Monday, 2 May 2011

The Tri-Dimensional Role of Information Security in E-Business: A Managerial Perspective

ABSTRACT
The effective management of information and its associated infrastructure is critical in electronic business. Failure to exercise due diligence in information assurance and security may lead to lost revenue or business opportunities, brand and reputation erosion, adverse media publicity, scrutiny from consumer advocates and even lawsuits.
Traditionally, information security was approached in terms of goals. Yet, the goals-oriented approach may be a flawed one. In this paper, we adopt a conceptual analytical approach and propose a tri-dimensional understanding of information security in electronic business. Our approach can help managers better understand and communicate the information security’s role in e-business and the inter-dependencies between business and legal requirements, for devising the goals, objectives and policies relevant to their organization.

INTRODUCTION

Rapid developments in information technology (IT) have affected all aspects of business (Shapiro, 2001). The growth in connectivity (Nugent and Raisinghani, 2002) has been remarkable and created for organizations possibilities to establish distinctive strategic positioning (Porter, 2001), to transact electronically and to gain entry to markets which were previously unattainable, to streamline operations and to reduce costs through electronic business (e-business) initiatives.
E-business refers to a business model that is heavily enabled by IT (Weill and Vitale, 2002). Information in electronic form is essential to these e-business initiatives, on both strategic and operational levels. Therefore, the effective management of information and its associated infrastructure is critical. One key subset of information management is information security.
As technology constantly evolves, and as the modern business world expands to take advantage of the new technology, organizations face new and more sophisticated information security challenges (Labuschagne and Eloff, 2000). The more complex the e-business system, the more security problems are raised. The difficulties involved in managing distributed systems on a global level and the modularity of such systems exacerbate the potential security weaknesses (Schneier, 2000).
Traditionally, security in computing was discussed in terms of goals: confidentiality, integrity and availability of information (Pipkin, 2000; Lichtenstein and Swatman, 1997; Pfleeger, 1997; Swanson and Guttman, 1996; Pernul, 1995; Neumann, 1995), and authentication and non-repudiation (Landwehr, 2001). Yet, the goals-oriented approach may be a flawed one (Bort, 2002). In this paper, we adopt a conceptual analytical research approach and discuss information security’s role in e-business on three high-level, organization-independent, interrelated dimensions:
  • Safeguarding organizations’ information;
  • Complying with e-business legal requirements; and
  • Enabling trusted and secure electronic transactions (e-transactions).

THE ROLE OF INFORMATION SECURITY IN E-BUSINESS

In this section, we outline factors that we consider to have increased the information security problem. Next, we discuss the three high-level, inter-related dimensions of information security in e-business.

Preliminary considerations

Information has high economic value and has become a means by which competitive advantage might be established. Many factors can be considered to have increased the information security problem in modern computing environments—from within and from outside an organization. These factors include:

  • Greater globalisation;
  • Increased difficulties involved in computer security (Landwehr, 2001; Loscocco et al., 1998);
  • Insufficient information security awareness and education (Siponen, 2000);
  • Users’ attitudes and behaviours with regard to policies or practices (AusCERT et al., 2002; Schneier, 2000);
  • Availability of hacker information; and
  • Unclear regulatory and law enforcement jurisdiction (Wardlaw, 1999).
Leveraging information can make the difference between organizations (Pipkin, 2000); therefore, information security must be a very important management issue (Panko, 2002; Dutta and McCrohan, 2002; Swanson and Guttman, 1996).

