Paul Chen

Internet security issues
1. Introduction
Over the years the Internet has established itself as the most widely accepted form of communication. On the other hand, it has also proved itself to be an extremely insecure network. One issue is whether the insecure nature of the Internet creates a lack of trust or reluctance on the part of individuals and businesses to use electronic signatures (Aashish Srivastava, 2005).
Apart from increased connectivity and a wide range of new services, the Internet has also given technically advanced intruders the opportunity to carry out a variety of attacks, thereby threatening the integrity of its infrastructure and violating the privacy of its users. Despite the current enthusiasm that has replaced the initial reluctance of business and government users, fear of security breaches on the Internet is forcing most organizations to resort to radical solutions based on physical separation between protected private networks – or intranets – and the public Internet (Refik Molva, 1999).
Especially over the last three decades, the Internet has proved itself to be the most widely accepted means of communication. On the other hand, it has also proved to be an extremely insecure network. The figures relating to hacking, spam and virus attacks are alarming and increasing year by year (Sullivan Brendan, Deloitte 2005). The Drug and Crime Prevention Committee Report (2004) submitted to the Parliament of Victoria, Australia stated that ‘[s]eventy-nine percent breach to their electronic commerce system would most likely occur via the Internet or other external access’. These concerns regarding the insecure nature of the Internet create a lack of trust or reluctance on the part of individuals and businesses (Markillie Paul, 2004) to use the Internet to transmit important and confidential information. However, the question arises whether this lack of trust fostered by security concerns also extends to reluctance in the use of the Internet (Aashish Srivastava, 2005).
Protection of personal information in an open digital network
There are two points of view to discuss: privacy in digital networks and security for financial organizations on the Internet. The first question raised is how to balance free information flow and the protection of personal information in an open digital network. The Internet presents a paradox for policymakers. First, the digital landscape established a virtual marketplace that placed commercial transactions beyond geographical boundaries. Second, it became highly contentious to establish a policy standard that incorporates conflicting rules deriving from various nation-states. The paradox is twofold: whether or not nation-states, in response to the borderless nature of new technology, can maximize global market potential while addressing the democratic interests of citizens (Yong Jin Park, 2009).
The impact of Internet security breaches on firms has been a concern to both researchers and practitioners. One measure of the damage to the breached firm is the observed cumulative abnormal stock market return (CAR) when there is announcement of the attack in the public media. To develop effective Internet security investment strategies for preventing such damage, firms need to understand the factors that lead to the occurrence of CAR. The results of our analysis indicate that both attack and firm characteristics determine CAR.
While each of our results is consistent with that of at least one previous study, no previous single study has provided evidence that both firm and attack characteristics are determinants of CAR. Further, the DT-based analysis provides an interpretable model in the form of understandable and actionable rules that may be used by decision makers. The paper makes a contribution to understanding the predictors of damage when a firm is breached (Francis K. Andoh et al., 2007).
An Internet security breach can have negative impacts on the firm’s performance, including lower sales revenues, higher expenses, a decrease in future profits and dividends, and a reduction in market value (Gordon, Loeb, & Lucyshyn, 2003; Power, 2003). The market value of a firm corresponds to the confidence that investors have in that firm. Measuring the market value of a firm that has been compromised is one way of calculating the impact of Internet security breaches. Hence, firm damage can be operationalized as the observed CAR that is attributed to the announcement of an Internet security breach. We are going to use CAR as a measure of firm damage.
Several researchers have used the event study methodology to explore the characteristics of Internet security breaches on the market value of breached firms (e.g., Campbell, Gordon, Loeb, & Zhou, 2003; Gordon & Loeb, 2002; Hovav & D’Arcy, 2004). The event study methodology typically has two goals: (1) to determine whether or not an event, such as the announcement of an Internet security breach, leads to CAR, and (2) to examine the factors that influence the observed CAR. While most of the relevant event studies report that an Internet security breach leads to negative CAR, they differ on the factors that impact CAR. These inconsistencies hinder the ability of organizations to develop effective investment strategies to minimize Internet security breaches.
In this study I also use this methodology to explore the characteristics of Internet security breaches on the market value of breached firms. Decision Trees (DT) provide an interpretable model in the form of understandable and actionable rules that may be used by decision-makers. We present an overview of previous relevant research.
