A Management Perspective on Risk of Security Threats to Information Systems

Published in: Information Technology and Management

Abstract

Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has also introduced new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measures and techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats, with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls, and countermeasures. It then proposes the development of cost models that quantify both the damages of these attacks and the effort of confronting them, and outlines the construction of one such cost model for security risk assessment. The model helps decision makers select the appropriate countermeasure(s) to minimize damages and losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations as a whole.
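The abstract describes a probabilistic evaluation of threats and a cost model for choosing countermeasures, but the preview does not show either. The following is an added example, not code from the paper or its authors, of the generic expected-loss calculation that such models rest on: each threat carries an estimated annual probability of a successful attack and a damage figure, each countermeasure has an annual cost and reduces the success probability of the threats it addresses, and the decision rule picks the countermeasure set that minimizes annual spend plus residual expected loss. The threat and countermeasure names, probabilities, effectiveness fractions, costs, the multiplicative composition of independent reductions, and the optional budget constraint are all assumptions constructed for this illustration; the paper's own scheme may differ.

```python
from itertools import combinations

# Constructed sample figures (an assumption for this example, not data
# from the paper): per-threat annual probability that an attack succeeds
# and the damage incurred if it does.
THREATS = {
    "web_defacement":     {"p_success": 0.30, "damage": 50_000},
    "customer_db_breach": {"p_success": 0.10, "damage": 800_000},
    "dos_outage":         {"p_success": 0.40, "damage": 120_000},
}

# Constructed countermeasures: annual cost, and the fraction by which each
# reduces the success probability of the threats it addresses.
COUNTERMEASURES = {
    "waf":            {"cost": 20_000,
                       "reduces": {"web_defacement": 0.7, "customer_db_breach": 0.4}},
    "db_encryption":  {"cost": 35_000,
                       "reduces": {"customer_db_breach": 0.6}},
    "ddos_scrubbing": {"cost": 25_000,
                       "reduces": {"dos_outage": 0.8}},
}


def residual_probability(p_success, threat, countermeasures, active):
    """Success probability left for one threat after the active countermeasures.

    Assumption: reductions from different countermeasures are independent,
    so they compose multiplicatively (two 50% reductions leave 25%).
    """
    for name in active:
        p_success *= 1.0 - countermeasures[name]["reduces"].get(threat, 0.0)
    return p_success


def expected_loss(threats, countermeasures, active=()):
    """Annual expected loss: sum over threats of P(success) * damage."""
    return sum(
        residual_probability(t["p_success"], threat, countermeasures, active) * t["damage"]
        for threat, t in threats.items()
    )


def total_cost(threats, countermeasures, active=()):
    """What the organization pays in a year: countermeasure spend plus residual risk."""
    spend = sum(countermeasures[name]["cost"] for name in active)
    return spend + expected_loss(threats, countermeasures, active)


def select_countermeasures(threats, countermeasures, budget=None):
    """Evaluate every subset of countermeasures (2^n, fine for a handful) and
    return the cheapest-overall subset as a sorted tuple of names together
    with its total annual cost.  With a budget, subsets whose combined spend
    exceeds it are skipped."""
    names = sorted(countermeasures)
    best, best_cost = None, float("inf")
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            spend = sum(countermeasures[n]["cost"] for n in subset)
            if budget is not None and spend > budget:
                continue
            cost = total_cost(threats, countermeasures, subset)
            if cost < best_cost:
                best, best_cost = subset, cost
    return best, best_cost


if __name__ == "__main__":
    print(f"baseline expected loss: {expected_loss(THREATS, COUNTERMEASURES):,.0f}")
    for budget in (None, 30_000):
        chosen, cost = select_countermeasures(THREATS, COUNTERMEASURES, budget)
        print(f"budget={budget}: choose {chosen}, total annual cost {cost:,.0f}")
```

With the constructed figures, the unconstrained choice is the WAF plus DDoS scrubbing (the database encryption does not pay for itself once the WAF has already cut the breach probability), while a 30,000 budget leaves only the WAF. The result is only as good as the probability estimates, which is exactly where such models are weakest in practice, so a practitioner would re-run the selection across a range of plausible `p_success` values before trusting a single answer.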



Correspondence to Fariborz Farahmand.

Cite this article

Farahmand, F., Navathe, S.B., Sharp, G.P. et al. A Management Perspective on Risk of Security Threats to Information Systems. Inf Technol Manage 6, 203–225 (2005). https://doi.org/10.1007/s10799-005-5880-5
