Elsevier

Computers & Security

Volume 26, Issue 2, March 2007, Pages 177-182

Information security in networkable Windows-based operating system devices: Challenges and solutions

https://doi.org/10.1016/j.cose.2006.09.002

Abstract

This paper explores information security risks in networkable Windows-based operating system (NWOS) devices. While these devices face the same information security risks as any other Windows platform, NWOS devices present additional challenges to vendors and buyers throughout the product lifecycle. It appears that NWOS devices are particularly vulnerable to information security threats because of the vendors' and buyers' lack of awareness of the security risks associated with such devices. Based on evidence collected from a manufacturer of Digital Storage Oscilloscopes, the paper offers a set of challenges faced and solutions applied by this vendor in its interactions with buyers. In order to reduce the vulnerability of NWOS devices, the paper considers several information security measures for the production, sales and after-sales phases. Lastly, the paper outlines the business reasoning for both vendors and buyers to pursue this information security strategy.

Introduction

Recent years have seen a surge in the introduction of networkable Windows-based operating system (NWOS) devices. Some examples are home entertainment systems (e.g. Xbox), smart phones (e.g. Motorola i930 and PalmOne's Treo) and Pocket PCs (e.g. Toshiba e850). While NWOS devices present an appealing proposition for both software vendors and buyers in terms of the flexibility to add supplementary software applications, such devices also introduce new challenges in terms of managing information security risks. NWOS devices are particularly vulnerable to information security threats because of the vendors' and buyers' lack of awareness of the security risks associated with such devices. In addition to the direct damage to business operations that an infected NWOS device might cause, other consequences may include alienated customers and a tarnished reputation (Austin and Darby, 2003).

The information security literature has indeed discussed at length prevention, detection and recovery strategies related to information security management (e.g. Joseph and Blanton, 1992, Jung et al., 2001); however, these studies mainly focused on computer- and Internet-related information security threats and highlighted practices associated with the management of software development and information systems that could offer protection from malicious software. In this regard, NWOS devices present an extended set of challenges that call for the development of additional capabilities by the vendor. Indeed, several studies have recently discussed the need to integrate software development and operational processes with strategic business objectives, when building security into products (McAdams, 2004, von Solms and von Solms, 2004, Taylor and McGraw, 2005, von Solms and von Solms, 2005). Clearly, the careless management of information security of NWOS devices will not only risk the vendor's or the buyer's network environment but could also harm the relationships between vendors and buyers, as malicious software may be transferred between their networks during production, sales, and after-sales activities. In a recent article, Arce (2003) acknowledges that networkable gadgets pose unique information security risks to vendors; however, little is so far known about the challenges faced and solutions applied by vendors when managing the information security of NWOS devices throughout the product lifecycle.

This paper aims to address this gap by reporting on key information security challenges that vendors of NWOS devices face during the lifecycle of the product. In discussing these challenges, this paper will attempt to bring out aspects relating to the alignment of information security issues, operational activities and strategic objectives that a vendor should consider during the lifecycle of an NWOS product.

The challenges faced by vendors will be associated with three phases of the product lifecycle that are critical to devising an information security strategy: production, sales and after-sales. Furthermore, the solutions applied by LeCroy, a New York-based supplier of digital oscilloscopes, to reduce the vulnerabilities presented by NWOS devices will be outlined per phase. Lastly, the paper will offer practical implications for vendors attempting to improve their information security strategy in the NWOS devices market.

Section snippets

Information security: the case of NWOS devices

While the literature on information security has addressed various issues relating to (i) best practices in managing information security programs (e.g. Joseph and Blanton, 1992, Austin and Darby, 2003, Farahmand et al., 2003), (ii) risk management and evaluation of security management programs (e.g. von Solms et al., 1994, McAdams, 2004), and (iii) the links between the management of information security and operational activities (McAdams, 2004), recent studies have claimed that there is a

Research background

An in-depth case study was carried out in August 2005 at LeCroy Research Systems, New York during which the challenges faced and solutions applied by this vendor of digital storage oscilloscopes were examined and analyzed. LeCroy Research Systems specializes in the design and production of oscilloscopes and other signal analyzer equipment. The company employs more than 400 people worldwide and its 2004 sales amounted to $120 million. In particular, LeCroy's line of DSOs, also known as the

Information security in networkable Windows-based operating systems: evidence from LeCroy Research Systems

The trigger: In 2003, LeCroy introduced an oscilloscope (WaveMaster) that operated on Windows 2000. This operating system did not offer firewall protection, and anti-virus software was not offered or installed on this particular product release. One unit was delivered to a LeCroy client in Japan. After a while, the client contacted LeCroy's service department with a complaint that the performance of this unit had worsened. To solve this problem, LeCroy suggested that the unit be sent back to

Implications for practice

The main objective of this paper was to report on the information security challenges faced and solutions applied by vendors of NWOS devices throughout the product lifecycle. Our early discussion outlined the challenges that vendors of NWOS devices may face in some critical stages in the product lifecycle. LeCroy, a vendor of Digital Storage Oscilloscopes, has addressed these challenges by introducing various measures that attempted to reduce the vulnerability of its NWOS products to malicious software and

Dr. Ilan Oshri is Assistant Professor of Strategic Management, Rotterdam School of Management Erasmus, The Netherlands. Ilan holds a PhD degree in technological innovation from Warwick Business School (UK). His main research interest lies in the area of knowledge management and innovation. Ilan has published his work widely in journals and books, including IEEE Transactions on Engineering Management, Communications of the ACM, European Journal of Information Systems, Information Systems Journal, Management Learning, and others.

Dr. Julia Kotlarsky is Assistant Professor of Information Systems, Warwick Business School, UK. She holds a PhD degree in Management and IS from Rotterdam School of Management Erasmus (The Netherlands). Her main research interests revolve around social and technical aspects involved in the management of globally distributed IS teams, and IT outsourcing. Julia has published her work in Communications of the ACM, European Journal of Information Systems, Information Systems Journal, International Journal of Production Research, and a number of book chapters.

Dr. Hirsch has served as Associate Faculty in Information Systems, and subject tutor and course author in Customer Relationship Management Systems at Henley Management College since January 2002, and recently as tutor in Information and Communications Technology. He completed his Doctorate degree in Business Administration, awarded by Brunel University, London, and his Masters in Business Administration from the University of Oregon. Recently he has earned a Certification in Information Security Management (CISM) from Information Systems Audit and Control Association (ISACA).