Safeguarding information
Numerous researchers have written on the need to protect the electronic assets of organizations (Landwehr, 2001; Pipkin, 2000; Parker, 1999; Straub and Welke, 1998; von Solms, 1998; Pernul, 1995; Neumann, 1995; Landwehr, 1993).
According to Ware (2001), most organizations’ critical business information is stored electronically. Information can be very sensitive (e.g. financial, payroll, marketing or customers’ personal information), therefore it is a natural target for compromise. As surveys show (e.g. AusCERT, 2002; Power, 2001), the hacker threat is very real, whatever the motivation of perpetrators (Pipkin, 2003; Schneier, 2000; Icove et al., 1995).
With an increased understanding of computer systems, perpetrators can determine vulnerabilities in computer systems and exploit them to obtain privileges that will allow them to do anything on the system (Kumar, 1995). Furthermore, the crime can be automated (Schneier, 2000; Parker, 1999; Icove et al., 1995), and repeated testing under various circumstances can turn it into the perfect crime.
Kumar (1995) argues that a good information security design starts with a threat model—what the system is designed to protect, from whom, and for how long. Threat modeling involves thinking about the system as a whole and imagining the vulnerability landscape (Schneier, 2000), and must take into account the information to be protected, the people who will use the system, and how they will use it.
Whether external or internal, threats are opportunities that have the potential to cause harm or loss to organizations (Landwehr, 2001; Pfleeger, 1997; Castano et al., 1995; Neumann, 1995), and come in different forms. Threats must be well understood before effective information security measures are devised (Sanderson and Forcht, 1996).
Castano et al. (1995) classify threats according to the way they can occur: non-fraudulent (accidental) and fraudulent (intentional). Buffam (2000) proposes a more elaborate classification of threats: fundamental threats, which represent what an attacker really wants to do (information disclosure, information tampering, denial of service, repudiation, and illegitimate use); enabling threats (e.g. masquerade, malware or authorization violation); and underlying threats (e.g. eavesdropping or administrative error).
In safeguarding organizations’ information, information security also safeguards organizations’ capacity for doing business, reputation and market valuation.

Complying with e-business legal requirements
Managing the risk of exposure for electronic information also has legal importance—organizations that fail to show due diligence in protecting their information assets face a real risk of legal problems (Vijayan, 2002; Gamertsfelder et al., 2002). Protecting personal information privacy is a legal requirement (Vasiu et al., 2002), and adherence to a strict information security policy reduces the chance of legal exposures and liabilities due to negligent protection of personal or other information, or due to damage caused to contractors, partners, customers or other entities.
A major e-business issue is the enforceability of e-transactions. According to Smedinghoff (2002), ensuring enforceability requires that the parties focus on the following questions:
  • Notice and consent: have the parties consented to conduct this transaction in electronic form and have the requisite notices been provided?
  • Signature: have the signature formalities required for the transaction (where applicable) been satisfied with a legally recognized form of electronic signature (e-signature)?
  • Record accessibility: are copies of the electronic records comprising the transaction available to all parties?
  • Record keeping: will the electronic records of this transaction satisfy applicable legal record-keeping requirements?
Signing a document is a fundamental legal act—almost every commercial document of any importance is signed (Reed, 2000). Through information security means, an electronic document can meet the business and legal requirements of authenticity, integrity, non-repudiation, signature, and confidentiality, imposed by a variety of statutes and regulations.
According to Smedinghoff (1996), for paper documents, security is achieved using letterheads, handwritten signatures, special inks, sealed envelopes, and couriers. For electronic documents, security can be achieved through the use of e-signatures, encryption, acknowledgment procedures and various access controls.
E-signatures can provide evidence of the identity of the signatory (UNCITRAL, 2001), their intention to sign, and their intention to adopt the contents of the document as their own (Reed, 2000). Moreover, since an e-signature is unique to its message, the integrity of the message can also be assured (Smedinghoff and Bro, 1999)—a prerequisite for its admissibility in court proceedings (Tenhunen, 1997). Although not free from problems (Jøsang et al., 2002; McCullagh et al., 2001; Gelbord, 2000), e-signatures are arguably the only technology currently available that satisfies the requirements of the e-transactions legislation (Gamertsfelder et al., 2002).
Where there is a requirement to keep a written record of information, it can be met electronically if the method of retention is reliable (Allen, 2002). Failure to implement and maintain proper record retention can harm organizations, result in fines (Computer Fraud & Security, 2002), or leave organizations unable to successfully prosecute or defend a legal claim. Even organizations that are not party to litigation can be compelled, by subpoena, to produce records to the courts, and failure to comply can render organizations liable for contempt of court (Allen, 2002).
Another important aspect of e-transactions is time (Hosmer, 2002). Secure and auditable time stamping of digital evidence eliminates the possibilities for fraud and unintended errors, and can provide evidence of priority for financial records and other business documents.

