancy, rather than leaving any of them as a single point of failure, should see minimal availability problems from ordinary outages. Nevertheless, there are still real threats to availability.
Legitimate use has three components: identification, authentication and authorization. Identification is the process by which a user (human or machine) claims an identity to the host (server) it wishes to transact with; the most common method is a username, confirmed by a password. Authentication is the verification of that claimed identity. Without authentication, the system could be accessed by an impersonator. Authentication needs to work both ways: users must be able to authenticate the server they are contacting, and servers must be able to authenticate their clients. Authentication usually requires the entity presenting an identity to confirm it with something it knows (e.g. a password or PIN), something it has (e.g. a smart card or identity card) or something it is (biometrics: a fingerprint or retinal scan). Biometric authentication is often regarded as the most precise way of confirming a user's identity. However, biometric processes such as scanning a retina or matching a fingerprint against a stored template are often considered intrusive, and there is always some fear that this information will be misused. [HREF5]
The approach to authentication that is gaining acceptance in the e-business world is the use of digital certificates. A digital certificate binds identifying information about its subject (a person, an organization or a server) to the subject's public key; the matching private key is held only by the subject and never appears in the certificate. The subject proves possession of the private key by signing data with it, typically by signing a cryptographic hash of the data, and anyone holding the certificate can verify that signature with the public key. The authenticity of the certificate itself is attested to by a trusted third party known as a "Certificate Authority," which signs it. The certificates, the authorities that issue them and the procedures for issuing, validating and revoking them together constitute a Public Key Infrastructure (PKI).
Once an entity has been authenticated, the next step in establishing legitimate use is to ensure that its activities within the system are limited to what it has the right to do. This may include access to files, manipulation of data, changing system settings, etc. A secure system establishes a well-defined authorization policy together with a means of detecting unauthorized activity.
From an accounting perspective, auditing is the process of officially examining accounts. Similarly, in an e-business security context, auditing is the process of examining transactions. Trust is enhanced if users can be assured that transactions can be traced from origin to completion. If there is a discrepancy or dispute, it will be possible to work back through each step in the process to determine where the problem occurred and, probably, who is responsible. Order confirmation, receipts, sales slips, etc. are examples of documents that enable traceability. In a well-secured system, it should be possible to trace and recreate transactions, including every subcomponent, after they are done. An effective auditing system should be able to produce records of users, activities, applications used, system settings that have been varied, etc., together with time stamps so that complete transactions can be reconstructed.
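One way to deliver the traceability described above, given here as an added example rather than anything from the paper: an append-only audit trail in which every record carries the user, application, action, transaction identifier and time stamp, and is chained to the previous record by a hash, so that a transaction can be reconstructed from its records and any later alteration or deletion of a record is detected. The record fields, users, identifiers and log entries are constructed for illustration.

```python
"""Added example (not from the paper): a tamper-evident audit trail that
supports reconstructing a transaction after the fact.

Every record carries the actor, application, action, transaction id and a
time stamp, and is chained to its predecessor by a SHA-256 hash, so that a
later alteration or deletion of any record is detected when the chain is
verified. All records, users and identifiers below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


@dataclass
class AuditRecord:
    seq: int               # position in the trail; detects deletions
    timestamp: str         # ISO-8601; in practice from a trusted, synchronized clock
    user: str
    application: str
    transaction_id: str
    action: str            # e.g. "order.create", "settings.change"
    detail: Dict
    prev_hash: str         # hash of the previous record (the chain link)
    hash: str = ""         # hash of this record, filled in on append

    def compute_hash(self) -> str:
        """Hash over a canonical JSON encoding of every field except `hash`."""
        body = asdict(self)
        body.pop("hash")
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64     # prev_hash of the first record

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, timestamp: str, user: str, application: str,
               transaction_id: str, action: str, detail: Dict) -> AuditRecord:
        prev = self.records[-1].hash if self.records else self.GENESIS
        rec = AuditRecord(len(self.records), timestamp, user, application,
                          transaction_id, action, detail, prev)
        rec.hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record is intact and links to its predecessor."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or rec.compute_hash() != rec.hash:
                return False
            prev = rec.hash
        return True

    def reconstruct(self, transaction_id: str) -> List[AuditRecord]:
        """All recorded steps of one transaction, in the order they occurred."""
        return [r for r in self.records if r.transaction_id == transaction_id]


def sample_trail() -> AuditTrail:
    """Constructed trail: an order placed by a customer, an unrelated
    configuration change by an administrator, then the order's shipment."""
    t = AuditTrail()
    t.append("2001-04-20T09:14:02Z", "cust-4821", "storefront", "TX-1001",
             "order.create", {"sku": "7731", "qty": 50, "total": 1250.00})
    t.append("2001-04-20T09:20:45Z", "admin-7", "webserver", "CFG-17",
             "settings.change", {"key": "session_timeout", "old": 30, "new": 15})
    t.append("2001-04-20T14:02:11Z", "ops-12", "fulfilment", "TX-1001",
             "order.ship", {"carrier": "X", "tracking": "Z123"})
    return t


def tamper_detected() -> bool:
    """An insider silently changes the ordered quantity in a stored record;
    the recomputed hash no longer matches, so verify() reports the trail broken."""
    t = sample_trail()
    assert t.verify()
    t.records[0].detail["qty"] = 500
    return not t.verify()
```

The chain only proves that nothing changed after the head hash was fixed, so the latest hash should be anchored somewhere the log writer cannot rewrite (for example, periodically signed or copied to write-once storage); otherwise an insider with write access to the whole log can re-hash the chain after editing it.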
Non-repudiation is the ability of an originator or recipient of a transaction to prove to a third party that their counterpart did in fact take the action in question. Thus the sender of a message should be able to prove to a third party that the intended recipient got the message, and the recipient should be able to prove to a third party that the originator did actually send it. This requirement is useful for verifying claims by the parties concerned and for apportioning responsibility in cases of liability. Obviously, this is a crucial requirement in any business transaction in which orders are placed: both buyers and sellers need to be confident not only that they are dealing with the appropriate parties but also that they have proof to support claims about any action taken in the process. Non-repudiation protocols are also useful in forensic computing, where the goal is to collect, analyze and present data to a court of law. [HREF6]
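To make the distinction concrete, the following is an added example and not code from the paper: a toy digital signature placed next to a shared-secret MAC, showing why only the former supports non-repudiation of origin (and why the certificate of the previous section carries the public key, never the private one). It uses textbook RSA over two fixed Mersenne primes so that it runs with the Python standard library alone; the primes, the purchase-order messages and the key sizes are assumptions for illustration, and the scheme (no padding, fixed tiny keys) must not be used in production.

```python
"""Added example (not from the paper): non-repudiation of origin with a
digital signature, contrasted with a shared-secret MAC.

Textbook RSA over two fixed Mersenne primes is used so the block runs with the
Python standard library alone. It is a teaching toy: no padding, fixed keys,
a modulus far too small for real use. In production use a vetted library and
a standard signature scheme."""
import hashlib
import hmac
import os

# Toy key pair (constructed for illustration). The public key (E, N) is what a
# certificate would carry; D is the private key and is never published.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def _digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer below N (the reduction is only
    needed because the toy modulus is shorter than the digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Originator signs the message hash with its private exponent."""
    return pow(_digest_int(message), d, N)


def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Anyone with the public key, including a third party settling a
    dispute, can check the signature without holding any secret."""
    return pow(signature, e, N) == _digest_int(message)


def mac(message: bytes, shared_key: bytes) -> bytes:
    """HMAC authenticates the message to the other key holder, but because
    both parties hold the key, either of them could have produced the tag."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def demo() -> dict:
    """Constructed purchase orders; returns the outcome of each check."""
    order = b"PO-1001: 50 units of SKU 7731, ship to warehouse B, 2001-04-20"
    sig = sign(order)
    tampered = order.replace(b"50 units", b"500 units")
    shared_key = os.urandom(32)            # key that buyer and seller both hold
    never_sent = b"PO-1002: 500 units of SKU 7731, ship to warehouse B"
    # The recipient, holding the shared key, can mint a valid tag for an order
    # the originator never sent: a MAC cannot prove origin to a third party.
    forged_tag = mac(never_sent, shared_key)
    # The recipient holds only the public exponent, so the best it can do is
    # exponentiate with E; the result does not verify as a signature.
    forged_sig = pow(_digest_int(never_sent), E, N)
    return {
        "signature_verifies": verify(order, sig),
        "tampered_order_rejected": not verify(tampered, sig),
        "forged_mac_accepted": hmac.compare_digest(mac(never_sent, shared_key), forged_tag),
        "forged_signature_rejected": not verify(never_sent, forged_sig),
    }
```

The MAC is still the right tool for protecting a session between two parties that trust each other; it is only when a third party must be convinced of who acted that the asymmetry of a signature, and the certificate that binds the public key to a name, becomes necessary.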
One of the problems of the current e-business security implementation is that components of e-business infrastructure tend to be looked at individually and separately for security purposes. The current common “security policy” implemented by most e-businesses runs like this: assemble a catalogue of threats and vulnerabilities and then shop for technology tools that alleviate those concerns. Security solutions are targeted at counteracting specific groups of threats and vulnerabilities. However, what is needed are comprehensive solutions that will produce peace of mind to the business and trust and confidence in customers and partners. A typical three-tier e-business architecture comprises the client, web and commerce servers, and database servers. A systematic implementation of e-business security must ensure that each of these components is secure. This requires security policy and implementation at three levels: network security, system level security and transaction level security.
The current common e-business security practice translates into acquiring sophisticated servers, firewall software, intrusion detection systems, and obtaining digital certificates. We refer to this as the “latest gizmo” driven approach. While there is nothing wrong with installing these devices, the implicit false assumption is that security risk problems can be minimized by that approach. We contend that regardless of how sophisticated the software and hardware devices might be, risk cannot be fully addressed without a systematic risk assessment and risk management process.
All security solutions need to begin with a policy. Some basic security policy questions that must be answered are:
A viable security policy should have the following characteristics:
The main thesis of this paper is that e-business security can only be effective if it is regarded as part of an overall corporate information security risk management policy. For that purpose a six-stage security management strategy is proposed: [HREF7]
Stage 1: Develop a corporate risk consciousness and risk management orientation.
Stage 2: Perform a thorough risk assessment of the whole business. Identify and rank risks based on threats, vulnerabilities, cost and countermeasures.
Stage 3: Devise a systematic risk-management based e-business security policy.
Stage 4: Put risk control mechanisms in place. Implement technological best practices with regard to e-business infrastructure components: clients, servers, networks, systems and applications, and transport mechanism. These “best-practices” security measures will be validated and certified by a security certification authority.
Stage 5: Follow systematic risk assessment and risk management procedures to determine the level of risk after implementing the best practices on each component. Insure residual risk of low probability but high cost events and manage the rest.
Stage 6: Monitor and audit diffusion of risk management culture, policy implementation and enforcement, and revise policy and procedures as needed.
In order for any security policy to work, there has to be a strong organizational foundation. The goal is to create a systemic, organization-wide risk consciousness and responsibility. Both top-down and bottom-up strategies need to be deployed so as to generate a collective sense of mission. Both management and employees must have a keen sense of how their interests and the fortune of the organization depend very strongly on their ability to safeguard their information resources.
Risk Assessment is based on identifying threats, vulnerabilities and cost. A simple equation can be used to represent this process:
Risk = (Threat x Vulnerability x Cost of business disruption) / (Cost of Countermeasure)
Threat is the probability that an attack (or, possibly, inadvertent misuse) occurs in the period under consideration. Vulnerability is 1 minus system effectiveness, where effectiveness is the fraction of such events that the controls in place stop, a number between 0 and 1; under this formula, 100% effectiveness therefore produces zero risk. Cost of disruption is what it costs to restore the system to full function plus any revenue lost during the disruption period. One way to reduce this cost is to build in redundancy. For simplicity, the model assumes that the effectiveness of a countermeasure is directly proportional to its cost, which is why the countermeasure cost appears as a divisor. In practice this is a rough proxy, since a cheap control (timely patching, for instance) can be far more effective than an expensive one, so the formula is best used to rank risks against one another rather than to read absolute values.
The focal point for any viable e-business security strategy is a sound well-articulated security policy. Documented security policy is the first tangible evidence of a credible and operational security system. Every organization that is serious about security must have a comprehensive and coherent security policy. The policy must address each system component, internal and external threats, human and machine factors, managerial and non-managerial responsibility. The security policy has to have as its foundation, the six objectives of e-business security: confidentiality; integrity; availability; legitimate use, auditing, and non-repudiation.
This aspect of security policy is where vulnerabilities are handled. Vulnerability is often the first thing to address, since that is where the organization and the system administrator tend to have the most control. This is the area of security risk management that is principally a technology issue. Each component has to be addressed with a view to implementing a complete e-business secure infrastructure. Notable elements in that strategy will include cryptography, PKI and digital signature technology. This is where the system information security officer can go over a checklist of what is necessary and what the organization has. A typical checklist will include:
At the moment, businesses are using various (sometimes very poor) proxies for best practices as a substitute for an overall security strategy. There is no systematic industry standard of best practices for organizations to model their strategies on. So far the closest one comes to best practices are the practices of so-called “leading organizations”, those that are significantly ahead of the rest in implementing robust security systems [HREF8]. While those practices may be exemplary, they may not necessarily earn the title of best practices when subjected to objective, rigorous analysis. The type of best practice advocated here is one that is not only impressive in its design and implementation, or even adopted by most organizations, but one that can be analytically shown to be optimal. A best practice will be a cost-effective security policy that is commensurate with the perceived information security risk of the organization. In order to create a common set of standards (not necessarily identical implementations), we advocate the setting up and use of a “Security Certification Authority” that will certify that best-practice procedures have been effectively deployed.
Once the best practices are in place and certified, any risk that is not covered must be addressed by means of an insurance mechanism. Those risks need to be further assessed in terms of the probability of the events and their financial impact on the organization. A simple matrix commonly used for insurance decisions can be used to classify the sources of risk, as in Table 1 below. The events in Quadrant I are risks and vulnerabilities that have low probability and low impact if they occur. The traditional way of dealing with those items is to handle them on an event-by-event basis: the organization monitors them without necessarily taking any immediate proactive measures. They need to be watched in the background. Quadrant II contains events with high probability but low impact. These are events whose management will be incorporated into the daily routine of the organization to ensure that actions are in place to curb their probability of occurrence. By definition, there will be no insurance market for events in Quadrant IV (high probability and high impact). Events that fall in Quadrant IV are dealt with by preventing their occurrence, much like those in Quadrant II, except that the organization should be willing to devote more resources to avoiding Quadrant IV events. Events in Quadrant III (low probability but high impact) are those that will normally be handled by insurance, either one that is explicitly traded in the financial market or an equivalent intra-organization device. Already, a market for this is beginning to develop. [HREF9] However, because of the lack of information about what constitutes best practice, we conjecture that this market is highly inefficient right now.
|                  | Low impact                     | High impact                                           |
| Low probability  | I: Keep in Mind and Monitor    | III: Insure and/or Have Backup Plan                   |
| High probability | II: Contain and Control        | IV: Avoid/Prevent using Risk Management Strategies    |

Table 1: Probability vs. Impact Matrix
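As an added example (not from the paper), the following scores a constructed set of risks with the formula from the risk-assessment stage, ranks them as Stage 2 requires, and sorts each into a Table 1 quadrant by its residual probability and impact as Stage 5 requires. The risk scenarios, the monetary figures and the probability and impact thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the paper): scoring risks with the formula from
the risk-assessment stage, ranking them (Stage 2) and placing each in a
Table 1 quadrant by residual probability and impact (Stage 5).

    Risk = (Threat x Vulnerability x Cost of disruption) / Cost of countermeasure

Threat is the probability of the event over the planning period (one year
here); Vulnerability = 1 - effectiveness of the controls in place. All
scenarios, monetary figures and thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RiskItem:
    name: str
    threat: float               # probability of the event in one year, 0..1
    effectiveness: float        # fraction of such events current controls stop, 0..1
    disruption_cost: float      # cost to restore service plus revenue lost meanwhile
    countermeasure_cost: float  # cost of the control being evaluated (> 0)

    def vulnerability(self) -> float:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must lie in [0, 1]")
        return 1.0 - self.effectiveness

    def expected_loss(self) -> float:
        """Threat x Vulnerability x Cost: the annual expected loss, which is
        the quantity an insurer would price."""
        return self.threat * self.vulnerability() * self.disruption_cost

    def risk(self) -> float:
        """The paper's ratio; meaningful for ranking, not as an absolute value."""
        if self.countermeasure_cost <= 0:
            raise ValueError("countermeasure cost must be positive")
        return self.expected_loss() / self.countermeasure_cost


QUADRANTS = {
    (False, False): ("I", "Keep in mind and monitor"),
    (True, False): ("II", "Contain and control"),
    (False, True): ("III", "Insure and/or have backup plan"),
    (True, True): ("IV", "Avoid/prevent using risk management strategies"),
}


def rank(items: List[RiskItem]) -> List[RiskItem]:
    """Highest risk first, as Stage 2 requires."""
    return sorted(items, key=lambda r: r.risk(), reverse=True)


def quadrant(item: RiskItem, prob_threshold: float = 0.1,
             impact_threshold: float = 100_000.0) -> Tuple[str, str]:
    """Residual probability of a loss is threat x vulnerability (the event
    occurs and gets past the controls); impact is the disruption cost. The
    thresholds are assumptions each organization must set for itself."""
    high_prob = item.threat * item.vulnerability() >= prob_threshold
    high_impact = item.disruption_cost >= impact_threshold
    return QUADRANTS[(high_prob, high_impact)]


def sample_items() -> List[RiskItem]:
    """Constructed scenarios for a small online retailer."""
    return [
        RiskItem("DoS flood against storefront", 0.5, 0.6, 250_000.0, 40_000.0),
        RiskItem("Fire destroys hosting site", 0.01, 0.5, 2_000_000.0, 500_000.0),
        RiskItem("Staff passwords phished", 0.9, 0.8, 20_000.0, 5_000.0),
        RiskItem("Web page defaced", 0.05, 0.7, 10_000.0, 2_000.0),
    ]


def assessment() -> List[Tuple[str, float, str]]:
    """(name, risk score, quadrant number) for the sample, highest risk first."""
    return [(r.name, round(r.risk(), 4), quadrant(r)[0]) for r in rank(sample_items())]
```

Note how the two views disagree on the fire scenario: its risk score is the lowest of the four because the countermeasure is expensive, yet it lands in Quadrant III because a single occurrence would be ruinous. That is exactly the case the paper assigns to insurance rather than to further technical spending, and `expected_loss()` is the figure a premium would be built on.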
Implementing effective e-business security is a dynamic process. The technology is changing very fast and so are the threats and vulnerabilities. Creating a security and risk management culture is a slow process. It is necessary to establish an effective monitoring and feedback system in order to determine the efficacy of each of these aspects of the security policy.
This proposed framework for information security immediately brings into focus some challenges together with some corresponding opportunities. The main challenge is that at this present time we do not have all the building blocks in place yet for an organization that wants to implement this framework to do so. In particular, the following issues have to be dealt with:
The present challenge is that none of these components is currently in place. In particular, there is an urgent need for further research into issues such as the optimal investment in security mitigation technology and strategies; the appropriate pricing of information security risk for the purpose of making sound insurance management decisions; and how to systematically incorporate the behavioural component into a systematic risk management strategy.
The problem of information security in today’s networked world is presented together with current common solutions applied to solve it. It is argued that the purely technological approach is not sufficient to produce trust or minimize risk so as to cause companies and their clients to conduct e-business with confidence. A risk management approach is presented. With the implementation of this approach, new financial security markets will emerge to handle the pricing and trading of this type of risk. Demand and supply of e-business risk insurance will lead to price discovery and market efficiency.
Two conditions are necessary for this new approach to become effective: an industry standard needs to be set for what constitutes best practices in e-business security, and a new type of “Certification Authority” will have to be instituted to certify that an organization conforms to a set of best practices. These best practices and their certification will then become the standard upon which market prices for e-business insurance will be set. In the meantime, the onus is on business leaders to take the necessary initiative towards a comprehensive e-business security policy for their organizations because the current technical oriented ad hoc approach is fraught with high business risk.
Arbaugh, W.A., Fithen, W.L. and McHugh, J. (2000), “Windows of Vulnerability: A Case Study Analysis”, Computer, (December), 52-58.
Bellovin, S. M. (1989), “Security Problems in the TCP/IP Protocol Suite”, Computer Communication Review, (April), http://www.ja.net/CERT/Bellovin/TCP-IP_Security_Problems.html [April 20, 2001].
Breidenbach, S. (n.d.), “How Secure Are You?”, http://www.informationweek.com/800/prsecurity.htm
Carnegie Mellon University (CERT) (1999), “Deploying Firewalls”, http://www.cert.org/security-improvement/modules/m08.html [April 19, 2001].
Chambers, C., Dolske, J. and Iyer, J. (n.d.), “TCP/IP Security”, http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html [April 19, 2001].
DTI (2000), Information Security Breaches Survey 2000, http://www.infosec.co.uk/page.cfm?Calling=/page.cfm/Link=35&HyperLink=http://www.infosec.co.uk/g/logos/dtiGREEN/ [May 9, 2001].
Felten, E. W., Balfanz, D., Dean, D. and Wallach, D. S. (1997), “Web Spoofing: An Internet Con Game”, 20th National Information Systems Security Conference (Baltimore, Maryland), (October), http://www.cs.princeton.edu/sip/pub/spoofing.html [April 23, 2001].
IBM (1998), “S/390 Security Advantage for e-business”, http://www-1.ibm.com/servers/eserver/zseries/ebusiness/security.html [April 19, 2001].
Longstaff, T.A., Chittister, C., Pethia, R. and Haimes, Y.Y. (2000), “Are We Forgetting the Risk of Information Technology?”, Computer, (December), 43-51.
Mathy, L., Edwards, C. and Hutchison, D. (2000), “The Internet: A Global Telecommunications Solution?”, IEEE Network Magazine, (July/August), http://www.comsoc.org/pubs/surveys/ [April 21, 2001].
Microsoft Corporation (2000), “Security Management for ASPs”, Microsoft Enterprise Services White Paper, http://www.microsoft.com/technet/ecommerce/aspsec.asp#e [April 21, 2001].
Morris, R. T. (n.d.), “A Weakness in the 4.2BSD Unix TCP/IP Software”, http://www.ja.net/CERT/Morris/r.t.morris-TCP.html [April 19, 2001].
Neumann, P. G. (1995), Computer Related Risks, (Addison-Wesley).
PBS (n.d.), “Life on the Internet”, http://www.pbs.org/internet/timeline/ [April 21, 2001].
Rubin, A. D. and Geer Jr., D. E. (1998), “A Survey of Web Security”, Computer, Vol. 31, No. 9, (September), pp. 34-41.
Shumway, R. M. (1998), “Common-Sense: An Alternative Approach to Web Security”, Proceedings of the 21st National Information Systems Security Conference, 142-153.
Sieglein, W. (2000), “Authentication: What You Have vs. Who You Are”, http://www.planetit.com/techcenters/docs/security-defensive_tools/expert/PIT20001220S0006 [April 19, 2001].
Slade, R.M. (1998), “REVIEW: ‘Web Security Sourcebook’”, The Risks Digest, Volume 19, Issue 97, (Fri. Sept. 18), http://catless.ncl.ac.uk/Risks [April 23, 2001].
Tan, Yao-Hua and Thoen, Walter (2000), “A Logical Model of Trust in Electronic Commerce”, in Schmid, Beat F.; Lechner, Ulrike; Stanoevska-Slabeva, Katarina; Tan, Yao-Hua; Buchet, Brigette: EM - Communities & Platforms. EM - Electronic Markets, Vol. 10, No. 4, 10/2000, http://www.electronicmarkets.org/netacademy/publications.nsf/all_pk/1812 [April 23, 2001].
Verisign (2000), “Securing Your Web Site For Business”, http://www.verisign.com/server/rsc/gd/secure-bus/ [April 21, 2001].
Yankee Group (2001), “Where the Investment Dollars Will Go in 2001: The Top Seven Wonders of the Internet Security World”, The Yankee Report, Vol. 1, No. 6, (March), reported by Security Advisor at http://www.advisor.com/Articles.nsf/aid/SMITT184 [April 20, 2001].
Zakon, R.H. (2001), “Hobbes’ Internet Timeline”, http://www.zakon.org/robert/internet/timeline/ [April 21, 2001].