Literature review
2. Overview of previous research
2.1. Internet security attack characteristics
Cohen and his research partners present an extensive list of sets of attacks, defences and effects (Cohen, 1997a; Cohen, 1997b; Cohen et al., 1998). One of their models asserts that “Causes (also called threats) use Mechanisms. . . to produce Effects (also called consequences). Protective Mechanisms (also called Defenses) are used to mitigate harm by acting to limit the causes, mechanisms, or effects” (Cohen et al., 1998). Cohen’s work complements that of Howard (1997), who presents a theoretical taxonomic framework for classifying Internet security attacks. Howard (1997) used the CERT/CC database to study the characteristics of the attacks that occurred in the period 1989–1995.
He identified different types of attackers, each with a different objective. Attackers identify vulnerabilities in a firm’s IT system and attack the firm’s network, data and information. The study showed that a greater portion of security incidents were due to Unauthorized Use, where individuals or groups of individuals, such as disgruntled employees, abuse their access privileges to corporate networks and perform illegal activities resulting in security breaches (Francis K. Andoh et al., 2007).
An attacker’s capabilities and motivations determine the level of attack severity that an attacker type poses (Gupta, Chaturvedi, Mehta, & Valeri, 2000). It has also been suggested that attackers’ motivation to attack is influenced by their perception of the risk of being caught (Cohen et al., 1998; Gupta et al., 2000). On the other hand, individuals’ responses and behavior towards risks depend on what they have observed in the past (Bener, 2000). Investors may notice that in the past certain attacks had a negative impact on the market value of some firms and formulate ideas on which attacks are likely to influence certain stocks. Thus investors, especially institutional investors, would analyze attack and firm characteristics when making a buy or sell decision for a particular firm that has been compromised (Francis K. Andoh et al., 2007).
2.2. The Internet security in financial institutions:
The results of the study showed that different types of financial institutions have significantly different levels of concern in terms of factors such as software systems, hardware security, executive support, internal Internet system users, organizational characteristics, and organizational security policy.
The banking industry has developed from traditional phone banking, to electronic banking, and further to Internet banking. As indicated in a previous study (Huang, 2000) on 551 computer crime cases from 1958 to 1973 collected by Stanford Research Center, and the 97 computer crime cases from 1976 to 1983 gathered by EDPACS (the EDP Audit Control and Security Newsletter), financial institutions are the largest victim of computer crimes, accounting for 29.6% and 32%, respectively. Internet viruses are another major threat to Internet security. New computer viruses are constantly being developed, and it is becoming more difficult for users to detect and remove them. These Internet viruses have often caused great financial loss. In view of the situation, financial institutions that provide various web services have to face the major challenge of how to strengthen their own Internet security measures to provide a more reliable and diversified service.
There are differences in the perspective of different financial institutions on the following three factors: the prevalence of online users, demands of customers, and data transmission speed.
Therefore, different financial institutions should have different considerations when it comes to Internet security, and the significance of each factor may vary across different types of institutions. However, though Internet security is becoming more and more important to financial institutions Consequently, the objective of this study is to explore the different concerns about the factors that are important to the implementation of Internet security for different types of financial institutions. The study classified all the financial institutions into five types using common characteristics such as their size, ownership, financial products, customers, and amount of government support. The names of the five types are Public Banks (PB), Old Private Banks (OPB), New Private Banks (NPB), Local Financial Institutions (LFI), and Other Financial Institutions (OFI).
The Internet population has been growing constantly with the advancement of information technology. Currently, the Internet is constructed of hundreds of thousands of PCs or mainframe servers around the world. Regarding network security, aside from congenital design defects, the human factor is also one of the significant threats to network security.
For example, a programmer of anti-virus software might also produce computer viruses. Likewise, those who design the security system also have the ability to intrude or sabotage the computer system. No matter how good the security system is, if the programmer or authorized system administrator wants, it is likely that legal users will improperly access the data.
Therefore, network security is not only a technical issue, but also an administration issue. It is impossible to curb network security problems via technical solutions alone. The key concept is to defend the network from intruders.
Previous study results (Shen, 1999; Lin and Huang, 1999; Ke, 1997) show that in terms of computer security, factors that jeopardize hardware security include:
(1) Natural disasters, such as earthquakes, fires, floods, and lightning strikes.
(2) Accidents, such as stealing, vandalism, or incendiarism.
(3) Malicious intrusion and destruction. An example of this would be malicious people seeking useful information from discarded materials so as to intrude into the computer system. There are also ways of using advanced tools to tamper with the network circuit in order to monitor communication contents, etc.
(4) Defects of the hardware itself, such as bugs/errors generated from routers or firewalls and so on.
In terms of jeopardizing software security, the types can be divided into operating systems and related applications (Shen, 1999).
(1) Operating Systems: Improper design has created security loopholes in the operating system and, combined with improper management, these loopholes could be taken advantage of by intruders.
