International Journal of Information Technology and Business Management 29th May 2013. Vol.13 No.1 © 2012 JITBM & ARF. All rights reserved ISSN 2304-0777 www.jitbm.com ROLE OF INFORMATION SECURITY IN E-BUSINESS OPERATIONS Arif Sari Dept. of Management Information Systems European University of Lefke Lefke, North Cyprus arifsarii@gmail.com Onder Onursal Dept. of Computer Information Systems European University of Lefke Lefke, Cyprus onursal@lefke.edu.tr ABSTRACT In today’s globalized world, information is one of the most important assets of the companies. Information has become very important both as input and output. Hence, it provides valuable input into managing IT systems and their development, enabling risk identification, planning and mitigation. By this way, companies gain competitive advantage in worldwide arena. Information security becomes very critical issue for those companies, who want to conduct e-business operations since the Internet is not a completely secure intermediate. The leakage of information during transactions causes trust issues between consumer and business. For that reason, companies have to design and handle secure transaction methods. A framework for e-business operations security is presented and compared in terms of speed and reliability. The aim of this paper is to identify e-business security management issues and provide insight for new methods to provide information security. Index Terms—Information Security, encryption mechanisms, e-business operations, defense systems. sniffing, tapping, theft and fraud. The information or data transferred through the Internet communication channels are not completely secure and it may captured by an external intervention. This problem mainly arises from a lack of secure Internet communication infrastructure. The information captured or sniffed from the communication line is often misused. In order to prevent this problem, this paper compares the existing information security algorithms to provide insight about capabilities and efficiency of current security mechanism and presents a new model to provide secure transactions over the Internet communication protocols. I. INTRODUCTION Electronic Business (e-business) is a fact of today’s and future’s business life and it’s an important and ever growing aspect. As Companies seek for more profit and discover the power of information technology (IT) applications, implementation of new methods and techniques through IT becomes inevitable to achieve company objectives and goals. E-business systems cover electronic commerce (e-commerce), which covers the flow of information and transactions among third parties, governments and business companies. All these transactions and flow of information (credit card numbers, order details, contact details, personal information, and governmental information) passes through the Internet. However, since it’s beginnings in the 1970’s, the Internet has exhibited multifarious vulnerabilities in its underlying communications network and nodes, protocols and host systems for secure data transactions. Lack of security on the Internet entails external interventions which cause leakage of information through hacking, jamming, cyber vandalism, II. LITERATURE SURVEY Large scale of research efforts spent by researchers for securing the information in e-business operations. The authors [1] presented an information security mechanism based on symmetric cryptographic primitives which perform substantially better than previous constructions. This secure protocol construction method rose from modification of Diffie Helman protocol which introduced the concept of the digital 90 International Journal of Information Technology and Business Management 29th May 2013. Vol.13 No.1 © 2012 JITBM & ARF. All rights reserved ISSN 2304-0777 www.jitbm.com participants in this research is 60. Participants’ name, surname, email, title and company information is kept confidential and not reported in the research results. The results didn’t classify on company basis in order not to violate confidentiality. According to the outcomes of the conducted survey the following information are gathered; signature which allows anyone to recognize the digital signature but only legitimate signer to produce [2]. The authors [3] described a protocol proposed for protecting British government e-mail by GCHQ. This system is based on the NSA’s Message Security Protocol with a key escrow scheme inspired by Diffie Helman with some modifications and extensions. However, this security communication method does no more than Kerberos protocol does but at a much higher cost which is also over centralized and have poor scalability option. In addition to this, signing keys are distributed under escrowed confidentiality keys so there is no non-repudiation facility and security labels are sent in clear form and create network traffic analysis vulnerability such as sniffing. Another technique proposed by author [4] that uses decision tree techniques to help users avoid choosing weak passwords. ProCheck is one of the techniques which use decision tree methods to achieve high dictionary compression as well as fast checking speed [5-6]. This proactive