EXECUTIVE SUMMARY 6
1. INTRODUCTION 7
1.1 Introduction 7
1.2 Background 7
1.3 Aims & Objectives 8
1.4 Approach 9
1.5 Dissertation Structure 9
2. LITERATURE REVIEW 10
2.1 Introduction 10
2.2 E-Commerce 10
2.3 History and Evolution 11
2.4 Types of E-Commerce systems and Applications 12
2.4.1 Electronic Funds Transfer (EFT) 12
2.4.2 Electronic Data Interchange (EDI) 12
2.4.3 Enterprise Resource Planning (ERP) 12
2.4.4 Data Mining 13
2.4.5 Data Warehouse 13
2.4.6 Web Commerce 13
2.4.7 E-Shopping Carts 13
2.4.8 Electronic Payments Gateway (E-Payment Gateway) 14
2.4.9 E-business 14
2.4.10 E-banking 14
2.4.11 E-Logistics 15
2.4.12 E-Learning 15
2.5 Critical Success Factors for E-Commerce 15
2.5.1 Strategic IT Plan for e-commerce investment should be established 16
2.5.2 Market research and analysis 16
2.5.3 Selection of Appropriate Solution 16
2.5.4 Providing Security Features 16
2.6 E-Commerce Security Issues and Countermeasures 16
2.6.1 Information Security Requirements 17
2.6.2 Privacy and Confidentiality Issues 17
2.6.3 Theft and Fraud 18
2.6.4 Data Integrity Violations 18
2.6.5 Denial of Service (DOS) Attacks 19
2.6.6 Repudiation Issues 20
2.7 E-Commerce Laws and Legislations 20
2.8 An Account of E-Commerce Security Incidents in UK 20
2.8.1 Cyber Black Mailing For Extortion Money 21
2.8.2 Online Mobile Frauds 21
2.9 Summary and Implications 21
3. METHODOLOGY 23
3.1 Introduction 23
3.2 Research Methodology 23
3.2.1 Quantitative Research 24
3.2.2 Qualitative Research 24
3.3 Research Strategy 25
3.4 Data Collection Techniques 26
3.5 Framework for Data Analysis 27
3.6 Limitations and Potential Problems 28
4. FINDINGS AND DISCUSSIONS 30
4.1 Introduction 30
4.2 UK Online Industry 30
4.3 Key Research Findings 31
4.3.1 Nature of Online Payments 31
4.3.2 Importance of online security in Retailers' Views 32
4.3.3 Supporters and Inhibitors of Online Frauds 32
4.3.4 Fraud Management Methods 32
4.3.5 Expenditure on Fraud Management 33
4.4 Survey Results by PWC and UK DTI 33
4.5 Results of E-Commerce Users Survey 37
4.5.1 Internet as a Preferred Buying Mode 37
4.5.2 Frequency of E-Commerce Activities 37
4.5.3 Mode of Electronic Payments and Amount of Transactions 38
4.5.4 Problems in E-Commerce faced by Users 38
4.5.5 E-Commerce Security 39
4.6 Other Findings 40
4.6.1 Indirect Cost of E-Commerce Fraud 40
4.6.2 Lack of Awareness about Information Security Standards 41
4.6.3 Information Security Management 41
4.7 Conclusion 42
5. CONCLUSION 43
5.1 Introduction 43
5.2 Recommendations to Enhance Security Measures 43
5.2.1 Strengthening Authentication and Access Controls 43
5.2.2 Encryption 44
5.2.3 Firewall and Intrusion Detection 44
5.2.4 Information Security Training and Awareness Programs 45
5.2.5 Periodic Risk Assessment and Audits 45
5.3 Operational Guidelines and Recommendations 46
5.3.1 Use fair business, advertising and marketing practices 46
5.3.2 Provide comprehensive information about the company and products 46
5.3.3 Disclose full information about the terms, conditions and costs of the transaction 47
5.3.4 Ensure that consumers know they are making a commitment to buy before closing the deal 47
5.3.5 Provide an easy-to-use and secure method for online payments 47
5.3.6 Protect consumer privacy during electronic commerce transactions 47
5.3.7 Address consumer complaints and difficulties 48
5.3.8 Adopt effective and easy to understand policies and procedures 48
5.3.9 Help spread consumer awareness about electronic commerce 48
5.4 Conclusion 48
5.5 The Road Ahead 49
A. Questionnaire for Companies 54
B. Questionnaire for Customers 57
LIST OF CHARTS/ FIGURES
Figure 4.1: UK E-Commerce Transaction Share, 2007 31
Figure 4.2: Instances of Security Incidents in UK Companies, 2006 34
Figure 4.3: Companies that have Undertaken IT Risk Assessments, 2006 35
Figure 4.4: UK Organisations that have Disaster Recovery Plan, 2007 36
Figure 4.5: Frequency of B2C E-Commerce Activities by Survey Respondents, 2007 38
Figure 4.6: Problems in E-Commerce Transactions, 2007 39
The e-commerce industry in the United Kingdom is an attractive business prospect for organisations of all sizes, dealing in all types of goods, services and other businesses. E-commerce provides far greater reach, market capitalisation opportunity, and customer base than traditional businesses. However, there are a number of security risks and threats that businesses and organisations face when they implement and operate an e-commerce system. These risks, if they materialise, will have an adverse impact not only on the revenue and profits of the organisation in the short run, but will also have lethal effects on the goodwill and reputation of the company, which might result in long-term losses and may ultimately lead to systemic failure for the business. This report presents an analysis of the types of risks that the e-commerce industry faces in general, and the UK's e-commerce industry in particular; the severity of these risks is discussed and supported by appropriate statistics and trends from the industry. This is followed by recommendations to mitigate the impact of these risks by introducing and implementing appropriate controls, both technical and operational. The report can be used as a starting point for the development of an e-commerce business strategy by businesses and industries in the United Kingdom.
E-commerce is a growing field in today's world; every passing day brings new technology and associated new security and operational risks to this relatively new form of doing business. This chapter provides a background of the e-commerce industry in general, and the UK e-commerce industry in particular. The evolution of the e-commerce industry is discussed and the overall structure of this research report is presented.
Global electronic commerce revenue for 2000 was in the region of $286 billion; a figure which was expected to increase to $500 billion in 2001 and to $3 trillion by 2004 (Law Commission, 2001, p.1).
This rapid increase reflects the fact that electronic commerce has a number of advantages over paper-based commerce, in particular speed and a reduced cost of doing business. The e-commerce industry in the UK has also experienced almost £500 million in the first ten months of 2006 (Cyber Source, 2007).
With an increase in the magnitude of e-commerce applications and systems, there is a growing threat of security issues, vulnerabilities and exposures in the use of e-commerce based systems, which is a concern for companies, individuals, government and law enforcement agencies. In order to deal with this threat, a number of measures have been taken, including the development and enforcement of laws and regulations to protect against e-commerce fraud, the development of IT risk assessment standards, and periodic evaluation of e-commerce systems to identify weaknesses and control gaps.
1.3 Aims & Objectives
This report presents an analysis of the e-commerce industry in the United Kingdom with a view to identifying appropriate measures that organisations can take to protect their systems and data from potential threats of hacking, identity theft, repudiation and other forms of fraud, misappropriation, and malicious attempts to disrupt the normal flow of operations.
The detailed objectives of the research are provided below:
o To study the evolution of e-commerce to ascertain the reasons for the rapid growth of the industry in the UK in recent years
o To study the types of risks having an impact on the e-commerce industry and the extent of that impact
o To find out the measures that can be taken to appropriately safeguard against these risks
o To conduct an evaluation of a sample of UK companies that have implemented e-commerce applications, with a view to analysing the security architecture they have implemented for their systems
o To obtain statistics about online frauds and security incidents in 2006, with a view to analysing the reasons and the security vulnerabilities of the systems
o To obtain views from the general public and the internet users' community about the perceived security of e-commerce transactions
o To analyse public opinion about e-commerce security and to provide an analysis of UK companies' responses to people's demands.
The research is a study-based project in which various security-related technologies and issues are explored, and a study is conducted to examine the state of e-commerce security in contemporary UK industries. The research uses both primary and secondary data to effectively capture and analyse the required statistics for the industry. Results are presented in subsequent chapters of the report and recommendations are provided to effectively deal with the security vulnerabilities of UK e-commerce businesses.
1.5 Dissertation Structure
The dissertation is divided into a set of chapters, each developed in a way that logically links to its predecessor and successor chapters. Chapter 2 focuses on an analysis of the literature and a review of the current market and systems in e-commerce. It addresses the history of e-commerce, discusses the various types and models of online business, and discusses at length the security risks and issues that are critical to address in order to provide a safe, secure and reliable e-commerce business model. Chapter 3 discusses the methodology and research techniques used for the project. It also describes the data collection techniques and the analysis procedure adopted to carry out the research work. Chapter 4 then evaluates the findings noted during the research and the impact of these findings on the e-commerce industry. Statistics from the UK e-commerce industry are provided, and major issues are highlighted. The last chapter concludes the report by providing recommendations and strategies that UK industry should adopt in order to effectively deal with the security issues that the e-commerce industry faces.
2. LITERATURE REVIEW
The purpose of this chapter is to provide an introduction to the term "E-Commerce" as it applies in today's world; the chapter then explains the security risks and exposures that are a constant threat to the e-commerce industry in general, and in the UK in particular. The chapter discusses the origin of the e-commerce concept and the efforts being made to adequately protect clients' and companies' data from unauthorised, unrestricted and fraudulent attempts to hack, tap and attack the systems.
E-Commerce has been defined in various ways. A few definitions are listed below:
o "Electronic Commerce consists primarily of the distributing, buying, selling, marketing and servicing of products or services over electronic systems such as the Internet and other computer networks" (Wikipedia.org, 2007).
o "E-Commerce is business that is conducted over the Internet using any of the applications that rely on the Internet, such as e-mail, instant messaging, shopping carts, Web services, UDDI, FTP (File Transfer Protocol), and EDI, among others" (Webopedia, n.d.).
o "E-Commerce refers to support services for trading in goods and services. It encompasses inter-organisational e-mail; directories; trading support systems for commodities, products, customised products and custom-built goods and services; ordering and logistic support systems; settlement support systems; and management information and statistical reporting systems" (Xamax Consultancy, 2005).
In short, e-commerce is a term used to identify the tools, techniques, procedures and processes that extend the concept of traditional business and transactions to include and support online, electronic, and mainly internet-based economic activities, such as sharing and exchanging information, marketing and advertising, payment systems and gateways, credit cards and online currencies, virtual money and paperless environments, and to conduct business beyond the limitations of physical space, resources, markets and reach. E-commerce has revolutionised traditional methods of business; it has exploited the true potential of the internet and electronic communication, and has opened enormous opportunities for all sorts of businesses by bringing the world to a computer screen.
2.3 History and Evolution
The practical concept of e-commerce was first introduced in 1994 when the first banner ad was placed on a website (Wikipedia.org, 2007).
But even before that, the term was used to mean the facilitation of electronic funds transfer (EFT) and electronic data interchange (EDI), which were introduced in the late 1970s.
The introduction, acceptance and growth of credit cards, automated teller machines and telephone banking were all forms of e-commerce, but the term was not used for them as such. Enterprise resource planning (ERP) systems, data mining and data warehousing are all branches and types of e-commerce. In the dot-com era, the concept of "Web Commerce" was introduced, which was again a type of e-commerce. E-shopping carts, electronic payment gateways and the secure transmission of data were all by-products of this unique and exciting concept of doing business online without the restrictions of area, reach, resources and brick-and-mortar facilities. The latest supporters of the e-commerce concept are e-business, e-banking and e-logistics. There is also an emerging concept of e-learning and e-tuition. All these prominent forms of e-commerce show the power and high degree of acceptance of this type of business methodology by customers, businesses and other stakeholders.
2.4 Types of E-Commerce systems and Applications
There are a variety of e-commerce applications and systems in use today as stated above. A description of some of these is provided below:
2.4.1 Electronic Funds Transfer (EFT)
EFT is a technique that provides for electronic collections and payments (Financial Management Service, n.d.).
It is less expensive as compared to paper based system, and faster as the transactions take place online and are completed within seconds.
2.4.2 Electronic Data Interchange (EDI)
EDI refers to the electronic communication of business transactions between two or more organisations, systems and/or parties. This may involve interchange of invoices, orders, messages and other information of interest in an electronic format (Answers.com, 2007).
It effects cost savings and improves efficiency because it minimizes the errors that can occur if the same information has to be typed into computers more than once. Companies that participate in EDI are referred to as trading partners.
2.4.3 Enterprise Resource Planning (ERP)
ERP is a software system that attempts to integrate all departments and functions across a company on a single computer system that can serve all those departments' particular needs (Koch, 2006).
This form of e-commerce takes care of both EFT and EDI in an integrated package with support for management information system reports for higher management for decision making purposes.
2.4.4 Data Mining
Complex, large and distributed applications on the internet often require data mining techniques to fetch the desired data quickly and accurately for the customer. Data mining relates to "the extraction of hidden predictive information from large databases" (Theearling.com, n.d.).
2.4.5 Data Warehouse
A data warehouse is a huge collection of data and records that may be located in geographically distant locations. The purpose of maintaining a data warehouse is to develop a coherent set of data from varied sources that have different relationships with each other. E-commerce applications are usually implemented over the internet and as such require a database to operate and to keep records of the transactions that occur through these systems. A data warehouse can be used to support these applications in an efficient and effective way.
2.4.6 Web Commerce
Web commerce is the name given to e-commerce that uses the internet or websites to carry out transactions and business. "Web commerce" was a popular term in the beginning, but "e-commerce" has since replaced it, because now nearly every transaction uses the web or a web-based interface.
2.4.7 E-Shopping Carts
E-shopping carts are a popular concept for implementing e-commerce based applications for buying and selling online. The concept of the e-shopping cart is best explained by Small Business Bible: "When a person enters a shop, the shop keeper provides him a shopping cart. So that whatever he likes from his shop, he can easily store it in the cart and then at the end present it on the counter for the payment. Similarly, when a person visits a website related to ecommerce his intention is to buy something from there. When a person visits a website he is also provided by an e-shopping cart: this is software which helps you to select the items you want to purchase." Hence, e-shopping cart software acts as the technological equivalent of real-life shopping carts at superstores.
2.4.8 Electronic Payments Gateway (E-Payment Gateway)
Electronic payments or e-payments refer to the online exchange of funds and currency to settle transactions. The various forms used include credit cards, debit cards, the PayPal system, e-money, wire transfers, Western Union, and other forms of virtual money. The transfer takes place over the internet with some third-party assurance that the transferred funds are valid.
The term e-business is sometimes used synonymously with e-commerce but it has a separate distinct definition as well. E-business is composed of either Business to Business (B to B) or Business to Consumer (B to C) type of relationship between buyer and seller of products or services over the internet.
E-banking or internet banking is an important application of e-commerce where a financial institution such as a bank, investment company or any other institute allows its customers to bank online without the hassle of coming to a brick-and-mortar facility and waiting in queues for their turn. An e-banking system works over the web. It is used by customers for a variety of operations such as generating statements of account, transferring funds, and paying bills online.
An integrated supply chain management system is an example of the e-logistics type of e-commerce application. All the suppliers are connected to the company's network through extranets and virtual private networks, allowing the company to minimise the cost of ordering and warehousing, since the suppliers are able to provide materials just in time. The concept of JIT (just in time) inventory can be exploited to the fullest using an e-logistics system. These systems are also used for distribution, online asset tracking, order tracking and other purposes.
E-learning is a form of e-commerce where teachers and students from different parts of the world are able to communicate with each other in a classroom-like setting for mutual learning. The student pays fees online and teachers conduct the teaching session using state-of-the-art tools and techniques.
2.5 Critical Success Factors for E-Commerce
An e-commerce system can be implemented using a variety of techniques and tools. However, there are some key criteria and performance indicators that should be identified before an e-commerce project is undertaken, in order to develop a system with maximum efficiency and effectiveness gains for the parties involved. Some of the critical success factors for an e-commerce project are identified below:
2.5.1 Strategic IT Plan for e-commerce investment should be established
Prior to establishing an e-commerce based system online, a company must develop a viable business model. The feasibility should be verified, the internal and external environment should be analysed carefully, and a proper business plan should be developed and tested before initiating an e-business system.
2.5.2 Market research and analysis
A detailed analysis should be undertaken, appropriately supported by market research and analysis before an e-commerce project is initiated.
2.5.3 Selection of Appropriate Solution
An appropriate solution is one that provides all the required features, is secure and adequately controlled, and is cost effective for the organisation.
2.5.4 Providing Security Features
Security features such as encryption, firewalls, hardware redundancy and fail-safe systems should be provided so that operations can resume even if normal business operations cannot be conducted due to some contingency.
2.6 E-Commerce Security Issues and Countermeasures
A Gartner survey of more than 160 companies found that 12 times more fraud exists in internet transactions than in conventional transactions around the world (Gartner Group, 2000).
The main issue with any e-commerce system is to ensure the system's security vis-à-vis the confidentiality, integrity and availability of data and information.
2.6.1 Information Security Requirements
Some security requirements for an e-commerce application are outlined below (British Standards, 2006):
o Confidentiality: ensuring that information is accessible only to those authorised to have access to it.
o Integrity: safeguarding the accuracy and completeness of information and processing methods.
o Availability: ensuring that authorised users have access to information and associated assets when required.
o Authenticity: information should be available to sender and recipient, who must prove their identities to each other.
o Non-repudiation: assurance/proof that the transmitted message was indeed received (ECD, 2007).
The risks to information security in e-commerce are many and their impact varies. A description of a few of these is provided below:
2.6.2 Privacy and Confidentiality Issues
Information sent over the internet can be viewed by anyone, since the data packets take various paths to traverse the network. This results in a breach of the privacy and confidentiality of the information. One method of dealing with this risk is to encrypt the data packet before sending it across the network. In this approach, the contents of the data packet are encoded using an algorithm and key known only to the sender and receiver. At the destination, the contents are decoded using the same algorithm. This ensures that no modifications are made to the data contents of packets reaching the destination. One of the primary building blocks for security in e-commerce is cryptography, the theoretical basis for encryption (ISACA, n.d., p.2).
A given cryptographic technique may be based on either private keys or public/secret key pairs. Public key infrastructure (PKI) rests atop encryption and in turn supports e-commerce.
2.6.3 Theft and Fraud
An evident risk of e-commerce transactions over the internet is the risk of theft and fraud, whereby a person knowingly tries to misappropriate funds. One form of electronic fraud is called the Rounding Off technique, which refers to drawing off small amounts of money from a computerised transaction or account and re-routing it to another account. Another form of electronic theft is carried out by stealing the identities of authorised personnel and then carrying out transactions while impersonating them. This is also called Spoofing. Effective ways to counter these risks are to use a strong user ID and password mechanism, or perhaps a biometric control at the site from which the transactions are made. In addition, strong internal controls in the e-commerce software can track transaction trails, keep logs of the activities being carried out, and report if any non-routine activity is noted. The logs can also be reviewed to detect the occurrence of fraudulent activity.
2.6.4 Data Integrity Violations
When data is transmitted between two points, a risk arises that an intruder might tap the wire and read the contents of the data packet. The intruder will then be able to alter and modify the data contents, redirect the data packet to some other location, or carry out other malicious activities. The integrity of the data will then be compromised and the contents of the data packet cannot be trusted. One way to protect against data integrity violations is to use the data encryption procedures described above. Another approach is to use Digital Certificates. These are used to endorse an electronic document in a way that can later be validated for authenticity. Digital Certificates are like electronic fingerprints that positively authenticate the identity of a person or website.
2.6.5 Denial of Service (DOS) Attacks
Every system has limits on the concurrent support and services it can provide to customers. Online systems have to accept and respond to a large number of simultaneous user requests. They perform this function using time sharing, where the system's time is split into parts and dedicated to each request on a priority basis. Denial of Service attacks refer to the situation where an external intruder tries to bring the system down by generating repeated requests for information that appear to have come from a variety of different sources (distributed denial of service, DDoS).
As new requests arrive before the prior ones have been answered, the system's performance starts to degrade, and a point comes where the system is no longer able to support any more requests and performance is severely affected. This situation is called system failure due to the DoS attack. An effective way to mitigate this risk is through the use of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).
IDS and IPS are installed at the network perimeter. These systems constantly monitor all packets coming into the network to find out whether an attack pattern is being generated. If any attack-like pattern is detected, they generate an automatic notification to the user or network administrator for review. The main limitation of these systems is a large number of false positives, that is, the system detects and warns that an attack is being initiated when in reality there is no attack and the data requests are valid.
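The "repeated requests" pattern and the false-positive limitation described above, as an added example that is not part of the dissertation: a sliding-window request counter run over constructed access-log lines. The addresses are from documentation ranges; 203.0.113.7 is the constructed flood source and 192.0.2.1 is assumed to be an office proxy with many genuine shoppers behind it, which the same threshold flags too.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log entry.
type Request struct {
	At     time.Time
	Source string
	Path   string
}

// sampleLog is constructed test data, not a real capture. Each line is
// "<RFC3339 time> <source address> <path>". 203.0.113.7 floods the checkout
// page; 192.0.2.1 is assumed to be an office proxy with many genuine users
// behind it; 198.51.100.20 is an ordinary shopper browsing at human speed.
const sampleLog = `2007-03-01T10:00:00Z 203.0.113.7 /checkout
2007-03-01T10:00:00Z 203.0.113.7 /checkout
2007-03-01T10:00:00Z 203.0.113.7 /checkout
2007-03-01T10:00:01Z 203.0.113.7 /checkout
2007-03-01T10:00:01Z 203.0.113.7 /checkout
2007-03-01T10:00:01Z 203.0.113.7 /checkout
2007-03-01T10:00:01Z 203.0.113.7 /checkout
2007-03-01T10:00:02Z 203.0.113.7 /checkout
2007-03-01T10:00:02Z 192.0.2.1 /catalogue
2007-03-01T10:00:02Z 192.0.2.1 /cart
2007-03-01T10:00:03Z 192.0.2.1 /catalogue
2007-03-01T10:00:03Z 192.0.2.1 /catalogue
2007-03-01T10:00:04Z 192.0.2.1 /checkout
2007-03-01T10:00:04Z 192.0.2.1 /catalogue
2007-03-01T10:00:05Z 192.0.2.1 /cart
2007-03-01T10:00:01Z 198.51.100.20 /catalogue
2007-03-01T10:00:30Z 198.51.100.20 /cart
2007-03-01T10:01:05Z 198.51.100.20 /checkout`

// ParseLog turns the text above into Request values; malformed lines are an error.
func ParseLog(text string) ([]Request, error) {
	var out []Request
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", i+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, Request{At: at, Source: f[1], Path: f[2]})
	}
	return out, nil
}

// FloodSources returns every source that issued more than limit requests
// within any window-long span, i.e. the repeated-request pattern an IDS
// looks for. The window slides over each source's sorted timestamps.
func FloodSources(reqs []Request, window time.Duration, limit int) []string {
	bySource := map[string][]time.Time{}
	for _, r := range reqs {
		bySource[r.Source] = append(bySource[r.Source], r.At)
	}
	var flagged []string
	for src, times := range bySource {
		sort.Slice(times, func(a, b int) bool { return times[a].Before(times[b]) })
		start := 0
		for end := range times {
			// Drop requests from the left until the span fits inside the window.
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 > limit {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged) // deterministic order for callers and tests
	return flagged
}

func main() {
	reqs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	// More than 6 requests in 5 seconds is treated as a flood.
	for _, src := range FloodSources(reqs, 5*time.Second, 6) {
		fmt.Println("possible flood from", src)
	}
}
```

With the threshold of 6 requests per 5 seconds both the flood source and the proxy are reported, which is exactly the false positive the text warns about; raising the threshold to 8 silences the proxy but also misses this flood, so the notification is for an administrator's review rather than automatic blocking.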
2.6.6 Repudiation Issues
These refer to the risk that customers or business partners may deny that they transacted any business, when in reality they did. For example, a customer orders a CD and then denies to the vendor that such a request was ever made. The effective way to control repudiation issues is through the use of digital signatures and digital certificates.
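The two roles of a digital signature discussed in 2.6.4 (integrity) and here in 2.6.6 (non-repudiation), as an added example that is not part of the dissertation: the customer signs the order with a private key and the vendor verifies it with the matching public key. The Order fields and the use of Ed25519 from Go's standard library are assumptions made for this example; the certificate that would bind the public key to the customer's identity is outside its scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Order is a constructed order record; the fields are assumptions for the example.
type Order struct {
	OrderID  string
	Customer string
	Item     string
	Pence    int // price in pence so the amount is an exact integer
}

// canonical renders an order as one fixed byte string. Both sides must sign and
// verify exactly the same bytes, so field order and separators are fixed here.
func canonical(o Order) []byte {
	return []byte(fmt.Sprintf("order=%s|customer=%s|item=%s|pence=%d",
		o.OrderID, o.Customer, o.Item, o.Pence))
}

// NewKeyPair creates a customer's signing key. In a deployment the public key
// would be bound to the customer's identity by a digital certificate.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignOrder is run by the customer: only the holder of priv can produce this value.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, canonical(o))
}

// VerifyOrder is run by the vendor with the customer's public key. It fails if
// any field changed in transit (integrity) or if the signature was made with a
// different key (authenticity).
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, canonical(o), sig)
}

// Scenario walks through the three cases the text describes and reports the
// vendor's verification result for each.
func Scenario() (genuine, tampered, forged bool) {
	custPub, custPriv := NewKeyPair()
	_, strangerPriv := NewKeyPair()

	order := Order{OrderID: "A1001", Customer: "alice", Item: "CD", Pence: 1299}
	sig := SignOrder(custPriv, order)

	// 1. Unmodified order with the customer's signature: accepted.
	genuine = VerifyOrder(custPub, order, sig)

	// 2. An intruder on the path rewrites the amount; the old signature no
	//    longer matches the bytes the vendor received (2.6.4).
	altered := order
	altered.Pence = 1
	tampered = VerifyOrder(custPub, altered, sig)

	// 3. Non-repudiation (2.6.6): the customer claims someone else placed the
	//    order. A signature from any other key does not verify under the
	//    customer's public key, so a valid one could only have come from them.
	forged = VerifyOrder(custPub, order, SignOrder(strangerPriv, order))
	return genuine, tampered, forged
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f)
}
```

A shared-secret MAC would also catch the tampering in case 2, but because the vendor holds the same key it could have produced the tag itself, which is why case 3 needs a signature made with a key only the customer holds.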
2.7 E-Commerce Laws and Legislations
Realising the importance of this field, a number of best practices, benchmark standards and e-commerce laws and regulations have come into effect. The two most popular standards for information security in e-commerce applications are the ISO27001 Information Security Management System and Control Objectives for Information Technology (COBIT).
UK industry follows the Electronic Commerce (EC Directive) Regulations 2002, which cover virtually all commercial websites. These regulations detail the minimum requirements for a website to operate in the UK, the roles and responsibilities of the parties involved in e-transactions, online caching, hosting and marketing techniques, and a suite of other important areas, to appropriately cover the risks involved in this mode of business.
2.8 An Account of E-Commerce Security Incidents in UK
A brief account of recent e-commerce security incidents in UK industry is provided below. The purpose is to evaluate the gravity of the situation.
2.8.1 Cyber Black Mailing For Extortion Money
"In November 2006, Russian authorities jailed three criminals who used distributed denial-of-service (DDoS) attacks to blackmail online businesses" (Young, 2006).
Ivan Maksakov, Alexander Petrov and Denis Stepanov threatened sites with huge volumes of internet traffic, demanding that they pay more than £2m or face a DDoS attack. The culprits were ultimately caught and sentenced to eight years. According to prosecutors, the gang made more than 50 similar attacks in their six-month spree. One firm, Canbet Sports Bookmakers, which refused to pay a £5,000 ransom, suffered £100,000 in lost business for its day of downtime when the attackers took it offline.
2.8.2 Online Mobile Frauds
In 2001, Radomir Lukic, a 41 year old man, was arrested in the UK after committing an estimated £3,000,000 fraud with BT Cellnet and Telewest (Leyden, 2001).
He was involved in selling "hacks" for popular UK-based cellular phone and cable TV services. It was believed to be the largest fraud involving the use of software in the UK at that time.
2.9 Summary and Implications
The above review shows that e-commerce, though a powerful enabler of doing business online and without boundaries, is also vulnerable to a number of security risks and exposures which, if not controlled adequately, may lead to disaster for the organisation and may turn the benefits of e-commerce into financial and reputational losses for the company.
The subsequent chapters provide an analysis of the UK e-commerce market with emphasis on e-commerce security issues, to determine whether UK industry has taken the required steps to protect itself from security threats, or whether it remains vulnerable to security incidents and mishaps related to e-commerce.
An important aspect of this research is to find out the current situation with regard to e-commerce security in the UK. This was also stated in the research objectives in Chapter 1, which called for identifying and studying the risks to the UK e-commerce industry and the actions that organisations take to protect against e-commerce vulnerabilities in their systems.
As noted in the Literature Review section, the advent of e-commerce marked an era of ever increasing threats and exposures to the e-commerce industry around the globe. This has also affected the e-commerce industry in UK. The purpose of this report is to provide a status report of the steps taken by UK industries to appropriately control these threats and the impact of losses that these risks have brought to the industry.
By gaining an insight in to the industry�s practices towards risk mitigation and information security, an analysis can be carried out of the effectiveness with which UK industries have adopted procedures to prevent against misfortunes of e-commerce.
This chapter highlights the research methodology that has been used to collect, analyse and present data from the UK industries regarding the statistics for frauds, measures, and losses.
3.2 Research Methodology
The research methodology can be classified in a number of ways. Two of the most common classifications include quantitative research, and qualitative research methodology (Myers, 1997).
The distinction between the two methods is provided below:
3.2.1 Quantitative Research
Quantitative research was originally developed in natural sciences but now is widely used in all forms of research work as an acceptable and effective method of doing research. Examples of quantitative research include survey methods, numerical methods, and laboratory experiments.
3.2.2 Qualitative Research
Qualitative research was developed as a method to assist researchers in studying social and/or cultural phenomena where absolute numbers cannot be identified with certainty. Examples of qualitative research include case study research, interviews, questionnaires, observation, and action research.
The research methodology used for this project was largely based on qualitative research technique where questionnaires were developed and provided to companies having e-commerce presence. The results of the survey questionnaire were then compiled to produce qualitative results based on the responses from companies.
To obtain feedback from the general public and potential e-commerce customers, questionnaires were also developed and distributed to the internet user community, with a view to gaining valuable information about people's awareness of e-commerce security and how it affects them, their apprehensions, suggestions for improvement and general opinion about the state of e-commerce in the country.
In addition, secondary research was conducted to gather more statistics and details relating to fraud and other security issues in e-commerce industry over the years. The results were verified against the primary research results to determine the accuracy and reliability of responses obtained from companies where the research questionnaires were distributed. Also, this assisted in development of a comprehensive and reliable set of information for analysis. The report also presents the statistics and data obtained from secondary sources.
3.3 Research Strategy
The overall research strategy adopted for this work is the “Case Study”.
“Case study research is the most common qualitative method used in information systems” (Orlikowski and Baroudi, 1991; Alavi and Carlson, 1992).
Though many different definitions have been proposed for case study, Yin (2002) defines the scope of a case study as follows:
“A case study is an empirical inquiry that investigates a contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident.”
This shows that the case study strategy is well suited to information systems research, and in this case to e-commerce security in UK industries. Similar organisations may face the same e-commerce risks, yet their responses to those risks may differ depending on factors that are not clearly evident; hence a case study based approach is the most appropriate here. The paper presents the views of a subset of e-commerce users and, based on the views expressed by this subset, generalises the findings. The approach also suits the title of the research paper, which is to identify and analyse the security flaws and systems' weaknesses at various e-commerce businesses in the UK, with a view to identifying the threats and losses that these businesses have suffered as the price of implementing e-commerce, and the benefits e-commerce has provided to offset the costs of implementing such systems. However, the research is not conducted on one specific company; the entire industry is treated as the subject of this research.
E-commerce security issues in businesses do not follow a scientific pattern and cannot be predicted by considering the current system alone. There is no clear relationship between the estimated likelihood of a risk and its actual occurrence. All risk assessment models incorporate the subjectivity inherent in the information security management process; for example, two organisations with exactly the same business environment, similar technology infrastructure, expertise and types of transactions may not be affected by a given risk in the same way, and both the likelihood and the extent of the impact may differ. Hence there is no clear and evident formula for calculating the security preparedness of companies implementing and operating e-commerce systems. This is why case study based research was selected as the research strategy.
3.4 Data Collection Techniques
The data collected for this research mainly consists of statistics from UK industry. These statistics have been obtained from a variety of sources and compiled to provide an integrated view of the entire industry. The methods used to collect data included secondary research through the internet, books and other sources. In addition, an attempt was made to obtain primary data by sending questionnaires to selected UK companies that operate retail superstores, sell products online and use e-commerce channels. Most of the respondents belonged to the retail sector, with the remainder largely coming from financial services, telecommunication service providers, and travel businesses. The names of these companies are not disclosed owing to the confidentiality of the matter. None of the companies agreed to disclose information relating to e-commerce frauds and thefts that took place there, as they felt this would adversely affect their credibility. They also declined to disclose their identity because they believed that if an attacker learned the exact structure and devices operating at their network perimeters, the intruder might attempt to invade their networks, a situation they did not want to arise. Hence, the names and identities of the personnel and organisations are not disclosed in this paper. The interview questionnaires were sent to the companies by email to maintain the anonymity of the personnel completing them.
In addition to the questionnaires sent to UK companies, user surveys were also conducted. The purpose of these surveys was to collect information from internet users and potential e-commerce customers to get their views on the state of e-commerce security in the UK companies and what could be done to strengthen it. The results of these user surveys have also been incorporated in the relevant sections of this report.
3.5 Framework for Data Analysis
The data was analysed to identify statistics about security incidents in the UK e-commerce industry over the last few years, and specifically for the most recent year. In addition, several statistics are obtained and presented regarding the modes of payment over the internet, the security systems and techniques used by organisations to guard against security breaches, and the significant factors that have affected the UK e-commerce industry in the past. The results are provided in the form of graphical charts where appropriate, to make the report easier to read and understand. This detailed analysis may help in identifying the causes of e-commerce security incidents in the market and could help in developing appropriate risk treatment plans to mitigate risk in the e-commerce industry.
3.6 Limitations and Potential Problems
During the course of research work and report development, some problems were faced in data gathering. Some of the most prominent of these are noted below:
o Most of the companies declined the email questionnaires sent to them, stating that they did not want to share confidential information. This placed a serious limitation on the research fieldwork with regard to the availability of data. To deal with this issue, the primary data obtained was supplemented with secondary data from various sources to analyse the UK industry.
o Another limitation on the research work was the development of the survey questionnaire. It was difficult to develop an interview questionnaire comprehensive enough to cover all areas of the e-commerce industry in the United Kingdom, yet short enough to complete quickly. This was required so that respondents would fill out the questionnaire with objective data instead of completing the forms without proper thought. It is generally observed that long questionnaires and surveys fail to achieve their target because they are time consuming and complex. In order to acquire valid information, the questionnaire needed to be concise, comprehensive, focussed and targeted at the research objectives. The questionnaire that was developed is attached in the Appendix of this report.
o Due to unavailability and unwillingness of organisations to provide required data, and the need to obtain and present factual information about the industry, some data is obtained from other research agencies and sources. However, appropriate acknowledgments are provided to the sources of data.
The above provided a description of research methodology that is used for this paper, the techniques, strategies, research types and the data collection framework. The next chapter presents the results of the research work in the form of findings. These findings provide the general trend that prevails in the ecommerce market in United Kingdom, which is heavily populated by a variety of merchants and online stores. All of them share similar risks when opting to go online. The nature, severity and consequences of these are highlighted in the next chapter.
4. FINDINGS AND DISCUSSIONS
This chapter focuses on the significant findings of the research that was conducted to identify the preparedness of organisations in the UK with regard to e-commerce security. The discussion provides statistics and cases of online fraud and other security incidents that affected UK companies in recent history. In order to provide a comprehensive and complete picture of the state of the UK e-commerce industry with regard to security, several results have also been presented from surveys conducted by reliable and credible sources and companies with much larger research budgets and logistical advantages.
4.2 UK Online Industry
The United Kingdom has a major share of the world's internet users. According to data provided by Miniwatts Marketing Group (2007), there are close to 37.6 million internet users in the UK, the sixth largest figure in the world. In a population of approximately 60.3 million, this corresponds to almost 62.3% of the total population of the UK using the internet. Against the world figures, UK users make up 3.4% of the entire global internet population. This is a huge figure and a largely untapped market.
The online retail industry in UK is booming with online sales growth at £50 million per month for the first ten months of 2006, as per the reports of Interactive Media in Retail Group (IMRG) (CyberSource, 2007).
Looking at this trend, one might assume that the bullish growth is matched by a corresponding rise in online fraud and security incidents. However, this is not the reality on the ground: while retailers' total losses appear to have increased over this period, the number of reported incidents has decreased.
4.3 Key Research Findings
CyberSource, founded in 1996, has been a pioneer in online fraud screening since the inception of internet commerce. It recently conducted a study that surveyed 150 online retailers in the UK to obtain statistics about online fraud committed in the UK.
4.3.1 Nature of Online Payments
As far as the nature of online payments is concerned, almost 94% of online payments are made by credit or debit card; other modes of payment include PayPal, gift certificates and direct debits from accounts.
In 2005, almost 78% of the payments received by UK online retailers came from abroad. In 2006, the share of local sales increased, with almost 56% of payments received from customers in Europe and the United Kingdom, and 40% of sales originating from South and North America.
(Figure 4.1: UK E-Commerce Transaction Share, 2007)
4.3.2 Importance of Online Security in Retailers� Views
The survey results show that managing security was the second most important priority for organisations doing business online, second only to customer satisfaction and service. This shows the importance online retailers attach to e-commerce security as an area that requires resources, in terms of both time and money, in order to mitigate security-related risks and continue operations.
4.3.3 Supporters and Inhibitors of Online Frauds
The survey revealed that UK retailers consider manual methods of reviewing their systems' security to be insufficient, and automated methods to be costly. In addition, higher rates of identity theft are a point of concern for online retailers, who worry about the true identity of the customers they are dealing with. Online businesses fear that fraudsters are always one step ahead of them when it comes to managing e-commerce security and privacy effectively. However, they believe that chip and PIN systems are making it harder for intruders to carry out unauthorised transactions, and that police action is having a positive impact in reducing the ability and scale of fraudsters' activities. Others are of the opinion that compliance with the Payment Card Industry Data Security Standard (PCI DSS) helps to prevent online security incidents.
4.3.4 Fraud Management Methods
Statistics show that almost 75% of online businesses use the Card Verification Number (CVN) and Address Verification Service (AVS) to check whether online transactions are valid. About 50% state that they have a procedure to verify card details through Verified by Visa / MasterCard SecureCode (CyberSource, 2007).
Others use company-built or other procedures to check transaction requests against identity theft, invalid accounts, and repudiation risks. The above services are obtained from the respective vendors and are the ones most trusted by e-commerce businesses around the United Kingdom. It should be noted that AVS and CVN checks only establish that the buyer knows the cardholder's address and the printed security code; they do not prove the buyer is the cardholder, which is why they are combined with other checks.
4.3.5 Expenditure on Fraud Management
Realising the importance of this area, companies spend a fair amount on ensuring the security and reliability of their systems. Excluding the large companies with huge balance sheets and revenues of £1 billion and above, companies spend between £10,000 and £100,000 on fraud management systems. This amount, though it seems substantial, is not enough to combat effectively the threat that this risk poses to companies in the United Kingdom.
4.4 Survey Results by PWC and UK DTI
The UK Department of Trade and Industry (DTI) and PricewaterhouseCoopers (PwC) conducted the Information Security Breaches Survey (ISBS 2006), and reported some notable trends in information security breaches in the UK, as summarised below (Department of Trade and Industry, 2006):
o The average cost of a serious security incident was £65,000 to £130,000 for large businesses and £8,000 to £17,000 across the industry as a whole. This cost included business disruption, the time spent responding to the incident, direct cash spent responding to the incident, direct financial losses, and loss due to damage to the company's reputation. The cost is compounded when one security incident triggers others because of a weak internal control system and a lack of proper incident response planning.
o The average expenditure on security by organisations that perform regular risk assessments of their systems is lower than that of companies that do not perform risk assessments for their IT systems. This shows that companies that perform periodic risk assessments are more aware of the needs of spending on e-commerce and online security and, in turn, are better protected against security threats to their e-business systems.
o 62% of the companies surveyed had experienced at least one malicious security incident, an improvement over 2004, when 74% of companies in the industry were victims of a malicious security incident. For large companies the figure is a striking 87%; that is, 87% of large companies experienced a security incident in the last year.
(Figure 4.2: Instances of Security Incidents in UK Companies, 2006)
o 56% of the companies surveyed were not appropriately covered by cyber insurance, or were not sure whether their current insurance policies covered cyber incidents.
o Despite such a high rate of cyber crime and security risk materialisation, 40% of companies spend only around 1% of their total IT budget on information security over the internet. Only 44% of companies carried out risk assessments in the year 2005-06. Investment in security standards and related qualifications is also quite low, with 60% of UK online businesses having no security policy.
(Figure 4.3: Companies that have Undertaken IT Risk Assessments, 2006)
o UK companies also lack other security controls, such as backup and recovery procedures and disaster recovery controls. A disaster recovery plan is used to continue business operations in the event of disruption by disastrous events such as earthquakes or floods. Almost 60% of UK companies either do not have disaster recovery plans or have not tested them through periodic recovery drills in the last twelve months. This poses a further security threat, since the company will not be able to resume operations if a disaster strikes, and the loss arising from a security incident will be magnified as a result.
(Figure 4.4: UK Organisations that have Disaster Recovery Plan, 2007)
o Many companies do not invest in security training, and even fewer actually encrypt their data when it is transmitted over digital links. 60% of the companies that provide remote login facilities do not encrypt their data transfers over the internet. Most UK companies are not properly equipped to prevent identity theft or to protect themselves from losses in the event of such an attempt: 84% of companies are of the opinion that identity theft does not pose a significant threat to their systems, and only 1% are properly secured with adequate systems and protection. Almost 30% of transactional websites do not encrypt transactions as they pass over the internet. This state of affairs shows a serious lack of awareness of, and effort towards, protecting networks against illegal, unauthorised and undesired use by intruders and attackers from both outside and inside the organisation.
4.5 Results of E-Commerce Users Survey
To gather opinions from user community, a comprehensive survey was carried out to identify their spending patterns, apprehensions about e-commerce security and vulnerability of the system, and frequency of e-commerce activity. In all, 56 respondents were contacted and their views were gathered. Key findings of the user surveys are discussed below:
4.5.1 Internet as a Preferred Buying Mode
81.8% of the respondents prefer the internet for buying and selling goods and services. This high percentage shows that, despite its security issues, the internet has become a medium of choice for buyers because of the ease and global reach it provides in purchasing goods and services.
4.5.2 Frequency of E-Commerce Activities
53.6% of survey participants had made use of online commerce in the last 2 months. Only 26.8% stated that their most recent online purchase was more than 4 months ago. This statistic shows the volume of transactions that e-commerce is able to attract and the magnitude and scale of online commerce. If not appropriately controlled, this could lead to disaster for the large part of the population that has started to use e-commerce as a replacement for traditional commerce.
(Figure 4.5: Frequency of B2C E-Commerce Activities by Survey Respondents, 2007)
4.5.3 Mode of Electronic Payments and Amount of Transactions
The survey revealed that the most common and popular mode of making online payments is the credit/debit card, used by 78.2% of respondents to make e-payments; PayPal and wire transfer follow. Of the users surveyed, about 44% used the internet for transactions under $100 in value, with only 23.6% of respondents making transactions worth more than $500.
4.5.4 Problems in E-Commerce faced by Users
In the view of the general public, UK companies need to enhance their system features, as 33.3% of people reported that the system did not respond properly when they tried to make online transactions. The top three answers given when asked to identify problems with e-commerce systems were:
(Figure 4.6: Problems in E-Commerce Transactions, 2007)
4.5.5 E-Commerce Security
When asked whether, in their view, e-commerce is generally a secure system and whether UK companies are doing enough to ensure its security, various responses were received. Many respondents showed awareness of the need for encryption, security, and protection against hacking attempts. Many people believe that as long as the website at which transactions are made is well known and the transactions are encrypted, e-commerce can be safe. However, most people are concerned about the health of e-commerce security in general and believe that it is in the best interest of online companies to ensure that their sites are adequately protected against online fraud and attacks.
More than 50% of the respondents believe that e-commerce will play an increasingly large role in future. Many traditional commerce systems will switch to electronic commerce because of the ease, availability and reach of e-business; many customers will be inclined to make online purchases from the comfort of their homes instead of going to a market, and many companies will offer e-commerce websites to tap this largely untapped market. Almost all the respondents believe that e-commerce is useful provided it is handled appropriately by companies and online businesses.
In the views expressed by survey respondents, UK companies need to spend more on e-commerce security to protect against phishing, hacking and other attacks; they need to keep abreast of the latest technological advances not only in the field of IT but also in the tools used to break into IT systems. In addition, companies need to hire IT security resources to develop systems and strategies to combat e-commerce crime. One respondent candidly responded by saying “…they can pay hackers to help them protect their servers against (attacks) by other people…”. This shows the pressing need to implement security in e-commerce systems.
4.6 Other Findings
The key personnel responsible for the development, maintenance and management of the e-commerce and IT security functions in the organisations provided the following information.
4.6.1 Indirect Cost of E-Commerce Fraud
According to the survey results, the cost of a fraud to an organisation goes beyond the loss arising from the fraudulent activity itself. The total cost of fraud includes direct as well as indirect costs, and the indirect costs of online fraud are much higher than the direct losses resulting from fraudulent activity. The total cost of fraud includes the cost of tools and systems to review orders, the cost of orders that are rejected (some of which are in fact valid orders rejected because of false positives from the fraud management software), the cost of manual order review, and the direct fraud loss with its associated administration. It was noted that, on average, merchants reject 4% of orders, some of which are valid orders lost to false positives. On average, 31% of transactions are manually reviewed for accuracy and correctness, and over 75% of these are ultimately accepted. Direct fraud loss accounts for only 1% of overall orders. This shows that the total cost of fraud is in fact much greater than the direct losses that have to be absorbed as a result of online e-payment fraud.
4.6.2 Lack of Awareness about Information Security Standards
It was noted that there is a lack of awareness and appreciation of information security standards and best practices in UK organisations. Although security is considered important and many organisations have established an IT security function, only a few are aware of the relevant information security standards, and even fewer are interested in obtaining certification against a security standard such as the BS7799/ISO 27001 information security management system. In only one of the companies surveyed did employees and management have some knowledge of the specifics of the British standard on information security.
4.6.3 Information Security Management
It was found that most organisations are vulnerable to security attacks and incidents because they lack appropriate security management tools and processes for their finance, e-commerce and operational information systems. Although there is a realisation that such systems are critical to the smooth operation of a company, many small and some medium-sized companies have not implemented them, mainly because of the high acquisition and implementation cost of security management tools and the recurring maintenance cost of licences and of personnel to operate them. IT budgets are insufficient to support a proper information security infrastructure with firewalls, IDS and monitoring software at the appropriate places, and most IT managers were found to be firefighting with the inadequate resources at their disposal.
The statistics above show a serious lack of awareness and training in the UK e-commerce industry. Although companies have recently begun adopting best practices to implement security controls for their information systems, this remains a major concern for UK companies. Investment in IT is very small compared with the scale at which e-commerce systems are growing. Threats to the e-commerce industry have declined over the years thanks to better technology and relatively more secure systems, yet losses from e-commerce fraud still pose a threat to new business ventures. Customers' trust in the industry is gradually growing as new and improved systems to ensure security and reliability are introduced and implemented.
However, there is an ever-increasing need to develop and strengthen the systems of internal control relating to IT and e-commerce in UK organisations in order to obtain assurance over security risks. The next chapter focuses on the international best practices and controls that organisations in the UK should adopt to ensure that their systems are no longer exposed to security weaknesses, loopholes and intruder attacks.
This chapter provides a set of recommendations that can be used by organisations to effectively address the risks that are discussed above. A comprehensive risk management and controls program is discussed that can be adopted to ensure that all the risks relating to e-commerce businesses are suitably identified, appropriately analysed and adequately controlled. This would result in organisations reaping the benefits of secure and reliable e-commerce business with high returns in terms of revenue, customer base, and market share.
5.2 Recommendations to Enhance Security Measures
To provide assurance that the system of internal controls is operating as desired, and is equipped with all the key controls that must be in place to effectively mitigate e-commerce and online commerce risks, the companies involved in e-commerce businesses are advised to improve security controls over their systems and processes. Towards this goal, following key recommendations are provided:
5.2.1 Strengthening Authentication and Access Controls
Controls over authentication and authorisation processes should be enhanced to protect against risks such as identity theft and, to some extent, card fraud. This includes implementing one, or a combination, of the following controls:
o A strong username and password combination, with automatic lockout after repeated failed attempts and enforced password change controls. An awareness programme should be initiated to ensure that all stakeholders choose strong passwords that cannot be recovered by ordinary brute-force or dictionary attacks. Passwords should be stored only as salted, iterated hashes, so that a stolen credential database does not directly yield the passwords.
o Two-factor authentication, which requires the user to present something they have, such as a card or token, together with something they know, such as a personal identification number. Both are required to gain access to the secured resource, so a stolen password alone is no longer sufficient to impersonate the user.
o A digital certificate issued to the user, which establishes identity by proving possession of the private key bound to the certificate rather than by a shared secret.
o If the company is not limited by budget, biometric controls such as face recognition, speech recognition, retina scanning, fingerprint or hand-geometry scanners can be implemented. These identify a person by attributes unique to them, such as fingerprints, voice pitch and quality, or facial image. Such systems are hard to defeat and provide a high level of protection against unauthorised access, with one caveat: unlike a password, a compromised biometric cannot be changed, so biometrics should be combined with another factor rather than used alone.
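The password and two-factor controls listed above can be combined in a single login check. The following is an added example, not code from the dissertation or from any surveyed company: it stores passwords as salted PBKDF2 hashes, generates the "something you have" code with RFC 6238 TOTP, and locks the account after a constructed threshold of failed attempts. The policy constants, the account structure and the demo credentials (the RFC 6238 test key) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Policy values are assumptions chosen for this example, not figures from the dissertation.
MAX_FAILED_ATTEMPTS = 5      # lock the account after this many consecutive failures
PBKDF2_ITERATIONS = 200_000  # slows down offline brute-force / dictionary attacks on stolen hashes
TOTP_STEP_SECONDS = 30       # RFC 6238 time step
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. Store (salt, digest), never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP_SECONDS, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Minimal account record: salted password hash, shared TOTP secret, lockout state."""

    def __init__(self, username: str, password: str, totp_secret: bytes) -> None:
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.totp_secret = totp_secret   # provisioned to the user's token/app (something they have)
        self.failed_attempts = 0
        self.locked = False


def login(account: Account, password: str, code: str, now: Optional[float] = None) -> str:
    """Return "ok", "denied" or "locked". Both factors are always evaluated, so the response
    does not reveal which one failed, and any failure counts towards the lockout threshold."""
    now = time.time() if now is None else now
    if account.locked:
        return "locked"
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.password_hash)
    # Accept the current step and one step either side to tolerate clock drift on the token.
    code_ok = any(
        hmac.compare_digest(totp(account.totp_secret, now + drift * TOTP_STEP_SECONDS).encode(),
                            code.encode())
        for drift in (-1, 0, 1)
    )
    if password_ok and code_ok:
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True   # requires an out-of-band reset by an administrator
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed demo data; the secret is the RFC 6238 test key, not a real credential.
    acct = Account("alice", "correct horse battery staple", b"12345678901234567890")
    print(login(acct, "correct horse battery staple", totp(acct.totp_secret, time.time())))
```

The lockout counter is incremented on any failure, including a correct password with a wrong code, so an attacker who has obtained the password cannot guess the six-digit code indefinitely; the one-step drift window keeps the false-reject rate tolerable for users whose token clock has wandered.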
As a rule of thumb, all transaction data traversing the internet should be encrypted using established protocols such as SSL/TLS for web sessions or IPsec for site-to-site links; current TLS versions should be used, since the obsolete SSL versions have known weaknesses. The protection obtained depends on the protocol version, the cipher suite negotiated and, above all, correct verification of the server's certificate, not on key length alone. 128-bit symmetric encryption negotiated over SSL/TLS is generally considered adequate and hard to break, and is treated as the de facto industry standard to guard against unauthorised viewing of the contents of data packets.
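To make the difference between "encryption switched on" and a properly configured channel concrete, here is an added example (not from the dissertation) using Python's standard `ssl` module. It builds a weak client context that accepts any certificate beside a hardened one that verifies the certificate and hostname, refuses anything below TLS 1.2 and restricts TLS 1.2 to forward-secret AEAD suites, and then audits both. The cipher string and the list of weak-cipher markers are assumptions for the example.

```python
import ssl
from typing import List

# Substrings that identify cipher suites no transactional site should still offer (assumption).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP")


def weak_context() -> ssl.SSLContext:
    """The 'just switch SSL on' configuration: no certificate or hostname checks, and whatever
    protocol versions the OpenSSL build still permits by default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate: trivially open to a man in the middle
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the server certificate against the system CA store, check the hostname, refuse
    anything older than TLS 1.2 and restrict TLS 1.2 to AEAD suites with forward secrecy."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, default CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client context; an empty list means it passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("SSL 3.0 / TLS 1.0 / TLS 1.1 may be negotiated")
    weak = sorted(c["name"] for c in ctx.get_ciphers()
                  if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS))
    if weak:
        problems.append("weak cipher suites enabled: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label + ":", audit(ctx) or ["no issues found"])
```

The same checks apply in reverse on the server side: a shop's web server should refuse old protocol versions and weak suites, and present a certificate chain that clients can validate, otherwise the "128-bit" figure says nothing about what an eavesdropper can actually do.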
5.2.3 Firewall and Intrusion Detection
To protect network perimeters, companies should deploy firewalls. The purpose of a firewall is to filter the data packets entering and leaving the company's network according to a set of rules defined in the firewall. A firewall can be implemented in hardware or software, but care must be taken to place it at the appropriate point in the network structure: all traffic must pass through it to obtain maximum protection against undesired access, and the rule set should deny anything that is not explicitly permitted. The basic purpose of a firewall is to prevent outside parties from gaining access to systems and information on the internal network. All companies should install firewalls at their network perimeters to keep out malevolent users.
An IDS and an IPS are two separate systems that monitor data packets for attack-like signatures; when an attack pattern is found, an IDS raises an alarm for administrators by email or other means, while an IPS can additionally block the offending traffic. Companies should deploy an IDS or IPS to detect and, where possible, block attacks including DoS attempts. Note, however, that a firewall must let traffic to the public web ports through, so a flood aimed at those ports is only caught by detection, and a volumetric DDoS of the kind described in section 2.8.1 saturates the internet link before it reaches the perimeter, which requires upstream filtering or capacity from the ISP in addition to on-site devices.
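The following added example (not code from the dissertation) shows the two controls side by side on a constructed packet trace: a first-match, default-deny perimeter rule set for a shop's web server, and a threshold IDS rule that flags a source sending too many bare TCP SYNs to one port within a sliding window. The addresses are RFC 5737 documentation ranges and the rule set, thresholds and traffic are assumptions for the example; the point it makes is that the flood passes the firewall, because port 80 has to be open, and is only caught by the detector.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags, e.g. "S" for a bare SYN


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Stateless perimeter filter: first matching rule wins, anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


def detect_syn_floods(packets: Iterable[Packet], threshold: int = 20,
                      window: float = 1.0) -> Set[Tuple[str, int]]:
    """Threshold IDS rule: alert on any (source, port) that sends more than `threshold` bare
    SYNs within `window` seconds. A per-key sliding window keeps memory bounded."""
    recent: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
    alerts: Set[Tuple[str, int]] = set()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.proto != "tcp" or p.flags != "S":
            continue
        key = (p.src, p.dport)
        q = recent[key]
        q.append(p.ts)
        while q and p.ts - q[0] > window:   # expire SYNs that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts.add(key)
    return alerts


# Constructed rule set for a shop whose web server is 203.0.113.10: public HTTP/HTTPS,
# SSH only from the 192.0.2.0/24 administration network, everything else dropped.
SHOP_RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", src="192.0.2.0/24", dst="203.0.113.10/32", proto="tcp", dport=22),
    Rule("deny"),
]


def sample_traffic() -> List[Packet]:
    """Constructed capture: a few legitimate connections plus a SYN flood from one host."""
    pkts = [
        Packet(0.00, "198.51.100.20", "203.0.113.10", "tcp", 443, "S"),
        Packet(0.10, "198.51.100.20", "203.0.113.10", "tcp", 443, "A"),
        Packet(0.20, "192.0.2.5", "203.0.113.10", "tcp", 22, "S"),        # admin SSH
        Packet(0.30, "198.51.100.20", "203.0.113.10", "tcp", 22, "S"),    # SSH from the internet
        Packet(0.40, "198.51.100.20", "203.0.113.10", "tcp", 3306, "S"),  # database port probe
    ]
    # 50 SYNs in half a second to the public web port: the firewall permits every one of them.
    pkts += [Packet(1.0 + i * 0.01, "198.51.100.7", "203.0.113.10", "tcp", 80, "S")
             for i in range(50)]
    return pkts


if __name__ == "__main__":
    for p in sample_traffic()[:5]:
        print(f"{p.src} -> {p.dst}:{p.dport} {filter_packet(SHOP_RULES, p)}")
    print("SYN flood sources:", detect_syn_floods(sample_traffic()))
```

In practice the detector's output would feed an alerting channel (an IDS) or a rate-limit or block action (an IPS); either way the threshold and window need tuning against normal traffic for the site, or a busy sale day will look like an attack.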
5.2.4 Information Security Training and Awareness Programs
Despite the sophistication of technical controls, they are only as good as the people who use them. For this reason, all companies, regardless of the size and scope of their e-commerce systems and applications, should initiate a continuous security training and awareness program for their employees, equipping them with the knowledge and tools they need to prevent a security incident.
5.2.5 Periodic Risk Assessment and Audits
UK organisations are recommended to carry out a periodic risk review of their systems and e-commerce applications. This would help them identify all the risks in their systems; only then can they develop ways and means to mitigate those risks. Currently, only a very small percentage of UK firms perform IT risk assessments of their systems; this statistic needs to improve if organisations want to be adequately protected against e-commerce security risks.
5.3 Operational Guidelines and Recommendations
The ultimate goal of any e-commerce security initiative is to build customers' confidence in e-commerce transactions by working to ensure that consumers are just as safe when shopping online as when shopping offline, without the geographical boundaries or limitations of their place of residence or the company's place of doing business. To prevent the risks and security incidents discussed in previous chapters, and to detect the occurrence of undesired events in a timely manner, e-commerce businesses should follow the best-practice principles below and design their practices around them.
5.3.1 Use fair business, advertising and marketing practices
Businesses, operating over the internet and other electronic means, should provide accurate and complete information to customers, and avoid false or unfair claims, or practices.
5.3.2 Provide comprehensive information about the company and products
In order to attract the attention of the customer and to maintain credibility in the market, companies must disclose the information consumers need to understand the company and its business, along with an accurate description of the company's products and services. The required information that companies should post on their website includes the company's name, its physical address, including the country, and an email address or telephone number that consumers can use if they have queries and/or problems.
5.3.3 Disclose full information about the terms, conditions and costs of the transaction
The online businesses should provide consumers with full, accurate and correct information like costs involved in the transaction, designating the currency involved, as well as terms of delivery or performance, and terms, conditions and methods of payment.
5.3.4 Ensure that consumers know they are making a commitment to buy before closing the deal
The organisations should take steps to protect consumers who are merely surfing the internet from unknowingly entering into a sales contract. They should give the consumer a chance to change the order before committing to the purchase or to cancel it altogether. Consumers should also be allowed to keep a record of the transaction.
5.3.5 Provide an easy-to-use and secure method for online payments
Companies should adopt security measures appropriate to the transactions to ensure that the vulnerability of personal information is reduced and the risk is appropriately mitigated.
5.3.6 Protect consumer privacy during electronic commerce transactions
Businesses must develop information privacy policies and disclose their privacy policies or information practice statements prominently on their websites, so that the customers are aware of it. In addition, online retailers should adopt a system where none of the information stored for a customer can be leaked out without prior consent and choice of the customer. Consumers should be given the opportunity to refuse having their personal information shared with others or used for promotional purposes.
5.3.7 Address consumer complaints and difficulties
Companies should develop and adopt policies and procedures to address consumer problems quickly and justly, and without cost or inconvenience to the consumer.
5.3.8 Adopt effective and easy to understand policies and procedures
Electronic commerce should be extended the same basic level of protections that cover other forms of commerce. The government must develop easy, comprehensive, and easy to understand rules and regulations to ensure that businesses and consumers are provided with the tools they need to make informed decisions and to resolve complaints.
5.3.9 Help spread consumer awareness about electronic commerce
Businesses should assist and play their role in creating a consumer-friendly electronic marketplace. UK companies should work with governments and consumer representatives to ensure that consumers understand their rights and responsibilities when participating in online commerce. In addition, they must ensure that customers' trust in e-business and e-transactions is developed and maintained. This would ensure an increase in the number of transactions online and over the internet.
E-commerce is a growing field and promises to provide a great deal of business and advantage to the organisations that have adopted it as a means of doing business. However, several new and unique risks are associated with this domain; these risks need to be addressed before a viable business opportunity can be created to succeed online. The results of the research studies shown above can provide a starting point for organisations to understand the nature of the risks and problems involved with e-commerce, and can be used by organisations to develop a road map for their e-commerce business. In short, the benefits of the area are unlimited, provided careful analysis is carried out and information security is given due consideration by companies that wish to reap the fruits of this form of business.
5.5 The Road Ahead
This report provides an initial analysis of the risks and exposures involved in implementing and operating an e-commerce system over the internet. The security vulnerabilities that have been identified should be analysed in depth to develop a customised solution for a particular company. The recommendations provided in this report can be used to establish, define and implement a fail-safe system of controls to ensure that organisations' data and information is suitably protected from the risks identified above. Organisations can use this report to develop a comprehensive security strategy and processes around their e-commerce business. However, as new developments in technology take place, there is not only a simultaneous change in the nature, materiality and potential impact of existing risks, but new risks may also be identified. For this reason, security should be an integral part of all processes of an organisation.
A. Questionnaire for Companies
Company Name (Optional): ___________________________
Designation (Optional): ___________________________
Type of Business: ___________________________
Online since: ___________________________
E-Commerce Revenue earned in 2006:
(Please check one that applies)
What is the IT budget? (in terms of percentage of total budget of the company)
Main payment type offered online:
What, in your view, are the key areas that result in an increase in e-commerce frauds?
(Please rate as 1-5)
What, in your view, are the key areas that result in a decrease in e-commerce frauds?
(Please rate as 1-5)
What, in your view, are the most effective methods to reduce e-commerce frauds?
(Please rank from 1-5)
Does your company have an information security policy?
Is your company certified or in the process of getting security certifications like BS7799?
Does your company have a Business Continuity/ Disaster Recovery Plan (BCP/DRP)?
Does your company encrypt data packets when they are transmitted over the internet?
How many security incidents, on average, have occurred over the last year in e-commerce business? (Please select one that applies)
What was the total cost of fraud that affected the company?
Is the company protected against e-commerce fraud losses through insurance?
Has a formal IT risk assessment, specifically related to e-commerce business, been carried out for the company by independent third party?
Does the company provide regular training to its employees with regard to information security?
If Yes, when was the last training provided? What were its contents?
B. Questionnaire for Customers
Please answer the following brief questions to help us develop a profile of customer attitudes towards e-commerce security in UK companies. Your help will be greatly appreciated.
1. Are you an internet user?
2. Do you use the internet for buying/selling goods/services?
3. When was the last time you accessed the internet for e-commerce purposes?
4. Approximately what amount of transactions do you carry out online?
5. Which mode of payment do you normally use for e-commerce transactions?
6. Have you ever encountered a problem in making payments online?
7. If 'Yes', please briefly describe the problem you faced
8. In your view, is e-commerce safe?
9. If 'Yes', why?
10. If 'No', why?
11. Do you think that e-commerce will replace the traditional commerce channels in the next 5 years? Why/why not?
12. Do you think the UK companies have secure systems and processes in place to meet the requirements for information privacy, data security and authorisation checks on customers and transactions?
13. What, in your view, can UK companies do to maximize e-commerce security for their systems, customers and data? (Please explain your thoughts)