Netcetera
CIA Triad of Information Science
The CIA triad, i.e. the confidentiality, integrity and availability model, is a tool used to evaluate and implement the information security of an organization. These three components are regarded as the most crucial properties of security, and attacks of varying severity target each of them. (Technopedia, 2018)
Information security focuses mainly on the protection of the following three elements:
- Confidentiality, which consists of making data accessible only to the intended users and systems, and not making it available or disclosing it to unauthorized individuals, entities or processes.
- Integrity, which means maintaining and assuring the accuracy and completeness of data so that it cannot be modified in an unauthorized or undetected way.
- Availability, which consists of making sure that the computing systems used to store and process data, the security controls used to protect it, and the communication channels used to access it are available and functioning correctly when authorized people need them.
Threats
The constant evolution of technology and society's permanent connection to the internet has many positive effects for companies, but it has also created a black market, i.e. cyber criminality. Threats can manifest themselves as single or mass attacks.
Single attacks
A single attack takes place when only one user or client is attacked. This kind of threat does not harm the business much; however, the damage has to be isolated and the necessary and possible precautions should be taken in order to lower the risk. (Brantschen, 2018)
Mass attack
Mass attacks harm the entire business, since they take down the whole server or system, or take advantage of weak implementations and processes. In this case all data, and the company itself, are in danger. (Brantschen, 2018)
Below, some of the possible online and offline threats are outlined.
Distributed Denial of Service (DDoS)
A distributed denial of service attack is an attempt by many compromised computer systems to attack a server, website or network and make it unavailable. The incoming traffic to the target system becomes too high, forcing it to slow down or even crash. (Webopedia, 2018)
Trojan Horse
A Trojan horse is malware that gets onto a computer. Once activated, a Trojan starts performing destructive actions such as deleting, blocking, modifying or copying data, sending spam and phishing mails, committing click fraud or launching DDoS attacks. By installing antivirus software and using firewalls, individuals can protect themselves against Trojans. (Kaspersky, 2018)
Botnets, Bots and Zombies
Bots, botnets and zombies are computer and network security threats because they perform malicious tasks. They allow hackers to take control over the affected computer without its owner being aware of anything. They then send malware or spam, carry out hacking attacks, steal passwords and run DDoS attacks. The best countermeasures are security software, passwords on network devices, secure browsing and frequent updates. (Webroot, 2018)
Natural disasters or power outage
Natural disasters such as fire, avalanches, floods or earthquakes, as well as power outages, can also be a threat to security. They can cause data loss if, for example, there are no redundancies and no regular backups.
Threat Analysis
This ongoing process is composed of the following four components: Inventory, threat analysis, assessment prioritization and measures implementation.
Inventory
The first step consists in defining what has to be protected. This could be: (Brantschen, 2018)
- Data of the customers or of the company
- Privacy, identity or anonymity of data
- Metadata
- Functionality or services
- Intellectual property
Threat Analysis and assessment prioritization
The threat analysis consists in creating a table answering the following questions:
- What events could happen?
- How likely is the event to happen?
- What would be the impact?
- What is the effort needed for prevention?
- What is the prioritization of the event?
Measures / implementation
This final step consists of implementing measures that protect a company from threats. This topic is explained more extensively in the next section.
An example of a threat analysis could look like the following matrix.
| Event | Probability | Impact | Effort for prevention | Prioritization |
|---|---|---|---|---|
| Credit card data stolen | Medium | Medium / high | High | 2 |
| Denial of service attacks | High | High | Medium | 1 |

The aim of the threat analysis is to implement mitigation measures immediately and to anticipate possible attacks.
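The matrix above can be turned into a ranked list. The following is an added example, not code from the original post or the lecture: the columns and the two rows come from the matrix, while the numeric scale for the qualitative ratings and the scoring formula (exposure per unit of prevention effort) are assumptions made here.

```python
"""Added example (not from the original post): rank the threat-analysis
matrix. The ordinal scale and the scoring formula are assumptions."""
from dataclasses import dataclass

# Assumed ordinal scale for the qualitative ratings used in the matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def rate(label: str) -> float:
    """Map a rating such as 'High' or 'Medium / high' to a number.

    A mixed rating ('Medium / high') is averaged over its parts.
    """
    parts = [p.strip().lower() for p in label.split("/")]
    return sum(LEVELS[p] for p in parts) / len(parts)


@dataclass
class Threat:
    event: str
    probability: str
    impact: str
    effort: str  # effort needed for prevention

    def score(self) -> float:
        # Assumption: exposure (probability x impact) per unit of prevention
        # effort, so likely, damaging, cheap-to-prevent events rank first.
        return rate(self.probability) * rate(self.impact) / rate(self.effort)


def prioritize(threats: list[Threat]) -> list[tuple[int, str, float]]:
    """Return (priority, event, score) tuples, with priority 1 = address first."""
    ranked = sorted(threats, key=lambda t: t.score(), reverse=True)
    return [(i, t.event, round(t.score(), 2)) for i, t in enumerate(ranked, 1)]


# The two rows from the matrix in the post.
MATRIX = [
    Threat("Credit card data stolen", "Medium", "Medium / high", "High"),
    Threat("Denial of service attacks", "High", "High", "Medium"),
]

if __name__ == "__main__":
    for prio, event, score in prioritize(MATRIX):
        print(f"{prio}. {event} (score {score})")
```

With these assumptions the ranking reproduces the matrix: denial of service gets priority 1 and stolen credit card data priority 2.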
Measures
There are different points which should be taken into consideration to protect a company from online attacks. According to Michael Brantschen from Netcetera (2018) there are three main points: people, technology and process.
Figure 2: Measures to protect a company (Brantschen, 2018)
Regarding people, there are some rules which employees as well as individuals should follow to protect their computers:
- Use a proper antivirus system.
- Do not open doubtful attachments.
- Clean up histories, cookies and temp files.
- Make a regular backup and test it.
- Do not visit untrustworthy sites.
- Do not use illegal software.
One of the most important points is password security. A longer password is better than a shorter one, and it should be verified with a password strength checker. Furthermore, personal data such as birth date, family name or phone number should not be used in a password. It is also important to use different passwords for different purposes and to change them regularly. (Brantschen, 2018) One of the best ways to remember a password is to use a sentence that can be recalled through an aide-memoire. (Heuzeroth & Fuest, 2014)
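The password rules above can be checked automatically. The following is an added example, not code from the post or the lecture: it assumes a 12-character minimum (the post only says longer is better), a YYYY-MM-DD birth date format, and a hash-based check for reuse across purposes.

```python
"""Added example (not from the original post): checker for the password
rules above. Threshold, date format and reuse check are assumptions."""
import hashlib
import re

MIN_LENGTH = 12  # assumption: the post only says longer beats shorter


def fingerprint(password: str) -> str:
    """Unsalted SHA-256: enough to detect reuse locally, not a way to
    store passwords (a real store needs a salted, slow hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def personal_tokens(birth_date: str, family_name: str, phone: str) -> set[str]:
    """Fragments of personal data that must not appear in a password.

    birth_date is expected as YYYY-MM-DD (assumption); variants such as
    '1990', '0503', '05031990' and the phone digits are derived from it.
    """
    year, month, day = birth_date.split("-")
    digits = re.sub(r"\D", "", phone)
    return {
        year, month + day, day + month, day + month + year, year + month + day,
        family_name.lower(), digits, digits[-6:],
    }


def check_password(password: str, personal: set[str], used_elsewhere: set[str]) -> list[str]:
    """Return the rules the password violates; an empty list means it passes.

    used_elsewhere holds fingerprint() values of passwords already in use
    for other purposes (bank, e-shop, work account, ...).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in sorted(personal):
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal data ({token!r})")
    if fingerprint(password) in used_elsewhere:
        problems.append("already used for another purpose")
    return problems


if __name__ == "__main__":
    # Constructed sample data for a fictitious user.
    me = personal_tokens("1990-05-03", "Meier", "+41 79 123 45 67")
    shop_pw = fingerprint("My cat jumps over 3 fences daily!")  # sentence-based passphrase
    print(check_password("Meier1990!!!", me, {shop_pw}))                    # personal data
    print(check_password("My cat jumps over 3 fences daily!", me, {shop_pw}))  # reused
```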
The following rules could be given to employees in a company to protect the firm:
- Lock the working machine when leaving the desk.
- Use different passwords for business and private accounts.
- Open communication structure: do not hide faults or problems.
- No export of business data via USB stick.
- Define a clear backup process.
- Define how to handle a potential crisis (crisis-management scenarios).
Technology
To protect a company or an individual's computer from a hacker attack, technology plays an important role in the fields of network security, malware protection and user privilege management. This means that one should use a firewall, which decides who can reach the computer. For example, a firewall could refuse a website without a certificate, i.e. a URL without HTTPS.
Process
The different processes, such as when backups are done or how often the passwords in a company have to be changed per year or month, have to be defined properly. Not only the process but also the responsibility for it plays an important role.
Another important topic related to information security are payment services which will be explained in the following paragraphs.
How new payment services are changing E-Commerce
It was the year 1994 when the first E-Commerce transaction was done. Since then, E-Commerce has grown rapidly and to an immense size. Since the beginning of E-Commerce, payment methods have been a key issue. Advanced technology has led to the proliferation of alternative payment methods, all of them with the aim of making financial transactions secure, easy to handle and quick. There is a broad range of providers and, according to Worldpay, over 300 different types of payment methods are currently used in E-Commerce.
The customer experience as the central element
In E-Commerce, the customer experience is a central element of customer satisfaction and therefore of the success of the business. Consumption is shifting to mobile, and this creates opportunities for companies to develop and offer new and improved payment options. Nevertheless, according to the Baymard Institute, payment issues remain among the top reasons why shoppers abandon their shopping carts. Many of these shoppers are still discouraged by slow checkout processes or by a lack of available payment methods. Consequently, easy-to-use and quick payment solutions are demanded by customers as well as by merchants. As a result, providers now offer more variations of payment options, among them apps, digital wallets and other contactless technologies. (Gal, 2017)
A solution for Switzerland
One solution for the Swiss market in the field of digital wallets is SwissWallet with its digital payment solution MasterPass. This solution is focused on E-Commerce and online shopping. The core function of MasterPass is to simplify paying during online shopping. Once the holder or user of a credit card has registered for MasterPass via VisecaOne, contact details and delivery addresses are stored. This means that no data has to be typed in again when checking out of an online shop. This should shorten the process by up to 80 percent. Even more importantly, it is more comfortable for the client as well as for the merchant, who expect fewer abandoned purchases because check-outs are no longer complicated and time-consuming. (Dietrich & Duss, 2016)
Digital wallets
As mentioned, there are a lot of competitors in this game. As digital consumer behaviour changes constantly and fast, the technologies and services supporting the E-Commerce business have to develop just as quickly. Digital wallets seem to be one of the best solutions, as they offer quick and very easy handling to the customer. But new things will keep coming, as all E-Commerce stakeholders are working on the best experience for the customer.
Speaking of which, the customer experience online should be secure and at the same time user friendly.
Usability vs. security
Commitment and trust are two keywords that are strongly connected with the usability and security of a website, e-shop, mobile app and so on. They are key variables when it comes to successful long-term relationships with customers online. In several lectures the students have been taught that a website needs to be user-friendly in order to reach customers. Usability means the ease of understanding a site's navigation, content or functions, as well as speed: how fast users can get what they are looking for. On the other side are security and privacy; these two terms refer to the protection of personal data. (Casaló, Flavián, & Guinalíu, 2007)
There is a close relationship between usability and security. The growth of capacity, new technology and complexity online has made security and usability two enormously vital issues. The question arises if a company can achieve both of them and still have satisfied customers.
To illustrate this topic the case of Amazon's 1-click ordering is evaluated.
One-click ordering by Amazon enables people to purchase with just one click. This way the users can skip going to the shopping cart: the order is performed instantly, charged automatically and shipped. This requires just a one-time registration beforehand, entering a payment method and shipping address.
One click means speed, and along with it comes a positive user experience. User experience experts fight with security experts, but at the end of the day they realize how important it is to include both in the planning, implementation and design phase of a project. According to The Telegraph, the user experience is the element that can suffer from more secure digital products. Although security might seem to hurt usability, it does not have to be that way; there is a thin line to walk in balancing the two. Whenever users are asked to register, they need to type in a password. It often happens that the password is not long enough, and with every new device the registration process starts all over again. But once that is done, the customers "only" have to trust the site/company and believe that their personal data is used appropriately. In short: the first process for the customer, with security measures during registration, takes a fair bit of patience. Having done that, the customers can move freely within the website. Thinking about solutions to speed up the process, Bowles (2016) mentions: "Relying on things such as Touch ID is going to make the whole authentication process so much easier, but that means we have to trust Google and Apple, of course" (Bowles, 2016). The issue is that usability suffers from security and vice versa. One solution is to build security in by design (Touch ID), so that usability and security can benefit from one another instead of being at odds. (Kobie, 2016)
Summarized and answering the question above, it is for now still true to say that: if you do not have usability, you do not have customers. If you do not have security, you will lose customers or have none at all. (Brantschen, 2018)
Linda, Marianne, Nico, Sina
References
Bowles, C. (2016, July 28). Security vs usability: it doesn't have to be a trade-off. Retrieved April 10, 2018, from telegraph.co.uk: https://www.telegraph.co.uk/connect/better-business/security-versus-usability-ux-debate/
Brantschen, M. (2018). Security in e-Commerce. Lecture.
Casaló, L., Flavián, C., & Guinalíu, M. (2007). The role of security, privacy, usability and reputation in the development of online banking. Online Information Review, Vol 31, No 5. Retrieved April 10, 2018, from emeraldinsight-com.ezproxy.fh-htwchur.ch: https://www-emeraldinsight-com.ezproxy.fh-htwchur.ch/doi/full/10.1108/14684520710832315
Dietrich, P., & Duss, C. (2016, May 30th). Digital Payment für e-commerce: Der Launch von MasterPass und SwissWallet. Retrieved April 12th, 2018, from https://blog.hslu.ch/retailbanking/2016/05/30/digital-payment-fuer-e-commerce-der-launch-von-masterpass-und-swisswallet/
Eisworth, L. (2017, October 28th). Find Out Why It's Time to Convert to SSL ASAP. Retrieved April 15th, 2018, from https://www.sangfroidwebdesign.com/search-engine-optimization-seo/google-https-ranking/
Gal, R. (2017, May 30th). How New Payment Services are Changing Ecommerce. Retrieved April 12th, 2018, from http://multichannelmerchant.com/blog/new-payment-services-changing-ecommerce/
Heuzeroth, T., & Fuest, B. (2014, January 25th). Diese Massnahmen schützen Sie vor Hacker-Angriffen. (d. W. online, Ed.)
Kaspersky (2018). What is a Trojan Virus? Retrieved April 14, 2018, from https://www.kaspersky.com/resource-center/threats/trojans
Kobie, N. (2016, July 28). Security vs usability: it doesn't have to be a trade-off. Retrieved April 10, 2018, from telegraph.co.uk: https://www.telegraph.co.uk/connect/better-business/security-versus-usability-ux-debate/
Light, J. (2017, June 7th). The evolving world of ecommerce payments. Retrieved April 12th, 2018, from https://bankingblog.accenture.com/evolving-world-of-ecommerce-payments?lang=en_US
Technopedia (2018). CIA Triad of Information Security. Retrieved April 14, 2018, from https://www.techopedia.com/definition/25830/cia-triad-of-information-security
Threat Matrix (2018). All About the CIA Triad. Retrieved April 14, 2018, from https://threatmatrix.cylance.com/en_us/home/all-about-the-cia-triad.html
Webroot (2018). What are Bots, Botnets and Zombies? Retrieved April 14, 2018, from https://www.webroot.com/us/en/home/resources/tips/pc-security/security-what-are-bots-botnets-and-zombies
Webopedia (2018). DDoS attack - Distributed Denial of Service. Retrieved April 14, 2018, from https://www.webopedia.com/TERM/D/DDoS_attack.html