password checking systems use decision trees as password classifiers and achieve high dictionary compression (up to 1000:1) as well as a fast checking speed. Another study conducted by the author [7] who describes an EC project to pilot authentication and security services; PEM, X.400 and X.500 were implemented separately by UK, French and German researchers, and this helped to find and fix ambiguities in the standards documents. The project has concluded that the PEM certification hierarchy is unworkable, as it assumes that a single organization can be trusted to control the entire world’s key distribution system. Another design presented by authors [8] and discussed how key certification services can be made robust against undetected failure. They present a design in which separation of duty ensures that at least two entities out of the three (user, certification authority and a separate revocation authority) have to collaborate to enforce a change in a certificate or in the evidence. 78% of respondents do not trust current e-business security solutions, 93% of respondents think that, transmitted information over e-business are always precious 98% of respondents think that e-business operations will create positive effect on average revenue per user 65% of respondents believe that, all business operations will be done on the Internet in 5 or more years 68% of respondents expect e-business revenue will dominate non internet based services revenue in next 5 years 94% of respondents thinks that more Certification Authority companies like VeriSign, VISA are required 83% of respondents believe that e-business security concepts becomes more popular because new generation of business 23% of respondents believe that open source security systems threaten e-business operations 82% of respondents think that implementing new security technologies will make e-business operations more secure 73% of respondents think that, current e-Business security technologies cannot provide traceback or attack mitigation facilities 45% of respondents think that current encryption/decryption methods are enough for secure ebusiness operations 78% of respondents think that most powerful encryption algorithms are Blowfish and DES 81% of respondents think that SSL and The Microsoft Internet Security Framework (ISF) are widely used and most popular security protocols. III. RESEARCH METHODOLOGY The research conducted for the present study is a qualitative descriptive research in its nature. In this respect, it aimed at using systematic procedures in the way to describe a certain situation and discover non-quantifiable relationships prevailing in such a situation. The questionnaire is prepared to research the role of Information security in e-business operations. The information gathered from this survey would highlight the insights of people about current e-Business security mechanisms. The questionnaire designed mostly for IT stuff and e-business users as they are at the core determinant position and maintain the secure transactions. Duration of distribution and completion of the questionnaire is 4 weeks. Questionnaire contains 18 questions totally and number of IV. STRUCTURE OF PROPOSED SOLUTION FOR INFORMATION SECURITY It is clear that there is no defense better than a comprehensive security strategy that embraces user education, crisis-response teams, and technologically sound security measures including those that relate specifically to the threats posed by viruses and worms [9]. The author [9] has presented a strategy for the impacts of the Security threats on e-Business. The entire system follows sequence of pre-defined processes. An “Evaluation of Risks” and “Deciding Security Vulnerabilities” step becomes useless once the survey results are taken into account. It is a known fact that, e-Business 91 International Journal of Information Technology and Business Management 29th May 2013. Vol.13 No.1 © 2012 JITBM & ARF. All rights reserved ISSN 2304-0777 www.jitbm.com transactions contains flow of information which majority of this information is private. For that reason, companies that intend to do e-Business must provide security at any reasonable cost without considering importance of transmitted data. Our survey results indicate that, 93% of information transmitted during e-Business is precious. On the other hand, company’s security system should be able to cope with majority of eBusiness related attacks. In order to provide performance and reliability, the entire e-Business system must have attack detection, trace back and attack mitigation mechanism. 