(2) Applications: The most common threat is to steal or copy software from the Internet. Software or files could be destroyed by improper usage, by settings made by the intruder, or by the introduction of viruses.
Furthermore, Blacharski (1998) argued that “Human Negligence” is another important issue, which is often neglected by information security administrators. Lindup (1995) and Olnes (1994) pointed out that there had been serious security problems caused by the development of information technology. However, business executives often put emphasis only on the security measures of software and hardware, but overlook the security policy and training that should help to eradicate security concerns and reduce the possible loss.
As for the factors influencing Internet security, relevant studies (Chen, 1997; Blacharski, 1998; Norifusa, 1998; Huang, 1999; Galaxy Software Services, 1999) have concluded the following factors:
(1) Informs security loopholes of the Internet system. The original focus of the Internet lay in the connection of mainframe servers so as to overcome the obstacle of distance connections; therefore, it did not have a thorough concern for network security.
(2) Immature security standards. Currently, the network security protocols have not yet reached a mature stage. Many global enterprises with international credentials have launched their own solutions on the market. Since there is no undisputed optimal solution yet, manufacturers and consumers are somewhat confused.
(3) Stealing data. Taking advantage of the security loopholes on the Internet, which were originally designed for military purposes instead of global connection, intruders can steal or sabotage the data in servers or transmitted through the network.
(4) Copying data. After breaking into the system, intruders or so-called “hackers” could easily copy unauthorized data or files.
(5) Password fraud.
(6) The intrusion of hackers.
After summarizing previous research results, this study has broadly defined Internet security as “management procedure and security techniques such as encryption, authentication, physical security protection & line protection, and firewalls to prevent the Internet system of software, hardware, and network communication from outside invasion”.
Sherwood’s study concluded that Internet security should consider six variables, including network connectivity integrity protection, network connectivity control, network domain boundary control, network management application security, network resilience, and network entity authentication and accountability (Sherwood, 1997).
2.2.1. Information Technologies Dimension
Therefore, in the Information Technologies Dimension, the financial institution should be concerned with the following three factors: software security, hardware security, and network connection security.
Factors to be considered as software security variables include user authentication and control, using control security system software, saving confidential data as cipher text, threats of programming bugs, risk of unauthorized copying, threats of denial of service, threats of Trojan Horses and other programming codes, application system and program development, and enacting a formal control procedure, etc. (Norifusa, 1998; Vaughn et al., 1993; Russell and Gangemi, 1992; Sherwood, 1997).
Factors affecting hardware security variable measurements include threats of natural disaster, artificial intrusion, and inferior communication facilities and computer mainframes (Zeng, 1996; Forcht, 1994; Richard, 1986; Weill and Margrethe, 1989). Factors affecting network connection security include user ID authentication, access control, data security, data integrity, and network restoration (Sherwood, 1997).
2.2.2. Human factors dimension
Lack of involvement by executives was considered one of the major obstacles impeding the computer security policy of many companies (Eloff, 1988). Support by executives is able to influence the implementation of network security, because top management support makes the organization’s resources available.
In addition, many scholars consider personnel security (e.g. personnel discipline on data protection, separation of duties and privileges in defining personnel’s access to data on servers, and so on) as one of the critical factors influencing security policies (Wu and Hsieh, 1998); Cohen (1998) considers the maintenance and system development capability of the IT department and higher authorities as factors influencing Internet security.
2.2.3. External environment dimension
Russell and Gangemi (1992) and Cohen (1998) argue that external users will pose a threat to the Internet system and affect organizational Internet security. The research report of the Taiwan Computer Crisis Management Center suggested that the government should enact relevant regulations on computer crime, IT crime, and Internet crime to effectively curb illegal behavior. Caminada’s (1998) research shows that most security-related incidents are unauthorized intrusions. Therefore, this paper is based on the conclusion of this reference study and categorizes the external environment variables as external Internet users, law and regulation, and unauthorized intrusion.
Factors concerning external Internet users include the integrity of consultants, integrity of suppliers, users’ familiarity with the company’s network system, integrity of competitors, crime organizations, commercial spies, hackers, crackers, and terrorist and military organizations (Cohen, 1998).
2.2.4. Internal organization dimension
Grover and Goslar (1933) have pointed out that organizational characteristics are a critical index of the adoption of a new information system, while Caminada (1998) considers how the execution of an organizational security policy will affect organizational Internet security. Therefore, this study has categorized internal organizational variables as organizational characteristics and organizational security policies.
