International Journal of Information Technology and Business Management
29th May 2013. Vol.13 No.1
© 2012 JITBM & ARF. All rights reserved
ISSN 2304-0777
www.jitbm.com
ROLE OF INFORMATION SECURITY IN E-BUSINESS OPERATIONS
Arif Sari
Dept. of Management Information Systems
European University of Lefke
Lefke, North Cyprus
arifsarii@gmail.com
Onder Onursal
Dept. of Computer Information Systems
European University of Lefke
Lefke, Cyprus
onursal@lefke.edu.tr
ABSTRACT
In today’s globalized world, information is one of the most important assets of companies. Information has become very
important both as input and output. Hence, it provides valuable input into managing IT systems and their development, enabling
risk identification, planning and mitigation. In this way, companies gain competitive advantage in the worldwide arena. Information
security becomes a very critical issue for companies that want to conduct e-business operations, since the Internet is not a
completely secure medium. The leakage of information during transactions causes trust issues between consumer and
business. For that reason, companies have to design and handle secure transaction methods. A framework for e-business
operations security is presented and compared in terms of speed and reliability. The aim of this paper is to identify e-business
security management issues and provide insight into new methods of providing information security.
Index Terms—Information Security, encryption mechanisms, e-business operations, defense systems.
I. INTRODUCTION
Electronic Business (e-business) is a fact of today’s and future business life, and it is an important and ever-growing aspect of it. As companies seek more profit and discover the power of information technology (IT) applications, implementation of new methods and techniques through IT becomes inevitable to achieve company objectives and goals. E-business systems cover electronic commerce (e-commerce), which covers the flow of information and transactions among third parties, governments and business companies. All these transactions and flows of information (credit card numbers, order details, contact details, personal information, and governmental information) pass through the Internet. However, since its beginnings in the 1970s, the Internet has exhibited multifarious vulnerabilities in its underlying communications network and nodes, protocols and host systems for secure data transactions. Lack of security on the Internet entails external interventions which cause leakage of information through hacking, jamming, cyber vandalism, sniffing, tapping, theft and fraud. The information or data transferred through Internet communication channels is not completely secure and may be captured by an external intervention. This problem mainly arises from a lack of secure Internet communication infrastructure. The information captured or sniffed from the communication line is often misused. In order to prevent this problem, this paper compares the existing information security algorithms to provide insight into the capabilities and efficiency of current security mechanisms and presents a new model to provide secure transactions over the Internet communication protocols.
II. LITERATURE SURVEY
A large amount of research effort has been spent by researchers on securing information in e-business operations. The authors [1] presented an information security mechanism based on symmetric cryptographic primitives which performs substantially better than previous constructions. This secure protocol construction method arose from a modification of the Diffie-Hellman protocol, which introduced the concept of the digital signature, which allows anyone to recognize the digital signature but only the legitimate signer to produce it [2].
The authors [3] described a protocol proposed by GCHQ for protecting British government e-mail. This system is based on the NSA’s Message Security Protocol with a key escrow scheme inspired by Diffie-Hellman with some modifications and extensions. However, this secure communication method does no more than the Kerberos protocol does, but at a much higher cost; it is also over-centralized and scales poorly. In addition, signing keys are distributed under escrowed confidentiality keys, so there is no non-repudiation facility, and security labels are sent in clear form, which creates a vulnerability to network traffic analysis such as sniffing. Another technique, proposed by the author [4], uses decision tree techniques to help users avoid choosing weak passwords. ProCheck is one of the techniques which use decision tree methods to achieve high dictionary compression as well as fast checking speed [5-6]. These proactive password checking systems use decision trees as password classifiers and achieve high dictionary compression (up to 1000:1) as well as a fast checking speed. Another study was conducted by the author [7], who describes an EC project to pilot authentication and security services; PEM, X.400 and X.500 were implemented separately by UK, French and German researchers, and this helped to find and fix ambiguities in the standards documents. The project concluded that the PEM certification hierarchy is unworkable, as it assumes that a single organization can be trusted to control the entire world’s key distribution system. Another design was presented by the authors [8], who discussed how key certification services can be made robust against undetected failure. They present a design in which separation of duty ensures that at least two entities out of the three (user, certification authority and a separate revocation authority) have to collaborate to enforce a change in a certificate or in the evidence.
III. RESEARCH METHODOLOGY
The research conducted for the present study is qualitative descriptive research in nature. In this respect, it aimed at using systematic procedures to describe a certain situation and discover non-quantifiable relationships prevailing in such a situation. The questionnaire was prepared to research the role of information security in e-business operations. The information gathered from this survey highlights the insights of people about current e-Business security mechanisms. The questionnaire was designed mostly for IT staff and e-business users, as they are in the core determinant position and maintain the secure transactions. The duration of distribution and completion of the questionnaire was 4 weeks. The questionnaire contains 18 questions in total, and the number of participants in this research is 60. Participants’ name, surname, email, title and company information is kept confidential and not reported in the research results. The results were not classified on a company basis in order not to violate confidentiality.
