Information Management & Computer Security

A security risk management approach for e-commerce

M. Warren W. Hutchinson

Article information:
To cite this document:
M. Warren W. Hutchinson, (2003),"A security risk management approach for e-commerce", Information Management &
Computer Security, Vol. 11 Iss 5 pp. 238 - 242
Permanent link to this document:
http://dx.doi.org/10.1108/09685220310509028
Downloaded on: 16 June 2015, At: 01:19 (PT)
References: this document contains references to 7 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 2412 times since 2006*

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Users who downloaded this article also downloaded:

Someswar Kesh, Sam Ramanujan, Sridhar Nerur, (2002),"A framework for analyzing e-commerce security", Information
Management & Computer Security, Vol. 10 Iss 4 pp. 149-158 http://dx.doi.org/10.1108/09685220210436930
Godwin J. Udo, (2001),"Privacy and security concerns as major barriers for e-commerce: a survey study", Information
Management & Computer Security, Vol. 9 Iss 4 pp. 165-174 http://dx.doi.org/10.1108/EUM0000000005808
Kwo-Shing Hong, Yen-Ping Chi, Louis R. Chao, Jih-Hsing Tang, (2003),"An integrated system theory of information
security management", Information Management & Computer Security, Vol. 11 Iss 5 pp. 243-248 http://
dx.doi.org/10.1108/09685220310500153

Access to this document was granted through an Emerald subscription provided by emerald-srm:499410 []

For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for Authors service
information about how to choose which publication to write for and submission guidelines are available for all. Please
visit www.emeraldinsight.com/authors for more information.

About Emerald www.emeraldinsight.com

Emerald is a global publisher linking research and practice to the benefit of society. The company manages a portfolio of
more than 290 journals and over 2,350 books and book series volumes, as well as providing an extensive range of online
products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee on Publication
Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive preservation.
*Related content and download information correct at time of download.

A security risk management approach for

e-commerce

M. Warren
School of Information Technology, Deakin University, Geelong, Australia
W. Hutchinson
School of Computer and Information Science, Edith Cowan University,
Mt Lawley, Australia

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Keywords

Electronic commerce,
Risk analysis, Information systems

Abstract

E-commerce security is a complex

issue; it is concerned with a
number of security risks that can
appear at either a technical level
or organisational level. This paper
uses a systemic framework, the
viable system model (VSM) to
determine the high level security
risks and then uses baseline
security methods to determine the
lower level security risks.

The viable system model (VSM) developed by

Stafford Beer (Beer, 1985), uses the principles
of cybernetics. It has been successfully used
to diagnose existing organisational
structures and design new ones. It is the
generic nature of the VSM that allows it to be
used in a number of different situations
(Hutchinson and Warren, 2000). In terms of
this paper the model will be used to analyze
potential security vulnerabilities to an

organisation's information systems at a high

level.
Before using the VSM, it is essential to
understand the dynamics of its applicability
and a diagrammatic representation is shown
at Figure 1. The VSM consists of five
subsystems, or functions. These are:
1 Implementation (S1): this function consists
of semi-autonomous units, which carry
out the operational tasks in the system.
These are the functions that are basic to
the existence/purpose(s) of the system.
They interact with their local
environment, and each other. Each unit
has its own local management, which is
connected to wider management by
vertical information flows. This function
is the ``doing'' part of an organization. The
VSM has a recursive element, and each S1
has another VSM embedded in it.
2 Co-ordination (S2): this function
co-ordinates the S1 units to ensure that
each S1 unit acts in the best interest of the
whole system, rather than its own. This
could be represented by something as
simple as a timetable, or as subtle as
morale among the workforce.
3 Internal control (S3): this function
interprets policy information from
``higher'' functions (S4), and ``lower''
functions. It is the function which
controls the operational levels. Its
function is not to create policy, but to
implement it. Information arriving from
the S1 function must periodically be
audited for its quality and correctness.
This is the S3* audit function.
4 Intelligence and development (S4): this
function acts as a filter of information
from the S3 function and the overall
outside environment. Its purpose is to
ensure that the policy making function
(S5) is adequately briefed, and decisions
are transmitted to S3.

The Emerald Research Register for this journal is available at

http://www.emeraldinsight.com/researchregister

The current issue and full text archive of this journal is available at
http://www.emeraldinsight.com/0968-5227.htm

Introduction
Information systems are now heavily utilized
by all organizations and relied upon to the
extent that it would be impossible to manage
without them. This has been encapsulated by
the recent development of e-commerce in a
consumer and business environment. The
situation now arises that information
systems are at threat from a number of
security risks and what is needed is a
security method to allow for these risks to be
evaluated and ensure that appropriate
security countermeasures are applied.