3. Discussion
Study limitations
While this proposed research model proved useful in indicating that different types of financial institutions have different Internet security concerns in terms of the information technology, human, and internal organizational dimensions, three limitations should be noted. Firstly, the respondents might have a tendency to appreciate the technology in this era of IT explosion and growth and, as a result, were more willing to mail back the questionnaire. Another limitation was that all the variables in the proposed model were selected from the IS-related literature. In other words, the important variables about the financial industry might not be included completely in this study. Lastly, this study utilized a static cross-sectional approach, which may not reveal the dynamics of the technology adoption processes. From the discussion above, more rigorous studies are needed to further explore issues uncovered by this study.
3.1. Findings analysis
In the information technology dimension, different types of financial institutions differ significantly in their concern for software and hardware, and only barely significantly in their concern for network security. Highly computerized institutions have a higher level of IT security concern. The Public Banks have the longest operating history and support from the government, while OPB and NPB are aggressive in obtaining market share and therefore emphasize network security issues. PB also consider network connection very important.
Executives in PB and OPB pay relatively more attention to Internet security issues, while those in LFI pay less, because most LFI are connected to computer centers through dedicated lines and Internet security concerns are therefore not on the executives’ priority list. OFI have, on average, a shorter company history and are not mature enough to maintain Internet security. Most OFI information systems are outsourced, which means that executives pay less attention to this area.
All the financial institutions value the IT staff’s capability almost equally highly. With more and more publicity in the broadcast media about the threat of external Internet users, unauthorized intrusion, and the related government regulations on Internet security, all types of financial institutions show consistent concern about this dimension. Meanwhile, the size, market share, degree of computerization, and related policy of an institution influence its concern for Internet security. As mentioned, most OFI have no information system department and outsource their information systems and network security.
Therefore, OFI value organizational characteristics and security policy lower than other types of financial institutions do. The OFI include investment trust companies, life insurance companies, and general insurance companies, and their concerns may differ from those of regular banks. As for OPB, after privatization, they aggressively adopted new knowledge and new technology to improve their competitiveness. Therefore, it is concluded that organization structure re-engineering and different business scope may lead to different concerns about Internet security.
Most financial institutions budgeted more money for information systems than for Internet security. Only a few of the financial institutions interviewed said that their budget for Internet security is included in the budget for the IT department. This finding may lead to the conclusion that financial institutions have put much less emphasis on Internet security than on IT systems. In addition, most financial institutions with websites adopt Microsoft IIS for their web servers. However, according to the survey on Internet server security conducted by TWCert (1999), the Microsoft IIS system is the most unsafe web server system.
With many prior studies placing an emphasis on the security issues of Internet banking, this paper took an organizational instead of an individual perspective to further explore the different concerns of different financial institutions about the factors that influence Internet security.
Conclusion
As a result, we found that different types of institutions have different security concerns. In the information age, several businesses use the Internet to drive organizational performance and survivability, but the Internet opens and exposes organizational networks to security attacks, and in recent times several organizations have been hit with security breaches (i.e. the confidentiality, integrity, or availability of a firm’s network, computers or information resources is compromised). These breaches happen because of factors such as information technology, human factors, the external environment and the internal organization, and if we want a secure system we should take all of these factors into consideration (Francis K. Andoh et al., 2007).
References:
Aashish Srivastava.(2005). Is internet security a major issue with respect to the slow acceptance rate of digital signatures?
Blacharski, D., 1998. Network Security in a Mixed Environment. Kings Information, California, USA.
Bener, A. B. (2000). Risk perception, trust, and credibility: A case in Internet Banking. London: London School of Economics and Political Sciences
Cohen, F. (1997a). Information system defences: a preliminary classification scheme. Computers and Security, (16), 94–114.
Cohen, F. (1997b). Information systems attacks: a preliminary classification scheme. Computers and Security, (16), 29–46.
Cohen, F., Phillips, C., Swiler, L. P., Gaylor, T., Leary, P., Rupley, F., & Isler, R. (1998). A cause and effect model of attacks on information systems. Computers and Security, 17(1), 211–221.
Caminada, M., 1998. Internet security incidents, a survey within Dutch organizations. Computers & Security (17:5), Amsterdam, pp. 417.
Campbell, K., Gordon, L. A., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448.
Chen, W.Z., 1997. Internet Security Handbook. GOTOP Information Inc., Taipei.
Chen, S.R., Hsieh, S.C., 1998. A study on factors affecting implementation of Internet banking and benefits/
Chiu Chang, Hsin-Ginn Hwang, David C. Yen, Hen-Yi Huang (2006). An empirical study of the factors affecting Internet security for the financial industry in Taiwan, pp. 343–364.
