E-Commerce Risks and Controls

Introduction

Risk is ‘the probability of a threat to a system’ and control represents ‘security mechanisms, policies, or procedures that can successfully…reduce risk’ (Whitman & Mattord 2003, pp.27-28). In the fast-evolving world of e-Commerce, there are numerous risks and controls. Moreover, new risks and controls emerge every day as the environment changes, and it is not easy to keep track of every single risk and control. Hence, risks and controls need to be separately categorised for easier understanding and management. This literature will explore the categorisation of both risks and controls and illustrate each category with examples.

Categorisation of Risks

Jamieson et al. (2002) and Whitman & Mattord (2003) illustrated a few comprehensive paradigms for risk categorisation. Among these paradigms, there is one common categorisation of risks: Human and Technology, as illustrated in the diagram below.

[Diagram: risk categories: Human, Technology]

Within each category, there are many different risks that are related to e-Commerce and for the brevity of this literature, only the key ones will be discussed.

Human

  • Fraud and theft. Credit card details and the identity of customers or business partners can be stolen and used to perform fraudulent transactions. The dollar value of transactions can also be manipulated in fraud.
  • Financial loss. For profitable organisations, e-Commerce must generate value and financial profit. E-Commerce will become a burden to the business objectives if it only induces financial loss.
  • Legal issues. There are laws in place with which companies need to comply. One such requirement is to protect the confidentiality of customer and employee data. By running e-Commerce, there is a risk of breaching this legislation if the data is abused or not protected.

Technology

  • Sabotage or vandalism. The e-Commerce system may suffer from different malicious attacks, which can take the form of virus/worm/trojan horse attacks, denial of service, and web page defacement.
  • Unauthorised access. There may be malicious intruders who gain illegal access to the e-Commerce system. This unauthorised access can originate from many causes, among them poor configuration or design of the system, unpatched security holes, unencrypted or poorly encrypted transmission, and stealthy backdoor programs.
  • Performance degradation. After the e-Commerce system is up and running, there may be a trend of degrading performance due to increasing demand on network traffic, processor speed, and data storage, as well as more frequent software and hardware failure.

Categorisation of Controls

Jamieson et al. (2002) categorised controls as either procedure or technical in the paradigm they proposed. However, for a more comprehensive control mechanism, the education and legal categories should also be included and addressed. This categorisation is illustrated with the diagram below.

[Diagram: control categories: Legal (External), Policy and Procedure, Education, Technology]

It is worth mentioning that each control category is not limited to addressing only one category of risk. Instead, the control categories and risk categories have a complex interrelation.

Similar to the previous categorisation of risks, there is a variety of controls within each control category that can be applied to e-Commerce. However, due to the limited amount of space in this literature, only the vital ones will be discussed.

Legal (External)

Legislation acts as a control to protect the parties involved in e-Commerce, e.g. the Electronic Transactions Act 1999. Also, external legal audit and assistance (Dilanchian 2001) can be employed to mitigate the risks companies may face during the operation of e-Commerce.

Policy and Procedure

Internal policies and procedures must be in place to act as controls for the risks within e-Commerce. Risk assessment, cost/benefit analysis, system development methodology and auditing, and transaction auditing are some of the controls that can help address the risks that companies will face when implementing e-Commerce.

Education

All communities that are involved in e-Commerce, ranging from external parties (such as consumers, business partners, outsourcing companies, and vendors) to internal parties (such as business analysts, system designers, programmers, database administrators, system administrators, and testers), must be adequately trained so that they can be aware of the risks and controls in e-Commerce.

Technology

Contrary to the belief that technology is the sole control of risks in e-Commerce, technology alone cannot effectively address the risks (KnowledgeLeader 2003). Some of the controls within the technological category are: antivirus software, firewall, access control list, log files, encryption, digital certificates, audit trails, and patch management.

Conclusion

This literature has discussed the categorisation paradigm for risks and controls within e-Commerce. Due to the time and space constraints within this literature, only the key risks and controls have been provided within each category. Hence, the risks and controls outlined are by no means exhaustive. Moreover, new risks and controls will continue to emerge as the environment changes. For a more comprehensive and detailed analysis, more in-depth study is required.

Bibliography

  1. A Team 2003, INFS5905 Information Systems Auditing Session 2, 2003 Identity Fraud Assignment Part One: Identity Fraud Report, UNSW, NSW.
  2. Commonwealth of Australia 1999, Electronic Transactions Act 1999, Australasian Legal Information Institute, viewed 16 October 2003.
  3. Dilanchian, N 2001, E-commerce Legal Risk Minimization. Part 1: Introduction, Dilanchian Lawyers & Consultants, viewed 26 April 2004.
  4. Forristal, J, Broomes, C, Simonis, D, Bagnall, B, Dinowitz, M, Dyson, J, Dulay, J, Cross, M, Danielyan, E, and Scarborough, D 2001, Hack Proofing Your Web Applications, Syngress, Rockland, USA.
  5. Jamieson, R, Baird, A, and Cerpa, N 2002, Development of a Framework for Risks and Security in B2C E-Business, UNSW, Sydney.
  6. KnowledgeLeader 2003, Information Security: Ten Myths, KnowledgeLeader, viewed 1 January 2004.
  7. Kohli, K 2004, Stealing passwords via browser refresh, Astalavista Security Group, viewed 26 April 2004.
  8. Moore, D 2002, ‘The current state of e-Commerce security’, 2600 The Hacker Quarterly, Vol. 19, No. 3, pp.53-54.
  9. Responsive Systems 2004, Responsive Systems – Risks of E-Commerce, Responsive Systems, viewed 26 April 2004.
  10. Terzievski, K 2004, ‘Patch me happy’, Technology & Business, May 2004 Issue, pp.94-102.
  11. Whitman, M & Mattord, H 2003, Principles of Information Security, Thomson Course Technology, Canada.
  12. Younan, Y 2003, An overview of common programming security vulnerabilities and possible solutions, Astalavista Security Group, viewed 26 April 2004.