A New Model for the E-Commerce Security

Harsha Wijesinghe
Southern Institute of Technology
Harsha.Wijesinghe@sit.ac.nz
Parwaiz Karamat
The Open Polytechnic of New Zealand
Parwaiz.Karamat@openpolytechnic.ac.nz

Abstract
This paper examines the security of business applications in a society that is in
transition to a full electronic commerce environment. After brief introductory remarks
about the changes in the global commerce environment, the role of security in the
light of the new technologies and the Internet is discussed. Finally, the way in which these
new technologies can be used to support the demands of the new commerce environment
is considered.

Keywords: Commerce, Internet, Security

Introduction
E-commerce offers lower transaction costs, more timely execution and improved market
efficiency. Benefits include increased trade, a wealthier society and a more equitable
distribution. However, lack of assurance about security is the greatest barrier currently
affecting the growth of e-commerce. Consumers must have confidence that their
electronic transactions will remain private and unaltered. Consumers must trust the
system to prevent fraud and keep their transactions private. Businesses require assurance
that their systems and digital assets will remain safe from security intrusions, sabotage,
and fraud. For e-commerce to reach its potential, confidence in the security of the system
must be assured (Greenstein, 1999).

1.0 Security research

Security measures involve the interaction of users, hardware, and software. A good security
system should not only look at hardware and software; it should also cover other areas
such as physical security, human security, business and disaster protection, and legal
implications. Because of the diverse nature of e-commerce, we need to address all of these
security issues. For example, we can provide good network security, but it might depend
on the particular country's encryption rules. Even if every other aspect is catered for,
there still might be a security risk if a particular business is located in a war zone.
Hence, we have to consider all these areas in order to find solutions for e-commerce
security. This research investigates the major factors that influence the type of external
security measures required and implemented by an organization. Factors include:
technical, reputation, societal, legal, and management factors.
2.0 Why is this research important?

Some work has been completed in this area prior to this research. The security
measurement in most of these previous studies depends upon the computer systems and
the data contained within them. The main focus of this research is to identify the
factors that influence the measurement of security. They are broken down into
several groups according to the aspect of protection being addressed, from minimal to
specific. The model used in this research will be able to identify security measurements
specific to the business requirements, or to improve an existing program. The security
system described in this research can be used to avoid overall technical and non-technical
security problems in the organization, and it shows how to manage the design process and the
resulting security program. This model will help organizations to reduce security
concerns, ensure business continuity, avoid or minimize business damage, protect
organizational reputation, etc.

3.0 Security standards reviewed

3.1 Information Security Management AS/NZS 4444

AS/NZS 4444 was prepared by the joint Standards Australia/Standards New Zealand
Committee IT/12. This standard proposes recommendations and controls for
information systems design, implementation and operation to safeguard the information
resources of organizations from external and internal security threats, either accidental or
intended, and includes a comprehensive list of terms relating to information security
(AS/NZS 4444, 1999).

3.2 Information Security BS 7799

BS 7799 was prepared by the British Standards Institution. This document provides a comprehensive
set of controls comprising the best information security practices in current use. The
document is intended to serve as a single reference point for identifying the range of controls
needed for most situations where information systems are used in industry and commerce,
and may therefore be applied by a wide range of organizations, from large to small (BS7799,
1998).

3.3 Gatekeeper

Gatekeeper is the set of guidelines for public key technology use in the Australian government.
The Gatekeeper project provides a structure to ensure quality, integrity, security and
authenticity in the transmission of information and in e-commerce transactions
(Gatekeeper, 1999).

3.4 OECD Guidelines

The OECD guidelines provide guidance on the security of information systems (IS), a survey of
current practices, legal and policy analysis, reviews of new IS security studies, and future work
on IS security in the OECD (OECD, 1998).

3.5 NIST Security Handbook

This handbook provides assistance in securing computer-based systems by explaining
important concepts, cost considerations and the interrelationships of security controls. It does
not provide detailed implementation procedures for security controls, nor does it give guidance
for auditing the security of specific systems (NIST, 1996).
4.0 Building a new solution

Many organizations are insecure not only because of problems with the technologies, but
also because of a fundamental misunderstanding of the right security measurements and of the
influential security risk factors. This research builds a model that will identify every
risk and threat that could have an impact on the organization, and that will help security
administrators to select the appropriate security measurements for their own specific
needs.

The first step in building the model is the methodical assessment of security risks in the
operational environment and for the organizational type. Based on these assessments, basic
security measures are formed and recommended.

The second step is to identify specific organizational requirements and the risks associated
with them. Based on this data, the final recommendation is made.

5.0 Model

Figure 1 shows the security model that is the basis of this study. The model consists of four
independent variables: organizational environment, organizational type,
technology, and law and privacy. The hypotheses of this study are derived from these four
independent variables. The model then explains the basic security measurements that can be
taken for the independent variables. Finally, the model describes the specific security
measurements.

Figure 1: Model. (Diagram not reproduced in this text. The four independent variables,
Organizational Environment, Organizational Type, Technology, and Law and Privacy, feed
"Measuring basic security"; together with "Specific security requirements" this feeds
"Measuring specific security".)

Organizational Environment has links with the other entities, "Organizational Type",
"Technology" and "Law & Privacy", which together directly influence the basic security
measures. This considers the environment in which the organization's assets are located,
which may affect the level of protection required. Location may indicate risk of
vandalism, war, theft, fire, natural disasters, and distance from emergency services. Basic
security measures will depend on the operational location of the organization. For
example, if the organization is located in an area of high civil unrest or in a war zone, the
basic measurements are stronger; likewise, if it is situated in an area prone to natural disasters,
the basic security measurements could be different.

"Organizational type" depends on the type of industry and the type of sensitivity.
Organizational type directly influences the basic security measurements, and it also
has a strong link with "Organizational Environment", "Technology" and "Law & Privacy".
The nature of an organizational type has a close relationship with the operational
environment. For example, a defense-oriented organization will always select a
trouble-free organizational environment in which to locate its equipment. The basic security
measures also vary with the type of organization. If an organization is a hospital or a defense
unit, it requires much stronger basic security measures than if the organization is a
supermarket.

The next component of the model is Technology. The basic security measurement will
vary depending on the technology used by the type of organization. For example, two
hospitals (the same type of organization) can use different types of technology to store their
patients' records. One can have an automated system and the other a manual
system. Hence there is a big difference in the basic security measurements for these two
organizations.

The last component of the model deals with "Law and Privacy", which has close links
with Organizational Environment, Organizational Type, and Technology. Law and Privacy
factors differ from area to area and from country to country. Hence Law & Privacy
has an influence on the Organizational Environment, Organizational Type, and Technology
factors.

Basic security measures will be decided upon from the information gathered for each
component (Operational Environment, Organizational Type, Technology and Law &
Privacy) and from the level of exposure to threats from external sources for each of these
components. Middle management or technical management usually makes the basic security
measurement decisions.

Specific organizational requirements are decided after careful consideration of the basic
security measurements. Both top management and technical management should make
this decision. Specific security measures are the final output of this model; they are
decided upon from the information in the basic security measurements and the specific
organizational requirements.
6.0 Hypotheses

H1: Organizational Environment

The basic security measurements vary with the organizational environment, or the
location of the organization. The type of the organization influences the organization's
environment. The higher the sensitivity of the organizational type, the more important the
organizational environment is, compared with a lower-sensitivity type of organization.

H2: Organizational Type

Organizational type depends on the sensitivity of the industry. Each industry
needs a different level of protection. Basic security measurements are customized to these
different types of organizations. This relates to the different organizational types that
exist within a business sector.

H3: Technology

The technology adopted in the organization also influences the basic security
measurements. The basic security measurements will vary even for the same type of
organization if two different types of technology have been adopted.

H4: Legal and privacy issues

Privacy is an important issue for the organization's basic security measurements. Privacy
is about protecting confidential and personal information. These are a set of legal, statutory
and contractual requirements that an organization and its trading partners have to satisfy.
7.0 Methodology

In this research, a case study approach will be used as the main methodology. The information
will be drawn from a representative sample of organizations that are involved in e-
commerce. By using a structured questionnaire, both qualitative and quantitative
information will be gathered.

We are proposing a three-step approach as follows:

Step 1: Identifying security threats and risks in the organization

The first step is the methodical assessment of security risks. Expenditure on controls
for achieving information security needs to be balanced against, and appropriate to, the
business value of the information and other assets at risk, and the business harm likely to
result from security failures. Risk assessment techniques can be applied to the whole
organization, to the third parties involved with the organization's information
systems, to specific system components, or to any other service where it is practicable.
The collected data will be put into the following matrix.
E.g.:
Risk                 Impact
Malicious software   High/Fatal

Step 2: Prepare specific organizational requirements and controls

In order to prepare Specific Organizational Requirements and Controls, we will take two
organizations, and then set up a case study for each independent variable in the model to
find out the existing security controls and the guidelines followed by both organizations.
These case studies will also help us to identify variation in these controls or
guidelines between the independent variables, and variation within the same independent
variable across the different organizations.

With the help of the information gathered through these case studies, we will be able to
prepare the organizational requirements and security controls. Organizational requirements
are a set of controls to ensure that the risks are reduced to an acceptable level. Selection of
controls should be based on the cost of implementing these controls in relation to the risks
being reduced and the potential cost of realisation of that risk. The matrix will be completed
with the following information.
E.g.:
Risk                            Policies and Controls
Failure to do access control    Systems should be monitored to ensure
                                conformity to access policy and
                                standards
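The two matrices above are filled in by hand in the paper. As an added example (not code from the paper or its authors), the following Python program keeps a small risk register, produces the Step 1 matrix ordered by impact, totals the exposure bearing on each of the model's four independent variables, and applies the Step 2 selection rule, keeping a control only when the loss it is expected to remove exceeds its implementation cost. The register entries, likelihoods, loss figures, control costs and the expected-loss metric (likelihood times cost of realisation) are constructed assumptions for the illustration; the access-control policy text is the paper's own matrix row.

```python
"""Risk register for the Step 1 and Step 2 matrices.

Added example, not code from the paper. The risk entries, likelihoods,
loss figures, control costs and the expected-loss metric used to compare
control cost against risk reduction are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal impact scale for the Step 1 matrix (the paper's example uses "High/Fatal").
IMPACT_SCALE = {"Low": 1, "Medium": 2, "High": 3, "Fatal": 4}

# The model's four independent variables (section 5).
VARIABLES = ("Organizational Environment", "Organizational Type",
             "Technology", "Law and Privacy")


@dataclass(frozen=True)
class Risk:
    name: str
    impact: str                  # label from IMPACT_SCALE
    likelihood: float            # assumed annual probability of realisation
    loss_if_realised: float      # assumed cost of realisation
    variables: Tuple[str, ...]   # independent variables the risk bears on


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str    # name of the Risk it addresses
    cost: float       # assumed implementation cost
    reduction: float  # fraction of the risk's expected loss removed (0..1)
    policy: str       # text for the "Policies and Controls" column


def expected_loss(risk: Risk) -> float:
    """Expected annual loss = likelihood x cost of realisation (assumed metric)."""
    return risk.likelihood * risk.loss_if_realised


def step1_matrix(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Step 1 matrix: (risk, impact) rows, most severe first."""
    ordered = sorted(risks, key=lambda r: (-IMPACT_SCALE[r.impact], -expected_loss(r)))
    return [(r.name, r.impact) for r in ordered]


def exposure_by_variable(risks: List[Risk]) -> Dict[str, float]:
    """Total expected loss bearing on each independent variable of the model."""
    totals = {v: 0.0 for v in VARIABLES}
    for r in risks:
        for v in r.variables:
            totals[v] += expected_loss(r)
    return totals


def select_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[Control, float]]:
    """Keep a control only when the expected loss it removes exceeds its cost.

    Returns (control, net benefit) pairs, largest net benefit first.
    """
    by_name = {r.name: r for r in risks}
    chosen = []
    for c in controls:
        benefit = expected_loss(by_name[c.mitigates]) * c.reduction
        if benefit > c.cost:
            chosen.append((c, benefit - c.cost))
    return sorted(chosen, key=lambda pair: pair[1], reverse=True)


def step2_matrix(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, str]]:
    """Step 2 matrix: (risk, policies and controls) for the controls that were kept."""
    return [(c.mitigates, c.policy) for c, _ in select_controls(risks, controls)]


# Constructed sample register for a hospital-like organization.
RISKS = [
    Risk("Malicious software", "High", 0.5, 40_000.0, ("Technology",)),
    Risk("Failure to do access control", "High", 0.25, 120_000.0,
         ("Technology", "Law and Privacy")),
    Risk("Natural disaster at site", "Fatal", 0.0625, 160_000.0,
         ("Organizational Environment",)),
    Risk("Breach of patient-record privacy law", "Fatal", 0.125, 160_000.0,
         ("Organizational Type", "Law and Privacy")),
]

CONTROLS = [
    Control("Anti-malware on all hosts", "Malicious software", 5_000.0, 0.75,
            "All hosts run maintained anti-malware software"),
    Control("Access-policy monitoring", "Failure to do access control", 12_000.0, 0.75,
            "Systems should be monitored to ensure conformity to access policy and standards"),
    Control("Off-site hot standby", "Natural disaster at site", 30_000.0, 1.0,
            "A second site can take over operations"),
    Control("Off-site backups", "Natural disaster at site", 4_000.0, 0.5,
            "Backups are stored off site and restore-tested"),
    Control("Privacy-law compliance review", "Breach of patient-record privacy law", 8_000.0, 0.5,
            "Record handling is reviewed against privacy legislation"),
]

if __name__ == "__main__":
    for name, impact in step1_matrix(RISKS):
        print(f"{name:40} {impact}")
    for v, e in exposure_by_variable(RISKS).items():
        print(f"{v:28} expected loss {e:,.0f}")
    for c, net in select_controls(RISKS, CONTROLS):
        print(f"keep {c.name:32} net benefit {net:,.0f}")
```

With the constructed figures, the hot-standby site is rejected because its cost exceeds the expected loss it would remove, while the cheaper off-site backups for the same risk are kept; the exposure totals show which of the four independent variables carry most of the organization's risk, which is the information the focus groups in Step 3 are meant to surface.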

Step 3: Quantitative and Qualitative approach

This research will utilize a number of methodologies. Initially it
will begin with qualitative methods, followed by a simulation.

First we will approach two organizations that have adopted popular security
measurements and guidelines. Once initial trust is established with these organizations,
we will arrange a set of interviews and focus groups with them.

Focus Group:
The primary aim of the focus group is to find out the threats and risks associated with each
organization, and what the impact of these threats and risks is on each independent variable.
Information gathered through these sessions will be arranged as a matrix. The target
audience of the focus group is everyone in the organization. Focus groups are divided
by departmental and hierarchical level.

Interview:
We will then arrange specific interviews with selected people to find out the basic security
measurements they have taken against those possible risks. We will also find out the
effectiveness and defects of those measurements or steps. Through these interviews we will be
able to understand the organization's basic security measurements. The next step is to study these
basic security measurements and find out their strengths and weaknesses. Once this information
is available, we will be able to recommend specific security measures.

The building of a virtual system (simulation) for demonstration will be outlined. We will
then proceed to set up an experiment that attempts to break into the system,
commencing without knowledge of the security strength of the simulated system. This
simulation will include known popular security mechanisms. Based on the outcome of
this process, the final security requirements will be suggested.

8.0 Benefits

The main benefit is to reduce the risks and vulnerabilities that affect the overall operation of
these computer systems. This research is not only about hardware and software; it also
covers other areas such as physical security, human security, and business and disaster
protection.
These benefits include:
· Minimize cost of security incidents;
· Save money and time to research and write policies;
· Eliminate the need for consultants;
· Prepare organizations for audits;
· Help to avoid legal problems;
· Assure consistent product selection and implementation;
· Give expert technical advice;
· Demonstrate quality control processes;

Conclusion

The recommendations made in this paper are based on a new approach in the field of
information security. This model will help electronic commerce to reach its full potential
while seeking to achieve a high level of security. Once a technology is introduced it is
expensive to modify, and it is even more expensive to rectify the damage resulting from
poor-quality security systems. This model has been proposed to overcome these
negative aspects.

References

1. British Standards Institution (1998), British Standard Code of Practice: Information
Security Management BS7799.

2. Greenstein, Marilyn and Feinman, Todd (1999), Electronic Commerce: Security, Risk
Management and Control, McGraw-Hill, USA.

3. NIST (1996), An Introduction to Computer Security: The NIST Handbook, Special
Publication 800-12.

4. Office for Government Online (1999), Project Gatekeeper: Security Working Group
Terms of Reference, AGPS Press, Canberra.

5. OECD (1998), Review of the 1992 Guidelines for the Security of Information
Systems, Paris.

6. Standards Australia (1999), Information Security Management - Part 1: General:
AS/NZS 4444, Draft Version.

7. Yin, R.K. (1994), Case Study Research – Design and Methods, 2nd Edition, Sage
Publications, Thousand Oaks.