73% of respondents think that, security mechanisms provided by eBusiness companies does not have such facilities. D. Evaluate and Compare New Technologies In this step, company shoud conduct a wide range of survey to gather information about new security mechanisms, and compare them to define strengths and weaknesses of them. E. Attack Detection System The comparison should be done according to some criteria among different security methods. How the attack will be detected is one of the major problems. The methods with fastest detection time should be preferred. F. Traceback Mechanism The traceback is another comparative measure among security mechanisms. The system should have a mechanism to provide traceback and detect the source of attack and block the related node. Defence System for eBusiness Security Identify Security Plan Analyze the current system Design New Security System Evaluate and Compare New Technologies G. Attack Mitigation Mechanism After the attack, the information may be corrupted or deleted, or the status of the entire system might be changed. The security mechanism has be ready to cope with all these changes and minimize the effects of the attack. Attack Detection System Traceback Mechanism Attack Mitigation Mechanism Partial Implementation Prototype Evaluate and compare the performance Conversion H. Partial Implementation – Prototyping The new security systems should be implemented partially on a few branches or few departments of the company. This allows system designers to check out the reliability and sustainability of the new design with lower costs and understand the effectiveness and efficiency of the new system in a shorter time period. Educate Employee Monitoring Fig.1 Defense System for e-Business Security Model I. Evaluate and compare the performance The cost and performance of the new system analyzed at the prototype stage and this prevents a large-scale of investment to be wasted. Each of the steps shown in Fig.1 is described as follows; A.Identify Security Plan Identify the security plan before starting. J. Conversion Conversion occurs according to the outcomes of the implementation (whether it is effective and efficient to implement such a mechanism or not), entire system changes and converting from the previous old state to new state. B. Analyze the current system Analyze the current system status and define points that require developments and which may cause information leakage and cannot satisfy the goals-objectives of the eBusiness company. K Educate Employee Educate employees continuously to increase know-how about security issues and receive feedback. C. Design New Security System Design the new system in order to satisfy the needs which defined at the system analysis stage. The new system will have new security mechanisms, defense features and developments. L. Monitoring 92 International Journal of Information Technology and Business Management 29th May 2013. Vol.13 No.1 © 2012 JITBM & ARF. All rights reserved ISSN 2304-0777 www.jitbm.com [6] F Bergadano et al. “High dictionary compression for proactive password checking”, ACM trans. on info and system security Vol.1, No.1, Nov. 1998. [7] [M. Roe, The European PASSWORD Project: A Status Report, ISOC 94 p47. [8] [8] B Crispo, M Lomas, “A Certification Scheme for Electronic Commerce”, Security Protocols International Workshop 1996, pp. 19-32 [9] Tyagi, N.K, Srinivasan, S. “Ten-Stage Security Management Model for the Impacts of Security Threats on E-business”, International Journal of Computer Applications, Vol. 21, No.5. May 2011. It is the step for maintaining the systems against possible system drawbacks. The proposed system can be applicable practically and not just theoretically if proposed mechanisms and systems implemented step by step. CONCLUSION Each and every company approaches to security issues in a different manner. Everyone has different opinions about security and what levels of risk are acceptable. The key for organizations to build secure communication channel is to define what security means according to their goals and objectives. Once this has been defined, everything goes on with the network can be evaluated with respect to that policy. It is very important to design such a flexible system which will not have complex policies and strict rules that makes people to feel security pressure around them. The entire system security can be developed only be user participation. For that reason, our proposed model contains employee education. In a globalized world, new encryption models will be developed day by day in order to create more secure environments for trustable ebusiness transactions. New encryption models provide different and faster security mechanisms. However, survey results show us that, people do not relay all transactions to be done over eBusiness because of lack of traceback and mitigation mechanisms. People will rely on e-Business once the Internet becomes more secure. Majority of respondents do not trust to e-Business operations because of current security solutions while similar majority believes the necessity of traceback and mitigation mechanisms. REFERENCES [1] RJ Anderson, F Bergadano, B Crispo, J-H Lee, C Manifavas, RM Needham, A new Family of Authentication Protocols, Operating Systems Review, 32(4) pp 9-20, October 1998. [2] “New Directions in Cryptography”, W. Diffie, M.E, Hellman, in IEEE Transactions on Information Theory v IT-22 no 6 (November 1976) pp 644–654 [3] RJ Anderson, M Roe, The GCHQ Protocol and Its Problems, Eurocrypt 97 pp 134-148. [4] F Bergadano, B Crispo, G Ruffo, Proactive Password Checking with Decision Trees, CCS 97 pp 67-77. [5] SM Bellovin and M Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks”, in IEEE Symposium on Research in Security and Privacy 1992, May 1992. pp.72-84. 93