Eloff, J.H.P., 1998. Computer security policy: important issues. Computers & Security (7:6), pp. 559–562.
Forcht, K.A., 1994. Computer Security Management. Boyd & Fraser Publishing Company, Massachusetts, USA
Francis K. Andoh-Baidoo, Kweku-Muata Osei-Bryson (2007). Exploring the characteristics of Internet security breaches that impact the market value of breached firms. Expert Systems with Applications 32, pp. 703–725.
Galaxy Software Services, Top to the Hack, and Keep Network in Mind, http://www.gss.com.tw/gsseis/10/lan1.htm, 1999.10.
Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Information security expenditures and real options: a wait-and-see approach. Computer Security Journal, 19(2), 1–7.
Grover, V., Goslar, M.D., 1933. The initiation, adoption, and implementation of telecommunications technologies in US organizations. Journal of Management Information Systems (10:1), 141–163.
Gupta, M., Chaturvedi, A. R., Mehta, S., & Valeri, L. (2000). The experimental analysis of information security management issues for online financial services. In The twenty-first international conference on information systems (pp. 667–675). Brisbane, Australia.
Hovav, A., & D’Arcy, J. (2003). The impact of denial-of-service announcements on the market value of firms. Risk Management and Insurance Review, 6(2), 97–121.
Howard, J. (1997). An analysis of security incidents on the Internet. Carnegie Mellon University
Huang, J.M., 2000. Attack and Protection of Extranet vs. Computer Hacker, Connectimes, Taipei. Publisher of Info and Computer, Taiwan, March 2000, no. 104, pp. 40–43.
Ke, X.R., 1997. Gist of Banking Law, Banchiau City, Taipei. Publisher of LiJian, Taiwan.
Lin, Y.C., Huang, M.X., 1999. Technology of Internet system security. Communication of Information Security (15:3), pp. 12–22.
Lindup, K.R., 1995. A new model for information security policies. Computers & Security 14, 691–695.
Markillie Paul,21 May 2004, The internet offers huge scope for.business.but security urgently needs to be improved.” See, ‘A survey of e-commerce: Unlimited opportunities?’ The Economist, 14.
Norifusa, M., 1998. Internet security: difficulties and solutions. International Journal of Medical Informatics (49),69–74.
Olnes, J., 1994. Development of security policies. Computers & Security 13, 628–636.
Power, R. (2003). 2002 CSI/FBI Computer crime and security survey. Computer Security Issues and Trends, 8(1), 1–21.
Refik Molva (1999). Internet security architecture, pp. 787–804.
Richard, T.C., 1986. A historical prospective of computer related fraud, security, audit and control review. ACM,
Russell, D., Gangemi, G.T., 1992. Computer Security Basics. O’Reilly & Associates Inc., California, USA.
Shen, W.Z., 1999. Attack and protection with Hacker. Communication of Information Security (5:3), pp. 86–96.
Sherwood, J., 1997. Security issues in today’s corporate network. Information Security Technical Report (2:3), pp. 8–17.
Sullivan Brendan, Deloitte: Tech future includes cybercrime, nanotechnology: Digital crime and online security threats are expected to skyrocket in ’05, 20 January 2005, Computerworld www.computerworld.com/printthis/2005/0,4814,99097,00.html at 9 May 2005.
TWCert, 1999. Survey of The Web Server Secure in Taiwan, http://www.cert.org.tw/chi/index.html, 1999.10.
Thong, James Y.L., 1999. An integrated model of information systems adoption in small businesses. Journal of Management Information Systems 15 (4), 187–215.
Vaughn Jr., R.B., Saiedian, H., Unger, E.A., 1993. A survey of security issues in office computation and the application of secure computing models to office systems. Computer & Security (12), 79–97
Weill, P., Margrethe, H.O., 1989. Managing investment in information technology mini case examples and implication. MIS Quarterly, pp. 3–17.
Wu, Z.F., Hsieh, C.C., 1998. Information Management: Theory and Reality. BestWise Publishing Co., Ltd., Taipei, Taiwan.
Yong Jin Park (2009). Regime formation and consequence: The case of internet security in the East-Asia ‘Four Tigers’, pp. 398–406.
Zeng, X.J., 1996. Omnibus Internet Security, Taipei, Connectimes. Taipei, Taiwan, Publisher of Info and Computer, no. 63, June 1996, pp. 36–41
About the Author
Ems_salehi64@yahoo.com
mehrdad.salehi64@gmail.com