A Security, Trust and Assurance Research Framework for Electronic Commerce

Narciso Cerpa and Rodger Jamieson
University of New South Wales, Sydney, Australia, NSW 2052

Abstract: This paper addresses important issues of electronic commerce (e-commerce) such as security, trust between the trading partners, and assurance. While e-commerce is expected to become the dominant means by which business will conduct transactions, it is also predicted that Internet-based fraud may become the largest type of white-collar crime. Current Internet crime has either customers or businesses as main actors, in the guise of perpetrators, impersonators, or just non-genuine businesses. Therefore, it is essential to improve e-commerce security, build trust between the participants, and provide assurance. This paper provides a research framework for investigating these issues within e-commerce and suggests research methods and directions that may be valuable to the research community.

Key words: Electronic Commerce, Security, Trust, Assurance, Research Framework

1. INTRODUCTION

The advent of electronic commerce (e-commerce) has marked a significant change in the way businesses now approach the implementation of their sales and marketing strategies, and hence e-commerce is here to stay (Kalakota and Whinston, 1996). The population of online businesses had expanded by thirty percent to 550,000 online operations by mid-2000. As barriers to Web entry disintegrate and the means of Web access rise, the Web becomes increasingly accessible to the mainstream of the world's population. The online commerce activity for the year 2000 was estimated to increase to $132 billion worldwide, more than double the year before (ActivMedia Research).

One of the many reasons for industry adopting e-commerce is its ability to greatly lower entry barriers, which was one of the main problems for new companies in traditional, well defined, and established markets (Dertouzos, 2000).

2. WEAKNESSES OF E-COMMERCE

Despite the obvious benefits presented by e-commerce to the world community, its weaknesses cannot be ignored. E-commerce, being a relatively new area in computing technology, is vulnerable to the strain of the day-to-day running of business transactions, usually involving large volumes of data. This makes e-commerce particularly prone to security attacks costing companies millions of dollars in lost revenue. Researchers have already highlighted incidents of Internet fraud and abuse and note the numerous risks in the e-commerce environment, such as the vulnerability to transaction fraud because of the inability to verify the author (Baker, 1999; Plavsic et al., 1999). The possibility of fraud is seen as the major reason why businesses spent an estimated $6.4 billion on computer security in 1999 (Mertl, 2000).

Another weakness is a lack of consumer and business confidence or mutual trust. Customers are also worried about credit card misuse, the privacy of their personal information and slow network performance (CommerceNet report). As for business-to-business systems, the issues are less emotional but still serious. There are not yet fully proven architecture models for setting up business-to-business systems and integrating them with the rest of their business applications. Many companies continue to be afraid of the idea of sharing proprietary business information with customers and suppliers, an important component of many business-to-business e-commerce systems.

The advantages presented by e-commerce, coupled with the fear expressed by consumers and businesses, require a well-founded e-commerce framework to overcome the security and confidence problems and to enhance the current benefits presented by e-commerce. To achieve such a framework, it is essential to draw knowledge and experience from a variety of disciplines such as Information Systems, Computer Science, Commerce, Auditing and Assurance, Law, Cognitive Science, and Criminal Justice, to name a few. For example, an implementation of e-commerce requires technical disciplines (e.g. Computer Science) to address those issues concerning the efficient set-up and use of the digital environment. Designing and implementing the e-business (electronic business) may rely on the Commerce, Information Systems, Computer Science, and Cognitive Science disciplines. The operation and protection of e-business may need knowledge from Auditing and Assurance, Law, Criminal Justice, etc. These disciplines or areas of research and/or practice provide different support to, or perspectives on, e-commerce, although in some cases they may also overlap. Nevertheless, many other disciplines may also contribute to the success of e-commerce to some degree; therefore, it is essential to be aware of and take into account their views when required.

