Internet and Intranet Security Management
Latest Publications


Total documents: 10 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781878289711, 9781930708624

Author(s):  
Dieter Fink

While much attention is currently being devoted to solving technological challenges of the Internet, for example increasing the bandwidth on existing narrowband network platforms to overcome bottlenecks, little attention appears to be given to the nontechnical aspects. This has been a mistake in the past as human resistance to, or incompetence during, the introduction of new Information Technology (IT) often caused Information Systems (IS) to fail. By focusing on a broad range of technical and nontechnical elements early in the adoption of Internet technology, we have the opportunity to avoid the mistakes made in the past. The Internet has given rise to electronic commerce (e-commerce) through the use of the World Wide Web (Web). E-commerce, by its nature, offers enormous possibilities but in an uncontrolled environment. Therefore, for e-commerce to be accepted, trust must be established as soon as interaction with a Web site begins. In the virtual environment of the Web, trust has become even more important because the parties are not in physical proximity. There are no handshakes or body language to be observed when closing a deal. Furthermore, jurisdiction is unclear. Developments on a global scale are required that provide assurance that e-commerce can be conducted in a ‘trusting’ manner.


Author(s):  
Jairo A. Gutierrez

The growing popularity of the Internet has taken many organisations by surprise. Established mechanisms such as fax technology, electronic data interchange (EDI), electronic messaging, and file transfers over private networks have dominated electronic commerce until now. The advantages of the Internet are changing that technological landscape very rapidly. Those advantages include: a) Worldwide connectivity. b) Hardware and software independence provided by ubiquitous Web browsers. c) User friendliness. d) Interactive nature of Web-aware technologies. e) Affordable technology.


Author(s):  
Gehan Gunasekara

This chapter canvasses the impact of the Privacy Act 1993 on those who transact their business in cyberspace who fall within the Act’s definition of “agency”. The writer argues that, for the most part, the Act can be effective in protecting individuals’ privacy in cyberspace. Privacy protection does not place restrictions on freedom of expression and communication on the internet. The internet has proved to be extremely difficult to regulate, perhaps not surprisingly given its origins and function. It has exhibited a high degree of resistance to regulation of any kind, thus confirming a type of “frontier” image.


Author(s):  
Chris Mitchell

However, despite this wide range of standardisation activity, the ISO/IEC JTC1/SC27 work is unique in being both truly international and also aimed at general applications. As such, while we mention the relevant work of other standards bodies, the main focus of this chapter is the work of ISO/IEC JTC1/SC27. The main purpose of this chapter is to bring the international standards for cryptographic techniques to the widest possible audience. Adoption of these standards, which have received detailed scrutiny from experts worldwide, can only help to improve the quality of products incorporating security features. Note that much of the work described in this chapter is based on recent research. For brevity, references to research papers are not included here. For further information the interested reader should consult the bibliographies in the quoted standards, or the excellent encyclopaedic work (Menezes, van Oorschot and Vanstone, 1997).


Author(s):  
Charles Prysby, Nicole Prysby

Electronic mail (e-mail) has become increasingly important in the workplace. The growth of this new medium of communication has generated important legal questions about the privacy and monitoring of e-mail messages, so much so that most experts strongly recommend that organizations adopt explicit policies about e-mail for their own legal protection. The legal questions concerning e-mail in the workplace include both: (a) employee rights to privacy regarding e-mail messages; and (b) employee obligations to monitor e-mail to ensure a suitable workplace or to prevent illegal behavior. We discuss both of these topics in this chapter, attempting not only to outline current legal thinking in the area, but also to raise questions that managers and policy makers should consider. It is worth noting at the start that many of the legal issues surrounding the use of e-mail are direct extensions of principles that apply to other forms of communications. Indeed, much of the law that governs e-mail is not legislation that was written explicitly to cover this particular form of communication. Issues of the privacy of employee e-mail messages, for example, are directly analogous to issues of the privacy of employee phone calls or written correspondence. To be sure, there are questions about exactly how legal principles that were established for older communication technologies should be applied to a new one, and perhaps not all of these questions are fully settled at this point in time, but our understanding of this topic is broadened if we appreciate the application of legal principles across communication media.


Author(s):  
Fredj Dridi, Gustaf Neumann

Advances in World Wide Web technology have resulted in the proliferation of significant collaborative applications in commercial environments. However, the World Wide Web as a distributed system, which introduces new technologies (like Java applets and ActiveX) and uses a vulnerable communication infrastructure (the Internet), is subject to various security attacks. These security attacks violate the confidentiality, integrity, and availability of Web resources. To achieve a certain degree of Web security and security management, different protocols and techniques have been proposed and implemented. This is still a hot topic in current research and still requires more ambitious efforts. We give an overview of Internet security issues with special emphasis on Web security. We describe an architecture built up by means of security services to shield against these threats and to achieve information security for networked systems like the WWW. We focus on the authentication and access control services (like role-based access control) and their administration aspects. We discuss several elementary techniques and Internet standards which represent the state of the art in Web security.


Author(s):  
Lech Janczewski

In this chapter we will discuss the issue of managing security processing in business organizations, with special emphasis on computer systems. Our intention is not to prove that managing information security resources is the most important issue within the information security domain, but that it must be dealt with first in a chain of activities leading to building and operating information systems in a secure way. Before starting the discussion it is necessary to look at the historical developments leading to this issue. Most people are aware of the dramatic rate of development of information technology. However, few could attach quantitative values measuring this growth apart from a known statement that “If the auto industry had done what the computer industry has done in the last 30 years, a Rolls-Royce would cost $2.50 and get 2,000,000 miles per gallon.” This is true, but a more precise measure must be introduced.


Author(s):  
Jonathan W. Palmer, Jamie Kliewer, Mark Sweat

The security issue has been a compelling one for many organizations. In two separate studies completed in April 1998, Fortune 1000 companies reported more financial losses due to computer vandalism and espionage in 1997 than they ever experienced before. Several corporations said they lost $10 million or more in a single break-in. And reports of system break-ins at the Computer Emergency Response Team site are the highest they’ve ever been. Management objectives for security reflect the individual organization’s situation. However, there are several common themes in the objectives for security:

• Safeguarding the organization’s assets and resources.
• Complying with policies, procedures, laws, and regulations.
• Utilizing resources economically and efficiently.
• Ensuring the reliability and integrity of information.


Author(s):  
Dieter Gollmann

Products promising to secure electronic commerce and other Internet applications tend to rely heavily on cryptography. On occasion, it seems that constraints on the deployment of ‘strong’ cryptography remain the only obstacle on the path to achieving security. This chapter will point to other aspects of security that are fundamental prerequisites for the successful deployment of cryptography, viz computer security and security policy. To achieve the security their systems are striving for, researchers and developers alike will have to provide adequate solutions in these areas. Otherwise, the value of strong cryptography will be greatly diminished.


Author(s):  
Henry B. Wolfe

The protection of information for business or private purposes can be achieved through the careful selection and use of cryptographic tools. Throughout recorded history the art and science of cryptography has been the exclusive domain of government in the form of military and diplomatic use. For the most part the many and varied techniques were used for protecting strategic communications. With the advent of the microcomputer the tools to incorporate some of the complex mathematical tools necessary to provide strong encryption became readily available to the public at large. That availability has contributed to the proliferation and use of cryptographic tools that are capable of providing strong encryption to anyone who would care to use them. This important security technique has become the main tool for protecting communications of all kinds and is used throughout the business community. The banking community, for example, is probably one of the largest users of data encryption for the protection of their clients’ financial transactions.