According to the outcomes of the conducted survey, the following information was gathered:
78% of respondents do not trust current e-business security solutions
93% of respondents think that information transmitted over e-business is always precious
98% of respondents think that e-business operations will have a positive effect on average revenue per user
65% of respondents believe that all business operations will be done on the Internet in 5 or more years
68% of respondents expect e-business revenue to dominate non-Internet-based services revenue in the next 5 years
94% of respondents think that more Certification Authority companies like VeriSign, VISA are required
83% of respondents believe that e-business security concepts become more popular because new generation of business
23% of respondents believe that open source security systems threaten e-business operations
82% of respondents think that implementing new security technologies will make e-business operations more secure
73% of respondents think that current e-Business security technologies cannot provide traceback or attack mitigation facilities
45% of respondents think that current encryption/decryption methods are enough for secure e-business operations
78% of respondents think that the most powerful encryption algorithms are Blowfish and DES
81% of respondents think that SSL and the Microsoft Internet Security Framework (ISF) are widely used and the most popular security protocols
IV. STRUCTURE OF PROPOSED SOLUTION FOR INFORMATION SECURITY
It is clear that there is no defense better than a comprehensive security strategy that embraces user education, crisis-response teams, and technologically sound security measures including those that relate specifically to the threats posed by viruses and worms [9]. The author [9] has presented a strategy for the impacts of security threats on e-Business. The entire system follows a sequence of pre-defined processes. The “Evaluation of Risks” and “Deciding Security Vulnerabilities” steps become useless once the survey results are taken into account. It is a known fact that e-Business transactions contain a flow of information, the majority of which is private. For that reason, companies that intend to do e-Business must provide security at any reasonable cost without considering the importance of the transmitted data. Our survey results indicate that 93% of information transmitted during e-Business is precious. On the other hand, a company’s security system should be able to cope with the majority of e-Business related attacks. In order to provide performance and reliability, the entire e-Business system must have attack detection, traceback and attack mitigation mechanisms. 73% of respondents think that the security mechanisms provided by e-Business companies do not have such facilities.
[Figure: flowchart “Defence System for eBusiness Security” linking the twelve steps from Identify Security Plan to Monitoring]
Fig.1 Defense System for e-Business Security Model
Each of the steps shown in Fig.1 is described as follows:
A. Identify Security Plan
Identify the security plan before starting.
B. Analyze the current system
Analyze the current system status and define the points that require development, which may cause information leakage and cannot satisfy the goals and objectives of the e-Business company.
C. Design New Security System
Design the new system in order to satisfy the needs which were defined at the system analysis stage. The new system will have new security mechanisms, defense features and developments.
D. Evaluate and Compare New Technologies
In this step, the company should conduct a wide-ranging survey to gather information about new security mechanisms, and compare them to define their strengths and weaknesses.
E. Attack Detection System
The comparison should be done according to some criteria among different security methods. How the attack will be detected is one of the major problems. The methods with the fastest detection time should be preferred.
F. Traceback Mechanism
Traceback is another comparative measure among security mechanisms. The system should have a mechanism to provide traceback, detect the source of the attack and block the related node.
G. Attack Mitigation Mechanism
After the attack, the information may be corrupted or deleted, or the status of the entire system might be changed. The security mechanism has to be ready to cope with all these changes and minimize the effects of the attack.
H. Partial Implementation – Prototyping
The new security systems should be implemented partially on a few branches or a few departments of the company. This allows system designers to check the reliability and sustainability of the new design at lower cost and understand the effectiveness and efficiency of the new system in a shorter time period.
I. Evaluate and compare the performance
The cost and performance of the new system are analyzed at the prototype stage, and this prevents a large-scale investment from being wasted.
J. Conversion
Conversion occurs according to the outcomes of the implementation (whether it is effective and efficient to implement such a mechanism or not): the entire system changes, converting from the previous old state to the new state.
K. Educate Employee
Educate employees continuously to increase know-how about security issues and receive feedback.
L. Monitoring
It is the step for maintaining the systems against possible system drawbacks. The proposed system can be applied practically and not just theoretically if the proposed mechanisms and systems are implemented step by step.
CONCLUSION
Each and every company approaches security issues in a different manner. Everyone has different opinions about security and what levels of risk are acceptable. The key for organizations to build a secure communication channel is to define what security means according to their goals and objectives. Once this has been defined, everything that goes on with the network can be evaluated with respect to that policy. It is very important to design a flexible system which will not have complex policies and strict rules that make people feel security pressure around them. The entire system security can be developed only by user participation. For that reason, our proposed model contains employee education. In a globalized world, new encryption models will be developed day by day in order to create more secure environments for trustworthy e-business transactions. New encryption models provide different and faster security mechanisms. However, survey results show us that people do not rely on all transactions being done over e-Business because of the lack of traceback and mitigation mechanisms. People will rely on e-Business once the Internet becomes more secure. The majority of respondents do not trust e-Business operations because of current security solutions, while a similar majority believes in the necessity of traceback and mitigation mechanisms.
REFERENCES
[1] RJ Anderson, F Bergadano, B Crispo, J-H Lee, C Manifavas, RM Needham, “A new Family of Authentication Protocols”, Operating Systems Review, 32(4), pp 9-20, October 1998.
[2] W. Diffie, M.E. Hellman, “New Directions in Cryptography”, IEEE Transactions on Information Theory, v IT-22 no 6 (November 1976), pp 644–654.
[3] RJ Anderson, M Roe, “The GCHQ Protocol and Its Problems”, Eurocrypt 97, pp 134-148.
[4] F Bergadano, B Crispo, G Ruffo, “Proactive Password Checking with Decision Trees”, CCS 97, pp 67-77.
[5] SM Bellovin and M Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks”, IEEE Symposium on Research in Security and Privacy 1992, May 1992, pp 72-84.
[6] F Bergadano et al., “High dictionary compression for proactive password checking”, ACM Trans. on Info and System Security, Vol.1, No.1, Nov. 1998.
[7] M. Roe, “The European PASSWORD Project: A Status Report”, ISOC 94, p 47.
[8] B Crispo, M Lomas, “A Certification Scheme for Electronic Commerce”, Security Protocols International Workshop 1996, pp 19-32.
[9] Tyagi, N.K, Srinivasan, S., “Ten-Stage Security Management Model for the Impacts of Security Threats on E-business”, International Journal of Computer Applications, Vol. 21, No.5, May 2011.