Enabling trusted and secure electronic transactions
In addition to assuring protection against threats and compliance with certain legal requirements, information security has evolved into a powerful tool for developing business solutions. Effective information security promotes business objectives and expands business opportunities, therefore information security can be viewed as a business enabler.
Information security can deliver a competitive edge by generating new markets and revenue streams and leveraging new distribution channels. The wider information is distributed—to suppliers and other trading partners—the more important the role information security plays.
Regarding the e-transactions, the Commission of the European Communities (1997:19) considers that

The first objective is to build trust and confidence… both consumers and businesses must be confident that their transaction will not be intercepted or modified, that the seller and the buyer are who they say they are, and that transaction mechanisms are available, legal, and secure… trust and confidence is the prerequisite to win over businesses and consumers.

Information security in e-business means first assuring that the system will be available for use and will deliver uncorrupted information (Landwehr, 2001)—this is critical to organizations’ ability to earn revenue (AusCERT, 2002). Trade practices statutes contain various non-excludable warranties, which potentially apply to e-transactions and may have implications for the availability of servers, security of transactions and the allocation of responsibility for loss from unsuccessful or incomplete transactions (Gamertsfelder et al., 2002). Further, if a security breach renders the commercial situation radically different (e.g. latency in transmissions or significant server downtimes), and the parties are incapable of discharging their contractual performance obligations with the applicable standard of duty, this may lead to the dissolution of the contract by frustration (Gamertsfelder et al., 2002).
Second, e-business might require authentication and authorization (Lampson et al., 1992), key aspects inherently linked to confidentiality and non-repudiation. Third, communications security is required: integrity and confidentiality of packet payload data while in transit over networks.

CONCLUSIONS AND FUTURE RESEARCH
To achieve the benefits offered by e-business, organizations must find ways to effectively address the associated information security implications (GAO, 1998). Traditionally, security in computing was approached in terms of goals. In this paper, we have adopted a conceptual analytical approach and discussed information security’s role in e-business on three high-level, organization-independent, inter-related dimensions:
  • Safeguarding organizations’ information;
  • Complying with e-business legal requirements; and
  • Enabling trusted and secure e-transactions.
The nature and degree of threats faced by organizations vary, therefore a risk assessment of the likelihood that security will be compromised is needed (Dutta and McCrohan, 2002). An acceptable level of information security can be introduced and maintained only if the set of security controls, procedural and technical, is correctly identified, implemented and maintained (von Solms, 1998). These activities must be seen as a never-ending process.
Information security must be approached as an integrated whole, and not viewed narrowly and incompletely, in terms of isolated component parts. A systemic (Schneier, 2000) or comprehensive and integrated approach (Swanson and Guttman, 1996), that takes into account the three dimensions of information security identified and discussed in this paper is needed for successful e-business initiatives.
Further, organizations should aim to gain an understanding of the specific characteristics of the emerging environment that may generate new threats. The consequences of failure to do so may severely impair their ability to carry out their business and may even lead to legal exposures and liabilities.
A sound information security strategy and implementation can also be an important differentiator in the marketplace leading to organizations gaining a competitive advantage and other business opportunities.
Future research suggestions include:
  • An analysis of the spillover effect of information security breaches in a supply chain environment; and
  • An analysis of information security’s role in leveraging new distribution channels.
