Security Requirements and Exposure

What are we really concerned about when we talk about security? Independent of any technology, including computers, almost everyone agrees that there are certain common security requirements. Not everyone agrees, however, on what those specific requirements are. For guidance on specific requirements we can look to the Information Technology Security Evaluation Criteria [ITSEC 1991], which break security down into three broad requirements.

  1. Confidentiality: Certain types of information must be restricted to only those people who need to know it. This is the requirement most people have in mind when they think about computer security, which is why cryptology and encryption are usually the first things that come to mind.

  2. Integrity: Resources must be protected from malicious tampering that would compromise their usefulness, and transactions must be free from fraud.

  3. Availability: The resource that we're trying to secure must be available to those who require its use. In computer networks, denial-of-service attacks violate this aspect of security by flooding Web sites with so many bogus requests that they aren't able to service legitimate users. In the physical world, we want our car to be there, in the parking lot, when we're ready to go home.

In conducting electronic commerce we're usually most concerned with the integrity of transactions and next concerned with confidentiality. That isn't to say that availability isn't an issue, but it is such a general issue that it isn't very often a specific concern of electronic commerce (at least the type of business-to-business commerce discussed in this book).

When we speak of risks of any type, we need to put them into perspective not only in regard to what we stand to lose if the worst happens (that is, our exposure) but also in regard to the likelihood that the worst will happen. In common electronic commerce situations we're probably most concerned about fraud, that is, violation of transaction integrity. We could be concerned about processing orders from bogus businesses from which we'll never receive payment, or about paying bogus invoices for goods we never received. Some organizations are also concerned about trading partners that deny an electronic transaction took place or dispute the details of a transaction, but this is less common. What is usually at stake in these cases is a specific dollar amount. If we take an objective look at all these things, they really don't happen very often: while the exposure may be moderate, the likelihood is low.

We're also frequently concerned with confidential information getting into the wrong hands. We don't want competitors to know the details of products in development. We may not even want other organizations to know what we buy or sell and the prices involved. However, if you listen to the concerns most voiced by users, fraud is mentioned more than confidentiality.
