Reducing e-commerce risks

Work Study

ISSN: 0043-8022

Article publication date: 1 December 2002

Citation: (2002), "Reducing e-commerce risks", Work Study, Vol. 51 No. 7. https://doi.org/10.1108/ws.2002.07951gaf.003

Publisher: Emerald Group Publishing Limited

Copyright © 2002, MCB UP Limited

Most security managers will tell you that risk is a function of three primary factors: threats; vulnerabilities; and business impact.

Combining these provides a standard formula for risk that is often used in security and business continuity planning. E-commerce has had a big impact on all three factors.

Threats naturally increase with exposure. The more exposed a system is to people or other systems, the greater the odds that someone or something will attack that system. E-commerce magnifies the exposure of systems by making business services available via the Internet or other networks and by integrating with back-office systems, such as mainframes and enterprise resource planning (ERP) software.

Vulnerabilities increase with complexity. The more complex a system is, the greater the likelihood of software defects or configuration flaws that make the system susceptible to compromise. E-commerce increases complexity by promoting the use of Web services, multi-tiered applications, distributed databases, security zones and other technologies.

Business impact increases with the business value of the system, as well as with the length of time the system remains compromised during an attack. While the relationship between business impact and business value is often linear, the relationship between business impact and length of time is rarely linear: the maximum loss may be incurred almost instantaneously. For example, an attacker may steal 100,000 credit card numbers and customer profiles within moments of compromising a database server. E-commerce places business value directly on the bottom line.

Organisations dealing with e-commerce must reduce all three factors in order to reduce the overall risk. They control exposure by ensuring that only the minimum number of people or systems can access (physically and logically) the systems involved. Threats are reduced by deploying firewalls, routers, switches, VPNs (virtual private networks) and other access control technologies.

Managers must also mitigate vulnerabilities in complex systems by defining secure e-commerce architectures, establishing security policies for e-commerce, and by performing routine vulnerability assessments – and then acting upon them.

There is little or nothing that can be done in security terms to manage the first component of business impact, business value; it is a consequence of the business itself. However, the second component of business impact, time of compromise, can be reduced by lowering the time for detection and reaction, maximising the time provided by protective measures, or both. Implementing host-based protection technologies, intrusion detection systems and security event management products often helps reduce this "time of compromise".

As ever, security is "simply" a matter of identifying and understanding potential threats and implementing measures to remove or reduce them.