Using case-based reasoning for the design of controls for internet-based information systems
Introduction
As an innovative system, internet-based information systems (hereafter IIS) have received much attention because they can have considerable organizational impact. The Web’s ease of use and multimedia approach to the presentation of information attracts potential customers. The advantages of IIS can only be obtained when it is utilized and automated to its fullest extent. High speed and the lack of human intervention, however, mean that the errors of one system may rapidly propagate into other systems. Information privacy is defined as seclusion and freedom from unauthorized intrusion and has been one of the most important issues of contemporary management practice (Stewart & Segars, 2002). Organizations that base strategic initiatives on the collection and use of personal information must address information privacy or risk serious consumer backlash. Software security needs to be treated as a focal point for designing, developing, and deploying software applications in environments with such intertwined dependencies between enterprise application components (Wang & Wang, 2003). Security risks are categorized by the target of attack: the application layer, the platform layer, and the network layer. The increasing prevalence of spyware, stealth invaders of personal computers, poses a risk of serious harm to consumers (Sipior, Ward, & Roselli, 2005). The ethical and legal issues of spyware include trespass, surreptitious data collection, direct marketing, and hijacking. Various types of cybercrime, such as computer hacking, Internet fraud, cyber piracy, and the spreading of malicious code, occur in global electronic networks (Chung, Chen, Chang, & Chou, 2006); fighting cybercrime requires updating existing laws, enhancing specialized task forces, utilizing civic resources, and promoting cybercrime research.
The introduction of IS controls, however, must proceed in view of system requirements for security and integrity. It is inefficient to implement expensive controls in subsystems if the sensitivity and vulnerability of the systems themselves are not high. Since available resources are limited, it is not possible for IIS managers to develop all of the necessary controls. Guidance in control design must be provided so that the cost of their implementation is lower than the reduction in expected losses.
The tasks of designing control systems, as performed by IIS auditors, are nevertheless difficult and unstructured, as there exists no normative model of IIS controls. Many alternative forms of controls may exist, and many system environments affect the design of controls. It is difficult to establish if–then rules explaining the choice of controls in a given organizational context, as the benefits of controls are hard to measure quantitatively. Many organizational factors, such as the volume and complexity of transactions and the speed of processing, affect the effectiveness of controls. IISCBR (IIS-controls design using case-based reasoning) is designed to act as a decision aid in recommending the most effective controls in certain organizational contexts.
From the literature reviewed, no study focuses on the recommendation of controls for IIS. Therefore, this study focuses on the book markets and develops an accurate and practical controls recommendation model. The purpose of this paper is to develop IISCBR, a prototype case-based reasoning (CBR) system that is designed to recommend controls for IIS. This paper describes how IISCBR functions and explains the way such a case-based reasoning system may be utilized to support the design of IIS controls. CBR is useful for tasks where the rules are incomplete, as is the case in the design of IIS controls. IIS auditors collect organizational information from questionnaires and interview guides. They then recommend appropriate controls using experience based on a review of past cases. IISCBR has been developed to function in a manner that is compatible with current practice in designing controls.
Techniques for IS security and controls
Current security approaches are categorized into four parts: Standards and Policies, Libraries and Tools, Administrative and System Management, and Physical Tools (Wang & Wang, 2003). Standards and policies include IPSec, a standard aimed at IP network-level security using public-key cryptography. Libraries and tools include VeriSign, which is integrated with the application being developed in order to provide protection against security risks. Administration and System Management
System environments affecting IIS controls
Those variables that are expected to influence IIS controls are selected. A direct relationship exists between system environments and controls (Chan et al., 1993, Jamieson, 1994, Jaworski et al., 1993, Lee and Han, 2000); thus, when system environments are known, the probable level of IIS controls can be predicted (Fig. 1).
The organizational, IS, and IIS implementation factors are as follows:
(1) Organizational factors:
- Competitive intensity (E1).
- Compatibility (E2).
- Relative advantage (E3).
- Complexity
Data collection
The IISCBR casebase is filled with past cases that have been collected from interviews and discussions with IIS personnel. One or two IIS staff members per company participated in the study. The feasibility and benefits of multiple informants were assessed during the initial round of interviews. Since no other person has a vantage point for providing data relevant to this study, one or two IIS managers were chosen. The informant(s) were believed to have sufficient knowledge about IIS implementation,
Recommendation of controls
After a new case is entered into IISCBR, the system retrieves 10 similar cases and returns the level of controls that have the highest frequency in those cases. The predicted level of controls for the case in the estimation sample can then be compared with the true level of controls and “hit ratios” can be produced.
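The retrieve-and-vote step described above, written out as an added example; it is not code from the paper's IISCBR. It assumes an unweighted Euclidean similarity over three of the paper's environment variables (E1, E2, E3), a three-level control scale, and a constructed casebase and estimation sample, none of which the page specifies.

```python
from collections import Counter
from math import sqrt

# Constructed casebase (not the paper's data). Each past case pairs scored
# environment variables E1 (competitive intensity), E2 (compatibility) and
# E3 (relative advantage) with the level of IIS controls the company adopted
# (assumed scale: 1 low, 2 medium, 3 high). The labels follow an assumed rule,
# more demanding environments get more controls, so retrieval has a pattern.
def _assumed_level(e1, e2, e3):
    total = e1 + e2 + e3
    return 1 if total <= 7 else 2 if total <= 11 else 3

CASEBASE = [((e1, e2, e3), _assumed_level(e1, e2, e3))
            for e1 in range(1, 6) for e2 in range(1, 6) for e3 in range(1, 6)]

def distance(a, b):
    # Unweighted Euclidean distance; the page does not state IISCBR's
    # similarity measure, so this is an assumption.
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def retrieve(query, casebase, k=10):
    # The k most similar past cases (IISCBR retrieves 10).
    return sorted(casebase, key=lambda case: distance(query, case[0]))[:k]

def predict_controls(query, casebase, k=10):
    # Recommend the control level with the highest frequency among the
    # retrieved cases; a tie goes to the level ranked nearest (assumption).
    neighbours = retrieve(query, casebase, k)
    counts = Counter(level for _, level in neighbours)
    best = max(counts.values())
    return next(level for _, level in neighbours if counts[level] == best)

def hit_ratio(estimation_sample, casebase, k=10):
    # Share of estimation cases whose predicted level equals the true level.
    hits = sum(predict_controls(env, casebase, k) == true_level
               for env, true_level in estimation_sample)
    return hits / len(estimation_sample)

# Constructed estimation sample: scored environments with their true levels.
ESTIMATION_SAMPLE = [
    ((4.5, 4.5, 4.0), 3),
    ((1.5, 1.0, 1.5), 1),
    ((2.5, 3.0, 3.0), 2),
    ((3.0, 2.5, 3.0), 2),
    ((3.0, 3.0, 3.0), 3),  # adopted more controls than similar cases: a miss
]

if __name__ == "__main__":
    for env, true_level in ESTIMATION_SAMPLE:
        print(env, "true", true_level, "predicted", predict_controls(env, CASEBASE))
    print("hit ratio", hit_ratio(ESTIMATION_SAMPLE, CASEBASE))
```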
Many researchers have compared different prediction methods. For instance, Chang, Lai, and Lai (2006) compared the average error rate of CBR (with weight value
Implications and conclusions
Organizations attempt to prevent unauthorized access and other harm to their systems by using control procedures that address specific organizational contexts. The prototype CBR system, IISCBR, was developed to aid IIS auditors in retrieving similar past cases and to suggest effective controls for each company’s specific system environment. This paper demonstrates that CBR could be incorporated into decision support software tools that provide recommendations for choosing the best combination of
References (43)
- et al. (2006). A hybrid system by evolving case-based reasoning with genetic algorithm in wholesaler’s returning book forecasting. Decision Support Systems.
- et al. (2006). Fighting cybercrime: A review and the Taiwan experience. Decision Support Systems.
- et al. (1996). Risks in the use of information technology within organizations. International Journal of Information Management.
- et al. (2006). Matching information security vulnerabilities to organizational security profiles: A genetic algorithm approach. Decision Support Systems.
- et al. (2007). Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection. Decision Support Systems.
- et al. (2000). The impact of organizational contexts on EDI controls. International Journal of Accounting Information Systems.
- et al. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information & Management.
- (1993). Case-based reasoning: Market applications and fit with other technologies. Expert Systems With Applications.
- Althoff, K. D., Auriol, E., Bergmann, R., Breen, S., Dittrich, S., & Johnston, R., et al. (1995). Case-based reasoning...
- Chan, S., Govindan, M., Picard, J. Y., & Leschiutta, E. (1993). EDI for Managers and Auditors, Electronic Data...
- Portfolios of control in outsourced software development projects. Information Systems Research.
- Coefficient alpha and the internal structure of tests. Psychometrika.
- Mining e-mail content for author identification forensics. SIGMOD Record.
- Case-based reasoning and risk assessment in audit judgment. Intelligent Systems in Accounting, Finance and Management.
- A model of information assurance benefits. Information Systems Management.
- Planning for Internet security. Information Systems Management.
- Case-based reasoning: Application techniques for decision support. International Journal of Intelligent Systems in Accounting, Finance and Management.
- EDI: An audit approach.
- Control combinations in marketing: Conceptual framework and empirical evidence. Journal of Marketing.