Security methods
The aim of the research was too combine a
information systems modeling method with a
baseline security method to form a hybrid
security method. This method could be used
to evaluate high and low level security risks
associated with e-commerce. The methods
used in this model are the viable system
model (VSM) and baseline security approach.
The VSM is used to model an organisation's
basic functions and associated data flows,
whilst the baseline security approach is used
to implement appropriate security
countermeasures.

The viable system model (VSM)

Information Management &

Computer Security
11/5 [2003] 238-242
# MCB UP Limited
[ISSN 0968-5227]
[DOI 10.1108/09685220310509028]

[ 238 ]

M. Warren and W. Hutchinson

A security risk management
approach for e-commerce

Figure 1
The viable system model

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Information Management &

Computer Security
11/5 [2003] 238-242

5 Strategy and policy (S5): this function is

responsible for the direction of the whole
system. It must balance internal and
external factors.
The data flows between S1 and S5 and the
environment are shown in Figure 1. These
flows show the potential points of
vulnerability to a ``computer based attack''.
With this conceptual model of a viable
system (organisation), strategies and tactics
can be developed to make the system
``non-viable'' or dysfunctional. The logic
being that investigating functional
shortcomings can be used to improve an
organisation and show its weaknesses, but
also, to show possibilities for attack.

Baseline security approach

The aim of risk analysis is to eliminate or

reduce risks and vulnerabilities that affect
the overall operation of organisational
computer systems. Risk analysis not only

looks at hardware and software, but also

covers other areas such as physical security,
human security, and business and disaster
protection. In practice, there are major
problems with the use of risk analysis; the
time taken to carry out a review; the cost of
hiring consultants and/or training staff. To
overcome these negative aspects, baseline
security approaches were developed.
Baseline security offers an alternative to
conventional risk methods as they represent
the minimally acceptable security
countermeasures that an organisation should
have implemented. These countermeasures
are applied in a generic manner, for example,
every organisation should have the same
baseline security countermeasures
implemented.
The advantages of using baseline methods
include (Warren and Hutchinson, 2000):
.
cheap to use;
.
simple to use;

[ 239 ]

M. Warren and W. Hutchinson

A security risk management
approach for e-commerce
Information Management &
Computer Security
11/5 [2003] 238-242

no training is required to use the method;

and
it is quicker then undertaking a full
security review.

Commonly used baseline methods include:

the Australian and New Zealand AS/NZS
4444 standard (Australian and New Zealand
Standard Committee, 1998), the British
BS7799 standards (British Standards
Institute, 1995; 1998) and German BSI
standard (BSI, 1994).
The authors decided to develop a security
assessment method by which baseline
security techniques could be applied.

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Duality risk analysis model

The aim of the duality risk analysis security
model is to develop a security method that
combines the strength of VMS and baseline
approaches. Another aim is to overcome the
weaknesses associated with baseline security
models and allows for the VMS approach to
be used in a security environment.
The stages of the duality risk analysis
model are:
.
Stage 1 VMS stage. This stage of the
model is concerned with using the VMS
model to determine the impacts and risks
that a particular security threat would
have upon an organisation The impact
can be assessed upon the whole
organisations as shown by Figure 1.
Vulnerabilities of the various functions
(S1 to S5) are used to examine various
options for attack. The authors have
developed software to assist in this task as
shown by Figure 2.
.
Stage 2 baseline stage. The appropriate
baseline countermeasure are selected to
reduce the security threat as defined in
stage 1. The authors have created special
advisory software that allows for
appropriate countermeasures to be
selected, e.g. what are the
BS7799 guidelines that relate to computer
viruses.
.
Stage 3 evaluation of impact. The stage 1
process is repeated but this time the
impact of the security countermeasure is
evaluated. This will allow for the
evaluation of the security countermeasure
and show its effectiveness across the
whole organization. The information
provided by this will allow management
to determine of effectiveness of security
countermeasures.
This approach can by used to evaluate any
security risk associated with e-commerce.
This type of approach will allow an

[ 240 ]

organisation to model what it perceives are

the important security risks and how they
could relate to their organization.

Validation of research
To validate the model the authors looked at a
number of security risks that could impact
organisations in relation to e-commerce. In
this section we will look at the impact of
viruses. The type of virus attack that is being
modeled would be a ``Word macro'' virus
infection similar to the ``Lovebug'' virus.