3. A FRAMEWORK FOR IMPROVING SECURITY, TRUST AND ASSURANCE IN E-COMMERCE

Figure 1. Model of e-Commerce Security, Trust and Assurance [figure not reproduced; its labels are: Business X, Business Y and Customer linked by a Transaction through the e-Commerce System; surrounding entities Legal & Regulatory Framework, Banks and Credit Card Organizations, Accounting and Auditing Bodies, Police and Enforcement Agencies, Accounting Firms, E-Commerce Security Consultants, E-Commerce Developers, Assurance Services (AICPA, CICA, ICAA); actions Prevention, Detection, Investigation, Correction; activities Designing, Developing, Operating, Managing, Monitoring, Building Trust]

Our model includes those entities (e.g. Banks, Credit Card Organizations, Regulatory Bodies, Police and Enforcement Agencies, Accounting and Auditing Bodies, Assurance Services, E-Commerce Consulting, and/or Software Development Organizations) that may contribute knowledge and information for reducing fraud in e-commerce. The knowledge and information provided by these organizations will allow us to determine procedures for designing, developing, operating, managing, and monitoring secure e-commerce applications, as well as building trust between the parties involved in e-commerce systems. There are four main actions to be taken that are part of our model, and which play an important role in improving security and also confidence between the partners involved in e-commerce. These actions are prevention, detection, investigation and correction. The successful implementation of these actions will be essential for providing secure e-commerce systems. The following sub-sections explain our view and current research in these topics.

3.1 Prevention

Prevention requires a good understanding of the business risks and threats, with the aim of defining an appropriate model with the security, control and audit mechanisms required by e-commerce systems. E-commerce presents management challenges such as establishing: good management practices in geographically dispersed environments while still being able to control organisational operations; security policies and procedures reflecting the new business processes; correct structures of responsibilities; and appropriate information technology recovery (Dhillon, 2001). Planning security requires assessing and understanding organisational risks, vulnerabilities and exposure to threats (Woodward, 2000). Establishing ethical policies that support trusted transactions should form a vital part of the security/trust equation (Storey et al., 2001).

We have addressed prevention by taking a combined approach (i.e. theoretical and practical) with the aim of validating our model. We investigated a set of business risks and threats as defined by the current literature and also based on previous research about Security and Audit of Electronic Data Interchange (Jamieson, 1994). These risks were classified as:
– Business Risks (e.g. privacy, fraud, denial of service, authentication, etc.)
– Internet Risks (e.g. monitoring/interception, modification/destruction, etc.) or
– Customer related risks (e.g. identity, verification, virtual con, duress, etc.)

These risks and threats were subsequently validated in focused interviews with expert developers, security consultants and both internal and external auditors (Jamieson, 1999). The results of these interviews helped to build a framework for managing e-commerce security and control, and facilitated the identification of future e-commerce audit techniques. This framework consists of the following types of e-commerce management control mechanisms:
– Strategic controls (e.g. audit participation in e-commerce steering/project committees, security and fraud control policy, etc.)
– Development controls (e.g. selection of a secure and reliable e-commerce platform and infrastructure, effective change control for e-commerce systems, etc.)
– Operational controls (e.g. regular security reviews, e-commerce disaster recovery planning, access control policy for customers, etc.)

This framework also provides guidelines for operational, Internet and customer controls as follows:
– E-commerce Operational controls (e.g. customer validation, acknowledgment of transactions, e-commerce audit trails and logs, de-militarised zone, etc.)
– E-commerce Internet controls (e.g. secure payment gateway, firewalls, encryption, etc.)
– E-commerce Customer controls (e.g. digital certificates/signatures, two-phase authentication, etc.)

This framework is currently being validated by the use of a Web-based survey addressed to people involved in the e-commerce field.

Although the detection mechanisms above will undoubtedly improve trust between the e-commerce participants, consumers may still sometimes lack confidence in e-commerce since they may not be sure whether there is a genuine business behind the Web site they are interacting with (Yankelovich Partners study). In such cases, e-commerce assurance services will play an important role in verifying the credentials of e-commerce businesses and certifying them, with the aim of giving confidence to the online user when carrying out e-business. While certification seems to be the common approach for assurance, some assurance services encourage customer faith in the online business by simply insuring the transactions and covering the customer for any losses due to fraud or delivery problems (Rao et al., 2001).

We are currently comparing assurance service providers in Australia, and we intend to provide a framework for comparison of these services. Further research in this topic will require surveying customers trading with organisations bearing the Electronic Commerce Assurance Service (ECAS) seals (i.e. certified organisations) to obtain their perception of the role of the ECAS organisations. We will also be interested in customers' satisfaction with the service provided by certified e-commerce organisations, with the
