Self-Analysis Worksheet

HUM/115 Version 7

University of Phoenix Material

Becoming a skilled critical thinker takes practice. To improve the level of your critical thinking, it is important to know where you are now. The questions below will guide you through understanding your current level of critical thinking.

1. Do you agree or disagree with the textbook definition of critical thinking? Why or why not? (50 to 100 words)

I agree with the textbook’s definition of critical thinking as “the art of thinking about thinking while thinking to make thinking better” (Paul & Elder, 2012). In fact, the definition got me to really think deeply into my thoughts. Anything that is critical or vital needs extra attention and focus to deal with it. Focusing on the issue means you are solely thinking about it. According to Paul and Elder (2012), “you must be willing to examine your thinking and put it to some stern test.” When thinking you should be able to reason and judge thoughts.

2. Select your stage of critical thinking in your personal, student, and professional life from the drop-down menu provided. (See pp. 28-37 in Ch. 2, Critical Thinking, Paul & Elder, 2012). Explain why you selected that stage for each area.

Columns: Area; Critical Thinking Stage (select from stages 1-4); Why did you place yourself in this stage? (write 50 to 75 words for each area)

Personal Life: Stage 2 (Challenged Thinker)

At this stage we usually become aware of problems in our thinking, and this keeps us from making concrete conclusions. The decisions we make end up being biased and premature, which is why many times we end up regretting the steps we take in our life. A challenged thinker always has a lot of things to keep in mind in order to give a wise answer, but this seems not to be a factor any more at this stage.

Student Life: Stage 3 (The Beginning Thinker)

At this stage we try to improve but without regular practice. The student usually tries to figure out if the steps taken are worth it. I agree with Paul and Elder in the sense that at this stage, yes, thinking is considered among individuals. The main hindrance is lack of frequent thinking. This is evident when compared to stage five, the advanced thinker, whereby there is advancement in accordance with how we practice our stuff and beliefs. The main factor in this case therefore is practice.

Professional Life: Stage 4 (The Thinking Practice)

In my professional life, I am a practicing thinker. I understand that I may be engaged in a process of trial and error and prepare myself for temporary failure. I understand “success to be willingness to work through a variety of relative failures.” I work hard daily to succeed at what I do best. I always rethink my strategies for improvement. At this stage I probably don’t know for sure what will work for me. “I have to field-test my ideas. I understand success as the willingness to work through a variety of relative failures. Every day, rethinking my strategies for improvement” (Paul & Elder, 2012).

3. What ideas do you have about how you can move to the next stage of critical thinking in your personal, student, and professional life? (50 to 100 words)

According to Paul and Elder (2012), the main thing one can work on to move from one stage to another is practice. In this case the following are major contributors when it comes to practice: use of wasted time, internalizing intellectual standards, keeping an intellectual journal, reshaping our character, dealing with ego, redefining the way we see things, getting in touch with our emotions and finally analyzing group influence on our life. When the above factors are carefully considered, one has graduated to the next level of critical thinking and can deal with issues maturely.

(See pp. 37-43 in Ch. 2, Critical Thinking, Paul & Elder, 2012)

4. What changes might you notice in your personal, student, and professional life if you improve your level of critical thinking? (50 to 100 words)

According to the description by Paul and Elder (2012), the changes one might notice in personal, student and professional life are awareness of the problem, whereby in personal life we are mostly unaware of the problem. But even if we are aware, practice is also a change noticed. For instance, professional life has regular practice and at the end one finds it easier to deal with the problem faster than in personal and student life. In addition, the approach to the issue also plays a vital role in ensuring how one is able to tackle the problem.

References

Paul, R., & Elder, L. (2012). Critical thinking: Tools for taking charge of your learning and your life (3rd ed.). Boston, MA: Pearson Learning Solutions.

Copyright © 2017 by University of Phoenix. All rights reserved.

Assignment 1: Medicaid Expansion Due Week 3 and worth 300 points

Imagine that you are a health policy analyst for a state that has not elected to expand Medicaid as part of the Affordable Care Act (ACA). You have just been notified that the state leaders have agreed to reconsider their decision during an upcoming session. Go to the Kaiser Family Foundation Website, at www.kff.org, and The Commonwealth Fund website, at http://www.commonwealthfund.org/publications/blog/2014/mar/medicaid-expansion-alternative-state-approaches, for additional information on Medicaid expansion.

Write a three to four (3-4) page paper in which you:

1. Identify a state that has not elected to participate in the Medicaid expansion initiative under the Affordable Care Act. Critically analyze the implications of the state’s decision to opt out of Medicaid expansion on the citizens of the state.

2. Compare the potential opportunities and challenges of a state’s decision to opt into the Medicaid expansion.

3. Explore two (2) alternate approaches to expanding access to care that have been implemented or considered by states opting out of Medicaid expansion. Compare and contrast the two (2) alternate approaches to the Medicaid expansion initiative.

4. Provide a recommendation to the state legislature on whether or not the state should opt in to the Medicaid expansion. Provide a rationale for your recommendation.

5. Use at least three (3) recent (within the last five [5] years), quality academic resources in this assignment. Note: Wikipedia and other Websites do not qualify as academic resources.

Your assignment must follow these formatting requirements:

· Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.

· Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

The specific course learning outcomes associated with this assignment are:

· Develop policies that ensure compliance of healthcare delivery systems with current legislation.

· Apply decision-making models to address difficult management situations.

· Use technology and information resources to research issues in Health Care Operations Management.

· Write clearly and concisely about Health Care Operations Management using proper writing mechanics.

Information Technology Management

Crystal Randolph

Colorado Technical University

Noel Broman

Date: July 18, 2018

Strategic Information System Assessment

SWOT Analysis

Strengths

1. High Quality Standards: This is perhaps the major strength of the information system environment. The information system quality standards adopted by the organization meet the international standards requirement. This compliance is of great benefit to the larger information systems industry as a whole (Wood, Pollard & Turban, 2015).

2. Computerized Machinery: The company is leveraging the latest available technology to support its production activities. This in turn ensures that the company produces high quality products while at the same time boosting the production capacity of the company’s staff (Wood, Pollard & Turban, 2015).

3. Competent Management: The company also benefits from highly skilled management based on the high quality management information system it has adopted. This creates a very resourceful labor pool to be applied in the company’s management, thereby increasing the chances of the company’s success (Wood, Pollard & Turban, 2015).

4. A Fully Equipped Management Information System: This allows the organization to ensure inter-connectedness of its various company departments as well as its employees. Consequently, there is easy sharing of data and coordinating of activities within the organization. Also, this MIS adequately reflects the comprehensive picture of the organization and its performance at any point in time. Besides, such a comprehensive MIS enhances the problem solving capabilities within the company (Wood, Pollard & Turban, 2015).

Weaknesses

1. Imperfect updating of the information system: The various security gaps that the company faces may be directly or indirectly related to the imperfect updating of its information system. This increases the likelihood of the information system being corrupted by malware (Castillo, 2016).

2. Staff Infiltration: Some staff may have unauthorized access to the company’s data as contained in its information system (Castillo, 2016).

3. Weak information structure: This may be caused by the imperfect programming of data flows within the information system. As such, there may be cases of unanticipated data leakages (Castillo, 2016).

4. Weak communication structure: As a consequence of late updating of relevant hardware, security errors may arise. These errors in turn may give room for malware to corrupt the company’s information system via unprotected ports (Castillo, 2016).

Opportunities

1. Flawless information systems: Flawless information systems, coupled with great leadership within the company, portend great benefits for the company. For instance, such information systems enhance the accuracy of investment decision-making within the company (Castillo, 2016).

2. More accurate demand forecasting: A well-designed MIS will boost the capability of the organization’s marketing and sales department to forecast demand and sales of the organization’s products and services. As such, production is synchronized in a manner that enhances efficiency within the company (Castillo, 2016).

Threats

1. Monitoring of Network: It is possible that weaknesses in the information system may be detected and data sourced from the system in preparation for future attacks, compromising the security of the entire system (Castillo, 2016).

2. Alteration of sent data: Data may be altered with the intention of causing misinformation within the company’s information system (Castillo, 2016).

3. Redundant information: Redundant information may be intentionally introduced within the system so as to cause confusion among the users of the system (Castillo, 2016).

4. Information System Overload: This overload renders the system inaccessible through disconnecting it from the computer networks and communication infrastructure within the organization, ultimately withholding service to users of the system (Wood, Pollard & Turban, 2015).

Forces presently governing competition

The case study organization is by extension in the e-commerce business. Most of its transactions with its target market are carried out via an online platform. In the contemporary world, there are many e-commerce companies, while many more seek to move from traditional brick and mortar stores to having an online platform. As such, information systems will continue to play a pivotal role in organizations going into the future. However, the e-commerce space has room for more firms to enter, hence the threat of new entrants is a major challenge governing competition. This is because setting up an online company requires much lower capital requirements and absolute costs. This reduces barriers to entry of new firms, and thus the organization may face strong competition due to the increased concentration of firms (Wood, Pollard & Turban, 2015).

The organization also faces a threat from more established rivals in the e-commerce space. These are companies such as Amazon and eBay that increase the level of competition and thereby limit the market share for smaller firms. This is because established rivals have larger advertising budgets and hence a more powerful competitive strategy compared to smaller firms. Therefore, in such a case, innovation becomes the key to a successful competitive strategy for most of the smaller organizations. The level of innovation exhibited by competing firms goes a long way to determine the distribution of market share among these firms (Castillo, 2016).

Strategic Thrusts

As per Wiseman’s framework of strategy development, the following strategic thrusts shall prove beneficial for the organization in its plan to implement a successful information management system. They are:

1. Differentiation

Owing to the potentially high number of competitors, differentiation of the company’s products and services becomes important in creating a competitive edge for the company. Differentiation is facilitated by innovation within the organization. For this innovation to have practical benefits throughout the company, an information system management plan will coordinate innovative ideas and activities from the various departments and synchronize processes towards creating differentiated products and services (Castillo, 2016).

2. Cost

Ensuring low production costs is one way through which the organization may gain a competitive advantage. Therefore, an information system management plan enhances the level of effectiveness and efficiency of the work processes and activities within the organization (Wood, Pollard & Turban, 2015). This in turn helps in keeping production costs at the minimum.

3. Alliance

Increasing the market share for the organization may entail alliances with other firms in the same competitive space. Alliances can be realized through inter-firm mergers and acquisitions. For this reason, an integrated information system management plan would prove beneficial to ensure the success of such alliances (Castillo, 2016).

References

Castillo, F. (2016). Managing Information Technology. Springer.

Wood, G., Pollard, C., & Turban, E. (2015). Information Technology for Management: Advancing Sustainable, Profitable Business Growth. Wiley & Sons Publishing.

CASE 1: REGISTRIES AND DISEASE MANAGEMENT

UHC’s Care Team Model

Union Health Center (UHC) embraced the patient-centered care team model very early on, which helped ease the transition to new workflows, processes, and features that are critical to change management and quality improvement. UHC clinicians and staff members are assigned to clinical care teams, composed of physicians, nurse practitioners, physician assistants, nurses, medical assistants, and administrative staff members. The practice uses a full capitation model with standard fee-for-service and a fee-for-service plus care management payment model. Ten years ago, UHC instituted the California Health Care Foundation’s Ambulatory Intensive Caring Unit (AICU) model, which emphasizes intensive education and self-management strategies for chronic disease patients. The model relies heavily on the role of medical assistants (called patient care assistants or PCAs) and health coaches. Working closely with other members of the care team, PCAs and health coaches review and update patient information in the record, conduct personal outreach and self-management support, and provide certain clinical tasks. For instance, all PCAs have been trained to review measures (e.g., HgbA1C, blood pressure, and LDL cholesterol), provide disease education, and set and review patient health goals. A subset of higher-trained health coaches works more intensely with recently diagnosed diabetic patients or those patients whose condition is not well managed.

UHC’s eHealth Strategies

Patient registries. UHC uses patient registries to identify patients with specific conditions to ensure that those patients receive the right care, in the right place, at the right time. In some instances, they use registries to target cases for chart reviews and assess disease management strategies. For example, patients with uncontrolled hypertension are reviewed to help identify treatment patterns, reveal any need for more provider engagement, and indicate any need for care team workflow changes. In the future, UHC would like to construct queries that combine diagnosis groups with control groups and stratify patients by risk group. For example, care teams could pull a report of all patients over the age of sixty-five with multiple chronic conditions or recent emergency room admissions.

Maximizing time and expertise. UHC uses technology such as custom EHR templates to support PCAs and free up clinicians for more specialized tasks and complex patients. For example, a PCA or health coach taking the blood pressure of a high-risk diabetic patient has been trained to determine whether or not BP is controlled. If it is not controlled, the health coach checks the electronic chart for standard instructions on how to proceed and may carry out instructions noted in the record. Or, if no information is available, he or she will consult with another provider to adjust and complete the note. Following all visits with PCAs or health coaches, the patient’s record is electronically flagged for review and signed by the primary care physician.

Working with medical neighbors. The teams also collaborate with on-site specialists, pharmacists, social workers, physical therapists, psychologists, and nutritionists to enhance care coordination and whole-patient care. UHC has also adopted curbside consultations and e-consults to reduce specialty office visits. For example, if a hypertensive patient has uncontrolled blood pressure, the record is flagged by the PCA for further follow-up with a physician or nurse practitioner, who may opt for an e-consult with the nephrologist to discuss recommendations. UHC also has a specialty coordination team—composed of two primary care physicians, one registered nurse, one PCA, and one health coach—which functions as a liaison between primary and specialty providers.

Customized reporting. With their most recent upgrade to a Meaningful Use–certified version of their EHR, UHC will have the capacity to generate standardized Meaningful Use reports. UHC intends to construct queries that generate reports that combine diagnosis groups with control groups and identify and manage subgroups of high-risk patients (or risk stratification). For example, care teams can run a report of all patients with diabetes who have an elevated LDL and have not been prescribed a statin.

Challenges and Lessons Learned

Recruiting staff members with IT and clinical informatics expertise. Over the years, UHC has faced challenges in identifying and recruiting staff members with the right mix of IT and clinical informatics skills. Although its staff members were effective in troubleshooting routine issues and hardware maintenance, UHC felt there was a clinical data analysis gap. To resolve this, UHC works closely with an IT consultant and also recruited a clinical informatics professional to work with providers and performance improvement staff members.

Consistent data entry. UHC’s lack of consistent data entry rules and structured data fields led to several challenges in producing reports and tracking patient subgroups. The problem stems from UHC’s lack of internal data entry policies as well as the record’s design. For instance, UHC cannot run reports on patients taking aspirin because this information may have been entered inconsistently across patient records. Moving forward, UHC will be implementing data entry rules and working closely with their vendor to maximize data capture.

Real-time data capture. UHC realized that by the time data reach the team, they may no longer be current. As a workaround they considered disseminating raw reports to clinical teams in real time, followed by tabulated, reformatted data. They are exploring the possibility of purchasing report writing software to streamline the process.

Managing multiple data sources. Similar to many practices, UHC pulls data from its billing system and clinical records, causing issues with data extraction. For example, pulling by billing codes does not provide the most accurate data when it comes to clinical conditions, health status, or population demographics. UHC recognized that reducing errors in identifying patients and subgroups will require custom reports.

Innovation Impact

• Forty-six percent reduction in overall annual health costs

• Eighteen percent reduction in total cost of care

• Significant decline in emergency room visits, hospitalizations, and diagnostic services

• Significant improvements in clinical indicators for diabetic patients

CASE 2: IMPLEMENTING A CAPACITY MANAGEMENT INFORMATION SYSTEM

Doctors’ Hospital is a 162-bed, acute care facility located in a small city in the southeastern United States. The organization had a major financial upheaval six years ago that resulted in the establishment of a new governing structure. The new governing body consists of an eleven-member authority board. The senior management of Doctors’ Hospital includes the CEO, three senior vice presidents, and one vice president. During the restructuring, the CIO was changed from a full-time staff position to a part-time contract position. The CIO spends two days every two weeks at Doctors’ Hospital. Doctors’ Hospital is currently in Phase 1 of a three-phase construction project. In Phase 2 the hospital will build a new emergency department (ED) and surgical pavilion, which are scheduled to be completed in eleven months.

Information Systems Challenge

The current ED and outpatient surgery department have experienced tremendous growth in the past several years. ED visits have increased by 50 percent, and similar increases have been seen in outpatient surgery. Management has identified that inefficient patient flow processes, particularly patient transfers and discharges, have resulted in backlogs in the ED and outpatient areas. The new construction will only exacerbate the current problem. Nearly a year ago Doctors’ Hospital made a commitment to purchase a capacity management software suite to reduce the inefficiencies that have been identified in patient flow processes. The original timeline was to have the new system pilot-tested prior to the opening of the new ED and surgical pavilion. However, with the competing priorities its members face as they deal with major construction, the original project steering committee has stalled. At its last meeting nearly six months ago, the steering committee identified the vendor and product suite. Budgets and timelines for implementation were proposed but not finalized. No other steps have been taken.

CASE 3: IMPLEMENTING TELE-PSYCHIATRY IN A COMMUNITY HOSPITAL EMERGENCY DEPARTMENT

Westend Hospital is a midsize, not-for-profit, community hospital in the Southeast. Each year, the hospital provides care to more than twelve thousand inpatients and sixty thousand emergency department (ED) patients. Over the past decade, the hospital has seen increasing numbers of patients with mental illness in the ED, largely because of the implementation of the state’s mental health reform act, which shifted care for patients with mental illness from state psychiatric hospitals to community hospitals and outpatient facilities. Westend ED has in essence become a safety net for many individuals living in the community who need mental health services. Largely considered a farming community, Westend County has a population of 120,000. Westend Hospital is the third largest employer in the county. However, Westend is not the only hospital in the county. The state still operates one of three psychiatric facilities in the county. Within a five-mile radius of Westend Hospital is a 270-bed inpatient psychiatric hospital, Morton Hospital. Morton Hospital serves the citizens of thirty-eight counties in the eastern part of the state. Westend Hospital is fiscally strong with a stable management team. Anika Lewis has served as president-CEO for the past fifteen years. The remainder of the senior management team has been employed with Westend for eight to thirteen years. There are more than 150 active or affiliate members of the organized hospital medical staff and approximately 1,600 employees. The hospital has partnered with six outside management companies for services when the expertise is not easily found locally, including HighTech for assistance with IT services. In terms of its information systems, Westend Hospital has used Meditech since the 1990s, including for nursing documentation, order entry, and diagnostic results. The nursing staff members use bar-coding technology for medication administration and have done so for years. CPOE was implemented in the ED four years ago and hospital-wide two years ago along with a certified EHR system.

The Challenge

Westend Hospital has seen increasing numbers of mental health patients in the ED over the past decade. For the past three years, the ED has averaged one hundred mental health patients per month. Depending on the level of patient acuity and availability of state- or community-operated behavioral health beds, the patient may be held in the ED from two hours to eight days before a safe disposition plan can be implemented. The ED mental health caseload is also rapidly growing in acuity. Between 20 percent and 25 percent of the behavioral health patients are arriving under court order (involuntary commitment). The involuntary commitment patients are the most difficult in terms of developing a safe plan for disposition from the ED. The Westend Hospital’s inpatient behavioral health unit is currently an adult, voluntary admission unit and does not admit involuntary commitment patients. The length of stay for involuntary commitment patients in the ED can be quite long. In some cases, it may take three to four days to stabilize the patient on medication (while in the ED) before the patient meets criteria for discharge to outpatient care. Approximately 40 percent of the mental health patients in the ED, both involuntary commitment and voluntary, are discharged either to home or outpatient treatment. The psychiatrists and the emergency medicine physicians have met multiple times during the past six years to develop plans to improve the care of the mental health patients in the ED. Defining the criteria for an appropriate Westend psychiatrist consultation remains a challenge. The daily care needs of the mental health patients boarding in the ED are complex. The physicians have not been able to reach an agreement on this topic. Senior leaders have suggested that tele-psychiatry may be a partial solution to address this challenge.

Tele-psychiatry as a Strategy

Westend Hospital has chosen to consider contracting with a tele-psychiatry hospital network to provide tele-psychiatry services in the ED. The network has demonstrated good patient outcomes and is considered financially feasible at a rate of $4,500 per month. This fee includes the equipment, management fees, and physician fees. The director of tele-psychiatry in the hospital network has verbally committed to work very closely with the Westend Hospital team to ensure a smooth implementation. Technology to support tele-psychiatry uses two-way, real-time, interactive audio and video through a secure encrypted wireless network. The patient and the psychiatric provider interact in the same manner as if the provider were physically present. The provider performing the patient consultation uses a desktop video conferencing system in the psychiatric office. Tele-psychiatry as a solution to the mental health crisis in the ED was not immediately embraced by the medical staff members. They did agree to the implementation of tele-radiology four years previously. However, the most recent revision of the medical staff bylaws to support telemedicine explicitly states that the medical executive committee must approve, by a two-thirds vote, any additional telemedicine programs that may be introduced at the hospital. The medical staff leaders wanted to preserve their ability to maintain a financially viable medical practice in the community as well as protect the quality of care. The idea of tele-psychiatry was introduced to portions of the medical staff. The psychiatrists realized that tele-psychiatry could relieve them of the burden of daily rounds in the ED for boarding patients. They were also concerned about their workload when tele-psychiatry was not available. The emergency medicine physicians immediately verbalized their disapproval on several levels. First, they were concerned about the reliability of the technology based on their experiences over the past several years with video remote interpreting. Then, the emergency medicine physicians were skeptical about the continued support from the psychiatrists when an in-person consultation might be clinically necessary. Physicians outside of the ED and psychiatry could not understand why the current psychiatrists could not meet the needs of the ED. The barriers to adoption of tele-psychiatry crossed three arenas: financial, behavioral, and technical. Subsequently, many conversations were conducted. Eventually, the medical executive committee approved tele-psychiatry as a new patient care service on June 25 of this year.

Implementation Plan

The CEO appointed the vice president of patient services as the executive sponsor. The implementation team includes the IT hardware and networking specialist, IT interface specialists, nursing informatics analyst, ED nurse director, behavioral health nurse director, assistant vice president of patient services, physician clinical systems analyst, and the medical staff services coordinator. These individuals represent the major activities for implementation: provider credentialing, physician documentation, equipment and technical support, and patient care activities. Because of competing projects and psychiatry subject matter expertise, the executive sponsor will also serve as the project manager. The mental health crisis affecting the ED is the focal driver for change. Patient safety is at risk. Barriers to implementing tele-psychiatry have been well documented. The strategies to overcome the barriers include defining the new role for the Westend psychiatrists, developing a process for ease of access and reliability of equipment for the ED physicians, and developing a plan for when the tele-psychiatry program is not available. An unexpected barrier has recently been identified. On initiation of the tele-psychiatry provider credentialing process, the medical staff services coordinator discovered that the bylaws do not have a provision for credentialing of physician extenders in the telemedicine category. The tele-psychiatry providers include six board-certified psychiatrists and twelve mental health–trained nurse practitioners. The medical executive committee has agreed to ask the medical staff bylaws committee to convene and revise the bylaws accordingly. The original go-live date of September has been changed to December.

The executive sponsor along with the implementation team will be responsible for managing the organizational changes necessary to support the introduction of technology and new patient care flow processes. Managing organizational change will be essential to the success of this project. Some items in the project will be viewed as incremental change and other items will be viewed as step-shift change. Communication strategies will be developed to support the change

Assignment:

Select one of the case studies listed above: Case 1 – Registries and Disease Management in the PCMH, Case 2 – Implementing a Capacity Management Information System, or Case 3 – Implementing Tele-psychiatry in a Community Hospital Emergency Department.

-Discuss how this case can be applied to the goals of the Kingdom of Saudi Arabia Vision 2030.

Requirements:

· Two pages

· Cite a minimum of three articles to support your statements.

· APA writing style

· No plagiarism

Lab Assessment #5 – Lab Report File


You must complete the assignment in a Word document and then upload it to the assignment area for grading. Remember, you must cite and reference sources. Your answer must be a minimum of 2 full pages in length following APA guidelines.

Review the below case study on issues related to sharing consumers’ confidential information.

https://www.eff.org/about

https://www.eff.org/cases/hepting

https://www.eff.org/nsa/hepting

1. What is EFF’s mission statement?

2. Explain in detail, privacy issues related to the case study.

3. Identify the U.S. citizen privacy law violations in the case study and the implications those violations have on privacy and confidential information.

An Overview on Web Security Threats and Impact to E-Commerce Success


Hatoon Matbouli, Faculty of Computer Science, Dalhousie University, Halifax, Canada, Ht367439@dal.ca

Qigang Gao, Faculty of Computer Science, Dalhousie University, Halifax, Canada, qggao@cs.dal.ca

Abstract—E-commerce has made great strides in providing a convenient, fast and secure shopping experience for consumers. However, there is still a significant portion of shoppers whose security fears impact how they spend their money online. Because of this, security issues associated with e-commerce and customer sites must be constantly reviewed and updated with appropriate countermeasures. As web security threats detrimentally affect the success of electronic consumerism, it is imperative to educate both consumers and businesses on the issues and on how to eliminate or minimize the risk of security breaches in an e-commerce environment. This paper presents a survey and analysis of e-commerce related security issues, their impact on e-commerce success, and the available integrated security strategies. We attempt to offer a simple guide on how to properly deal with the security threats that detrimentally affect e-commerce. In addition, this paper provides an analysis of the barriers that prevent many developing countries from adopting e-commerce. Some recommendations on how to overcome these problems are also provided.

Keywords-e-commerce; web security issues; security threats; protection strategies; developing countries.

I. INTRODUCTION

The popularity of the World Wide Web has led to a revolution towards electronic commerce. Network transactions, electronic payments and on-line receipts are changing the traditional ways of doing business. Many companies are taking advantage of e-commerce opportunities and other institutions will follow. The rapid growth of e-commerce is attracting the attention of businesses with its characteristics of high efficiency, low cost, high profitability and global application. However, security fears cause millions of dollars in losses for e-commerce retailers [21].

Lack of trust is one of the main reasons which can make e-commerce less attractive, because of the fear of credit card numbers or other sensitive information being stolen. The increasing number of web security attacks causes fear among consumers, which results in a lack of trust. Hence, many businesses and internet users are reluctant to use the new technology. According to the largest internet security company, McAfee [1], almost half of consumers have terminated an order due to security fears. Even in an attempt to get a good deal, 63% of consumers will refuse to purchase from a Web site that does not show a trustmark or security policy. Usually, e-commerce firms seek to gain the trust of their users by creating and advertising new security strategies, but the security threat is still growing and affecting e-commerce firms negatively. The issues of available reliable security technology and its exploitation are not limited to e-commerce technologies, but broadly impact computer and information systems throughout the world, especially in developing countries, where there are many gaps and a lack of awareness, as they are still at the exploratory stage.

Focusing on internet security issues and their impact on e-commerce, this paper presents a survey and analysis of e-commerce related security issues and the available integrated security strategies. We attempt to offer a simple guide on how to properly deal with the security threats that detrimentally affect e-commerce’s success. In addition, this paper provides an analysis of the barriers that prevent many developing countries from adopting e-commerce more quickly. Some recommendations on how to overcome these problems are also provided. The rest of the paper is organized in the following sections. Section 2 provides the definition of electronic commerce and the components of an e-commerce system. Section 3 gives an overview of web security. In Section 4, the concepts and the technologies of the security threats on e-commerce are presented. Section 5 covers the barriers to adopting e-commerce in developing countries and the recommendations on how to deal with the issues there. Section 6 is the conclusion of the research.

978-1-4673-1166-3/12/$31.00 ©2012 IEEE

2012 International Conference on Information Technology and e-Services

II. E-COMMERCE & SECURITY ISSUES

A. E-commerce Transactions

E-commerce is defined as exchange transactions which take place over the Internet, primarily using digital technology [2]. These exchange transactions include buying, selling, or trading goods, services and information. There are four categories of electronic commerce: Business to Business, Business to Consumer, Consumer to Consumer, and Consumer to Business. E-commerce has enabled companies to build a market presence, or to improve an already large market position, by allowing for a less expensive and more efficient distribution chain for their products or services. From the consumers’ perspective, e-commerce is mostly conducted on the internet. Many people nowadays find shopping online much more convenient and cheaper.

Online banking (e.g., online bill payments, buying stocks, transferring funds from one account to another, and initiating wire payments to another country) is another example of e-commerce. All these activities can be done with a few strokes of the keyboard. On the organizational level, many financial institutions and companies use the World Wide Web to exchange financial data to facilitate domestic and international business.

B. E-commerce System Components

There are four major components of e-commerce: the Merchant Account, the Security System, the Shopping System and the Payment Gateway (for real-time processing).

Merchant account: A bank-authorized account which allows the acceptance of payments.

Payment transaction software: Software that processes customer order information: address, credit card number, etc. The credit card authorization network then verifies that the credit card is valid and confirms that the shipping and billing addresses match. If the card and the billing and shipping addresses do not match, that might be a sign of a stolen credit card.

Secure server connection: ‘https://’ connects to a special computer which encrypts confidential ordering data for the client's protection. The “s” at the end of https in the URL, or the lock icon in the lower part of the browser, are signs that the page is secured. If ordering information is not sent through a secure server it can be intercepted by computer hackers.

Shopping cart: Software which facilitates accepting orders for several products from a certain website. This software automatically calculates orders for customers. Some setup must be done in the HTML code of that website, and the shopping cart software must be installed on the server which hosts the site or on the secure server which accepts sensitive ordering information.

Payment gateway: Payment for business transactions has taken a new direction with the introduction of e-commerce. Increased use of the internet and the growth of information have led to the use of electronic money, bringing an easier way of settling commercial transactions. This mode of payment, though, has brought many security threats which endanger this ingenuity. The transaction starts when the user sends his or her order and the information is transferred from the browser to the shopping cart. The Secure Socket Layer protects the message while this data is transferred to the payment gateway. This gateway is the connection between the website and the banking networks. It has both the gateway and the processor: the former provides access to the banking (ATM) network, the latter handles the financial information, communicates with the shopping cart and transfers the same to the ATM network, where it is treated like a normal credit transaction. The ATM network is what connects to the customer's credit card issuer, where a yes or no notification is produced after reception of the data, showing the approval or disapproval of the transaction. The whole process then runs again in reverse order to give the user feedback on the status of the transaction. When the order is confirmed to be genuine, the issuer charges the amount to the customer’s account and sends the gateway an authorization code; the customer's bank settles the rest of the transaction later, at the end of each business day, during batch settlement.
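The authorization round trip above, as an added example that is not from the paper: a small Python simulation in which the shop cart hands the gateway an order, the processor routes it through a stand-in banking network to the issuer, the issuer answers yes or no with an authorization code, and approved amounts wait in a batch for end-of-day settlement. The billing/shipping check is treated as a warning sign rather than a decline, as the text describes; all classes, card tokens, addresses and amounts are constructed for the example.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Order:
    order_id: str
    amount: float
    card_token: str        # opaque token from the shop cart; the card number itself never travels
    billing_address: str
    shipping_address: str


@dataclass
class AuthResult:
    approved: bool
    reason: str
    auth_code: str = ""
    flags: list = field(default_factory=list)   # warning signs for manual review


class Issuer:
    """Stand-in for the customer's card issuer: holds the open-to-buy and the
    address on file, and answers each authorisation with yes or no."""

    def __init__(self, accounts):
        self.accounts = accounts          # token -> {"limit": float, "address": str}

    def authorize(self, token, amount, billing_address):
        acct = self.accounts.get(token)
        if acct is None:
            return AuthResult(False, "unknown card")
        if acct["address"] != billing_address:
            return AuthResult(False, "address verification failed")
        if amount > acct["limit"]:
            return AuthResult(False, "insufficient funds")
        acct["limit"] -= amount           # place the hold on the account
        return AuthResult(True, "approved", auth_code=secrets.token_hex(3).upper())


class BankingNetwork:
    """Stand-in for the card (ATM) network: routes by the token's issuer prefix."""

    def __init__(self, issuers):
        self.issuers = issuers            # prefix -> Issuer

    def route(self, token, amount, billing_address):
        issuer = self.issuers.get(token.split("-")[0])
        if issuer is None:
            return AuthResult(False, "no route for card")
        return issuer.authorize(token, amount, billing_address)


class Gateway:
    """Gateway plus processor: validates the order, forwards it to the network,
    and keeps approved authorisations for end-of-day batch settlement."""

    def __init__(self, network):
        self.network = network
        self.batch = []                   # (order_id, auth_code, amount)

    def authorize(self, order):
        if order.amount <= 0:
            return AuthResult(False, "invalid amount")
        result = self.network.route(order.card_token, order.amount, order.billing_address)
        if result.approved:
            # The merchant-side screen the text mentions: a billing/shipping
            # mismatch is only a possible sign of a stolen card, so flag it.
            if order.billing_address != order.shipping_address:
                result.flags.append("billing/shipping mismatch: possible stolen card")
            self.batch.append((order.order_id, result.auth_code, order.amount))
        return result

    def settle_batch(self):
        """End-of-day settlement: returns (count, total) and clears the batch."""
        count, total = len(self.batch), round(sum(a for _, _, a in self.batch), 2)
        self.batch.clear()
        return count, total


def build_demo_gateway():
    """Constructed sample data: one issuer ('visa' prefix) with one card on file."""
    issuer = Issuer({"visa-1111": {"limit": 100.0, "address": "1 Main St"}})
    return Gateway(BankingNetwork({"visa": issuer}))


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.authorize(Order("o1", 49.99, "visa-1111", "1 Main St", "1 Main St")))
    print(gw.authorize(Order("o2", 10.00, "visa-1111", "1 Main St", "9 Elsewhere Rd")))
    print(gw.authorize(Order("o3", 80.00, "visa-1111", "1 Main St", "1 Main St")))
    print(gw.settle_batch())
```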

III. E-SECURITY ISSUES AND TRUST

“A security threat has been known as a situation, or event with the potential to effect economic adversity to data or network resources in the form of destruction, disclosure, modification of data, denial of service, and/or fraud, waste, and abuse. Security, then, is the protection against these threats” [4]. Under this definition, threats can be made either through network and data transaction attacks, or via unauthorized access by means of defective authentication. This definition must be tailored to consumer transactions by acknowledging that consumer information has value. For customers, it must be recognized that economic hardship encompasses damage to privacy as well as theft of credit information, and that the authentication question is reversed for consumers: the concern is whether the Web site is ‘real’ rather than whether the purchaser’s identity is real. This modified definition explains security threats from a consumer’s point of view. Security in B2C electronic commerce is reflected in the technologies used to secure customer data. Security concerns of consumers may be addressed by many of the same technology protections as those of businesses, such as encryption and authentication [4]. The enormous increase in the uptake of e-commerce has led to a new generation of related security threats, but any e-commerce system must meet four integral requirements, as defined below [5].

• Confidentiality: Data is protected and cannot be accessed while in transit.

• Integrity: The system does not corrupt information or allow accidental changes to information, except by an authorized agent.

• Availability: The computer system’s hardware and software continue to work efficiently, and the system is able to recover quickly and completely if a disaster happens.

• Authenticity: The capability to find out who is responsible for the result of an action.

Consumer awareness and education on risks and protective measures, the limitation of consumer liabilities in case of fraud, the provision of redress mechanisms, and the use of merchant trust marks also contribute to trust building. With increased cyber crime, trust has become a critical factor in creating business relations. Trust enables consumers to transact business freely even in an uncertain environment, as they believe the seller will keep his or her word. It is important for vendors to build an exchange relationship with consumers so that they can trust the web vendor. This is an aspect which takes time to establish, just as it has in traditional business transactions [6]. Online transactions differ from traditional ones in several ways:

• People feel more comfortable ordering products by phone, as they do not have full control over their data during its transfer.

• The parties to the transaction may be in different regions and therefore subject to different legislation.

• In most cases, both parties are unknown to each other.

It is vital for trust to be built during the first transaction; thereafter, maintained trust will encourage the continuation of transactions with the website. If the first purchase runs into problems, the consumer may not be willing to get involved with the web vendor again. Various factors, such as the reputation of the brand, and other interface information like web design, site information, and usability of the site, determine the consumer's decision. The payment method, pricing, security policy, data protection, seller information, and seals of approval also inform the consumer's decision [7].

IV. THREATS CATEGORIZATION AND SOLUTION STRATEGIES

A. Security threats

Studies have shown that prominent attacks on online commerce are increasing at an alarming rate. A study conducted by the Ponemon Institute and commissioned by NetWitness shows that online threats are on the rise. The research surveyed 591 IT and IT security practitioners and showed that 83% of them believe their companies have experienced some attacks, with 71% reporting a growth of threats over the past 12 months. These attacks aim mainly at stealing sensitive data including source code, non-financial business information, confidential information, and financial information [8].

Investigating the whole process of e-commerce, starting with the consumer and ending with the commerce server, can help in identifying security requirements. In view of each connection in the “chain of e-commerce,” the system must protect the assets so that e-commerce does not compromise the customer's computer system, the data transmitted via the communication channels, the website, or the e-commerce servers.

B. Threats Categorization

A hacker can target different points during an e-commerce transaction, such as [10]:

• Trick an online shopper

• Sniff the network connection between an e-commerce website server and a shopper

• Attack a website’s server

Tricking Online Shopper: Hackers will often try to get access to sensitive information during the login session by breaking into the system. The data they usually steal includes customers’ usernames and passwords, the contents of customer databases of large corporations, and confidential and personal information belonging to the user. Phishing is a common method to trick a user: the attacker sends an e-mail message pretending it is from a trusted website. The message links the recipient to another website, which is “spoofed” and looks like the original but is not genuine. It asks the user to update his or her login and personal data, such as bank account details, billing address, or Social Security number. By doing this, malicious people are able to steal credit information [10].

Sniffing the Network: Packet sniffers are pieces of software that monitor network traffic. When data is transferred from the shopper’s computer to the e-commerce website, it passes through multiple connections. Hence, unless it is encrypted, the data can be read by any computer it passes through, and an attacker can sniff the network and steal personal information such as credit card numbers and passwords.

Attack a Website’s Server: Denial of service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are examples of attacks on site availability. They are a well-known strategy attackers use in e-commerce with malicious intent [8]. Using a few controlling machines, many computer systems are hacked with software known as a “bot” (short for robot). The software simultaneously connects all of them to the website server. The number of concurrent connections is so large that it overloads the e-commerce servers, making it hard for them to cope until they finally fail [9], as illustrated in Fig. 1.

Fig 1: DOS Attack [10].
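A defender-side illustration of the connection-flood pattern, added here and not part of the paper: a sliding-window counter over constructed access-log lines that raises one alert when a single client exceeds a per-source threshold (the DoS case) and another when the window total exceeds a global threshold while every client stays under the per-source limit (the bot-herd DDoS case). The log format, thresholds, paths and IP addresses are assumptions for the example.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format": client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status, _size = m.groups()
    return {"ip": ip, "time": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def detect_floods(lines, window_s=10, per_source=20, global_limit=60):
    """Sliding-window request counting. Emits one alert per offender:
    'dos'  - a single client exceeds per_source requests inside the window;
    'ddos' - the window total exceeds global_limit while every single client
             stays at or below per_source (many bots, each looking harmless)."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["time"])
    window, per_ip, alerts, seen = deque(), Counter(), [], set()
    for e in events:
        window.append(e)
        per_ip[e["ip"]] += 1
        # evict events that fell out of the window
        while (e["time"] - window[0]["time"]).total_seconds() > window_s:
            old = window.popleft()
            per_ip[old["ip"]] -= 1
            if per_ip[old["ip"]] == 0:
                del per_ip[old["ip"]]
        hot_ip, hot_n = per_ip.most_common(1)[0]
        if hot_n > per_source and ("dos", hot_ip) not in seen:
            seen.add(("dos", hot_ip))
            alerts.append({"kind": "dos", "source": hot_ip, "count": hot_n,
                           "at": e["time"].isoformat()})
        if len(window) > global_limit and hot_n <= per_source and ("ddos", "*") not in seen:
            seen.add(("ddos", "*"))
            alerts.append({"kind": "ddos", "source": f"{len(per_ip)} clients",
                           "count": len(window), "at": e["time"].isoformat()})
    return alerts


def build_sample_log():
    """Constructed traffic, not a real capture: quiet shoppers, then one
    machine hammering the checkout, then a bot herd sharing the load."""
    t0 = datetime(2012, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t:%d/%b/%Y:%H:%M:%S +0000}] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for s in range(10):                       # 5 shoppers, 1 request/s each
        for k in range(5):
            lines.append(fmt.format(ip=f"10.0.0.{k + 1}",
                                    t=t0 + timedelta(seconds=s), path="/cart"))
    for i in range(30):                       # single-source flood: 30 requests in 3 s
        lines.append(fmt.format(ip="203.0.113.99",
                                t=t0 + timedelta(seconds=60 + i // 10), path="/checkout"))
    for bot in range(50):                     # 50 bots x 2 requests in 2 s
        for j in range(2):
            lines.append(fmt.format(ip=f"198.51.100.{bot + 1}",
                                    t=t0 + timedelta(seconds=120 + j), path="/checkout"))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```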

C. E-commerce Security Solutions

A company-wide understanding of e-commerce security features, methods and threats will enable both users and security administrators to trust the system that they are working with. If accurate methods are utilized to secure and use a system, it is almost impossible for an unauthorized user to gain access. At the same time, the multitude of hacking and cracking applications available can pose a serious threat to e-commerce applications. Hence it is essential to understand security risks and find the best solutions to minimize the threats they pose. Fig. 2 shows available defenses against attacks.

Education: It is important to raise awareness of web security. Educating people on how to choose strong passwords and keep them confidential is an easy way to minimize the risk of a hacking attack. Users need to use good judgment when giving out information, and should have knowledge of possible phishing schemes and other social engineering attacks [10].

Secure Socket Layer (SSL): This is the most common security method, based on public key encryption; it ensures confidentiality, authentication, data integrity, and non-repudiation of origin and return [17]. The technology encloses transactions in encrypted envelopes and electronically seals them, so that only people with the encryption key can view the contents of the envelopes, which are sent securely over the internet [18]. However, partners must install the same software and coordinate the upgrades of their systems. Wrappers are used to convert conventional Electronic Data Interchange (EDI) software to secure formats, such as the Secure Socket Layer (SSL) encryption protocol, which is effective in protecting online transactions [19].

Fig 2: Attacks and their defenses.

Sensitive data, such as credit card details, health records, sales figures, etc., should be encrypted before transmission across the open internet via email or the web [11]. 128-bit encryption protects the data from being easily decrypted by hackers in case they intercept it on the network. Digital certificates can be used here to encrypt email or to establish a secure HTTPS connection with a web server. For extra security, data can also be stored long-term in an encrypted format [11].

Personal Identification Number (PIN): This is another technique used in payment systems for internet users; it is based on email callbacks. It uses a high-level protocol instead of cryptography. It entails looking up the Personal Identification Number in a database and then finding the email address of the consumer [19]. An email message is then sent asking the payer to confirm whether he or she will pay: “yes,” “no” or “fraud.” Only on receipt of a “yes” confirmation is the financial transaction actually initiated. Even sniffing cannot be used, since the PIN is useless off the internet, and other simple attacks are likewise defeated. Personal and sensitive data such as credit card information never appear in internet messages; they are linked to the virtual PIN after retrieval from the database [17].
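To make the callback flow concrete, here is an added Python simulation (not the paper's or any referenced vendor's code) of the virtual-PIN scheme: the message that crosses the internet carries only the virtual PIN, merchant and amount; the server looks the PIN up, e-mails a one-time confirmation token to the address on file, and only a "yes" reply initiates the transaction, while a "fraud" reply blocks the PIN. It also shows why a replayed (sniffed) order message gains an attacker nothing: the callback still goes to the real payer. Class and field names, the customer record and the e-mail outbox are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    email: str
    card_on_file: str       # stays in the server's database, never in a network message
    blocked: bool = False


class VirtualPinPaymentServer:
    """Constructed stand-in for the payment system the text describes."""

    def __init__(self, customers):
        self.customers = customers   # virtual PIN -> Customer (the database)
        self.outbox = []             # simulated e-mail callbacks sent to payers
        self.pending = {}            # one-time callback token -> (pin, merchant, amount)
        self.ledger = []             # transactions actually initiated

    def receive_order(self, message):
        """Handle an order message as it arrives over the internet.
        The message carries only the virtual PIN, the merchant and the amount."""
        cust = self.customers.get(message["virtual_pin"])
        if cust is None or cust.blocked:
            return None              # unknown or blocked PIN: no callback, no charge
        token = secrets.token_urlsafe(16)
        self.pending[token] = (message["virtual_pin"], message["merchant"], message["amount"])
        self.outbox.append({
            "to": cust.email, "token": token,
            "body": (f"Do you authorise {message['amount']:.2f} to {message['merchant']}? "
                     "Reply yes, no or fraud."),
        })
        return token

    def receive_reply(self, token, answer):
        """Handle the payer's e-mail reply. Returns what the server did."""
        if token not in self.pending:
            return "unknown"         # never issued, already used, or cancelled
        pin, merchant, amount = self.pending.pop(token)   # tokens are single use
        cust = self.customers[pin]
        if answer == "yes":
            # Only now is the card on file linked to the order, server-side.
            self.ledger.append({"card": cust.card_on_file, "merchant": merchant,
                                "amount": amount})
            return "initiated"
        if answer == "fraud":
            cust.blocked = True
            # cancel any other callbacks still outstanding for this PIN
            for t in [t for t, p in self.pending.items() if p[0] == pin]:
                del self.pending[t]
            return "blocked"
        return "declined"


def build_demo_server():
    """Constructed sample database: one customer behind one virtual PIN."""
    return VirtualPinPaymentServer({
        "VPIN-4821": Customer(email="alice@example.com", card_on_file="card-token-on-file"),
    })


if __name__ == "__main__":
    srv = build_demo_server()
    wire = {"virtual_pin": "VPIN-4821", "merchant": "shop.example", "amount": 25.0}
    token = srv.receive_order(wire)
    print(srv.outbox[-1])
    print(srv.receive_reply(token, "yes"), srv.ledger)
    # Someone who sniffed `wire` can replay it, but the callback still goes
    # to the real payer, who answers "fraud" and gets the PIN blocked.
    replay = srv.receive_order(dict(wire))
    print(srv.receive_reply(replay, "fraud"), srv.receive_order(dict(wire)))
```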

Personal firewalls: When a computer is connected to a network, it becomes vulnerable to attack. A firewall is a program that helps protect a computer by monitoring and blocking certain types of traffic initiated by and directed to the computer. An intruder who gets access can also scan the hard drive to detect any stored passwords [10].

Security Policy: Making security policies is a very important step in securing an e-commerce business enterprise. The policy should clearly state the requirements for each element of the system and the way they interact. An organization’s security policy defines its position on the protection of its physical and IT assets. The security policy identifies physical, technological, legal and intellectual property assets and indicates how they should be protected [11].

Obtaining a digital certificate from a trusted source usually demands real proof of identity and authentication; therefore, it is difficult to create a fake one. Digital signatures from sources such as VeriSign pass through the client’s web browser software successfully, since the software will immediately flag fake digital signatures.

V. ISSUES IN DEVELOPING COUNTRIES

According to the Organization for Economic Co-operation and Development (OECD), the major barrier to e-commerce adoption in developing countries is the lack of legal mechanisms to handle electronic transactions. There is also a lack of awareness about security issues and a shortage of IT security professionals. The initial set-up cost is high and, therefore, most companies in developing countries cannot afford it. Pricing is also tricky, most of the population is unbanked and has limited knowledge of e-business, and internet penetration is low. In developing countries, e-commerce is encountering problems, as people have not been exposed to the e-business culture. This calls for urgently addressing the issues that are hindering the take-off of e-commerce in those countries. Agencies with legal credibility have to develop models and proper procedures.

Business in developing countries has used a relatively developed, accessible, and affordable infrastructure. The cost, quality, availability, and accessibility of such infrastructure may hinder adoption of e-commerce. The lack of information and communications technology (ICT) diffusion in an economy can also limit the level of e-commerce awareness which people in developed countries take for granted. Internet use has yet to reach a large part of the population in developing countries, and this has led to slow uptake of e-commerce. There are not even enough legal measures to ensure regulation of e-business, and no institutions have been set up. Lack of trust in the business has also kept large organizations that could run such businesses from getting involved. Communication infrastructure must be in good condition for e-commerce to thrive in a business environment. For developing countries, initial investment is one of the main obstacles, since most of these countries do not have the necessary resources to fund such an infrastructure. In addition, training and internet services must be accessible to the majority of the population in rural settings. To facilitate the diffusion of e-commerce there is a need for responsible government agencies to develop e-policies. Telecommunication infrastructure is clearly a necessary but not a sufficient requirement for the development and entry of a developing country into the cyber marketplace. Developing countries must also encourage investment and partnerships with vendors, suppliers, and telecommunications companies outside their borders. This requires a well-developed approach using the tools and strategies of an open and fair marketplace.

In addition to the hard-resource considerations made by many developing countries, a host of soft resources has to come into play. The first of these is the establishment of national policies dealing with the information and telecommunication sector. This soft factor is necessary so that there can be a smooth adoption and penetration of e-commerce in these growing economies. Proper legal mechanisms must also be set up to protect e-business from loopholes brought about by legal issues. Laws dealing with consumer protection, privacy protection, and intellectual property rights are essential for the successful implementation of e-commerce programs. Privacy and security of user information continue to be the most contentious topic in online transactions. The number of security breaches such as data theft, file corruption, or web page shutdown continues to rise as the number of online transactions rises. Telecommunication and e-commerce activities may face challenges if those in e-commerce cannot guarantee the safety of people's private information. In many developing countries, the use of security measures such as trusted third parties, data encryption, and secure telecommunications that can provide protection needs to grow for e-commerce to thrive. The relations and confidence that e-business creates will determine the level of e-commerce diffusion in these countries.

VI. CONCLUSION

With today’s high-tech business and e-commerce environment, it is crucial to have the capability to protect information assets by implementing security measures. Losses of huge amounts of money and system damage are examples of the negative effects resulting from weak security measures. Security threats cause serious incidents for e-commerce firms, such as revenue loss, reputation damage, legal consequences and loss of market share. Therefore, e-commerce companies should use proper techniques to secure their systems and increase user awareness of those threats. To overcome the security obstacle to e-commerce adoption in developing countries, decision-makers and IT professionals should enhance the security of online payment and reassure and educate people about conducting online transactions. Governments should also implement laws and procedures that allow businesses to function well and protect information. Dealing with the security issue will build and strengthen trust in online transactions and lead to a safe e-payment gateway for businesses and citizens. This will increase the confidence of the public and of businesses in conducting online payments safely.

REFERENCES

[1] McAfee study: online security fears affect online shopping. Ecommerce Journal, June 29, 2009. [Cited: 01 14, 2011.] [http://ecommercejournal.com/news/16510_mcafee_study_online_security_fears_affect_online_shopping]

[2] M. J. Schniederjans and Qing Cao. e-Commerce Operations Management. World Scientific Publishing Co., 2002.

[3] R. Boilard. How Exactly Does Ecommerce Work? I4Market. [http://www.i4market.com/articles/d347.html] Last retrieved on March 15, 2011.

[4] F. Belanger, J. S. Hiller and W. J. Smith. Trustworthiness in electronic commerce: the role of privacy, security, and site attributes. The Journal of Strategic Information Systems, 2002, pp. 254-270.

[5] L. Clemer. Information Security Concepts: Confidentiality, Integrity, Availability, and Authenticity. May 2010.

[6] S. M. Furnell and Karweni. IT Security implications of electronic commerce: a survey of consumers and businesses. Internet Research: Electronic Networking Applications and Policy, 1999, pp. 372-382.

[7] Centeno. Building Security and Consumer Trust in Internet Payments. April 2002.

[8] Advanced security threats are growing in their scale. E-Commerce Journal, July 2010. [http://www.e-commerce-journal.com]

[9] Protecting Online Banking from Denial of Service Attacks. IntruGuard. [http://www.intruguard.com]

[10] Darshanand Khusial and Ross McKegney. IBM developerWorks. IBM, April 2005. [http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html]

[11] C. Mazumdar, M. Barik and A. Sengupta. e-Commerce security – A life cycle approach. Kolkata, India, April/June 2005.

[12] M. Kapurubandara and R. Lawson. Barriers to Adopting ICT and e-commerce with SMEs in . 2006. [http://www.scribd.com/doc/23874427/Barriers-of-e-commerce-and-e-government-in-Saudi-Arabia]

[13] M. Kapurubandara and R. Lawson. Availability of E-commerce Support for SMEs in Developing Countries. The International Journal on Advances in ICT for Emerging Regions, 2008, pp. 3-6.

[14] K. Al-Gharbi and R. Ashrafi. Factors Contributing To Slow Internet Adoption in Omani Sector. IBIMA Publishing, 2010, pp. 7-8.

[15] Alyabis. Examining the impact of Internet electronic commerce on commercial organizations in Saudi Arabia. Ph.D. Dissertation, University of Northern Iowa, December 2000.

[16] A. Fahad. Scribd, 2005/2006. [Cited: Feb 23, 2011.] [http://www.scribd.com/doc/23874427/Barriers-of-e-commerce-and-e-government-in-Saudi-Arabia]

[17] A. Sanayei and L. Rajabion. E-Commerce and Security Governance in Developing . Isfahan, Iran, 2008.

[18] G. Herrmann and P. Herrmann. Security and Trust in Electronic Commerce. Business and Economics, 2004, pp. 1-2.

[19] P. Prashant. The role of trust in e-commerce relational exchange: A unified model. Information & Management, 2009, pp. 213-220.

[20] J. Sheila. What Security Fears Cost E-Commerce. Ecommerce Times. [Cited: 01 24, 2011.] [http://www.ecommercetimes.com/story/smb/69667.html?wlc=1270740395&wlc=1271103816]

[21] G. Keizer. Consumer Security Fears Cost E-Commerce $2 Billion. Information Week, 2006.


A Curriculum Design for E-commerce Security

Journal of Information Systems Education, Vol. 16(1)

Hyunwoo Kim, Younggoo Han, Sehun Kim
Department of Industrial Engineering, KAIST, 373-1 Guseong-dong Yuseong-gu, Daejeon, 305-701, Korea
hwkim@tmlab.kaist.ac.kr, yghan@tmlab.kaist.ac.kr, shkim@kaist.ac.kr

Myeonggil Choi
National Security Research Institute, 161 Gajeong-dong Yuseong-gu, Daejeon, 305-350, Korea
mgchoi@etri.re.kr

ABSTRACT

The low cost and wide availability of the Internet have revolutionized electronic commerce (e-commerce) and its applications. Security, then, has become one of the most important issues that must be resolved first to ensure its success. To protect an e-commerce system from existing threats, there must be e-commerce security experts who can help ensure its reliable deployment. This paper presents a curriculum design for e-commerce security in which the Delphi method and the Analytic Hierarchy Process (AHP) method were used. The AHP method determines the priorities of the e-commerce security courses, and the results of the study provide useful guidelines in the design of the e-commerce security curriculum.

Keywords: Electronic commerce, security, curriculum development, e-commerce security expert, AHP method.

1. INTRODUCTION

The low cost and wide availability of the Internet have sparked a revolution in electronic commerce (e-commerce) and its applications. Many organizations have begun exploiting the opportunities offered by Internet-based e-commerce, and many more are expected to follow. Exemplary applications include online shopping, telebanking and Internet banking, teleteaching and distance education, online gambling, and virtual casinos, as well as Pay-TV and video-on-demand services (Oppliger, 1999). While this offers convenience for both consumers and vendors, many consumers are concerned about security and their private information when purchasing products or services over the Internet (Wang, Cao, and Kambayashi, 2002). Recently, there have been attacks on popular websites that resulted in the possible theft of credit card numbers of several thousand customers (He and Wang, 2001). Indeed, security is a major factor in e-commerce services.

Recently, courses in e-commerce have been offered in many schools and departments. These courses can be classified as technical and non-technical courses. Non-technical courses frequently focus on the changes in the business and in the industry due to e-commerce, the development of e-commerce, marketing practices, the processes in marketing research, etc. In technical courses, many academic units provide the contexts to understand the technology and its applications, such as web page design and associated programming languages, linking of databases to the website, customer data collection, catalog development, etc. (Jenkins, 2001). However, there are not enough courses in e-commerce security, despite the priority that security has in ensuring the success of e-commerce. Many schools and academic departments on e-commerce have only one or two courses that deal with e-commerce security. When considering the importance of security in e-commerce, there is a further need to train e-commerce security experts who can help ensure its reliable deployment. To produce e-commerce security experts, e-commerce security education should be treated more seriously, and sound curricula in e-commerce security are required.

In this paper, we suggest a curriculum design for e-commerce security that would be useful in training e-commerce security experts. An e-commerce security curriculum is designed in consideration of existing e-commerce threats and current information security curricula. To analyze the designed e-commerce security curriculum, the Delphi method and the Analytic Hierarchy Process (AHP) method are applied. The AHP method determines the relative importance of e-commerce security courses (Nam and Kim, 2003; Saaty, 1995). By using the AHP method, we can determine the priorities in e-commerce security courses. To produce e-commerce security experts, these priorities provide useful guidelines in the selection of e-commerce security courses. The rest of the paper is organized as follows. Section 2 analyzes e-commerce threats and current e-commerce curricula. In Section 3, the e-commerce security curriculum is designed. Section 4 introduces the methodology. Section 5 shows the results of the Delphi and AHP methods. The conclusions are then discussed in Section 6.

2. RELATED WORKS

2.1 E-commerce Security

Without question, security is one of the most important issues that must be resolved to ensure the success of e-commerce. Researchers have studied how to protect e-commerce systems from threats. A number of papers have dealt with threats and related security issues in e-commerce applications (Oosthuizen, 1998; Wright, 2001).

Customer privacy is becoming the most common security issue in e-commerce (Udo, 2001). No customer wants to use a business that distributes sensitive customer data, such as credit card information, without his knowledge or permission. Encryption technologies are widely used to protect customers' privacy. Encryption algorithms and digital signatures support secure applications in e-mail and electronic payment schemes. Public key infrastructure (PKI) also plays an important role in secure e-commerce transactions (Gollmann, 2000).

Hacking and distribution of viruses are also serious threats to e-commerce. They mostly attack networks or e-commerce sites to render e-services unavailable. Businesses mainly use firewalls to protect their internal networks. Firewalls have now become the main points of defense in the business security architecture. Various complementary systems, such as Intrusion Detection Systems (IDS), Virtual Private Networks (VPN), Information Retrieval Systems, etc., have also been applied (Marchany and Tront, 2002).

Even if the security technologies are applied well, non-technology factors, such as human errors, can make an e-commerce system unstable. The individuals operating the systems have become the most obvious vulnerable avenues of attack for internal and external threats (Arce, 2003). To minimize the damage caused by human errors, social engineering technology must be applied adequately.

To protect e-commerce systems from existing threats, all the security factors mentioned above should be considered. Additionally, e-commerce managers and engineers who have expert knowledge on security are required to manage these factors adequately. However, there is still very little research on e-commerce education that focuses on e-commerce security.

2.2 E-commerce Curriculum

Nowadays, e-commerce education is one of the most common courses in many educational institutions. Many colleges, graduate schools, and MBA programs include e-commerce education in their curricula. To investigate the current state of e-commerce education, we surveyed the curricula of e-commerce programs in 14 undergraduate schools, seven graduate schools, and five MBA courses. Those curricula differed in the number and depth of subjects, but there were many structural similarities.

From a brief survey of those e-commerce curricula, e-commerce programs are classified into technical and non-technical courses. Technical courses are mainly related to the development and management of e-commerce systems. These courses focus on educational issues like web and database technologies, telecommunication and networking, programming methods, and other technical concerns. Non-technical courses include the basic concepts of e-commerce, finance, accounting, marketing, public policy, leadership, and social engineering. Technical courses mainly focus on e-commerce system development, while non-technical courses are more related to the training of e-commerce managers.

The current e-commerce system requires an e-commerce professional to have a thorough knowledge of both technical and non-technical courses. In particular, the e-commerce professional must obtain expert knowledge in e-commerce security. However, security-related courses have not been sufficiently organized to meet such demands. Among the 26 examined e-commerce programs, only 14 include courses related to e-commerce security in their curricula. In addition, those programs have, at most, one or two security courses, whose contents are inconsistently constructed. This shows that there are not enough courses that deal with e-commerce security, and that e-commerce security guidelines or standards barely exist. Therefore, sound curricula, based on well-organized guidelines, are required to ensure e-commerce security and to produce e-commerce security experts.

3. E-COMMERCE SECURITY CURRICULUM DESIGN

In this paper, we suggest an e-commerce security curriculum, which is designed to train e-commerce security experts. A number of factors have contributed to the design of a new curriculum in e-commerce security education. In the previous section, many threats to the success of e-commerce were identified, and the current e-commerce curricula were found insufficient in training e-commerce professionals. Therefore, information security curricula must be used to develop an e-commerce security curriculum. Materials related to e-commerce threats from information security curricula were chosen and utilized in the construction of e-commerce security education courses (Armstrong and Jayaratna, 2002; Kim and Surendran, 2002; Kim and Choi, 2002).

An e-commerce security curriculum should include fundamental security knowledge, security management, and system development. Encryption technologies and knowledge about hacking and viruses are classified as fundamental security knowledge because they are basic knowledge about the e-commerce threats mentioned in Section 2.1, and should be considered in the development of every e-commerce system. The contents about security management consist of e-commerce standards, laws, ethics, and security management and evaluation. These are partly related to human factors. The knowledge about system development concerns system technology, including web and database design, firewalls, IDS, etc.

In total, 27 courses are developed for e-commerce security education. They are classified into three types: eight security managerial courses, five fundamental security courses, and 14 technology-based courses. The courses on e-commerce security education are as follows.

Security Managerial Courses: Introduction to E-commerce Security, Privacy and Ethics, Laws and Regulations, E-commerce Security Policy, E-commerce Standards, Security Projects for E-commerce, E-commerce Security Evaluation, and Risk Analysis Management

Fundamental Security Courses: Mathematical Cryptography, Encryption Technology, Public Key Infrastructure (PKI), Analysis of Hacking Techniques, and Handling Computer Viruses

Technology-Based Courses: Database Concept and Design, Database Management and Security, Website Design and Management, Web Server Implementation and Management, Web Programming Language, Server Authentication System, Firewall Technology, Network Security, Mobile Computing Security, Virtual Private Network, Information Retrieval System Design, Electronic Payment and Security, Intrusion Detection System, and Distributed Computing Security

The detailed explanation of these courses is provided in Appendix A. Although these courses consist of the essential components related to e-commerce security, it is difficult to cover all of them in e-commerce education because e-commerce education should also cover general subjects about e-commerce, including finance, marketing, etc. Therefore, it is recommended that the more important courses for e-commerce security be selected and taken together with general e-commerce subjects. We evaluate the relative importance of e-commerce security courses to provide guidelines in creating an e-commerce curriculum that would be useful in producing e-commerce security experts.

4. METHODOLOGY

In this paper, we use a phase of the Delphi method and the Analytic Hierarchy Process (AHP) method to determine the relative importance of e-commerce security courses. The outcome from using the Delphi method is used as input for the hierarchical processing procedure in AHP. The AHP method is a flexible multiple-criteria decision-making (MCDM) technique (Saaty, 1995). It helps set priorities and make the best decision qualitatively and quantitatively. It serves as a framework for structuring complex decision-making problems and for providing judgments based on knowledge, experience, or feeling. The AHP method has been successfully applied in software and computer selection (Maiden and Ncube, 1998; Zviran, 1993), and some applications of AHP have been introduced in books (Golden, Wasil, and Harker, 1989; Saaty and Vargas, 2000).

The research process of this paper consists of three steps.

Step 1: Creating a full list of e-commerce security courses and developing the hierarchical model of the list to apply AHP.

Step 2: Gathering relational data to compare alternatives by using the Delphi method.

Step 3: Estimating the priorities of e-commerce security courses.

The detailed research procedure performed in each step is as follows. In step 1, we create a full list of 27 e-commerce security courses. (The full list was already given in the previous section.) To apply AHP, the components of the list are further divided into a three-level hierarchy. Figure 1 shows the hierarchy of the e-commerce security courses.

In step 2, we use the Delphi method to gather relational data for determining the order of importance of each of the e-commerce security courses. The outcome of the Delphi approach is used as input for the hierarchical processing procedure in AHP. In this step, we prepare a questionnaire based on the hierarchy of e-commerce security courses. In the questionnaire, pairwise comparisons are made among all the factors at each level in the hierarchy. The pairwise comparison process elicits qualitative judgmental statements that indicate the strength of the decision maker's preference in a particular comparison. Saaty suggests the use of a 1-9 scale to quantify the strength of the decision maker's feelings between any two alternatives with respect to a given attribute (Saaty, 1995). An explanation of this scale is presented in Table 1.

In step 3, the relative weights of the e-commerce security courses are estimated, and the survey results are analyzed. To use the AHP, a judgment matrix should be obtained from the input data collected through the Delphi method.

Figure 1. Hierarchy of E-commerce Security Courses

- Security Managerial Course
  - Fundamental: Introduction to E-commerce Security; Privacy and Ethics
  - Security Strategy: Laws and Regulations; E-commerce Security Policy; E-commerce Standards; Security Projects for E-commerce
  - Environmental Analysis: E-commerce Security Evaluation; Risk Analysis Management
- Fundamental Security Course
  - Encryption: Mathematical Cryptography; Encryption Technology; Public Key Infrastructure
  - Threat Analysis: Analysis of Hacking Techniques; Handling Computer Viruses
- Technology-based Course
  - Database Security: Database Concept and Design; Database Management and Security
  - Web Security: Website Design and Management; Web Server Implementation and Management; Web Programming Language; Server Authentication System
  - Network Security: Network Security; Mobile Computing Security; Virtual Private Network; Firewall Technology
  - System Security Management: Intrusion Detection System; Electronic Payment and Security; Distributed Computing Security; Information Retrieval System Security

| Intensity of importance | Definition | Explanation |
|---|---|---|
| 1 | Equal importance | Both factors contribute equally to the objective or criterion |
| 3 | Weak importance of one over another | Experience and judgment slightly favor one factor over another |
| 5 | Essential or strong importance | Experience and judgment strongly favor one factor over another |
| 7 | Very strong or demonstrated importance | A factor is favored very strongly over another, its dominance demonstrated in practice |
| 9 | Absolute importance | The evidence favoring one factor over another is unquestionable |

Table 1. Scale used in Pairwise Comparisons

Saaty's eigenvalue method is the most preferred approach in this estimation (Saaty, 1995). In this section, no attempt is made to prove the mathematical foundations of AHP.

5. ANALYSIS OF THE E-COMMERCE SECURITY CURRICULUM

To determine the relative importance of e-commerce security courses, a questionnaire was sent to research groups, e-business managers, system engineers, etc. Participants were asked to check relative importance in pairwise comparisons, which are shown in Appendix A. The questionnaire was sent via E-mail to 500 professionals in universities, research institutes, e-businesses, and IT companies. A total of 67 professionals returned the questionnaires for a response rate of 13.4%, which is normal for a mail survey. Some participants might have refused to respond to the questionnaire due to unfamiliarity with the subject. The respondents’ classification by job is shown in Table 2.

| Position | Total Number | Percentage (%) |
|---|---|---|
| Faculty in University | 6 | 9.0 |
| Researcher in Security Institute | 15 | 22.4 |
| E-business Consultant | 7 | 10.4 |
| E-business Manager | 15 | 22.4 |
| E-commerce System Developer | 12 | 17.9 |
| Security Manager in IT Company | 12 | 17.9 |
| Total | 67 | 100.0 |

Table 2. Classification of Respondents by Job

By multiplying the weights of the first, second, and third levels in the hierarchy, the overall rankings of the e-commerce security courses can be determined. Table 4 shows the priority rankings of e-commerce security courses based on the results of Table 3. The Intrusion Detection System course is considered the most important course among e-commerce security courses. Many technology-based courses show high priorities (1st, 2nd, 5th, 7th, and 10th). The E-commerce Security Policy course is ranked 3rd, the highest rank among security managerial courses. The security policy influences the security management infrastructure, training of employees, security documentation, etc., which are closely related to the human factors in a company. The fact that security policy is ranked relatively high means people think that the human factor is important in the success of e-commerce security. Among fundamental security courses, the Analysis of Hacking Techniques course is ranked highest. On the contrary, all encryption courses received low priorities compared to other e-commerce security courses. The Mathematical Cryptography course is ranked lowest, and the Encryption Technology and PKI courses are ranked 24th and 18th, respectively. This shows that people view theoretical studies on encryption technology as not significant in e-commerce security education.

The priorities of e-commerce security courses can be used to develop an e-commerce security curriculum in e-commerce education institutes. When designing a practical and efficient e-commerce curriculum for training e-commerce security experts, the priorities given in Table 4 provide useful guidelines in the selection of e-commerce security courses.
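The two computational steps of the method, as an added Python example that is not part of the paper: a pairwise judgment matrix on Saaty's 1-9 scale is turned into a local priority vector by the eigenvalue method (power iteration, with the consistency ratio check), and the local weights reported in Table 3 are multiplied down the three-level hierarchy to reproduce the ranking of Table 4. The 3x3 judgment matrix is a constructed illustration, not the survey data; only the Table 3 weights come from the paper.

```python
"""AHP for the e-commerce security course hierarchy (added example, not from the paper).

A pairwise judgment matrix on Saaty's 1-9 scale gives local priorities (principal
eigenvector by power iteration, checked with the consistency ratio); local weights
multiplied down the three-level hierarchy give the global priorities of Table 4.
"""

# Saaty's random consistency index by matrix order; CR = CI / RI.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def ahp_priorities(matrix, iterations=500, tol=1e-12):
    """Return (priority vector, lambda_max) of a positive reciprocal judgment matrix."""
    n = len(matrix)
    w = [1.0 / n] * n  # power iteration from the uniform vector
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        new_w = [x / total for x in aw]
        converged = max(abs(a - b) for a, b in zip(new_w, w)) < tol
        w = new_w
        if converged:
            break
    # lambda_max = mean of (A w)_i / w_i; it equals n only for perfectly consistent judgments.
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lambda_max


def consistency_ratio(lambda_max, n):
    """CR = ((lambda_max - n) / (n - 1)) / RI; Saaty accepts a matrix when CR <= 0.10."""
    if n <= 2:
        return 0.0
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


# Constructed illustration of one Appendix A comparison among the three top-level
# categories (order: Security Managerial, Fundamental Security, Technology-based);
# a_ij says how much more important i is than j, and a_ji = 1 / a_ij.
TOP_LEVEL_JUDGMENTS = [
    [1.0, 2.0, 1 / 2],
    [1 / 2, 1.0, 1 / 4],
    [2.0, 4.0, 1.0],
]

# Local weights as reported in Table 3: {category: (w1, {subgroup: (w2, {course: w3})})}.
TABLE_3 = {
    "Security Managerial Course": (0.281, {
        "Fundamental": (0.105, {"Introduction to E-commerce Security": 0.75, "Privacy and Ethics": 0.25}),
        "Security Strategy": (0.637, {"Laws and Regulations": 0.275, "E-commerce Security Policy": 0.475,
                                      "E-commerce Standards": 0.158, "Security Projects for E-commerce": 0.092}),
        "Environment Analysis": (0.258, {"E-commerce Security Evaluation": 0.25, "Risk Analysis Management": 0.75}),
    }),
    "Fundamental Security Course": (0.135, {
        "Encryption": (0.25, {"Mathematical Cryptography": 0.086, "Encryption Technology": 0.297,
                              "Public Key Infrastructure (PKI)": 0.618}),
        "Threat Analysis": (0.75, {"Handling Computer Viruses": 0.25, "Analysis of Hacking Techniques": 0.75}),
    }),
    "Technology-Based Course": (0.584, {
        "Database Security": (0.086, {"Database Concept and Design": 0.167, "Database Management and Security": 0.833}),
        "Web Security": (0.292, {"Website Design and Management": 0.185, "Web Server Implementation and Management": 0.283,
                                 "Web Programming Language": 0.211, "Server Authentication System": 0.321}),
        "Network Security": (0.292, {"Firewall Technology": 0.305, "Network Security": 0.528,
                                     "Mobile Computing Security": 0.061, "Virtual Private Network": 0.106}),
        "System Security Management": (0.331, {"Information Retrieval System Design": 0.275, "Electronic Payment and Security": 0.158,
                                               "Intrusion Detection System": 0.475, "Distributed Computing Security": 0.092}),
    }),
}


def global_priorities(hierarchy):
    """Global priority of a course = w1 * w2 * w3 along its path from the root."""
    out = {}
    for _category, (w1, subgroups) in hierarchy.items():
        for _subgroup, (w2, courses) in subgroups.items():
            for course, w3 in courses.items():
                out[course] = w1 * w2 * w3
    return out


def ranked_courses(hierarchy):
    """Courses in descending order of global priority (ties broken by name)."""
    gp = global_priorities(hierarchy)
    return sorted(gp, key=lambda c: (-gp[c], c))


if __name__ == "__main__":
    w, lam = ahp_priorities(TOP_LEVEL_JUDGMENTS)
    print("top-level priorities", [round(x, 3) for x in w], "CR", round(consistency_ratio(lam, 3), 3))
    gp = global_priorities(TABLE_3)
    for rank, course in enumerate(ranked_courses(TABLE_3), 1):
        print(f"{rank:2d} {course:45s} {gp[course]:.4f}")
```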

6. CONCLUSIONS

In e-commerce environments, security should be considered an essential factor in their success. In this paper, a curriculum design on e-commerce security was provided to train e-commerce security experts. The 27 e-commerce security courses were constructed by considering existing e-commerce threats, current e-commerce courses, and information security curricula. The Delphi method and the AHP method were used to determine the relative importance and the overall rankings of the designed e-commerce security courses.

The current e-commerce system requires an e-commerce professional to have a thorough knowledge of security issues in e-commerce. However, it is difficult to cover all of them in e-commerce education because e-commerce education should also cover general subjects about e-commerce. Therefore, the more important courses for e-commerce security should be selected. The research results can serve as useful guidelines in the development of secure e-commerce curricula.

To improve the validity of our achievements, the proposed work needs to be verified by further studies. There is very little research on e-commerce security requirements. A further study on e-commerce security requirements may contribute to designing a more suitable curriculum in e-commerce security. Additionally, our work can provide more reliable results if we apply our method to larger and more varied groups of respondents.

| Course Classification | Subgroup | Course | Weight |
|---|---|---|---|
| Security Managerial Course (0.281) | Fundamental (0.105) | Introduction to E-commerce Security | 0.75 |
| | | Privacy and Ethics | 0.25 |
| | Security Strategy (0.637) | Laws and Regulations | 0.275 |
| | | E-commerce Security Policy | 0.475 |
| | | E-commerce Standards | 0.158 |
| | | Security Projects for E-commerce | 0.092 |
| | Environment Analysis (0.258) | E-commerce Security Evaluation | 0.25 |
| | | Risk Analysis Management | 0.75 |
| Fundamental Security Course (0.135) | Encryption (0.25) | Mathematical Cryptography | 0.086 |
| | | Encryption Technology | 0.297 |
| | | Public Key Infrastructure (PKI) | 0.618 |
| | Threat Analysis (0.75) | Handling Computer Viruses | 0.25 |
| | | Analysis of Hacking Techniques | 0.75 |
| Technology-Based Course (0.584) | Database Security (0.086) | Database Concept and Design | 0.167 |
| | | Database Management and Security | 0.833 |
| | Web Security (0.292) | Website Design and Management | 0.185 |
| | | Web Server Implementation and Management | 0.283 |
| | | Web Programming Language | 0.211 |
| | | Server Authentication System | 0.321 |
| | Network Security (0.292) | Firewall Technology | 0.305 |
| | | Network Security | 0.528 |
| | | Mobile Computing Security | 0.061 |
| | | Virtual Private Network | 0.106 |
| | System Security Management (0.331) | Information Retrieval System Design | 0.275 |
| | | Electronic Payment and Security | 0.158 |
| | | Intrusion Detection System | 0.475 |
| | | Distributed Computing Security | 0.092 |

Table 3. Weights of E-commerce Security Courses

| Rank | Course |
|---|---|
| 1 | Intrusion Detection System |
| 2 | Network Security |
| 3 | E-commerce Security Policy |
| 4 | Analysis of Hacking Techniques |
| 5 | Server Authentication System |
| 6 | Risk Analysis Management |
| 7 | Information Retrieval System Design |
| 8 | Firewall Technology |
| 9 | Laws and Regulations |
| 10 | Web Server Implementation and Management |
| 11 | Database Management and Security |
| 12 | Web Programming Language |
| 13 | Website Design and Management |
| 14 | Electronic Payment and Security |
| 15 | E-commerce Standards |
| 16 | Handling Computer Viruses |
| 17 | Introduction to E-commerce Security |
| 18 | Public Key Infrastructure (PKI) |
| 19 | E-commerce Security Evaluation |
| 20 | Virtual Private Network |
| 21 | Distributed Computing Security |
| 22 | Security Projects for E-commerce |
| 23 | Mobile Computing Security |
| 24 | Encryption Technology |
| 25 | Database Concept and Design |
| 26 | Privacy and Ethics |
| 27 | Mathematical Cryptography |

Table 4. Priority Rankings of E-commerce Security Courses

7. ACKNOWLEDGEMENTS

This work was sponsored in part by the Korean Ministry of Information and Communication under the University IT Research Center Project.

8. REFERENCES

Arce, I. (2003), "The Weakest Link Revisited." IEEE Security & Privacy Magazine, Vol. 1, Issue 2, March-April 2003, pp. 72-76.

Armstrong, H., N. Jayaratna (2002), "Internet Security Management: A Joint Postgraduate Curriculum Design." Journal of Information Systems Education, Vol. 13, No. 3, 2002, pp. 249-258.

Golden, L. B., E. A. Wasil, and P. T. Harker (1989), The Analytic Hierarchy Process: Applications and Studies. Springer-Verlag, Berlin.

Gollmann, D. (2000), "E-commerce Security." Computing & Control Engineering Journal, Special Feature on E-commerce, Vol. 11, No. 3, June 2000, pp. 115-118.

He, J. and M. Wang (2001), "Cryptography and Relational Database Management Systems." 2001 International Symposium on Database Engineering & Applications, July 16-18, pp. 273-284.

Jenkins, A. M. (2001), "Meeting the Need for E-commerce and E-business Education: Creating A Global Electronic Commerce Concentration in the Master of Business Administration (MBA) Program." 9th European Conference on Information Systems, June 27-29, pp. 1081-1086.

Kim, K., K. Surendran (2002), "Information Security Management Curriculum Design: A Joint Industry and Academic Effort." Journal of Information Systems Education, Vol. 13, No. 3, 2002, pp. 227-236.

Kim, S., M. Choi (2002), "Educational Requirement Analysis for Information Security Professionals in Korea." Journal of Information Systems Education, Vol. 13, No. 3, 2002, pp. 237-246.

Maiden, N. A., C. Ncube (1998), "Acquiring COTS Software Selection Requirements." IEEE Software, Vol. 15, No. 2, March 1998, pp. 46-56.

Marchany, R. C., J. G. Tront (2002), "E-commerce Security Issues." Proceedings of the 35th Hawaii International Conference on System Science, January 7-10, pp. 2500-2508.

Nam, C., B. Kim (2003), "A Study on E-commerce Firms' Selecting Criteria for Small Package Express Service Provider by Using the Analytic Hierarchy Process." The Journal of Internet Electronic Commerce Research, Vol. 3, No. 1, February 2003.

Oosthuizen, G. (1998), "Security Issues Related to E-commerce." Network Security, No. 5, 1998, pp. 10-11.

Oppliger, R. (1999), "Shaping the Research Agenda for Security in E-commerce." Proceedings of the 10th International Workshop on Database & Expert Systems Applications, 1999, pp. 810-814.

Saaty, T. L. (1995), Decision-Making for Leaders: The Analytical Hierarchy Process for Decisions in a Complex World. RWS Publications.

Saaty, T. L., and L. Vargas (2000), Models, Methods, Concepts, and Applications of the Analytic Hierarchy Process. Kluwer Academic Publishers, Boston.

Udo, G. J. (2001), "Privacy and Security Concerns as Major Barriers for E-commerce: A Survey Study." Information Management & Computer Security, Vol. 9, No. 4, 2001, pp. 165-174.

Wang, H., J. Cao, and Y. Kambayashi (2002), "Building a Consumer Scalable Anonymity Payment Protocol for Internet Purchases." Proceedings of RIDE-2EC, February 24-25, pp. 159-168.

Wright, A. (2001), "Controlling Risks of E-commerce Content." Computers & Security, Vol. 20, No. 2, 2001, pp. 147-154.

Zviran, M. (1993), "A Comprehensive Methodology for Computer Family Selection." Journal of System Software, Vol. 22, No. 1, July 1993, pp. 17-26.

AUTHOR BIOGRAPHIES

Hyunwoo Kim received the B.S. degree in industrial management and the M.S. degree in industrial engineering from Korea Advanced Institute of Science and Technology (KAIST) in 1999 and 2001, respectively, where he is pursuing the doctoral degree in industrial engineering. His research interests are in the areas of information system security evaluation, e-commerce security, and optimal design and analysis of intrusion detection systems in ad hoc networks.

Younggoo Han received the B.S. degree and M.S. degree in industrial engineering from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, in 2002 and 2004, respectively, where he is pursuing the doctoral degree in industrial engineering. His research interests are topics in e-commerce security, secure communication in wide-band networks, and intrusion detection systems.

Sehun Kim received the B.S. degree in physics from Seoul National University, Seoul, Korea, in 1972, and the M.S. and Ph.D. degrees in operations research from Stanford University in 1978 and 1981, respectively. In 1982, he joined the faculty of the Korea Advanced Institute of Science and Technology (KAIST). He has published a number of papers in IEEE Trans. on Vehicular Technology, Computer Networks, Telecommunication Systems, IEICE Transactions on Communications, International Journal of Satellite Communications, and Journal of KIISC (Korea Institute of Information Security and Cryptology). He served as the chief editor of the Journal of KIISC from 1990 to 1993.

Myeonggil Choi is a senior engineer at National Security Research Institute, Electronics and Telecommunications Research Institute (ETRI) in Korea. He received the M.S. degree from Pusan National University and the Ph.D. degree in Management Information Systems from Korea Advanced Institute of Science and Technology (KAIST) in 2004. He worked at Agency for Defense Department (ADD) as a researcher and has worked for National Security Research Institute, Electronics and Telecommunications Research Institute (ETRI) in Korea. His recent research issues include Network Security, Information System Security Evaluation, E-Commerce Security and Information Security Management.


Appendix A Pairwise Comparison Form of the Top Levels in the Curriculum Hierarchy

← Left side is more important | Right side is more important →

Component | Absolute | Very Strong | Strong | Weak | Equal | Weak | Strong | Very Strong | Absolute | Component
Security Managerial Course | | | | | | | | | | Security Fundamental Course
Security Managerial Course | | | | | | | | | | Technology-Based Course
Security Fundamental Course | | | | | | | | | | Technology-Based Course


Appendix B Topics covered in the E-commerce Security Curriculum

Course Name | Course Focus
Introduction to E-commerce Security | General information on e-commerce security
Privacy and Ethics | Issues and examples of privacy and ethics in e-commerce
Laws and Regulations | E-commerce and security laws and regulations, laws on privacy, electronic payment, and criminology
E-commerce Security Policy | Strategy, documentation, adoption, analysis and management, and education of e-commerce security policies
E-commerce Standards | Standardization in e-commerce, security issues in e-commerce standards
Security Projects for E-commerce | Practical project in the e-commerce security design, building, and testing
E-commerce Security Evaluation | Evaluation method of e-commerce security, design, and management of the e-commerce security evaluation system
Risk Analysis Management | Risk assessment, risk analysis methods, and risk management
Mathematical Cryptography | History, concept, and mathematics of cryptography
Encryption Technology | Symmetric and asymmetric key distribution, protocols and key management, and digital signatures and certificates
Public Key Infrastructure (PKI) | Architecture of PKI, function of PKI components, authentication, and procedure in PKI
Handling Computer Viruses | Types and evolutions of worms and viruses, and protection and response methods
Analysis of Hacking Techniques | Types and examples of hacking, protection, and response and tracking methods
Database Concept and Design | Database theory, models, normalization, physical storage, record access paths, design, performance evaluation, and database integrity and inference
Database Management and Security | Security controls, transaction schedules and protocols, recovery techniques, and encryption in databases
Website Design and Management | Webmaster functions, Internet strategy, information architecture formulation, and security
Web Server Implementation and Management | Architecture, function of the client-server system, web server design, strategy, security, and application
Web Programming Language | XML programming, Java programming, HTML, SQL, TCL programming, and Oracle applications
Server Authentication System | Encryption methods, electronic keys, encryption protocols, and secure payments in client-server systems
Firewall Technology | Concept, architecture of a firewall, design and implementation, network and PC firewall, and applications
Network Security | TCP/IP, Net BIOS, RTS, network management protocols, network statistical analysis, debugging, routing, and managing network security
Mobile Computing Security | Wireless Internet theory, wireless communication security, security design, and applications in mobile computing environments
Virtual Private Network | Concept, architecture, components of VPN, VPN design, encryption of VPN, and implementation
Information Retrieval System Design | Data recovery, network reconstruction, website, and server retrieval
Electronic Payment and Security | Type of electronic payment systems (digital cash, e-check, smart card, etc.), and security of electronic payment tools
Intrusion Detection System | Host-based and network-based intrusion detection, anomaly and misuse detection, detection and response methodologies, tracking, and implementation of IDS
Distributed Computing Security | Design of distributed computing, distributed computing model, and the security design of distributed environments


An Investigation of the Preparation of e-Commerce Professionals

MARCELLINE FUSILIER and CHARLIE PENROD
College of Business, Northwestern State University of Louisiana, Natchitoches, Louisiana, USA

As e-commerce revenues have mounted in recent years, so have losses from security breaches and legal problems. The present study conceptualized e-commerce activities focused on gains versus loss prevention in terms of regulatory focus theory. Professional preparation provided in 163 e-commerce master’s programs worldwide was investigated using propositions derived from the theory. Data were collected using extensive Web searches of master’s program curricula. Results suggested that a majority of the programs lacked courses in the prevention-focused topics of law, security, or ethics. As e-businesses increasingly face the threat of costly legal and security incidents, it appears necessary for e-commerce education programs to place greater emphasis on prevention-focused topics.

KEYWORDS business law, e-commerce, e-commerce education, e-crime, regulatory focus theory, security

INTRODUCTION

E-crime has immense financial impact on e-commerce (2008 Information Security Breaches Survey; Silver-Greenberg 2009). The E-Commerce Times reported that the cost of customer data breaches increased 5.3 percent from 2007 to 2008. Now, the average total cost per incident is $6.65 million (Meisner 2009). Despite the cost and pervasiveness of e-crime, a survey of over 7,000 business and technology executives indicated that 42 percent of the respondents could not identify the sources of their security incidents (Nash 2008). Indeed, 35 percent of the executives did not even know whether they had experienced a security incident. The rapid growth of e-crime and apparent lack of security awareness suggest that education programs for e-commerce professionals do not provide sufficient preparation for preventing e-commerce legal and security problems. Research has documented inadequate coverage of security (Kim et al. 2005; Morrison and Oladunjoye 2002) and legal (Mykytyn, Mykytyn, and Harrison 2005) issues in e-commerce education programs. The present study addresses the apparent gap between the seriousness of e-commerce risks and the preparation provided to those planning careers in the field. Theory from cognitive and motivational psychology is used to explain why the gap has developed and to identify potential remedies from an educational standpoint.

Address correspondence to Marcelline Fusilier, PhD, College of Business, Northwestern State University of Louisiana, 125 Central Ave., Natchitoches, LA 71497, USA. E-mail: fusilier@nsula.edu

Journal of Internet Commerce, 8:2–22, 2009. Copyright © Taylor & Francis Group, LLC. ISSN: 1533-2861 print/1553-287X online. DOI: 10.1080/15332860903341281

Regulatory Focus Theory and e-Commerce

Regulatory focus theory suggests that situational and individual factors can engender motivation to pursue gain or avoid loss (Crowe and Higgins 1997). Concern with gains is called a promotion focus. Concentration on avoiding loss is called a prevention focus. Promotion focus concerns achievement while prevention focus emphasizes security. Situational characteristics can prime individuals or groups to collectively take a promotion or prevention focus (Brazy and Shah 2006).

The field of e-commerce began with stories of wildly successful startups and overnight millionaires. Those attracted to e-commerce and its associated educational programs are likely to be concerned with achieving financial and career gains. Results of a survey of almost 2,000 MBA students suggested that they deemed maximization of shareholders’ value as the primary business responsibility (Aspen Institute 2008). It seems plausible to describe the field of e-commerce as having a collective regulatory focus on promotion. If this is the case, one would expect to find fewer courses in e-commerce programs that are oriented toward preventing loss and more courses that emphasize skills associated with achieving gains.

The apparent emphasis of e-commerce education on gain contrasts with evidence suggesting that for e-commerce consumers, risk perceptions are a main barrier for online shopping (van Noort, Kerkhof, and Fennis 2007). In terms of regulatory focus theory, consumers tend to take a prevention focus when shopping online (van Noort et al. 2007) while the providers of e-commerce likely take a promotion focus. Van Noort, Kerkof, and Fennis (2008) suggested that "Although the natural tendency of a marketer might be to advertise positive features of products and services . . . individuals [consumers] are more easily persuaded by safety-oriented online information" (p. 70). Safety and protective features tend to fit with the prevention focus of consumers but may be overlooked by e-commerce providers because they appear to take a promotion focus. It is therefore essential that e-commerce education includes emphasis on prevention topics. The present study builds on the literature to identify prevention topics concerning e-commerce: law (Gueldenzoph 2006; Mykytyn et al. 2005); ethics (Adam, Aderet, and Sadeh 2007; Bruce and Edgington 2008), and security (Gunasekaran and Ngai 2004; Kim et al. 2005; Ragothaman, Lavin, and Davies 2007). Certainly, other activities in e-commerce may contribute to loss prevention. However, many specific topics associated with loss prevention are subsumed in one of the larger prevention subjects addressed in the present study. For example, risk analysis is typically considered to be a security issue.

The remainder of this article’s Introduction section proceeds as follows: (1) arguments are presented concerning the importance of law, security, and ethics for successful e-commerce; (2) literature is reviewed on coverage of law, security topics, and ethics in e-commerce education programs; and (3) research questions are specified.

Law, Security, Ethics, and e-Commerce

Law has recently gained attention as a critical driver of world e-commerce diffusion (United Nations 2003). In its 2007 e-readiness country rankings, the Economist Intelligence Unit added a new "Legal Environment" aspect to recognize the importance of the role of law in encouraging technology adoption. With regard to e-commerce, the report contends that a legal environment can support e-readiness effectively by (1) protecting consumer and intellectual property rights, (2) fostering digital security enablers such as authentication of online transactions, and (3) allowing new businesses to register quickly and easily. On the basis of an analysis of e-commerce in 30 countries, Shih, Dedrick, and Kraemer (2005) found that various business enablers promoted e-commerce activity only when laws were supportive.

A large body of literature suggests that e-commerce security is an important component of customer trust (e.g., Angriawan and Thakur, 2008; van Noort et al. 2007). Kraemer, Dedrick, and Melville (2006) reported that concern about privacy/security and inadequate legal protection for Internet purchases were the biggest firm barriers worldwide to e-commerce use. These authors noted that such protections were believed at one time to restrict e-commerce activity, but this has not been the case. The law appears to create a more secure environment for e-commerce.

Maury and Kleiner (2002) indicated that there is an overwhelming need to build ethical values into e-commerce in order to improve consumer confidence. Likewise, Creed, Zutshi, and Ross (2009) argued that ethics is central to the success of e-commerce due to its global and anonymous nature. The specific moral recommendations for e-commerce practitioners developed by Kracher and Corritore (2004) include the topics of security and intellectual property. Of various ethical factors investigated by Adam and colleagues (2007), privacy and security had the greatest impact on e-commerce customers' intention to purchase. Bruce and Edgington (2008) reported that ethics education in MBA programs can influence students' beliefs and behaviors toward the ethical culture of prospective employers. This suggests that ethics education may be basic to achieving the goals of improved security practices, legal compliance, and customer trust.

Law, Security, and Ethics Topics in e-Commerce Education Programs

Given the importance of law, security, and ethics for enabling e-commerce, it seems reasonable to ask (1) to what extent are they covered in e-commerce degree programs? And (2) to what extent should they be covered? The literature that addresses each question is reviewed in the following sections.

DESCRIPTIVE LITERATURE ON e-COMMERCE EDUCATION

Results of studies that investigated the types of courses in e-commerce master's programs are presented in Table 1. Of these studies, Novitzki (2002) coded law and ethics courses into the same category. The other studies did not report on ethics courses. In addition to the results summarized in Table 1, Kim and colleagues (2005) found that only 54 percent of the sampled graduate and undergraduate programs included courses related to e-commerce security. Dunning and colleagues (2001) noted that 40 percent of the e-commerce programs that they studied included law courses. Burkey (2007) tracked a decrease in the percentage of MBA programs that included e-commerce law courses from 2001 (40 percent) to 2005 (18 percent). No security or ethics courses were evident in the MBA programs analyzed. Two additional studies coded the contents of e-commerce course syllabi (King, Frank, and Platt 2001; Rezaee, Lambert, and Harmon 2006). To summarize the descriptive findings concerning courses and syllabi, fewer than half of the programs in most of the studies offered a law or ethics course or covered legal issues, ethics, or privacy in the syllabus. The studies concerning security courses reported that from 70 percent (Mechitov, Moshkovich, and Olson 2002) to none (Burkey) of the programs appeared to offer them, although slightly over half of the syllabi included security as a topic. No previous studies were found that reported the existence of courses on prevention of e-crime.

TABLE 1 Summary of Studies Reporting Law and Security Courses in MBA and Master of Science in e-Commerce Programs

Study | Percentage of programs in which law course(s) were present, MBA | Percentage of programs in which law course(s) were present, MS e-commerce | Percentage of programs in which security course(s) were present, MBA | Percentage of programs in which security course(s) were present, MS e-commerce
Mechitov, Moshkovich, and Olson (2002) | 50% | 70% | 4% | 70%
Novitzki (2002) | 31% | 46% | 12% | 13%
Ethridge, Hsu, and Wilson (2001), required courses only | 10% | 22% | Not reported | Not reported

PRESCRIPTIVE LITERATURE ON e-COMMERCE EDUCATION

Research on stakeholder recommendations for e-commerce curricula has focused on employers and industry representatives (Gueldenzoph 2006; Ragothaman et al. 2007), students (Gunasekaran and Ngai 2004; Petrova and Claxton 2005), and faculty (Brookshire, Williamson, and Wright 2002; Metha, Shah, and Morgan 2005; Mitchell and Strauss 2001; Morrison and Oladunjoye, 2002). According to Downey, McMurtrey, and Zeltman (2008), a sample of employers and industry representatives did not designate ethics, privacy, security, or legal issues as top critical skills for an e-commerce track program. Contrary to these results, Gueldenzoph reported that a sample of employers and educators rated legal, ethical, privacy, and security issues as "absolutely necessary" topics for e-commerce education. Ragothaman and colleagues likewise noted a high level of concern about e-commerce security issues among accounting practitioners.

Two studies (Davis, Siau, and Dhenuvakonda 2003; Li, Yen, and Cheng 2008) compared courses in e-commerce curricula with Internet job postings as an indicator of industry demand. Although the percentage of total courses for legal, security, and ethics was well under 5 percent of the total courses offered, few of the job listings called for these skills. The authors concluded course offerings in these areas were balanced with industry demand.

With regard to student input, Petrova and Claxton (2005) and Gunasekaran and Ngai (2004) reported contradictory results. Students in New Zealand (Petrova and Claxton) indicated that a business law course was generally not helpful in their e-business undergraduate program. However, Gunasekaran and Ngai reported that a sample of students in Hong Kong perceived the following topics as necessary in e-commerce education: computer virus protection, privacy, security, and confidentiality.

To summarize the prescriptive studies’ findings, stakeholders did not appear to agree on the extent and methods for covering legal, ethics, and security topics in e-commerce programs. Some of the results suggested high levels of concern among stakeholders for these issues (Gueldenzoph 2006; Gunasekaran and Ngai 2004; Mitchell and Strauss 2001; Morrison and Oladunjoye 2002), while other findings indicated that the stakeholders involved did not view a legal or security course as necessary for all students in an e-commerce program (Brookshire et al. 2002; Mehta et al. 2005).

Independent curriculum prescriptions have also been proposed by accrediting agencies such as the Association to Advance Collegiate Schools of Business (AACSB). AACSB requires an ethics component in business curricula (AACSB 2008). The Computing Curricula 2005 Report (Association for Computing Machinery [ACM], Association for Information Systems [AIS], Computer Society [IEEE-CS] 2006) identifies legal, ethics, and security as knowledge areas to be covered across all computer and technology degrees. Mykytyn and colleagues (2005) took a prescriptive approach, advocating more extensive incorporation of intellectual property (IP) concepts into e-commerce education. These authors surveyed management information systems (MIS) faculty to identify barriers to including IP material in courses. Findings suggested that the faculty felt they lacked appropriate knowledge and time, and perceived a problem of fit between legal and IT course material.

Navarro (2008) suggested that functional areas in business schools form competing coalitions that result in inadequate coverage of legal and ethical topics in MBA curricula. Stronger coalitions such as finance and marketing claim more of the core courses. Regulatory focus theory might suggest that these power differentials are consistent with the general promotion focus of business. Functional areas more closely associated with a promotion focus such as marketing may have greater power because their purpose is consistent with the general focus of the school as a whole. Areas such as business law may claim less power and fewer core courses because they are focused on prevention, which may be inconsistent with the general emphasis of business schools.

Research Questions

Although there is considerable literature on e-commerce curricula, none has applied regulatory focus theory to understanding the composition of the programs. The present study applies regulatory focus theory to organizational rather than individual decisions and behavior. Application of the theory may clarify why e-commerce curricula are structured as they are and also provide direction for effective methods for modifying preparation for e-commerce professionals. This appears essential given the apparent prevalence of e-crime and the importance of establishing trust in e-commerce relationships.

The present study examines the extent of prevention-focused courses in master's degree e-commerce curricula for programs worldwide. Prevention-focused courses as defined here include law, ethics, and security topics. The extent of this coverage is further compared to marketing course offerings because marketing is a ubiquitous business school course (Navarro 2008) and appears to be promotion focused. For example, the marketing term promotions is common in the field. Specific questions addressed are as follows:

1. To what extent are law, ethics, and security courses represented in e-commerce master's programs? Kim and colleagues (2005) recommended that at least three types of security courses be incorporated into an e-commerce program: (a) security management, (b) fundamental security, and (c) technology-based security. As noted in the present study's literature review, accrediting agencies (AACSB 2008; ACM, AIS, IEEE-CS 2006) focus on the need for coverage of legal, ethics, and security topics.

2. What is the relative representation of law, ethics, and security courses in relation to marketing courses in e-commerce programs? It is hypothesized that more marketing courses will be evident because this topic is consistent with the general promotion focus of e-commerce programs.

3. Does the prevalence of prevention- (law, security, and ethics) and promotion-focused (marketing) courses vary according to world regions? This is an exploratory analysis. Lee, Aaker, and Gardner (2000) suggested that an independent, achievement-oriented self-view characteristic of American culture is consistent with a regulatory focus of promotion. An interdependent self-view that emphasizes fulfillment of social obligations is characteristic of Asian culture and consistent with a regulatory focus of prevention. With regard to the present study, more prevention-focused courses might be expected in e-commerce programs based outside of North America. However, Chen, Ng, and Rao (2005) demonstrated that Asians could be primed to take a promotion focus in an online purchase situation. In the present case, if e-commerce programs have a collective regulatory focus on promotion, differences should not be apparent across world regions.

METHOD

Web Searches

Data were collected from April to July, 2007. Exhaustive Web searches were conducted to find Web page descriptions of e-commerce master's-level degree programs by institutions of higher education around the world. A variety of search and metasearch engines was employed in the Web searches: Google, Lycos, MSN, AskJeeves, Yahoo, Dogpile, Netscape Search, About.com, and Snap.com. Prior evidence suggests that Web sites are a valid data source on e-commerce education programs: Burkey (2007) compared 33 e-commerce program curricula displayed on Web sites to hardcopy catalogs published by the colleges and universities and found the information to be 100 percent consistent.

Programs were considered e-commerce if their titles and/or the degree awarded contained the words e- (or electronic, Internet, or network) commerce or business, or any e-functional business area, such as e-marketing. Some programs that did not have any of these terms in their titles were included in the study if the curricula suggested that they were in fact e-commerce programs. Some established e-commerce programs did not have a clear Web presence or one that the researchers were able to locate. In such cases, the schools were contacted by e-mail or phone in an effort to obtain information on their curriculum. Programs were included in the study only when a detailed curriculum description was available. Web sites in languages other than English were either translated by the authors or by an Internet translation site.

The programs took the form of (1) e-commerce concentrations in master's programs or (2) master's degrees in e-commerce. Concentrations typically entail fewer e-commerce courses than do e-commerce degree programs. Nondegree programs and those that involved certificates or diplomas in e-commerce were excluded from the present study's sample. Diploma programs were excluded from the North American sample because they tended not to be graduate degrees. The graduate diploma programs were included in the sample of programs based outside of North America because in other parts of the world this term is synonymous with a master's degree. For the present study's analyses, graduate diploma programs were considered degrees in e-commerce as opposed to concentrations.

Course Coding

Course titles and descriptions in e-commerce program curricula were analyzed to place courses in the following categories: (1) business law, (2) e-business law, (3) ethics, (4) security, (5) marketing, and (6) e-marketing. Consistent with many previous studies, the present research used course titles as a measure of topic coverage (Burkey 2007; Dunning et al. 2001; Kim et al. 2005; Novitzki 2002). This approach was chosen as opposed to coding topics covered in course syllabi for the following reasons: (1) Course titles typically indicate that a topic will be addressed. Topics listed on a course syllabus are sometimes not covered due to time constraints or other problems. (2) Course titles were always available on program Web sites that contained a curriculum listing. Course syllabi were not always available. Reliance on syllabi would have considerably reduced the present study's sample size.

Course titles by themselves were frequently adequate for determining assignment to the categories. In many cases, however, course descriptions were examined in detail to determine the most appropriate category. The present study's authors independently coded the courses. The few disagreements that arose were resolved upon discussion. All courses were also classified as required or elective. The specific procedure used for coding is:

1. Business Law: General business law courses were included in this category. Example titles include "Survey of Business Law" and "Legal Environment of Business." Legal issues and ethics were sometimes included in the same course (12 incidents). Based on the course descriptions, these combination approaches appeared to emphasize legal topics. In order to be consistent, the legal and ethics combination courses were coded as business law, or if they had an e-commerce focus, as e-commerce law. An example title of a combination course is "Legal, Regulatory, and Ethical Environment of Business." No courses were counted in more than one coding category. This was done to avoid inflation of the measures of topic coverage. A course titled "Law and Ethics" could at best provide the student with half of a course on each topic. If this were counted as two courses, it would not be comparable to programs at other schools that included an entire course on one or both subjects.

2. e-Business Law: This classification pertained to legal topics courses that focused on e-business. Example course titles were "Cyber Law" and "Legal Aspects of Electronic Businesses." E-commerce intellectual property courses were coded into this category.

3. Ethics: All courses with a title that concerned ethics were coded into this category. Included were courses on general business ethics or business and society, as well as those that concerned ethics of information, technology, or marketing. Typical example course titles are "Business Ethics and Society" and "Applied Ethics." Very few courses pertained specifically to e-commerce ethics, therefore no separate category was established.

4. Security: Security courses encompassed a range of course titles including privacy, any title that included the term security, cryptography, encryption technology, risk analysis, firewall technology, intrusion detection system, handling computer viruses, etc. Example security course titles are "Computer Security for e-Commerce" and "Electronic Payment and Security."

5. Marketing: Courses that concerned the functional area were included in this classification. Example course titles included "Marketing" and "Strategic Marketing Management."

6. e-Commerce Marketing: This designation was used for courses that used marketing and Internet or e-commerce in their titles. Example course titles are "e-Business Marketing" and "e-Marketing."

RESULTS

Web searches yielded 163 e-commerce master's programs with complete curriculum listings, of which 88 were degree programs and 75 were concentrations. Ninety-one programs were based in North America (Canada [3], USA [87], and Mexico [1]), 27 in Australia/New Zealand (24 and 3 respectively), 33 in Europe, and 12 in Asia.

Research question 1 concerned the extent to which prevention-focused courses, for example, law, security, and ethics, were represented in the master's e-commerce curricula. Table 2 shows that for each type of course, fewer than half of the programs included even one course, required or elective. Nearly 90 percent of the programs did not include a course focused solely on ethics. Only 6.1 percent of the programs included three or more security courses. This suggests that 93.9 percent had fewer security courses than recommended by Kim and colleagues (2005). Figure 1 graphically displays the numbers of each type of course.

Research question 2 concerned comparisons of the prevention-focused courses to a representative promotion-focused type of course, marketing. Table 3 shows the results of t-tests comparing the average number of total (required and elective) marketing and e-marketing courses to the average total number of each other course: law (includes business law and e-business law), security, and ethics. In each case, results are statistically significant with the average number of marketing courses per program greater than for each of the other courses.

FIGURE 1 Frequencies of e-commerce master’s programs according to the numbers of law, security, and ethics courses offered.

TABLE 2 Frequencies and Percentages of e-Commerce Master's Programs According to the Numbers of Law, Security, and Ethics Courses Offered

Law includes all required and elective business law and e-business law courses; Security includes required and elective security courses; Ethics includes required and elective ethics courses.

Number of courses in the program of each type | Law: Programs | Law: Percentage | Security: Programs | Security: Percentage | Ethics: Programs | Ethics: Percentage
0 | 86 | 52.8 | 109 | 66.9 | 146 | 89.6
1 | 56 | 34.3 | 30 | 18.4 | 16 | 9.8
2 | 15 | 9.2 | 14 | 8.6 | 1 | 0.6
3 | 4 | 2.5 | 7 | 4.3 | 0 | 0
More than 3 | 2 | 1.2 | 3 | 1.8 | 0 | 0
Total Programs | 163 | 100% | 163 | 100% | 163 | 100%

e-Crime Prevention 11

It is possible that some master’s programs may have many available electives, and this could affect the results obtained for these comparisons when tested with total numbers of courses. Therefore, these hypotheses were also tested using only the average number of required courses in each area. Results are shown in Table 4 and are similar to those for the total numbers of courses: the significant t-statistics suggest that there are more required marketing courses on average than each of the other course types. The results again appear to support the notion that on average there are more marketing (promotion-focused) courses than prevention-focused courses. Figure 2 graphically displays the mean comparisons for total marketing and required marketing versus the prevention-focused courses.

The exploratory analysis (research question 3) investigated the prevalence of each type of course across the programs based on major continents represented in the data set: Asia, Australia/New Zealand, Europe, and North America. A one-way ANOVA was employed for each type of course (law,

TABLE 3 Comparisons of Average Total Number of Marketing Versus Law, Security, and Ethics Courses for e-Commerce Master’s Programs

Course type | Mean | SD | t (df = 162)
Marketing (all required and elective marketing and e-marketing) | 1.71 | 1.80 |
versus Law (all required and elective business law and e-business law) | 0.66 | 0.90 | 7.29**
Marketing (all required and elective marketing and e-marketing) | 1.71 | 1.80 |
versus Security (all required and elective security courses) | 0.60 | 1.19 | 6.07**
Marketing (all required and elective marketing and e-marketing) | 1.71 | 1.80 |
versus Ethics (all required and elective ethics courses) | 0.11 | 0.33 | 11.33**

*p < .05; **p < .01.

TABLE 4 Comparisons of Average Required Number of Marketing Versus Law, Security, and Ethics Courses for e-Commerce Master’s Programs

Course type | Mean | SD | t (df = 162)
Marketing (all required marketing and e-marketing) | 0.92 | 1.13 |
versus Law (all required business law and e-business law) | 0.30 | 0.55 | 6.61**
Marketing (all required marketing and e-marketing) | 0.92 | 1.13 |
versus Security (all required security courses) | 0.26 | 0.55 | 6.28**
Marketing (all required marketing and e-marketing) | 0.92 | 1.13 |
versus Ethics (all required ethics courses) | 0.10 | 0.33 | 9.01**

*p < .05; **p < .01.


security, ethics, and marketing) as the dependent variable and continent as the independent variable. ANOVAs involving the total numbers of each type of course did not yield significant results except in the case of marketing. Results appear in Table 5a. To explore the nature of the differences, Bonferroni post hoc tests were performed. Results suggested that the North American programs had more marketing courses, on average (mean = 2.12, SD = 1.86), than programs in Europe (mean = 0.76, SD = 1.09). No further course differences were apparent between any other pair of continents as represented in the sample. Descriptive statistics by continent appear in Table 5b.
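As a check on the ANOVA results reported above, the following Python example (added for this edition; it is not code from the original article or its authors) reconstructs Tables 5a, 6a and 7a from nothing more than the per-continent n, mean and SD that Tables 5b, 6b and 7b report, using the standard summary-statistic identities SS_between = Σ n_i (m_i − grand mean)² and SS_within = Σ (n_i − 1) SD_i². It also computes the pooled-variance t-statistic for the Europe versus North America contrast that the Bonferroni post hoc test flags. The group summaries are copied from the tables; the reconstructed sums of squares and F-ratios agree with the published ones to within the rounding of the two-decimal means and SDs. Critical values and p-values are not recomputed here.

```python
"""Reconstruct the one-way ANOVA tables (5a, 6a, 7a) from the per-continent
summary statistics (n, mean, SD) reported in Tables 5b, 6b and 7b.

Only summary statistics are needed:
    SS_between = sum n_i * (mean_i - grand_mean)^2
    SS_within  = sum (n_i - 1) * SD_i^2
The rounding of the published two-decimal means and SDs is the only source
of disagreement with the printed tables.
"""
from math import sqrt

# Group summaries copied from the article's tables: continent -> (n, mean, SD).
TOTAL_MARKETING = {            # Table 5b
    "Asia": (12, 1.08, 0.90),
    "Australia/New Zealand": (27, 1.78, 2.12),
    "Europe": (33, 0.76, 1.10),
    "North America": (91, 2.12, 1.86),
}
REQUIRED_BUSINESS_LAW = {      # Table 6b
    "Asia": (12, 0.17, 0.39),
    "Australia/New Zealand": (27, 0.04, 0.19),
    "Europe": (33, 0.03, 0.17),
    "North America": (91, 0.23, 0.47),
}
REQUIRED_MARKETING = {         # Table 7b
    "Asia": (12, 0.33, 0.49),
    "Australia/New Zealand": (27, 0.19, 0.62),
    "Europe": (33, 0.33, 0.69),
    "North America": (91, 0.86, 0.95),
}


def anova_from_summary(groups):
    """One-way ANOVA from (n, mean, SD) per group.

    Returns a dict with sums of squares, degrees of freedom, mean squares
    and the F-ratio, i.e. every cell of an ANOVA table such as Table 5a.
    """
    n_total = sum(n for n, _, _ in groups.values())
    grand_mean = sum(n * m for n, m, _ in groups.values()) / n_total
    ss_between = sum(n * (m - grand_mean) ** 2 for n, m, _ in groups.values())
    ss_within = sum((n - 1) * sd ** 2 for n, _, sd in groups.values())
    df_between = len(groups) - 1
    df_within = n_total - len(groups)
    ms_between = ss_between / df_between
    ms_within = ss_within / df_within
    return {
        "ss_between": ss_between, "ss_within": ss_within,
        "df_between": df_between, "df_within": df_within,
        "ms_between": ms_between, "ms_within": ms_within,
        "F": ms_between / ms_within,
    }


def pairwise_t(groups, a, b):
    """t-statistic for the difference between two group means using the
    pooled within-group variance (MS_within) from the overall ANOVA.

    This is the quantity a Bonferroni post hoc comparison tests against a
    critical value adjusted for the number of pairwise contrasts.
    """
    ms_within = anova_from_summary(groups)["ms_within"]
    n_a, m_a, _ = groups[a]
    n_b, m_b, _ = groups[b]
    return (m_a - m_b) / sqrt(ms_within * (1 / n_a + 1 / n_b))


if __name__ == "__main__":
    for label, groups, published_f in (
        ("Table 5a, total marketing", TOTAL_MARKETING, 5.59),
        ("Table 6a, required business law", REQUIRED_BUSINESS_LAW, 3.15),
        ("Table 7a, required marketing", REQUIRED_MARKETING, 6.73),
    ):
        r = anova_from_summary(groups)
        print(f"{label}: SS_between={r['ss_between']:.2f} "
              f"SS_within={r['ss_within']:.2f} "
              f"F({r['df_between']},{r['df_within']})={r['F']:.2f} "
              f"(published {published_f})")
    t_eu_na = pairwise_t(TOTAL_MARKETING, "North America", "Europe")
    print(f"North America vs Europe, total marketing: t = {t_eu_na:.2f}")
```

Running the script reproduces F = 5.57, 3.14 and 6.79 against the published 5.59, 3.15 and 6.73, with the same df (3, 159). The North America versus Europe contrast for total marketing gives t ≈ 3.87 on 159 df, which remains well beyond the .01 threshold even after a Bonferroni adjustment for the six pairwise contrasts among four continents, consistent with the note under Table 5b.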

Again, to avoid potential undue influence of elective courses, the ANOVAs were also conducted using only the required courses in each area as the dependent variable. Results suggested significant findings for business law and marketing and appear in Tables 6a and 7a respectively. Descriptive statistics by continent are presented in Tables 6b and 7b. For the required business law variable, variances appeared to be unequal across continents (Levene statistic = 16.67, p < .01, df = 3, 159); therefore a Dunnett T3 post hoc test was applied. Results suggested significant differences with more required business law courses, on average, in North America (mean = 0.23,

TABLE 5a Comparison of Total Marketing Courses Across Continents Using One-way ANOVA

Source | Sum of squares | df | Mean square | F
Between groups | 50.13 | 3 | 16.71 | 5.59**
Within groups | 475.31 | 159 | 2.99 |
Total | 525.45 | 162 | |

Note. Includes all required and elective marketing and e-marketing. *p < .05; **p < .01.

TABLE 5b Descriptive Statistics for Total Marketing Courses across Continents

Continent | n | Mean | SD
Asia | 12 | 1.08 | 0.90
Australia/New Zealand | 27 | 1.78 | 2.12
Europe | 33 | 0.76 | 1.10
North America | 91 | 2.12 | 1.86

Significant difference between sample means for Europe and North America (p < .01).

Note. Includes all required and elective marketing and e-marketing.

FIGURE 2 Average number of marketing versus law, security, and ethics courses.

TABLE 6a Comparison of Required Business Law Courses across Continents Using One-way ANOVA

Source | Sum of squares | df | Mean square | F
Between groups | 1.412 | 3 | 0.47 | 3.15*
Within groups | 23.753 | 159 | 0.15 |
Total | 25.166 | 162 | |

*p < .05; **p < .01.

TABLE 6b Descriptive Statistics for Required Business Law Courses across Continents

Continent | n | Mean | SD
Asia | 12 | 0.17 | 0.39
Australia/New Zealand | 27 | 0.04 | 0.19
Europe | 33 | 0.03 | 0.17
North America | 91 | 0.23 | 0.47

Significant differences (p < .01) between sample means for Europe and North America, and for Australia/New Zealand and North America.

TABLE 7a Comparison of Required Marketing Courses across Continents Using One-way ANOVA

Source | Sum of squares | df | Mean square | F
Between groups | 13.86 | 3 | 4.62 | 6.73**
Within groups | 109.22 | 159 | 0.69 |
Total | 123.08 | 162 | |

*p < .05; **p < .01.

14 M. Fusilier and C. Penrod

SD = 0.47) than in those programs in Europe (mean = 0.03, SD = 0.17) or Australia/New Zealand (mean = 0.04, SD = 0.19). Likewise, for required marketing courses, Bonferroni post hoc test results suggested that North American programs had more required marketing courses, on average (mean = 0.86, SD = 0.95), than those programs in Europe (mean = 0.33, SD = 0.69) or Australia/New Zealand (mean = 0.19, SD = 0.62). No other differences were apparent.

DISCUSSION

Since its emergence in the 1990s, e-commerce has been characterized by overall expansion in terms of both its revenues and universities’ offerings of e-commerce educational programs and their associated enrollments. Attention to this growth may have overshadowed the importance of legal and security considerations as components of the foundation for e-commerce success. The present study applied regulatory focus theory to conceptualize the e-commerce emphasis on expansion as a promotion focus and avoidance of legal and security problems as a prevention focus. The present study’s finding of more marketing than law, security, or ethics courses supports the notion of a predominant promotion focus in the e-commerce programs. This is consistent with the general emphasis on gain in business schools. This result also appears to support the contention derived from regulatory focus theory that an organization with a promotion focus will make decisions and behave in a manner that is more consistent with attainment of gain than loss prevention, in this case, prevention of e-crime. The decisions and behavior in the present case took place at the organizational level and concerned the structure of the curriculum and the numbers of each type of course actually offered.

Representation of Law, Security, and Ethics Courses in e-Commerce Programs

The present results suggest a relative neglect of the prevention-focused courses of law, security, and ethics in e-commerce master’s programs. This crucial omission is inconsistent with the admonition of Taylor and colleagues (2005) that legal considerations and prevention of e-crime are necessary first steps in e-commerce activities. Without such preparation, it is unlikely that e-commerce professionals will fully understand the legal boundaries and opportunities of cyberspace. On one hand, a risk-averse e-commerce professional may forfeit important e-commerce legal rights simply because he/she is unaware of the full menu of rights available to professionals in cyberspace. On the other hand, the risk taker may unwittingly stray beyond what is allowed by law and thereby subject him/herself to civil or even criminal penalties.

TABLE 7b Descriptive Statistics for Required Marketing Courses across Continents

Continent | n | Mean | SD
Asia | 12 | 0.33 | 0.49
Australia/New Zealand | 27 | 0.19 | 0.62
Europe | 33 | 0.33 | 0.69
North America | 91 | 0.86 | 0.95

Significant differences (p < .01) between sample means for Europe and North America, and for Australia/New Zealand and North America.

The present study utilized a larger sample of e-commerce programs than previous studies in an attempt to obtain representative data. The relatively extreme previous findings concerning law courses tended to be associated with smaller sample sizes: Ethridge, Hsu, and Wilson (2001) reported that 10 percent of MBA programs included at least one law course (n = 31) and Mechitov and colleagues (2002) indicated that 70 percent of their master’s in e-commerce programs included law (n = 10). The present study’s results corroborated most of the earlier reports suggesting that under half of e-commerce programs include a law course. This consistency lends confidence to the conclusion that subject coverage may be insufficient to provide students with the necessary legal knowledge for e-commerce success and e-crime prevention. And the need for such education is likely to increase with the worldwide growth of jurisdiction-specific cyber laws (Edappagath 2004).

Kim and colleagues (2005) concluded that because only 54 percent of their sample of e-commerce programs included a security course, “there are not enough courses that deal with e-commerce security” (p. 56). The present study’s results suggested that only 32.5 percent of the programs had one or more security courses, coverage that is even less adequate according to the standard of Kim and colleagues. It should therefore not be surprising that security problems are common in e-commerce today (Nash 2008) because providers are apparently not prepared to prevent and cope with security imperatives.

Dedicated ethics courses were present in only 10.4 percent of the programs investigated in the present study. Given that accrediting agencies require ethics coverage in degree programs (AACSB 2008; ACM, AIS, IEEE-CS 2006) this appears to be a startling underrepresentation. It is possible that ethics is incorporated into courses with other titles. This would cause ethics coverage to be underestimated by the present study’s data collection method. However, studies that coded the contents of e-commerce course syllabi did not identify ethics as a topic in any of the syllabi examined (King et al. 2001; Rezaee et al. 2006). The ethics-related topics of privacy issues in e-commerce were included in 31 percent and 41 percent of these studies’ samples of syllabi, respectively, and trust was included in 6 percent (King et al. 2001). This evidence suggests that ethics coverage is also sparse in courses that were not titled as ethics. A potential problem with incorporating a topic into different courses is the difficulty of assessing the extent of its actual coverage. Bruce and Edgington (2008) reported that inclusion of a required ethics course in the curriculum was positively associated with MBA students’ views of the effectiveness of ethics coverage.

In the present study, the comparison of promotion- and prevention-focused courses was tested with only one representative promotion-focused course: marketing. Other business areas can also take on a promotion focus, such as certain aspects of finance, operations management, etc. The overall numbers of such courses may constitute a much larger proportional representation than prevention-focused courses if the entire curriculum were taken into account. This suggests that if all promotion-focused courses in an e-commerce curriculum were considered, the number of prevention-focused courses would be dwarfed. Future research might investigate such an analysis.

Exploratory Analysis

The exploratory investigation examined differences in the representation of each type of course across the continents in which the programs were based. Results suggested more total and required marketing courses on average in the North American programs than in those in Europe or Australia/New Zealand. The notion that American culture may be promotion focused (Lee et al. 2000) could explain this finding. Furthermore, the United States is the largest capitalistic economy in the world, with greater advertising expenditures than Europe (Macleod 2008) or Australia (Sinclair 2007). These characteristics of the economies could also contribute to the apparently greater number of marketing courses in the North American programs.

No significant differences were apparent for the programs in Asia versus those based on any of the other continents. This might be explained by drawing on the research of Chen and colleagues (2005), which suggested that an Asian sample could be primed to take a promotion focus in a situation of gain. The general promotion focus of e-commerce programs may have primed decision makers in the Asian programs to take a promotion focus and therefore offer as many marketing courses and as few prevention-focused courses as are available in North American programs. Another potential explanation for the finding is that Asian e-commerce programs were not adequately represented in the present study’s sample. This could be due to Asian programs either not having a generally available Web site or the Web site not appearing when English language search terms were used with search engines. Also, evidence suggests that e-commerce certificate and other non-degree programs are more common in Asia than master’s programs (Zhang, Li, and Lin 2005). In an effort to obtain a larger sample from all parts of the world, future research should examine other types of e-commerce education programs and master’s programs focused on regional enrollment.

Results of the exploratory analysis also suggested more required business law courses on average in the North American programs than in those in Europe or Australia/New Zealand. This finding is consistent with Mechitov and colleagues (2002), who reported lower representation of law courses in e-commerce programs based in world regions outside of the United States. As conceptualized here, law is a prevention-focused course. Its greater prevalence in North America is contrary to America’s ostensibly promotion-focused culture (Lee et al. 2000). Law in the United States may be of greater importance than other prevention-focused courses due to the relatively unique position law takes in American society. This finding might be explained by evidence that the United States is more litigious than European, Australian, Asian, or other North American nations (Li 2007). The strong environmental threat of costly lawsuits may present an imperative for some prevention-focused behavior, in this case, offering more business law courses. However, although North American degree programs might involve more business law courses, coverage of this topic may still not be sufficient to stanch the losses that businesses apparently experience due to litigation (Dutcher 2006).

Limitations of the Study and Directions for Future Research

The course coding was based on course titles and descriptions that may not adequately represent course content. If prevention-focused topics are being incorporated into courses with traditional business titles, coverage may be underrepresented by the present study’s results. Future research should investigate course content in a variety of course titles to determine the extent to which law, ethics, and security might be infused into other areas. King and colleagues (2001) and Rezaee and colleagues (2006) have developed coding procedures for e-commerce syllabi. These procedures could be applied in future studies of course content.

It is possible that law, ethics, or security courses may have been prerequisites for entry to some of the master’s programs, which could account for lower levels of curriculum coverage found in the present study’s data. If this is the case, student knowledge and awareness could be underestimated. Future research might investigate program entrance requirements and count them as a component of what the master’s program requires to be covered.

CONCLUSIONS

A. The present findings suggest that more law, security, and ethics courses should be included in e-commerce master’s programs. Given the state and administrative limitations placed on many master’s programs concerning the numbers of courses that they can include, curriculum design may be a challenge. However, even one course in each area would be an improvement for a majority of the programs and would be a step toward a better balance of promotion- versus prevention-focused activities in the preparation of future e-commerce professionals. Offering courses dedicated to each topic could assure coverage and also streamline program assessment. A majority of a curriculum’s courses should probably be promotion focused to ensure that students have the skills to attain the primary business goals of gain and growth. However, strong preparation in prevention areas appears essential to confront the increasingly costly security and legal complexities of e-commerce and the threat of e-crime.

B. Regulatory focus theory was used in the present study as a framework to conceptualize collective organizational decision making and behavior. Much of the previous research on this theory has targeted individual behavior (Brazy and Shah 2006). Institutional-level application of the theory may have implications for assessing the effectiveness of collective trends and decisions. Future research should extend experimental tests of the theory to organizational decisions.

REFERENCES

Information Security Breaches Survey. 2008. Department for Business, Enterprise & Regulatory Reform (BERR). http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf (accessed July 29, 2009).

Adam, A. M., A. Aderet, and A. Sadeh. 2007. Do ethics matter to e-consumers? Journal of Internet Commerce 6 (2): 19–34.

Angriawan, A., and R. Thakur. 2008. A parsimonious model of the antecedents and consequence of online trust: An uncertainty perspective. Journal of Internet Commerce 7 (1): 74–94.

Aspen Institute. 2008. Where will they lead? MBA student attitudes about business and society. http://www.aspencbe.org/documents/ExecutiveSummaryMBAStudentAttitudesReport2008.pdf (accessed July 29, 2009).

Association to Advance Collegiate Schools of Business (AACSB). 2008. Eligibility procedures and standards for business accreditation. http://www.aacsb.edu/accreditation/process/documents/AACSB_STANDARDS_Revised_Jan08.pdf (accessed July 29, 2009).

Association for Computing Machinery (ACM), Association for Information Systems (AIS), IEEE Computer Society (IEEE-CS). 2006. Computing curricula 2005: The overview report. http://www.acm.org/education/curric_vols/CC2005-March06Final.pdf (accessed July 29, 2009).

Brazy, P. C., and J. Y. Shah. 2006. Strength and safety in numbers: Considering the social implications of regulatory focus. Journal of Personality 74 (6): 1647–1672.

Brookshire, R. G., K. C. Williamson, and N. C. Wright. 2002. An interdisciplinary undergraduate degree program in electronic commerce. Information Technology, Learning, and Performance Journal 20 (2): 25–30.

Bruce, G., and R. Edgington. 2008. Ethics education in MBA programs: Effectiveness and effects. International Journal of Management and Marketing Research 1 (1): 49–69.

Burkey, J. 2007. The evolution of electronic commerce education. Journal of Education for Business 82 (5): 276–281.


Chen, H. A., S. Ng, and A. R. Rao. 2005. Cultural differences in consumer impatience. Journal of Marketing Research 42 (3): 291–301.

Creed, A., A. Zutshi, and J. Ross. 2009. Relational ethics in global commerce. Journal of Electronic Commerce in Organizations 7 (1): 35–49.

Crowe, E., and E. T. Higgins. 1997. Regulatory focus and strategic inclinations: Promotion and prevention in decision making. Organizational Behavior and Human Decision Processes 69 (2), 117–132.

Davis, S., K. Siau, and K. Dhenuvakonda. 2003. A fit-gap analysis of e-business curricula vs. industry needs. Communications of the ACM 46 (12): 167–177.

Downey, J. P., M. E. McMurtrey, and S. M. Zeltmann. 2008. Mapping the MIS curriculum based on critical skills of new graduates: An empirical examination of IT professionals. Journal of Information Systems Education 19 (3): 351–363.

Dunning, K. A., B. S. Vijayaraman, R. Krovi, and P. S. Kahai. 2001. Graduate e-business program design and evaluation. Journal of Computer Information Systems 42 (1): 58–64.

Dutcher, J. S. 2006. Caution: The Superman suit will not enable you to fly—Are consumer product warning labels out of control? Arizona State Law Journal 38 (633): 657–658.

Economist Intelligence Unit. 2007. The 2007 e-readiness rankings. http://a330.g.akamai.net/7/330/25828/20070420195432/graphics.eiu.com/files/ad_pdfs/2007Ereadiness_Ranking_WP.pdf (accessed July 29, 2009).

Edappagath, A. 2004. Cyber-laws and enforcements to optimize benefits of ICT. I-Ways, Digest of Electronic Commerce Policy and Regulation 27 (3/4): 167–173.

Ethridge, H. L., K. H. Y. Hsu, and T. E. Wilson. 2001. E-business education at AACSB-affiliated business schools: A survey of programs and curricula. Journal of Education for Business 76 (6): 328–331.

Gueldenzoph, L. E. 2006. E-commerce topics for business education: Perceptions of employers and educators. Delta Pi Epsilon Journal 48 (1): 19–27.

Gunasekaran, A., and E. W. T. Ngai. 2004. Attitude toward e-commerce and education: An empirical analysis. Journal of Electronic Commerce in Organizations 2 (2): 95–112.

Kim, H., Y. Han, S. Kim, and M. Choi. 2005. A curriculum design for e-commerce security. Journal of Information Systems Education 16 (1): 55–62.

King, C. G., S. L. Frank, and R. G. Platt. 2001. E-commerce courses: Overview of nature and content. Journal of Education for Business 76 (6): 332–337.

Kracher, B., and C. L. Corritore. 2004. Is there a special e-commerce ethics? Business Ethics Quarterly 14 (1): 71–94.

Kraemer, K. L., J. Dedrick, and N. P. Melville. 2006. Globalization and national diversity: E-commerce diffusion and impacts across nations. In Global e-Commerce: Impacts of National Environment and Policy, ed. K. L. Kraemer, J. Dedrick, N. P. Melville, and K. Zhu, 13–60. Cambridge, UK: Cambridge University Press.

Lee, A. Y., J. Aaker, and W. L. Gardner. 2000. The pleasures and pains of distinct self-construals: The role of interdependence in regulatory focus. Journal of Personality and Social Psychology 78 (6): 1122–1134.

Li, E. Y., H. J. R. Yen, and C. Y. J. Cheng 2008. A fit-gap analysis of e-business curricula and job demand in Taiwan and the U.S. Computers & Education 51 (3): 969–987.


Li, J. 2007. From ‘‘See you in court!’’ to ‘‘See you in Geneva!’’: An empirical study of the role of social norms in international trade dispute resolution. The Yale Journal of International Law 32 (485): 485–511.

Macleod, C. 2008. Global economy and adspend prospects. International Journal of Advertising 27 (3): 483–485.

Maury, M. D., and D. S. Kleiner. 2002. E-commerce, ethical commerce? Journal of Business Ethics 36 (1/2): 21–31.

Mechitov, A. I., H. Moshkovich, and D. L. Olson. 2002. The master’s degrees in e-commerce: A survey study. Journal of Computer Information Systems 42 (4): 29–34.

Mehta, M. R., J. R. Shah, and G. W. Morgan. 2005. Merging an e-business solution framework with CIS curriculum. Journal of Information Systems Education 16 (1): 65–73.

Meisner, J. 2009. Customer data breach costs head skyward. E-Commerce Times, February 3. http://www.ecommercetimes.com/story/66055.html (accessed July 30, 2009).

Mitchell, T., and J. Strauss. 2001. Practitioner and academic recommendations for Internet marketing and e-commerce curricula. Journal of Marketing Education 23 (2): 91–102.

Morrison, J. L., and G. T. Oladunjoye. 2002. E-commerce infusion into business education—encompassing the realities of an emerging business model. Journal of Education for Business 77 (5): 290–295.

Mykytyn, P. P., Jr., K. Mykytyn, and D. A. Harrison. 2005. Integrating intellectual property concepts into MIS education: An empirical assessment. Decision Sciences Journal of Innovative Education 3:1–27.

Nash, K. S. 2008. The global state of information security. CIO Magazine. http://www.pwc.com/extweb/insights.nsf/docid/0E50FD887E3DC70F852574DB005DE509/$File/PwCsurvey2008_cio_reprint.pdf (accessed July 29, 2009).

Navarro, P. 2008. The MBA core curricula of top-ranked U.S. business schools: A study in failure? Academy of Management Learning & Education 7 (1): 108–123.

Novitzki, J. E. 2002. E-business education: A quantitative review of program attributes and offerings. Proceedings of the 17th Annual Conference of the International Academy for Information Management, December 13–15, Barcelona, Spain.

Petrova, K., and G. Claxton. 2005. Building student skills and capabilities in information technology and e-business: A moving target. Journal of Information Systems Education 16 (1): 27–42.

Ragothaman, S., A. Lavin, and T. Davies. 2007. Perceptions of accounting practitioners and educators on e-business curriculum and web security issues. College Student Journal 41 (1): 59–68.

Rezaee, Z., K. R. Lambert, and W. K. Harmon. 2006. Electronic commerce education: Analysis of existing courses. Accounting Education: An International Journal 15 (1): 73–88.

Shih, C., J. Dedrick, and K. L. Kraemer. 2005. Rule of law and the international diffusion of e-commerce. Communications of the ACM 48 (11): 57–62.

Silver-Greenberg, J. 2009. A field day for cyber-fiends. BusinessWeek February 9, 2009, 56.


Sinclair, J. 2007. Globalisation and regionalization of the advertising industry in the Asia-Pacific. Asian Studies Review 31 (3): 283–300.

Taylor, M. J., J. McWilliam, D. Gresty, and M. Hanneghan. 2005. Cyber law: Case studies in the SME environment. Systems Research and Behavioral Science 22 (3): 261–267.

United Nations. 2003. E-commerce and development report 2003: United Nations Conference on Trade and Development (UNCTAD/SIDTE/ECB/2003/1). http://yaleglobal.yale.edu/about/pdfs/unctad.pdf (accessed July 30, 2009).

van Noort, G., P. Kerkhof, and B. M. Fennis. 2007. Online versus conventional shopping: Consumers’ risk perception and regulatory focus. CyberPsychology & Behavior 10 (5): 731–733.

van Noort, G., P. Kerkhof, and B. M. Fennis. 2008. The persuasiveness of online safety cues: The impact of prevention focus compatibility of web content on consumers’ risk perceptions, attitudes, and intentions. Journal of Interactive Marketing 22 (4): 58–72.

Zhang, X., Q. Li, and Z. Lin. 2005. E-commerce education in China: Driving forces, status, and strategies. Journal of Electronic Commerce in Organizations 3 (3): 1–17.



Information Technology and Management 6, 203–225, 2005. © 2005 Springer Science + Business Media, Inc. Manufactured in The Netherlands.

A Management Perspective on Risk of Security Threats to Information Systems

FARIBORZ FARAHMAND ff@cc.gatech.edu SHAMKANT B. NAVATHE sham@cc.gatech.edu College of Computing, Georgia Institute of Technology, Atlanta, Georgia 30332-0280

GUNTER P. SHARP gsharp@isye.gatech.edu School of Industrial and Systems Engineering, Georgia Institute of Technology

PHILIP H. ENSLOW enslow@cc.gatech.edu College of Computing, Georgia Institute of Technology, Atlanta, Georgia 30332-0280

Abstract. Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measures/techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. It then proposes the development of cost models which quantify the damages of these attacks and the effort of confronting them. The construction of one such cost model for security risk assessment is also outlined. It helps decision makers to select the appropriate choice of countermeasure(s) to minimize damages/losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations on the whole.

Keywords: business, cost, information system, management, security, threat

Introduction

The vast growth potential of Internet-based commerce is tempered by legitimate concerns over the security of a system that has a large number of potentially vulnerable components. Despite the potential rewards of conducting business on the Internet, some corporations have been slow to embrace this technology. Perhaps the most important reason for both businesses and consumers to refrain from establishing and participating in electronic commerce (e-commerce) is the potential for loss of assets and privacy due to potential security breaches in such systems. For example, a single, highly-publicized security breach can erode confidence in the business and not only damage the reputation of the firm, but can cause widespread repercussions in the e-commerce industry.


Commerce always involves payers and payees who exchange money for goods or services. Building trust between the payer and the payee on the Internet, intellectual property rights, and interactions between the payers and the payees are the new issues of commerce of our age. Security is essential in establishing this trust and interaction. These issues, as well as some special considerations for mobile e-commerce, are addressed in the next part of this paper.

A very large amount of time and money has been spent to provide secure networks, and many good practices have been developed to implement security measures. However, there is always the possibility of a breach of security. A list of possible attacks on the network, security measures at the database and network levels, and some models for access control are presented in Section 3 of the paper.

Regardless of all the existing countermeasures, statistics show that the chances of computer security system failure are still very high. The Internet Fraud Complaint Center, IFCC (a partnership of the National White Collar Crime Center and the Federal Bureau of Investigation), reports 16,775 complaints of fraud for the Jan. 1, 2001–Dec. 31, 2001 period. The majority of these frauds were committed over the Internet or similar online services. These frauds have caused serious tangible and intangible losses to the companies and to the e-commerce industry as a whole. The authors believe that a systematic study of e-commerce security issues first needs an organized classification that helps our understanding of threats. After reviewing the literature on existing classifications, we propose a comprehensive classification for threats and countermeasures at the end of Section 4. Then we discuss the implications of security incidents, review some of the existing methods to quantify their costs, and propose a risk management system to evaluate the threats and countermeasures. We also provide some recommendations to assist managers in facing the challenges of e-commerce.

1. Electronic commerce security issues

The recent burgeoning of new communication technologies and, in particular, the Internet explosion has brought electronic commerce to the early stages of widespread deployment. However, businesses are concerned about trading beyond this stage, largely because of concerns about trust, intellectual property management, security of transactions, and possible attacks on the network.

1.1. Trust in electronic commerce

A MANAGEMENT PERSPECTIVE ON RISK OF SECURITY THREATS TO INFORMATION SYSTEMS 205

Traditional commerce differs from electronic commerce for several reasons: (1) in traditional businesses, the location of the business, the physical inventory of goods, etc., is known; (2) in most situations there is personal contact between the seller and the buyer; (3) there is a clear legal framework. The absence of these can strongly affect trust in electronic commerce. Several researchers have studied trust in electronic commerce [2,21,23,24]. Among the important factors mentioned by Manchala [23], the following stand out:

Transaction cost: The risk of a transaction could be a function of the cost of goods and services: a careful buyer gives more thought to expensive purchases. Similarly, a vendor might not worry about losing revenue on a single micro-transaction of negligible value, but the risk increases with the cost of a single transaction or the number of transactions, and so does the vendor’s attention to revenues and expenses.

Transaction history: Transaction history is similar to a person’s credit history. Just as a bank checks a person’s credit history before issuing a loan or increasing a credit limit, a customer’s transaction history can be a base for measuring trust.

Indemnity: The trust level of a transaction is increased when a trusted intermediary makes a guarantee against loss. This is especially true for new customers or vendors without transaction histories: they cannot perform expensive transactions unless guaranteed by a trusted intermediary.

McKnight et al. [24], in perhaps the most comprehensive analysis of trust in e-commerce, develop a multidisciplinary, multidimensional “web trust model” that includes four high-level constructs: disposition to trust, institution-based trust, trusting beliefs, and trusting intentions. These are further subdivided into 16 measurable sub-constructs. The approach is demonstrated and compared with other trust constructs for e-commerce via a hypothetical Web site for legal advice.

1.2. Intellectual property management

Intellectual property (IP) is a legal term that refers to copyright and related rights. It is expected to play an increasing role in coming years.

There are several reasons why IP is important to e-commerce and e-commerce is important to IP. E-commerce, more than other business systems, often involves selling products and services that are based on IP and its licensing. Music, pictures, photos, software, designs, training modules, systems, etc., can all be traded through e-commerce, in which case, IP is the main component of value in the transaction. It is important because the things of value that are traded on the Internet must be protected, using technological security systems and IP laws, or else they can be stolen or pirated and whole businesses can be destroyed.

Also, IP is involved in making e-commerce work. The systems that allow the Internet to function—software, networks, designs, chips, routers and switches, the user interface, and so on—are forms of IP and often protected by IP rights. Trademarks are an essential part of e-commerce business. Similarly, branding, customer recognition and goodwill are essential elements of Web-based business, and as such are protected by trademarks and unfair competition law.

Finally, e-commerce based businesses usually hold a great deal of their value in IP, so the valuation of an e-commerce business can be affected by whether managers have protected their IP. Many e-commerce companies, like other technology companies, have patent portfolios and trademarks that enhance the value of their business. The World Intellectual Property Organization (WIPO) has also published some useful information on its homepage http://www.wipo.org/ about intellectual property and e-commerce.

206 FARAHMAND ET AL.

1.3. Special considerations for mobile e-commerce

In the past few years there has been an explosive growth in the popularity and availability of small handheld devices like mobile phones, PDAs, etc. It is predicted that these devices will soon outnumber traditional Internet hosts like PCs and workstations. Strategy Analytics, among other market research groups, predicts that by 2004 there will be over one billion (10^9) wireless device users, some 600 million wireless Internet subscribers, and a $200 billion ($200 × 10^9) mobile e-commerce market [13].

In addition to contending with the usual Internet security threats in online applications, wireless devices introduce new hazards specific to their mobility and communication medium. They include:

• Bandwidth and memory limitations

• Limited scope of the hardware due to battery life and size limitations

• Reestablished connections without re-authentication

• Excellent cover for malicious users

• Risk of theft of mobile devices

• Likelihood of inputting private information into mobile devices

The security of the Wireless Application Protocol (WAP), the protocol used by many wireless applications, is also a matter of controversy. WAP advocates argue that Wireless Transport Layer Security (WTLS) provides a secure infrastructure for mobile e-commerce applications. However, critics believe that in the process of translating one protocol to another, WTLS to Secure Sockets Layer (SSL), the data is decrypted and re-encrypted at the WAP gateway, so an attacker who compromises the gateway might simply capture the data while it is decrypted.

2. Network attacks and control measures for electronic commerce

In any large organization today, the corporate strategic, tactical, and operational data resides in multiple databases that are continually updated to reflect the transaction activity in the e-commerce-based applications. Networks are used to connect the users to databases (in B2C commerce) and the computer systems among themselves (in B2B commerce). Most security breaches involve accessing unauthorized data or accessing a network illegally. Security for e-commerce thus broadly translates to security of networks and databases.

To confront the threats to electronic commerce transactions, and in general to networks, the ISO (International Organization for Standardization) recommends some security services and mechanisms in its Standard 7498-2. In the next subsection we first provide a list of network attacks that are primary threats to e-commerce. Then we consider security measures from two aspects: database security and network security.

2.1. Network attacks

Before a manager can determine how much time and money needs to be spent on the security strategy, the manager should know what types of attacks may jeopardize the network and the company connected to that network. The most common types of attacks are:

IP spoofing attacks: A hacker steals an authorized Internet Protocol (IP) address, which is a unique address for a node on a communication network. Typically, it is done by determining the IP address of a computer and waiting until there is no one using that computer, and then using the temporarily inactive IP address.

Packet sniffing: The hacker listens to Transmission Control Protocol/Internet Protocol (TCP/IP) packets that come out of the network and steals the information in them. Typical information includes user logins, e-mail messages, credit card numbers, etc.

Password attacks: This is a common weak point in any system. Hackers generally find a user with an easy password or use a special program which cycles through a range of words from a dictionary. The worst nightmare of this type of attack is when a hacker determines the system administrator password (or that of a user who has system privileges).

Sequence number prediction attacks: Initially, in a TCP/IP connection, the two computers exchange a startup packet which contains sequence numbers. These sequence numbers are based on the computer’s system clock and then run in a predictable manner, which often can be determined by the hacker.

Session hijacking attacks: The hacker taps into a connection between a client and a server. The hacker then simulates the connection by using the client's IP address.

Shared library attacks: Many systems have an area of shared library files. These are called by applications when they are required for input/output, networking, graphics, and so on. For example, a hacker may replace standard libraries with altered ones, which allows the hacker to access system files and to change file privileges.

Social engineering attacks: The attack is aimed at users who have little understanding of their computer system. A typical attack is where the hacker sends an e-mail message to naïve users, asking for their password.


Technological vulnerability attacks: These normally involve attacking some part of the system (typically the operating system), which allows a hacker to access the system. A typical example is for a user to gain access to a system and then run a program which reboots the system or slows it down by running a processor-intensive program.

Trust-access attacks: These allow a hacker to add their system to the list of systems that are allowed to log into the system without a user password.

2.2. Database security measures

The requirements for security of database systems can be listed as follows.

Physical database integrity: ensures that the database is immune to physical problems such as power failures and that someone can reconstruct the database if it is destroyed through a catastrophe. Well-designed database systems use automatic recovery mechanisms to recover from unprocessed transactions in times of failure.

Logical database integrity: ensures that the structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields, for example. Today’s database systems are incorporating elaborate semantic safeguards to maintain the semantic consistency and validity of a database.

Data integrity: typically a function of two parameters: correct generation of data and correct storage and transmission.

Auditability: to be able to track who has accessed (or modified) the elements in the database.

Access control: this allows the user to access only authorized data so that different users can be restricted to different modes of access (such as read or write).

Database user authentication: to ensure that every user is positively identified, both for the audit trail and for permission to access certain data.

Availability: ensures that users can access the database in general at any time and have available to them all the data for which they are authorized. For a general discussion of security issues in databases, see Chapter 23 of [6].

2.3. Encryption and access control as security measures

Some controls to protect networks are encryption and access control:

Encryption: provides confidentiality for data. Encryption is one of the most fundamental building blocks of secure computing and a means of maintaining secure data in an insecure environment. Two of the most important encryption algorithms are: (1) Rivest-Shamir-Adleman (RSA), and (2) the Data Encryption Standard (DES) proposed by the National Bureau of Standards in 1977 [26]. RSA was developed in 1978 [31] and has since reigned supreme as the most widely accepted and implemented approach to public key encryption. With a public key encryption system, each user has a key that does not have to be kept secret. The public key transformation is essentially a one-way encryption with a secret (private) way to decrypt. DES is another encryption system developed by the U.S. government in 1977. It has been officially accepted as a cryptographic standard both in the United States and abroad. Many hardware and software systems have been designed using DES. However, its adequacy has recently been questioned [29].

Network user authentication (or access control): assures that communication is authentic. For example, in the case of a single message, such as a warning or alarm signal, it assures the recipient that the message is from the source it claims to be from.

Among the above security measures, access control is a popularly known and heavily used technique from the managerial perspective, so we will elaborate further. Access control mechanisms must ensure that users of an Open Systems Interconnection (OSI) network can only access resources in a predefined way.

Several models have been proposed to address the access control requirements of distributed applications. Traditional access control models are broadly categorized as discretionary access control (DAC) models, in which all the subjects and objects in a system are enumerated and the access authorization rules for each subject and object in the system are specified, and mandatory access control (MAC) models, in which all subjects and objects are classified based on predefined sensitivity levels that are used in the access decision process. New models such as role-based access control (RBAC) or task-based access control (TBAC) have been proposed to address the security requirements of a wider range of applications. In RBAC models the roles represent organizational responsibilities and functions; a role-based model directly supports arbitrary, organization-specific security policies.

The DAC and MAC models lack capabilities needed to support the security requirements of emerging enterprises and Web-based applications [16]. For example, DAC cannot be used where classification levels are needed; MAC, although it provides a high level of security, and hence high assurance, is less flexible. The RBAC models have several desirable features such as flexibility, policy-neutrality, better support for security management and administration, the principle of least privilege, and other aspects that make them attractive candidates for developing secure Web-based applications. The National Institute of Standards and Technology (NIST) has also proposed a standard for RBAC that is organized into the RBAC Reference Model and the RBAC System and Administrative Functional Specification [11]. The reference model defines the scope of the features that the standard comprises and provides a consistent vocabulary in support of the specification. The RBAC System and Administrative Functional Specification defines functional requirements for administrative operations and queries for the creation, maintenance, and review of RBAC sets and relations, as well as for specifying system-level functionality in support of session attribute management and an access control decision process.

In conclusion, although the DAC models are currently prevalent in private industry, and MAC is popular in the government, the RBAC models are expected to provide a viable framework for adding a wide range of security requirements for large enterprises. However, several extensions to the existing RBAC models are needed to develop workable solutions to adequately address such needs.
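As an added illustration of the RBAC reference model discussed above (this is not code from the paper or from NIST; all user, role and object names are hypothetical), a minimal core RBAC in Python: roles carry permissions, users are assigned roles, and a session activates only a subset of the user's assigned roles, which is where least privilege is enforced.

```python
"""Core RBAC with sessions, in the spirit of the NIST RBAC reference model.
Added illustration; not the paper's or NIST's code. Names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read", "write"
    obj: str        # e.g. "orders_db"


class RBAC:
    """Roles and permissions (PA relation), user-role assignment (UA relation)
    and sessions that activate a subset of a user's assigned roles."""

    def __init__(self) -> None:
        self.roles: dict = {}       # role -> set of Permission   (PA)
        self.user_roles: dict = {}  # user -> set of role names   (UA)
        self.sessions: dict = {}    # session id -> (user, active role names)

    # Administrative functions: create and maintain the sets and relations.
    def add_role(self, role: str) -> None:
        self.roles.setdefault(role, set())

    def grant_permission(self, role: str, operation: str, obj: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.roles[role].add(Permission(operation, obj))

    def assign_user(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)
        # Deactivate the role in live sessions so revocation takes effect now.
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)

    # Session management: a user may activate only roles they are assigned.
    def create_session(self, sid: str, user: str, activate) -> None:
        extra = set(activate) - self.user_roles.get(user, set())
        if extra:
            raise PermissionError(f"{user} is not assigned roles {sorted(extra)}")
        self.sessions[sid] = (user, set(activate))

    # Review function: everything a user could reach through assigned roles.
    def user_permissions(self, user: str) -> set:
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, set())))

    # Access control decision: only roles active in the session count.
    def check_access(self, sid: str, operation: str, obj: str) -> bool:
        if sid not in self.sessions:
            return False
        _, active = self.sessions[sid]
        wanted = Permission(operation, obj)
        return any(wanted in self.roles[r] for r in active)


def try_create_session(rbac: RBAC, sid: str, user: str, activate) -> bool:
    """Return False instead of raising when role activation is refused."""
    try:
        rbac.create_session(sid, user, activate)
        return True
    except PermissionError:
        return False


def build_demo() -> RBAC:
    """Constructed sample policy: an order clerk role and a finance role."""
    rbac = RBAC()
    rbac.add_role("order_clerk")
    rbac.add_role("finance")
    rbac.grant_permission("order_clerk", "read", "orders_db")
    rbac.grant_permission("finance", "write", "ledger_db")
    rbac.assign_user("alice", "order_clerk")
    rbac.assign_user("alice", "finance")
    rbac.assign_user("bob", "order_clerk")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    rbac.create_session("s1", "alice", {"order_clerk"})   # least privilege
    print(rbac.check_access("s1", "read", "orders_db"))   # True
    print(rbac.check_access("s1", "write", "ledger_db"))  # False: finance inactive
    rbac.create_session("s2", "alice", {"order_clerk", "finance"})
    print(rbac.check_access("s2", "write", "ledger_db"))  # True
    print(try_create_session(rbac, "s3", "bob", {"finance"}))  # False: not assigned
```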

3. Classification of security threats in e-commerce

In general, categorizing a phenomenon makes systematic studies possible. In particular, an organized classification of threats to e-commerce can help managers build systems that are less vulnerable. An established classification would also be useful when reporting incidents to incident response teams. Lindqvist [20] recommends the following properties for a classification for information security:

• The categories should be mutually exclusive (every specimen should fit in at most one category) and collectively exhaustive (every specimen should fit in at least one category).

• Every category should be accompanied by clear and unambiguous criteria defining what specimens are to be put in that category.

• The taxonomy should be comprehensible and useful not only to experts in security but also to users and administrators with less knowledge and experience.

• The terminology of the taxonomy should comply with established security terminology (something that is not always easy to define).

3.1. A review of existing taxonomies

The literature review has identified many attempts at the classification of security threats.

Taxonomy by the Naval Research Laboratory: Landwehr [17] classifies each security flaw according to genesis (caused intentionally or inadvertently), time of introduction (during development, maintenance, or operation), and location (software or hardware).

The ISO has listed five major security threats and services as a reference model [15]: (1) Destruction of information and/or other resources, (2) Corruption or modification of information, (3) Theft, removal or loss of information and/or other resources, (4) Disclosure of information; and (5) Interruption of services.

Taxonomy by Neumann and Parker [25]: These authors have categorized computer misuse techniques into nine classes, ordered from the physical world to the hardware and software and from unauthorized use to misuse of authority, etc. This classification seems to cover most of the known techniques, covering external attacks as well as unauthorized users misusing their privileges. However, it has some shortcomings in assigning an intrusion to one class or another, or both.

DARPA’s Intrusion Detection Evaluation: Lippmann et al. [22] classified attack types into four groups: (1) Denial of Service, (2) Remote to Local (an attacker who does not have an account on a victim machine sends packets to that machine and gains local access), (3) User to Root (a local user on a machine is able to obtain privileges normally reserved for the UNIX root or super user), and (4) Surveillance/Probing. This evaluation used a reasonable, but not exhaustive, set of attacks, with a limited set of actions performed as part of each attack, a simple network topology, and a non-restrictive security policy.

Schummacher and Ghosh [32] have defined eight pillars as the components of information security: systematic, communication, physical, personnel, application, performance, and design correctness; and nine attributes: privacy, integrity, accountability, reliability, connectivity, recovery, liability, and uncertainty. Pfleeger [29] also groups the potential threats to a network into eight categories: wiretapping, impersonation, message confidentiality violations, message integrity violations, hacking, code integrity, and denial of service.

The authors believe that these taxonomies, although they address the most important computer security threats, either do not cover all of them or do not allow them to be considered independently.

3.2. A model for threat classification and control measures

We consider threats to a network system from two points of view: (1) Threat agent, and (2) Penetration technique. A threat is manifested by a threat agent using a specific penetration technique to produce an undesired effect on the network.

Threat agents: Threat agents are classified into environmental factors, authorized users, and unauthorized users.

Environmental factors: Although it is common sense, one should remember to account for environmental factors. Some areas are more prone to certain environmental influences and natural disasters than others. Some types of disasters, such as fire, are not geographically dependent, while others, such as tornadoes and floods, can be anticipated on a more regular basis in specific areas. In addition to natural disasters, attention should be paid to the danger of mechanical and electrical equipment failure and the interruption of electrical power.

Authorized users: Authorized users and personnel engaged in supporting operations can be considered potential threats when they exceed their privileges and authorities or commit errors, thus affecting the ability of the system to perform its mission. Personnel granted access to systems or occupying positions of special trust and having the capability or opportunity to abuse their access authorities, privileges, or trusts should be considered potential threats.

Unauthorized users: An unauthorized user can be anyone not engaged in supporting operations who, by design, attempts to interrupt the productivity of the system or operation either overtly or covertly. Overt methods could include outright acts of sabotage affecting hardware and associated equipment, as well as subtle efforts of destruction, which could be accomplished through the manipulation of software, both systems and application.

Techniques

We classify techniques into physical, personnel (related), hardware, software, and procedural.

Physical: Physical penetration implies use of a physical means to gain entry into restricted areas such as a building, compound, room, or any other designated area.

Personnel: Penetration techniques and methods generally deal with the subverting of personnel authorized some degree of access and privilege regarding a system, either as users or operators (operators would include system analysts, programmers, input/output schedulers, etc.). They can be recruited by a threat agent and used to penetrate the system, operation or facility, or they themselves can become disaffected or motivated to mount an attack.

Hardware: Attacks can be mounted against hardware for the purpose of using the hardware as a means of subverting or denying use of the system. A physical attack against the equipment, a bug implanted within a hardware controller, or an attack against the supporting utilities are means of subverting the system by using the characteristics of the hardware. Hardware, as used in this category, generally includes any piece of equipment that is part of the system (i.e., the mainframe, peripherals, communications controllers, or modems). It also includes indirect system support equipment, such as power supplies, air conditioning systems, backup power, etc.

Software: Software penetration techniques can be directed against system software, application programs, or utility routines. Software attacks can range from discreet alterations that are subtly imposed for the purpose of compromising the system, to less discreet changes intended to produce results such as destruction of data or other important system features.

Procedural: Authorized or unauthorized users can penetrate the system due to lack or inadequacy of controls, or failure to adhere to existing controls. Examples of procedural penetration include former employees retaining and using valid passwords, unauthorized personnel picking up output, and users browsing without being detected due to failure to diligently check audit trails.


Figure 1. Combination of agents, techniques, and security measures.

At a more detailed level, the ISO 7498-2 Standard [15] lists five security control measures to combat these threats: (1) Authentication, (2) Access control, (3) Data confidentiality, (4) Data integrity, and (5) Non-repudiation. This classification is widely accepted among computer security experts, and the authors also recommend these as good control measures.

These security measures, along with agents and techniques, are shown in Figure 1. One can use this figure to classify threats (agents and techniques) to e-commerce and the security measures to confront these threats. For example, access control is one of the security measures to confront the threats that may be caused by an unauthorized user through software. In total, there are 5 × 3 × 5 combinations of threat technique, agent, and security measure; however, not all of these combinations are applicable. For example, non-repudiation cannot be a security measure for the threats caused by environmental factors or by a procedural technique. We use this three-dimensional view of threat agents, techniques, and security control measures for a better quantitative assessment and management of security risk.

4. Implication of security incidents

Every company, no matter what size, must be able to understand the financial costs involved when its security is breached. But what is a loss? Cohen [5] states that: “A complete list of things that can go wrong with information systems is impossible to create. People have tried to create comprehensive lists, and in some cases have produced encyclopedic volumes on the subject, but there is a potentially infinite number of different problems that can be encountered, so any list can only serve a limited purpose.”

The authors believe that the cost of a computer security incident to an organization has to be measured in terms of the impact on the business; hence identical incidents in two different organizations of the same industry or business type could have different costs. The impact may well be financial, in the form of immediate costs and losses as was briefly explained before, but much more serious are the hidden costs. For example, a computer security incident might damage an organization in terms of the following intangibles:

• The brand image, public reputation and goodwill in the marketplace

• The financial value of business transactions

• Public and customer confidence in the accuracy of business transactions

• Public and customer confidence in the fraud-resistance of business transactions

• The ability to maintain revenue cash flow in a timely manner

• The ability to resolve disputes beyond reasonable doubt

• The ability to meet the requirements of regulators

Evaluating these impacts is controversial and often extremely difficult. We suggest qualitative and quantitative approaches for these kinds of evaluations. However, qualitative or quantitative risk analysis in information security has its pros and cons. For example, quantitative risk analysis supporters explain that the results of a quantitative risk analysis approach are substantially based on independent objective processes and metrics and can be expressed in a management-specific language (e.g., monetary value, percentages, probabilities). On the other hand, opponents argue that the calculations can be complex (assigning costs to security risks and benefits of countermeasures is difficult) and that it requires much preliminary work. Qualitative risk analysis proponents believe that in their approach the calculations are simple, it is not necessary to quantify threat frequency, and many non-technical issues are easily accounted for. The opponents of the qualitative approach argue that this method is subjective in nature and the results depend heavily on the quality of the risk management team assembled. The next sections deal with subjective assessment and quantifying the costs of security incidents.

4.1. Subjective probability assessment

In practical terms, the evaluation of security risks eventually leads to subjective assessment supported by guidelines or some risk assessment models. In our research, we attempt to provide a methodology by which the process can be made more systematic.


Estimating the probability of attack by human threat actors using subjective evaluation can be complex. One should consider the following factors:

1. Motive. How motivated is the attacker? Is the attacker motivated by political concerns? Is the attacker a disgruntled employee? Is an asset an especially attractive target for attackers?

2. Means. Which attacks can affect the critical assets? How sophisticated are the attacks? Do likely attackers have the skills to execute the attacks?

3. Opportunity. How vulnerable is the computing infrastructure? How vulnerable are specific critical assets?

4.2. Possible pitfalls of subjective analysis

The authors wish to warn managers of some cognitive biases that stem from the reliance on judgmental heuristics, which may occur in subjective analysis. We classify the origins of these pitfalls into three types:

Representativeness: In the representativeness heuristic, the probability that, for example, Bob is a hacker is assessed by the degree to which he is representative of, or similar to, the stereotype of a hacker. This approach to the judgment of probability can lead to serious errors, because similarity, or representativeness, is not influenced by several factors that should affect judgments of probability.

Availability: There are situations in which people assess the frequency of a class or the probability of an event by the ease with which instances or occurrences can be brought to mind. For example, one may assess the risk of disclosure of information among financial institutions by recalling such occurrences among one’s acquaintances. Availability is a useful clue for assessing frequency or probability, because instances of large classes are usually recalled better and faster than instances of less frequent classes. However, availability is affected by factors other than frequency or probability. Consequently, reliance on availability can lead to biases.

Adjustment & anchoring: In many situations, people make estimates by starting from an initial value that is adjusted to yield the final answer. The initial value, or starting point, may be suggested by the formulation of the problem, or it may be the result of a partial computation. In either case, adjustments are typically insufficient. That is, different starting points yield different estimates, which are biased toward the initial values.

In spite of these pitfalls, the authors believe that subjective analysis can be employed usefully in information security assessment, even when quantitative data is not available or a formal process description is not required. Previous attempts by Paté-Cornell and Guikema [28] as well as by Tarr [35] to quantify the likelihood of attacks provide examples of the ability of subjective thinking to function without quantitative data.


4.3. Scope of subjective analysis

Among information security experts there appears to be no agreement regarding the best or the most appropriate method to assess the probability of computer security incidents. There does exist, however, a hierarchy of approaches such as checklists and scenario generation techniques that require the user to have only a minimum knowledge of information system security [36]. To have a well-defined scope for the checklist, one can follow the formats that are provided by British Standards (British Security Standards 1999) or the National Security Agency, NSA.

The National Security Agency, NSA [14], suggests the following areas for information security assessment, which are more comprehensive than the British Standards: (1) Information security documentation, (2) Identification and authentication, (3) Account management (establishment, deletion, expiration), (4) Session control management (access control lists, files, directions, servers, remote dial up, Internet services), (5) External connectivity, (6) Telecommunications, (7) System security administration, (8) Auditing, (9) Virus protection, (10) Contingency planning, (11) System maintenance procedures, (12) Configuration management, (13) Backup policies, (14) Labeling, (15) Media sanitization/disposal, (16) Physical/environmental controls, (17) Personnel security, and (18) Training and awareness.

4.4. Probability assessment

To derive an overall likelihood rating that a potential vulnerability may be exploited, these governing factors should be considered: (1) Threat-source motivation and capability, (2) Nature of the vulnerability, and (3) Existence and effectiveness of current controls.

The likelihood that a potential vulnerability could be exploited by a given threat-source can be described as high, medium, or low. In defining these likelihoods we follow the likelihood determination by NIST [33]:

High likelihood. The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being penetrated are ineffective.

Medium likelihood. The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low likelihood. The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

One can also use these qualitative ratings to assign values for a quantitative evaluation to use in the checklist. For example, high likelihood as 0.9, medium likelihood as 0.5, and low likelihood as 0.1. We can also use a more detailed scale such as: very high, high, medium, low, and very low, and use 0.9, 0.7, 0.5, 0.3, and 0.1, respectively, for these likelihoods.

A MANAGEMENT PERSPECTIVE ON RISK OF SECURITY THREATS TO INFORMATION SYSTEMS 217

The checklist can be written in question form and should allow three possible answers: “yes”, “no”, or “not relevant”. Questions should be phrased so that a “yes” answer means that the control exists and a “no” answer means that the control does not exist. A control is relevant when both the asset to be protected and the threat exist.

For example, one critical element to evaluate data integrity can be, “Is virus detection and elimination software installed and activated?” A subordinate question for the above question could be, “Are virus scans automatic?” The answer to this question might be “yes”, “no”, or “not relevant”. A metric for this evaluation can be the percentage of systems with automatic virus scanning, which can help gauge the risk exposure caused by known viruses.

Assessing probability

In this section we propose a procedure by which quantitative answers to a detailed security questionnaire can be compiled into an overall vulnerability measure. Conducting the survey with the checklist, we can assess the vulnerability of each system under examination by defining the following parameters and calculations:

N(VH): Number of questions with very high importance
N(H): Number of questions with high importance
N(M): Number of questions with medium importance
N(L): Number of questions with low importance
N(VL): Number of questions with very low importance
NR(VH): Number of relevant questions with very high importance
NR(H): Number of relevant questions with high importance
NR(M): Number of relevant questions with medium importance
NR(L): Number of relevant questions with low importance
NR(VL): Number of relevant questions with very low importance
NN(VH): Number of “no” answers to relevant questions with very high importance
NN(H): Number of “no” answers to relevant questions with high importance
NN(M): Number of “no” answers to relevant questions with medium importance
NN(L): Number of “no” answers to relevant questions with low importance
NN(VL): Number of “no” answers to relevant questions with very low importance
NP: Normalized probability
IP: Index of probability
SWP: Sum of probability weights
JP: Justified probability
MW: Maximum weight
AP: Assessed probability

We would have:

$$\mathrm{NP} = \frac{\dfrac{NR(VH)}{N(VH)} \times 0.9 + \dfrac{NR(H)}{N(H)} \times 0.7 + \cdots + \dfrac{NR(VL)}{N(VL)} \times 0.1}{0.9 + 0.7 + 0.5 + 0.3 + 0.1}$$

$$\mathrm{IP} = \frac{1}{\mathrm{NP}}$$

$$\mathrm{SWP} = NN(VH) \times 0.9 + NN(H) \times 0.7 + NN(M) \times 0.5 + NN(L) \times 0.3 + NN(VL) \times 0.1$$

$$\mathrm{JP} = \mathrm{SWP} \times \mathrm{IP}$$

$$\mathrm{MW} = N(VH) \times 0.9 + N(H) \times 0.7 + N(M) \times 0.5 + N(L) \times 0.3 + N(VL) \times 0.1$$

$$\mathrm{AP} = \frac{\mathrm{JP}}{\mathrm{MW}}$$

For example, the checklist for the area of integrity may include 20, 40, 50, 30, and 15 questions on the importance scale of very high, high, medium, low, and very low, of which only 10, 30, 40, 24, and 12 may be relevant to the specific vulnerability regarding integrity. If we have 7, 25, 36, 20, and 9 “no” answers (meaning the control does not exist), respectively, following the proposed method we obtain an assessed probability of AP = 0.88. This would imply that there is an 88% chance of success of data integrity incidents. The assessed probability is a number between zero and one, with zero representing an incident that definitely will not occur and one representing an incident that definitely will occur.
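As an added worked example (this is not code from the paper), the following Python script implements the NP, IP, SWP, JP, MW and AP calculation above over a list of answered checklist questions and reproduces the integrity figures of the paper's example. The names Question, assessed_probability and build_checklist are this example's own, and the handling of an importance level that has no questions at all (skipped in NP) is an assumption the paper does not state.

```python
"""Checklist-based probability assessment (added example, not the paper's code).

Implements the NP / IP / SWP / JP / MW / AP procedure from the
"Assessing probability" subsection with the paper's five-level
importance scale and its weights.
"""
from dataclasses import dataclass

# Importance levels in the paper's order, with the weights it assigns.
LEVELS = ("VH", "H", "M", "L", "VL")
WEIGHTS = {"VH": 0.9, "H": 0.7, "M": 0.5, "L": 0.3, "VL": 0.1}


@dataclass(frozen=True)
class Question:
    """One checklist question: its importance level and the recorded answer."""
    importance: str   # one of LEVELS
    answer: str       # "yes", "no" or "not relevant"


def assessed_probability(questions):
    """Return (AP, intermediates) for a list of Question objects.

    Counts N, NR and NN per importance level, then applies the paper's
    formulas. Assumption of this example: a level with N = 0 has no
    defined NR/N ratio, so it is left out of the NP sum.
    """
    n = {lvl: 0 for lvl in LEVELS}
    nr = {lvl: 0 for lvl in LEVELS}
    nn = {lvl: 0 for lvl in LEVELS}
    for q in questions:
        if q.importance not in WEIGHTS:
            raise ValueError(f"unknown importance level {q.importance!r}")
        if q.answer not in ("yes", "no", "not relevant"):
            raise ValueError(f"unknown answer {q.answer!r}")
        n[q.importance] += 1
        if q.answer != "not relevant":
            nr[q.importance] += 1
            if q.answer == "no":
                nn[q.importance] += 1

    weight_sum = sum(WEIGHTS.values())                      # 0.9 + ... + 0.1 = 2.5
    np_ = sum(WEIGHTS[l] * nr[l] / n[l] for l in LEVELS if n[l]) / weight_sum
    if np_ == 0:
        raise ValueError("no relevant questions; the probability is undefined")
    ip = 1 / np_                                            # index of probability
    swp = sum(WEIGHTS[l] * nn[l] for l in LEVELS)           # sum of probability weights
    jp = swp * ip                                           # justified probability
    mw = sum(WEIGHTS[l] * n[l] for l in LEVELS)             # maximum weight
    ap = jp / mw                                            # assessed probability
    return ap, {"NP": np_, "IP": ip, "SWP": swp, "JP": jp, "MW": mw}


def build_checklist(n, nr, nn):
    """Construct a synthetic checklist from per-level counts.

    n, nr, nn map a level to its number of questions, relevant questions
    and "no" answers. Which concrete question carries which answer does
    not change the result, so answers are assigned in order.
    """
    questions = []
    for lvl in LEVELS:
        for i in range(n[lvl]):
            if i < nn[lvl]:
                answer = "no"
            elif i < nr[lvl]:
                answer = "yes"
            else:
                answer = "not relevant"
            questions.append(Question(lvl, answer))
    return questions


# Constructed input: the integrity checklist counts from the paper's example.
PAPER_EXAMPLE = build_checklist(
    n=dict(zip(LEVELS, (20, 40, 50, 30, 15))),
    nr=dict(zip(LEVELS, (10, 30, 40, 24, 12))),
    nn=dict(zip(LEVELS, (7, 25, 36, 20, 9))),
)

if __name__ == "__main__":
    ap, parts = assessed_probability(PAPER_EXAMPLE)
    for name, value in parts.items():
        print(f"{name:>3} = {value:.4f}")
    print(f" AP = {ap:.2f}")   # 0.88, as in the paper
```

Running the script prints NP = 0.678, SWP = 48.7, MW = 81.5 and AP = 0.88, which confirms that the bracketed sum in the NP formula is divided by the sum of the weights (0.9 + 0.7 + 0.5 + 0.3 + 0.1). Two sanity checks are worth keeping in any implementation: a checklist in which every relevant control exists (all “yes”) must give AP = 0, and one in which every question is relevant and every control is missing must give AP = 1.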

5. Quantifying the cost of security incidents

Before quantifying the damage that can be caused by an incident, managers should know the values of assets of the organization that are exposed to the threat. Logical and physical assets can be grouped into the following categories:

(1) Information—documented (paper or electronic) data or intellectual property used to meet the mission of an organization.

(2) Software—Software applications and services that process, store, or transmit information.

(3) Hardware—information technology physical devices.

(4) People—The people in an organization who possess skills, knowledge, and experience that are difficult to replace.

(5) Systems—Information systems that process and store information (systems being a combination of information, software, and hardware assets and any host, client, or server being considered a system).

For example, the cost of downtime per hour caused by a denial of service attack can be computed by measuring the loss as follows:

(a) Productivity: (number of employees impacted) × (hours out) × (burdened hourly rate)

(b) Revenue: direct loss, lost future revenues

(c) Financial performance: credit rating, stock price

(d) Damaged reputation: customers, suppliers, financial markets, banks, business partners, etc.

(e) Other expenses: equipment rental, overtime costs, extra shipping costs, travel expenses, etc.

One approach to combining tangible and intangible losses is to use scoring tables, as shown in Tables 1 and 2.

Table 1 defines valuation scores for intangible damages that might be caused by an incident and Table 2 shows the financial loss table for these valuation scores. The values found in the tables could be the result of meetings with various departments and business units within the company and getting their expert input.

Table 1. Example of a scoring table for intangible damages.

Intangible damage                                                          Valuation score
Embarrassment restricted to within the project or work site                1
Embarrassment spread to other work areas of operating group or division    1–3
Embarrassment spread throughout the enterprise                             3–5
Public made aware through local press coverage                             5–7
Adverse national press                                                     7–9
Major stock price impact/bankruptcy                                        10

Calculating the expected cost of an incident

The expected cost of an incident can be defined as:

$$EC = \sum_{i=1}^{n} AP_i \times C_i$$

where EC is the total expected cost of the incidents, AP_i the assessed probability of the occurrence of incident i, and C_i the cost for damage caused by incident i. For example, an unauthorized person might access the credit card numbers of clients of a financial institution. This can cause total tangible and intangible losses of 15 million dollars to the institution. A probability of 5 percent for the occurrence of this threat results in an expected damage of: $15,000,000 × 0.05 = $750,000

Table 2. Example of a scoring table for financial losses.

Financial loss             Valuation score
Under $1M                  1
Between $1M and $5M        1–3
Between $5M and $10M       3–5
Between $10M and $15M      5–7
Between $20M and $25M      7–9
Between $25M and $30M      10

We have outlined a procedure for evaluating possible losses due to security incidents based on use of questionnaires and answers given on scales of “very high” to “very low.” This procedure can form part of an overall risk assessment model that enables security managers to allocate resources in the most effective manner, as presented in the next section.

6. A risk management model

A comprehensive evaluation system is currently under development at the College of Computing, Georgia Institute of Technology, incorporating the aspects of electronic commerce and vulnerability assessment to develop a framework for addressing security risk assessment issues in organizations [8–10]. To contain the complexity and maintain focus and relevance, we will restrict ourselves to issues related to database and information system security. This system of five stages is aimed at helping managers to identify the vulnerabilities of their companies, evaluate the existing security measures in place, and select the most appropriate and cost-effective countermeasures. This risk management model is shown in figure 2. The five stages of our risk management model are:

(1) Resource and application value analysis: This can be done in two phases: First, determine the sensitivity of information handled. The objective is to relate each application to sensitivity level based upon the most sensitive type of data processed (e.g., privacy, asset/resource, proprietary). This analysis provides the framework for subsequent analysis, so its detail and accuracy are important. Second, estimate the asset value of automated resources providing support such as physical facility, equipment and supplies, software.

Figure 2. The proposed risk management model.


(2) Vulnerability and risk analysis: This analysis is in three parts. 1: Identification of vulnerabilities. Weaknesses or flaws in the design, implementation, or operation of the security controls of a facility, system or operation must be identified, whether through analysis of the security controls alone, or as causal factors directly related to a previously identified threat. 2: Weighting of vulnerabilities. Vulnerabilities just identified should be considered in relation to one another and arrayed according to seriousness and potential degree of exploitability. And, finally, 3: Assess threat probabilities. In this step, probabilities of threats are documented. This has been discussed in Section 5.4.

(3) Computation of losses due to threats and benefits of countermeasures: Losses due to threats and benefits of countermeasures can be computed by defining countermeasures at appropriate levels. For a countermeasure at a given level, there is the cost of the countermeasure, its effectiveness, the expected damage caused by the threat, the probability that the threat occurs, the assessed change in threat probabilities, the expected benefit of the countermeasure, the expected loss attributed to the countermeasure set, etc.

(4) Selection of countermeasures: At this stage, the model chooses a countermeasure and level to minimize total cost. Enumerating search procedures and mathematical programming approaches can be used at this stage.

(5) Implementation of alternatives: This stage can be done in three phases. The first phase is developing and approving a plan. To develop a plan it is necessary to establish priorities for implementation. Generally, countermeasures should be implemented according to the severity of the undesirable effect being countered, as determined by the preceding analysis. Using this as the basic criterion, other influences can be brought into consideration. Once the plan is developed, it must be reviewed and approved by senior management, who must be given the opportunity to review it. The second phase is implementation of countermeasures. Once the planning documents have been completed, action can commence on implementation of countermeasures. The third phase is testing and evaluation of countermeasures. Sensitive systems with the strongest security requirements should have a formal test and evaluation of significant countermeasures immediately prior to and during initial implementation. The purpose of testing and evaluation is to ascertain, with reasonable assurance, that the proposed countermeasure produces the desired effect and will not result in undesirable side effects.

This model is intended to help managers in: identifying business assets, recognizing the threats, assessing the level of business impact that would ensue if the threats were to materialize, analyzing vulnerabilities, and, finally, selecting the countermeasure and suggesting an implementation plan. The model is our first attempt at defining this rather complex problem. The following extensions are under consideration: (a) incorporating more robust solution techniques for large, real-life problems, (b) differentiating countermeasures by implementation techniques, (c) considering the effects resulting from combinations of countermeasures, and (d) performing sensitivity analysis with respect to the inputs, such as probabilities of expected threats. Current work includes a refinement of the model to incorporate actual field data collected from security-conscious e-commerce companies and further validation.
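To make stages (3) and (4) concrete, together with the expected-cost formula EC = Σ AP_i × C_i of Section 5, here is an added Python example. It is not the paper's model nor the Georgia Tech system it describes: it prices each countermeasure at discrete levels, applies the level's effectiveness to the assessed probabilities, and enumerates every combination of levels (the "enumerating search procedure" the paper mentions) to find the one that minimises countermeasure cost plus residual expected loss. The incident names, probabilities, costs and effectiveness figures are constructed for illustration, and the rule that reductions from different countermeasures multiply is an assumption of this example.

```python
"""Expected cost of incidents and countermeasure selection by enumeration.

Added example; not the paper's model. EC = sum_i AP_i * C_i is the
Section 5 formula; pricing each countermeasure at a level and choosing
the levels that minimise total cost follows stages (3) and (4) above.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Incident:
    name: str
    ap: float      # assessed probability of occurrence (0..1), e.g. from the checklist method
    cost: float    # tangible plus intangible damage if it occurs, in dollars


@dataclass
class Level:
    """One implementation level of a countermeasure."""
    label: str
    cost: float        # cost of operating the countermeasure at this level
    reduction: dict    # incident name -> fraction of that incident's AP removed


@dataclass
class Countermeasure:
    name: str
    levels: tuple      # Level objects; include a zero-cost "none" level so that
                       # doing nothing is a legitimate choice for the search


def downtime_cost(employees_impacted, hours_out, burdened_hourly_rate, other_expenses=0.0):
    """Item (a) of the downtime loss list, plus item (e) other expenses."""
    return employees_impacted * hours_out * burdened_hourly_rate + other_expenses


def expected_cost(incidents):
    """EC = sum_i AP_i * C_i."""
    return sum(inc.ap * inc.cost for inc in incidents)


def residual_incidents(incidents, chosen_levels):
    """Probabilities after applying the chosen levels.

    Assumption of this example: reductions from different countermeasures
    act independently, so they multiply (two 50% reductions leave 25%).
    """
    result = []
    for inc in incidents:
        p = inc.ap
        for lvl in chosen_levels:
            p *= 1.0 - lvl.reduction.get(inc.name, 0.0)
        result.append(Incident(inc.name, p, inc.cost))
    return result


def select_countermeasures(incidents, countermeasures):
    """Enumerate every combination of levels and return (total_cost, levels)
    for the cheapest one, where total = control cost + residual expected loss.
    Exact, but exponential in the number of countermeasures."""
    best_total, best_combo = None, None
    for combo in product(*(cm.levels for cm in countermeasures)):
        control_cost = sum(lvl.cost for lvl in combo)
        total = control_cost + expected_cost(residual_incidents(incidents, combo))
        if best_total is None or total < best_total:
            best_total, best_combo = total, combo
    return best_total, best_combo


# Constructed inputs. The first incident is the paper's own example
# (a 5% chance of a $15M loss); the second is priced with the downtime formula.
INCIDENTS = (
    Incident("card data disclosure", 0.05, 15_000_000.0),
    Incident("dos outage", 0.30, downtime_cost(200, 8, 60.0, other_expenses=24_000.0)),
)

COUNTERMEASURES = (
    Countermeasure("stored data encryption", (
        Level("none", 0.0, {}),
        Level("column-level encryption", 80_000.0, {"card data disclosure": 0.6}),
        Level("full encryption with managed keys", 150_000.0, {"card data disclosure": 0.9}),
    )),
    Countermeasure("dos mitigation", (
        Level("none", 0.0, {}),
        Level("rate limiting", 10_000.0, {"dos outage": 0.5}),
        Level("upstream scrubbing", 40_000.0, {"dos outage": 0.9}),
    )),
)

if __name__ == "__main__":
    print(f"expected loss with no countermeasures: ${expected_cost(INCIDENTS):,.0f}")
    total, combo = select_countermeasures(INCIDENTS, COUNTERMEASURES)
    for cm, lvl in zip(COUNTERMEASURES, combo):
        print(f"{cm.name}: {lvl.label}")
    print(f"minimum total cost: ${total:,.0f}")
```

With these figures the uncontrolled expected loss is $786,000 and the search settles on full encryption (the costlier level pays for itself against a $750,000 expected loss) combined with rate limiting rather than upstream scrubbing (the stronger level costs more than the $36,000 of expected outage loss it would remove), for a total of $253,000. Because the number of combinations grows as the product of the level counts, real problems with many countermeasures need the mathematical programming approaches the paper refers to instead of exhaustive enumeration.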


7. Some recommendations

In this paper we addressed some of the security issues that a manager may face in dealing with information systems that are at the heart of e-commerce applications. However, e-commerce security is an extensive area under continuous and rapid development. We recommend that managers look at the current trends in technology and Internet crime. We also recommend that companies have a clear understanding of their risks and of the best technologies that can serve as possible countermeasures. One of the approaches to achieve these goals is an e-commerce security management program. This program should include policies, procedures, and audits, as well as technological safeguards such as firewalls, encryption algorithms, authentication devices, intrusion detection systems, and network security management tools.

Managers should continue this evaluation by asking questions such as:

• What could happen and what failures might be expected if the company relies too heavily on e-commerce (as opposed to a “brick-and-mortar” approach to business)?

• What are the possible risks of losing valuable data and failure of the e-commerce information infrastructure?

• What impact would such a failure have on the business as a whole?

• What are the consequences of such failures in qualitative and quantitative terms?

The more the security management becomes aware of such issues, the better would be the prospects of actually using decision models of the types that we have presented in this paper. Some of these concerns have been addressed in other papers [9,10].

8. Summary of contributions

This paper provides a summary of the security issues faced by an organization engaged in e-commerce as well as some useful information for managers to deal with these issues. The paper makes a contribution in several areas.

The first area is an introduction to e-commerce security and some of its issues. We highlighted the role of trust and intellectual property management in e-commerce as well as some special considerations for mobile e-commerce. We highlighted security measures and techniques for e-commerce and provided some technical information about security measures at the database and network level, and about access control methods.

The next area is an overview of the existing classifications of threats to e-commerce and some of their shortcomings. Then we discussed a more comprehensive classification of the threats and some security measures to confront them. In this classification, threats are considered from two points of view: 1: threat agent, and 2: threat technique. The threat agent could be environmental factors, authorized users, or unauthorized users; the threat (penetration) technique could be personnel, physical, hardware, software, or procedural.


This paper also discusses the implications of security incidents and risk analysis for e-commerce companies. It explores some methods to assist managers in evaluating the cost of security incidents. Qualitative and quantitative risk analysis methods, tangible and intangible damages, and methods for quantifying these losses have also been reviewed in this part. The classification of assets and a systematic approach to identifying costs based on assessed probabilities was presented. We discussed subjective analysis for the probability assessment of threats to information systems, some possible pitfalls of this method, and a possible approach for using subjective assessment.

We believe that the cost of a computer security incident to an e-commerce company has to be measured in terms of the impact on its business; hence identical incidents in two different companies could have different costs. To evaluate these costs and measure the impact of a security incident on a company, we need a systematic approach and a comprehensive risk management system. Such a comprehensive evaluation model and system is currently under development at the College of Computing, Georgia Institute of Technology. This five-stage system is aimed at helping managers to identify the vulnerabilities of their companies and to select the most effective countermeasures. The system includes: (1) Resource and application value analysis, (2) Vulnerability and risk analysis, (3) Computation of losses due to threats and benefits of countermeasures, (4) Selection of countermeasures, and (5) Implementation of alternatives. Last, we provide some recommendations to help managers in dealing with e-commerce issues in their companies.

Acknowledgment

The authors would like to express their sincere thanks to Dean Richard DeMillo of the College of Computing, Georgia Tech, Professor Gene Spafford of Purdue University, Mr. William Malik, CTO of Waveset, Mr. Chris Klaus, CTO, and Mr. Tom Noonan, CEO of ISS, for providing valuable advice related to this work.

References

[1] British Security Standard, BS 7799 (British Standards, 1999).
[2] V. Ahuja, Building trust in electronic commerce, IT Professional 2(3) (2000) 61–63.
[3] T. Bui and T.R. Sivasankaran, Cost-effectiveness modeling for a decision support system in computer security, Computers and Security 6 (1987) 139–151.
[4] R.P. Campbell and G.A. Sands, A modular approach to computer security risk management, in: AFIPS National Computer Conference (1979) 293–303.
[5] Cohen (1997) http://citeseer.nj.nec.com/lee00toward.html
[6] R. Elmasri and S.B. Navathe, Fundamentals of Database Systems, ed. 4 (Addison Wesley, 2004).
[7] G. Eschellbeck, Active security: a proactive approach for computer security systems, Journal of Network and Computer Applications 23 (2000) 109–130.
[8] F. Farahmand, S.B. Navathe and P.H. Enslow, Electronic commerce and security—A management perspective, in: ISS/INFORMS Seventh Annual Conference on Information Systems and Technology (San Jose, 2002).
[9] F. Farahmand, S.B. Navathe, Gunter P. Sharp and P.H. Enslow, Managing vulnerabilities of information systems to security incidents, in: ACM International Conference on Electronic Commerce, ICEC 2003 (Pittsburgh, Sept. 2003) 348–354.
[10] F. Farahmand, W.J. Malik, S.B. Navathe and P.H. Enslow, Security tailored to the needs of business, in: ACM Workshop on Business Driven Security Engineering (BIZSEC) (2003).
[11] D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn and R. Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC) 4(3) (2001) 224–274.
[12] R.L. Field, Issues in the law of electronic commerce, Networker (ACM Press) 1(3) (1997) 28–37.
[13] A.K. Ghosh and T.M. Swaminatha, Software security and privacy risks in mobile e-commerce, Communications of the ACM 44(2) (2001) 51–57.
[14] R. Henning, Security service level agreements: Quantifiable security for the enterprise?, in: ACM Proceedings of the 1999 Workshop on New Security Paradigms (Sept. 1999) 54–60.
[15] ISO, Information Processing Systems—Open Systems Interconnection—Basic Reference Model, Part 2: Security Architecture, ISO 7498-2 (1989).
[16] J. Joshi et al., Security models for web-based applications, Communications of the ACM 44(2) (2001) 38–44.
[17] C.E. Landwehr et al., A taxonomy of computer program security flaws, with examples, Naval Research Laboratory (Nov. 1993).
[18] C.E. Landwehr and D.M. Goldschlag, Security issues in networks with Internet access, Proceedings of the IEEE 85(12) (1997) 2034–2051.
[19] S. Lichtenstein, Internet risks for computers, Computers & Security 17 (1998) 143–150.
[20] U. Lindqvist and E. Jonsson, How to systematically classify computer security intrusions, in: IEEE Symposium on Security and Privacy (1997) 154–163.
[21] N. Linketscher and M. Child, Trust issues and user reactions to e-services and e-marketplaces: a customer survey, in: IEEE 12th International Workshop on Database and Expert Systems Applications (2001) 752–756.
[22] R. Lippmann et al., The 1999 DARPA off-line intrusion detection evaluation, Computer Networks 34 (2000) 579–595.
[23] D.W. Manchala, E-commerce trust metrics and models, IEEE Internet Computing 4(2) (2000) 36–44.
[24] D.H. McKnight, C. Choudhury and C. Kacmar, Developing and validating trust measures for e-commerce: An integrative typology, Information Systems Research 13(3) (2002) 334–359.
[25] P.G. Neumann and D.B. Parker, A summary of computer misuse techniques, in: Proceedings of the 12th National Computer Security Conference (Oct. 1989) 396–407. National Institute of Standards and Technology/National Computer Security Center.
[26] National Bureau of Standards (NBS), Data Encryption Standard (FIPS Publ. 46, Jan. 1977).
[27] E. Orlandi, The cost of security, in: IEEE International Carnahan Conference on Security Technology (1991) 192–196.
[28] E. Pate-Cornell and S. Guikema, Probabilistic modeling of terrorist attacks: A system analysis approach to setting priorities among countermeasures, Military Operations Research (Oct. 2002).
[29] C.P. Pfleeger, Security in Computing (Prentice Hall, 1997).
[30] R. Power, Computer security issues & trends, 2002 CSI/FBI Computer Crime and Security Survey VIII(1) (2002).
[31] R.L. Rivest, A. Shamir and L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, CACM 21(2) (1978) 120–126.
[32] H.J. Schummacher and S. Ghosh, A fundamental framework for network security, Journal of Network and Computer Applications (1997) 305–322.
[33] G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30, 2001).
[34] M. Swanson et al., Security Metrics Guide for Information Technology Systems (NIST Special Publication 800-55, 2002).
[35] C.J. Tarr, Cost effective perimeter security, in: European Convention on Security and Detection (1995) 183–187.
[36] C.C. Wood et al., Computer Security: A Comprehensive Control Checklist (John Wiley & Sons, 1987).


RESPONSE TO SECURITY THREATS: APPRAISAL OF PROTECTION AND AVOIDANCE ACTIONS


Noushin Ashrafi, Jean-Pierre Kuilboer and One-Ki (Daniel) Lee University of Massachusetts Boston

100 Morrissey Blvd., Boston MA 02125 – USA

ABSTRACT

In the age of Big Data, security and privacy issues are magnified and dealt with differently from traditional tactics. However, the traditional security threats have become a source of constant fear and are costly to individuals and organizations. Security experts have explored the intertwined roles of technology and human behavior concerning security protection actions. This research offers an integrated model building on existing theories such as Protection Motivation Theory (PMT), the Health Belief Model (HBM), and the Extended Parallel Processing Model (EPPM). We address the impact of the users’ awareness of security threats on their protective actions while taking into consideration the mediating influence of fear.

We also examine the moderation effects of intrinsic as well as extrinsic factors, such as users’ perception of self-efficacy and the benefits and barriers of protective actions, respectively. Structural Equation Modeling (SEM) is used to measure the proposed mediation and moderation effects. Our integrated theoretical model revolves around the assumption that security protection actions are formed by complex human behavior, rather than the mere deployment of protective technology. The proposed model will be tested on data gathered from the targeted population in the US and Europe. This context-specific dimension will allow examination of cultural differences between the US and Europe. Our results may shed light on the problem that, despite advances in security protection technology, the deployment of such technologies is governed by human behavior and influenced by the cultural background of the individuals.

KEYWORDS

Security Threat, SEM, PMT, HBM, EPPM

1. INTRODUCTION

Since the privatization of the Internet for e-commerce in the 1990s, which led to an exponential growth of the flow of information, information security has become a source of trepidation. Information security is the protection of personal data against unauthorized access or modification while ensuring its availability to legitimate users, confidentiality, and integrity. There is no question that the Internet has become a ubiquitous platform for social and business activities. Although the public, at large, is aware of its cost/benefit tradeoffs, a potential downside such as a breach of security is often talked about, but hardly reflected in end-users’ behavior. What is telling is that, with the increasing outcry by the public as well as the advancement of security-related technology, there is no notable reduction in the number of breaches (Barker, 2014) and they are becoming costlier. Researchers attribute the continuing occurrence of security breaches to end users’ negligence in adopting security protection measures (Williams et al. 2014; Herath and Rao 2009). The ambiguity persists as end-users and businesses jointly spend billions of dollars on products and upgrades to address new threat categories and sets of exploits, yet there is little evidence that protective solutions are actually used as safeguards to battle increasingly incoming threats. This paradox has drawn researchers’ attention, leading to a number of studies addressing the end-users’ mental status, such as their fears, attitudes, and motivations, and the end-users’ specific behaviors, such as their security actions and avoidance.

International Conferences ICT, WBC, BIGDACI and TPMC 2016

251

Each study has its own interpretation of security protection orthodoxy, but mostly they have relied on two well-known theories from health care and psychology, the Health Belief Model (HBM) and Protection Motivation Theory (PMT) respectively. PMT was originally proposed by Rogers (1975), suggesting fear as an effective mental condition protecting one against a threat and consequently leading the individual away from the threat. The assumption is that protection motivation arises from the fear appraisal that an event will occur. The extent of fear, however, is influenced by the belief regarding the effectiveness of a recommended coping response. A revision of PMT (Rogers, 1983; Maddux and Rogers, 1983) has provided support for the importance of the sources of information initiating the coping process and added self-efficacy as an intrinsic factor. Self-efficacy theory suggests that psychological change is processed through an individual’s expectancies of personal mastery or efficacy. The revised PMT incorporates self-efficacy as a cognitive mediating process. The seminal work of Bandura et al. (1980) and Condiotte and Lichtenstein (1981) has established that changes in behavior and changes in self-efficacy expectancy are positively correlated.

Leventhal (1970) proposed a parallel response model that stressed the importance of differentiating emotional responses from cognitive responses (fear control versus danger control). Witte (1994) further developed an Extended Parallel Processing Model (EPPM) by adopting the original PMT’s explanation of “danger control processes that lead to message acceptance (one side of the parallel process model), and defines and expands the fear control processes which lead to message rejection (the other side of the parallel process model)” (Witte 1994, p.337). EPPM explains the possible responses people may have to a fear appeal message and places them into three broad categories: non-responses, danger control responses, and fear control responses. The theory makes predictions about which of these three response types individuals will demonstrate depending upon the interaction between their perceptions of the threat and their perceptions of efficacy to avert the threat.

Another relevant model used in the information systems (IS) literature to study users’ behavior regarding computer security protection is the Health Belief Model (HBM). The theory was developed in the 1950s by the social psychologist Hochbaum (1956) and was adopted by Rosenstock (1966) to explain the failure of people to participate in programs to prevent and detect disease. Since then, HBM has evolved and been applied to a broad range of population behavior.

These theories were modified or combined by researchers to adapt them to the security threat protection phenomenon. Boss et al. (2015) constructed a complete overview of IS articles that use portions of PMT. Ng et al. (2009) successfully operationalized and extended primarily HBM to study users’ computer security behavior. They focused on “understanding of user computer security behavior in the context of the organization” (p.823). Liang and Xue (2010) deployed a modified version of HBM to assess the avoidance behavior of users. They focused on spyware as the security threat and defined avoidance behavior as using and updating anti-spyware software regularly. Tu et al. (2015) and Williams et al. (2014) proposed a security belief model where they drew information from PMT as the reference theory and leveraged the HBM to examine users’ cognitive behavior when confronted with security threats. Tu et al. (2015) integrated PMT with social learning theory to assess users’ coping appraisals in the specific context of mobile device loss or theft. Chen and Zahedi (2016) added a new dimension to security threat research by comparing cognitive behavior when it comes to security actions. They drew on “two complementary theoretical bases: (1) the contextualization of PMT to online security behavior and (2) a polycontextual lens for the cross-national comparison of users’ security behaviors in the United States and China” (p.205).

The existing research, however, falls short of providing a clear picture of individuals’ conduct driven by fear. In the context of security threats, the user’s response, whether it is taking a protective action or avoiding online transactions, has consequences for solutions to security threats. This research examines the impact of the users’ awareness of security threats on their protective behaviors. We draw on three theoretical models to fill the gap mentioned above and show a clear path from knowledge to fear to possible actions. The organization of the paper is the following: the next section presents our integrated theoretical model, followed by the research method, including a brief conclusion.

2. THEORETICAL MODEL

This research offers an integrated model building on existing theories such as PMT, HBM, and EPPM. Our integrated theoretical model takes into account the powerful features of PMT, such as fear as the central motivating factor for taking protective action against security threats. To capture the atmosphere of the digital age, where information about security threats can easily become a personal experience or cause tremendous fear through media exposure, we added awareness as the independent variable and fear as the mediating factor. We consider awareness of a security threat to be the combination of personal experience and knowledge induced by social media, leading to fear and noxiousness. Our interpretation of EPPM in the context of security threats is also different. The theoretical scope of EPPM is limited to explaining and predicting reactions to fear appeals only. This study, however, draws on HBM and takes into consideration the interaction effects of positive and negative outcomes. We also take into consideration intrinsic factors such as self-efficacy, which moderate the association between awareness and fear. In the context of a security threat, self-efficacy, as an interaction effect, portrays an individual’s confidence in her or his competency to deal with the threat. It affects the degree of association between awareness and fear. Figure 1 depicts our research model.

ISBN: 978-989-8533-54-8 © 2016

The model depicts that fear of a security threat is shaped by knowledge and prior experience of threats, while self-efficacy moderates the intensity of the effect. Furthermore, we postulate that the effect of fear on protective actions is moderated by the perceived degree of effectiveness as well as by undesirable attributes of the outcome. The assumption is that beliefs about the potential positive and negative aspects of protective actions could intensify the level of fear, which in turn affects the probability of taking action or avoiding activities online. We consider two possible responses: (1) taking action to protect against the security threat and (2) avoiding engagement in sensitive online transactions.

Figure 1. Moderation and mediation model
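To make the moderation and mediation structure of Figure 1 concrete, the following is an added worked example; it is not code from the paper or its authors. It writes the two stages of the model as regressions with interaction terms, generates constructed survey-style data from assumed path coefficients, and recovers those coefficients by ordinary least squares. All variable names, coefficient values and noise levels are assumptions chosen for illustration, not estimates from any survey.

```python
import random

# Assumed "true" path coefficients of the constructed population (illustrative
# values, not estimates from any survey).
TRUE_PATHS = {
    "awareness->fear": 0.6,
    "awareness*self_efficacy->fear": -0.3,  # moderation: confidence dampens the link
    "fear->action": 0.5,
    "fear*effectiveness->action": 0.2,      # moderation: perceived effectiveness amplifies it
}


def simulate(n=3000, seed=2016):
    """Generate constructed survey-style observations following the Figure 1 structure:
    awareness -> fear (moderated by self-efficacy) -> protective action (moderated by
    perceived effectiveness). All scores are standardized, constructed values."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        awareness = rng.gauss(0.0, 1.0)      # knowledge + prior experience of threats
        self_eff = rng.gauss(0.0, 1.0)       # confidence in coping with threats
        effectiveness = rng.gauss(0.0, 1.0)  # perceived effectiveness of protection
        fear = (TRUE_PATHS["awareness->fear"] * awareness
                + TRUE_PATHS["awareness*self_efficacy->fear"] * awareness * self_eff
                + rng.gauss(0.0, 0.5))
        action = (TRUE_PATHS["fear->action"] * fear
                  + TRUE_PATHS["fear*effectiveness->action"] * fear * effectiveness
                  + rng.gauss(0.0, 0.5))
        rows.append({"awareness": awareness, "self_eff": self_eff,
                     "effectiveness": effectiveness, "fear": fear, "action": action})
    return rows


def ols(y, X):
    """Ordinary least squares: solve the normal equations (X'X) b = X'y by
    Gauss-Jordan elimination with partial pivoting. X is a list of regressor rows."""
    k = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    aug = [xtx[i] + [xty[i]] for i in range(k)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(k):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][k] for i in range(k)]


def estimate_paths(rows):
    """Fit the two moderated regressions implied by Figure 1. The coefficient on each
    product term is the moderation effect; the product of the two main paths is the
    indirect (mediated) effect of awareness on action through fear."""
    # Stage 1: fear ~ 1 + awareness + self_eff + awareness*self_eff
    x1 = [[1.0, r["awareness"], r["self_eff"], r["awareness"] * r["self_eff"]] for r in rows]
    b1 = ols([r["fear"] for r in rows], x1)
    # Stage 2: action ~ 1 + fear + effectiveness + fear*effectiveness
    x2 = [[1.0, r["fear"], r["effectiveness"], r["fear"] * r["effectiveness"]] for r in rows]
    b2 = ols([r["action"] for r in rows], x2)
    return {
        "awareness->fear": b1[1],
        "awareness*self_efficacy->fear": b1[3],
        "fear->action": b2[1],
        "fear*effectiveness->action": b2[3],
        "awareness->action (indirect via fear)": b1[1] * b2[1],
    }


def conditional_effect(est, self_eff_level):
    """Simple slope of awareness on fear at a given (standardized) self-efficacy level,
    i.e. the moderation claim stated as a number."""
    return est["awareness->fear"] + est["awareness*self_efficacy->fear"] * self_eff_level


if __name__ == "__main__":
    est = estimate_paths(simulate())
    for name, value in est.items():
        print(f"{name:40s} {value:+.3f}")
    for level in (-1, 0, 1):
        print(f"awareness->fear at self-efficacy {level:+d}: {conditional_effect(est, level):+.3f}")
```

The interaction coefficient is the moderation effect: a negative awareness × self-efficacy coefficient means that confident users’ fear rises less with awareness, which conditional_effect shows as a flatter simple slope at high self-efficacy. The product of the two main paths is the indirect (mediated) effect of awareness on action through fear at average moderator levels. With real survey data, simulate would be replaced by observed responses and the estimation step stays the same; the SEM approach the paper plans would additionally model measurement error in the constructs, which plain OLS ignores.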

These new perspectives allude to the possibility of examining concerns such as “why, despite the availability of cyber security protection technology, do security threats remain an unresolved problem?” Our future research will look into the impact of the type of platform (e.g., Apple versus Windows) to assess the influence of technology type on users’ perception of and anxiety level about security threats. Finally, this work-in-progress will incorporate a cross-national comparison of users’ security behaviors in the United States and Europe; we are in the process of collecting data both in the United States and in a European country.

2.1 Methods

The proposed model will be tested through a large-scale multi-national field survey by conducting the following steps: (1) measurement development, (2) pilot study, (3) survey translation (if necessary), (4) multi-national field survey, (5) model test and group comparison, and (6) implication development. First, in developing our survey measurements, every attempt will be made to use existing validated measurements that have good psychometric properties. In cases where there are no existing measurements appropriate to the context of our study, new measurements will be developed based on the definitions of the variables and their relevant literature.

Second, the existing and new measurements will be validated through a pilot study. We are planning to conduct the pilot study in the United States. About 50 samples will be gathered for this pilot test. Based on the validity test results of the pilot study, necessary changes will be made to the original measurements.

International Conferences ICT, WBC, BIGDACI and TPMC 2016

Third, to gather data from multiple countries with different cultural backgrounds and user behavior patterns, the original measurements will be translated into local languages if necessary. In particular, we will use a translation committee approach, i.e., a committee of bilinguals (van de Vijver and Leung 1997).

Next, the data gathered from the multi-national field survey will be used to test the proposed model. Considering the multi-stage and causal relationships proposed in our research model, we believe a structural equation modeling (SEM) approach best fits our model test. In particular, the multi-national differences will be tested through a sub-group analysis and other relevant techniques, such as a path comparison and a cluster analysis (Chin 2003; Sia et al. 2009). The results will also be interpreted in light of some well-adopted cultural dimensions, such as different levels of uncertainty avoidance and long-term orientation (Hofstede and Bond 1988).

3. CONCLUSION

Upon completion of the research, both theoretical and practical implications will be developed based on the findings of our model test using multi-national data. For academics, our findings will be used to validate and justify the proposed extension of existing theories. The practical implications will provide useful guidance regarding end-users’ behavior in installing necessary security measures and in minimizing their avoidance of security-sensitive transactions. The context-specific dimension will allow examination of cultural differences between the United States and Europe regarding individual protective behavior against security threats. Last, but not least, our overall results may shed light on the problem that, despite advances in security protection technology, the deployment of such technologies is governed by human behavior and influenced by the cultural background of individuals.

REFERENCES

Bandura, A., 1982. Self-efficacy Mechanism in Human Agency. In American Psychologist, Vol. 37, No. 2, pp. 122-147.

Barker, K., 2014. The Gap between Real and Perceived Security Risks. In Computer Fraud & Security, Vol. 4, pp. 5-8.

Boss, S. R. et al., 2015. What do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors. In MIS Quarterly, Vol. 39, No. 4, pp. 837-864.

Chen, Y. and Zahedi, F. M., 2016. Individuals’ Internet Security Perceptions and Behaviors: Polycontextual Contrasts between the United States and China. In MIS Quarterly, Vol. 40, No. 1, pp. 205-222.

Chin, W. W., 2003. A Permutation Procedure for Multi-group Comparison of PLS Models. In Proceedings of 2003 PLS International Symposium: PLS Related Methods, Lisbon, Portugal.

Condiotte, M. M. and Lichtenstein, E., 1981. Self-efficacy and Relapse in Smoking Cessation Programs. In Journal of Consulting and Clinical Psychology, Vol. 49, No. 5, pp. 648-658.

Herath, T. and Rao, H. R., 2009. Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. In European Journal of Information Systems, Vol. 18, No. 2, pp. 106-125.

Hochbaum, G. M., 1956. Why People Seek Diagnostic X-rays. In Public Health Reports, Vol. 71, No. 4, pp. 377-380.

Hofstede, G. and Bond, M. H., 1988. The Confucius Connection: From Cultural Roots to Economic Growth. In Organizational Dynamics, Vol. 16, No. 4, pp. 5-21.

Leventhal, H., 1970. Findings and Theory in the Study of Fear Communications. In Advances in Experimental Social Psychology, Vol. 5, pp. 119-186.

Liang, H. and Xue, Y., 2010. Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. In Journal of the Association for Information Systems, Vol. 11, No. 7, pp. 394-413.

Maddux, J. E. and Rogers, R. W., 1983. Protection Motivation and Self-efficacy: A Revised Theory of Fear Appeals and Attitude Change. In Journal of Experimental Social Psychology, Vol. 19, No. 5, pp. 469-479.

Rogers, R. W., 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. In The Journal of Psychology, Vol. 91, No. 1, pp. 93-114.

Copyright of IADIS International Journal on Computer Science & Information Systems is the property of International Association for Development of the Information Society (IADIS) and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.