Stage 1 VMS stage

Figure 1 illustrates the different levels of a

sample organisatons. The impact of the virus
attack upon that sample organization
would be:
.
S1 implementation. During the attack the
S1 operating units will be affected. Within
an organization each S1 might well have
their own IT infrastructure as part of the
overall organization's system. A virus
outbreak would focus upon the
communication infrastructure of the S1
unit. The impact will be that e-mail
servers will crash under the extensive
volume of data and possibly cause a
cascade effect through the S1 unit by the
increase of email traffic caused by the
viruses. For example, if the mail server
crashes what else would crash? Therefore
a macro virus attack might affect S1 units'
ability to interact from their operating
(local) environment as well as
disconnecting them from other S1 units
and separating them from management
functions. The attacks on the S1 unit will
decrease the efficiency of the whole
organization because of the disruption it
will have upon the operational aspects.
.
S2 co-ordination. There would be a
dramatic impact upon the coordinating
function of the S1 units. Because of the
impact of the macro viruses S2 would not
be able to work due to the isolation of the
S1 units. There is also a chance that the S2
function would be affected by viruses
spreading from the S1 units and therefore
become isolated causing the coordination
function to collapse.
.
S3 internal control. The internal control
of the information system will be
disrupted because of the chaos at the
lower levels. It is therefore difficult to
implement policy when structure of the
information system infrastructure to be
neutralized.
.
S4 intelligence and development/S5
strategy and policy. The virus will not

M. Warren and W. Hutchinson

A security risk management
approach for e-commerce

Figure 2
Software developed by authors to model VSM situations

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Information Management &

Computer Security
11/5 [2003] 238-242

directly impact the S4 and S5 functions,

unless the cascade effects of failures were
dramatic to affect these higher level
systems or unless the S4 and S5 functions
were identified for attack and they would
then become isolated from the rest of the
organization.

Stage 2 baseline security stage

The decision support security software

would be used to pick an appropriate
baseline security countermeasure. Figure 3
shows a screenshot from the baseline
security tool.
The software will work by the user
selecting an appropriate baseline security
countermeasure that could be implemented.
The user would use the security baseline tool
software (as shown in Figure 3) and find an
appropriate security countermeasure that
would relate to computer viruses. The
software would then show the appropriate
baseline security countermeasure such as:
Implement appropriate virus protection
strategy.

The user can select this as being the security

countermeasure that they wish to assess.

Stage 3 re-evaluation of impact

The user reviews the situation with the

existing new countermeasure in place, using
the VMS approach:

.
.

S1 implementation. The virus protection

strategy localises the damage to a few S1
units, assuming that some S1 units do not
effectively implement a proper virus
protection system for example, virus
checkers out of date.
S2 co-ordination. There would be
localised disruption of a few S1 units.
Co-ordinations functions can be adapted
to overcome these localised difficulties
until the problem is quickly resolved.
S3 internal control. No direct impact.
S4 intelligence and development/S5
strategy and policy. No direct impact.

Stage 2 and Stage 3 can be repeated if a

security countermeasure does not have the
required effect in reducing a security risk to
an acceptable level.

Conclusion
The paper has shown that hybrid security
risk analysis models can be used to model
complex security solutions in relation to
e-commerce. The aim of the research is not to
fully replace detailed security risks analysis
methods but to offer an easier alternative
that can be used to model different
e-commerce security risks and determine the
impact of appropriate security
countermeasures.

[ 241 ]

M. Warren and W. Hutchinson

A security risk management
approach for e-commerce

Figure 3
Security baseline tool

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

Information Management &

Computer Security
11/5 [2003] 238-242

References

Australian and New Zealand Standard Committee

(1998), AS/NZS 4444.1 Information Security
Management.
Beer, S. (1985), Diagnosing the System for
Organisations, John Wiley & Sons,
Chichester.
British Standards Institute (1995), BS7799 Code
of Practice for Information Security
Management, BSI, London.
British Standards Institute (1998), BS7799-2,
Information security management,
Specification for Information Security
Management Systems, BSI, London.

[ 242 ]

BSI (1994), Information Technology Baseline

Protection Manual, Bundesamt fur Sicherheit
in der Informationstechnik, available at:
www.bsi.bund.de
Hutchinson, W. and Warren, M. (2000), ``Using the
viable systems model to develop an
understanding information system security
threats to an organisation'', Proceeding of the
1st Australian Information Security
Management Workshop, Deakin University,
Geelong, Australia, November.
Warren, M. and Hutchinson, W. (2000), ``The
Australian and New Zealand Security
Standard AS/NZS 4444'', New Zealand
Journal of Computing, Vol. 8 No. 1/2, pp 37-43.

This article has been cited by:

Downloaded by Universiti Tunku Abdul Rahman At 01:19 16 June 2015 (PT)

1. Dan HarneskConvergence of Information Security in B2B Networks 571-595. [CrossRef]