Steven Furnell

Security implications of electronic commerce: a survey of consumers and businesses

Examines the general requirement for security technologies in order to provide a basis for trust in the e‐commerce environment. The discussion is supported by the findings from two surveys, conducted by the authors, among general Internet users (i.e. potential target consumers) and commercial businesses. These surveys considered both the attitudes to e‐commerce in general and opinions relating to the associated security requirements. Attempts were also made to assess the respondent’s knowledge of the existing security safeguards that may be applied. The survey results suggest that, while there is significant concern among Internet‐based consumers regarding the security of their purchasing activities, these are outweighed by the merits offered by the medium. The results also suggested a lack of awareness or understanding of the security technologies that are available and it is concluded that overcoming this problem would help to establish a wider foundation of trust in the new technology.

The challenges of understanding and using security: A survey of end-users

Many applications contain security features that are available for end-users to select and configure, as well as the potential to place users in situations where they must take security-related decisions. However, the manner in which these aspects are implemented and presented can often serve to complicate the process, such that users cannot actually use the security that they desire, or which may be expected of them. This paper presents the results of a survey of over 340 end-users in order to determine their understanding of the security features within Windows XP and three popular applications (Internet Explorer, Outlook Express, and Word). The study reveals some significant areas of difficulty, with many standard security features presenting apparent usability challenges for large proportions of the respondents. The results highlight the need for a more considered approach towards the presentation of security functionality if users are to have a realistic chance of protecting themselves.

Events: Insider Threat Prediction Tool: Evaluating the probability of IT misuse

Despite the well documented and emerging insider threat to information systems, there is currently no substantial effort devoted to addressing the problem of internal IT misuse. In fact, the great majority of misuse counter measures address forms of abuse originating from external factors (i.e. the perceived threat from unauthorized users). This paper suggests a new and innovative approach of dealing with insiders that abuse IT systems. The proposed solution estimates the level of threat that is likely to originate from a particular insider by introducing a threat evaluation system based on certain profiles of user behaviour. However, a substantial amount of work is required, in order to materialize and validate the proposed solutions.

A practical evaluation of Web analytics

E‐commerce has resulted in organisations investing significant resources in online strategies to extend business processes on to the World Wide Web. Traditional methods of measuring Web usage fall short of the richness of data required for the effective evaluation of such strategies. Web analytics are an approach that may meet organisational demand for effective evaluation of online strategies. A case study of Web analytics usage in a large multinational airline company demonstrates an application of the theory to a practical context with a company that invests significant resources in their Web strategies. The attitudes of company individuals toward the evaluation of Web strategy and the value of the approach are shown through a survey of key employees. This work demonstrates the potential value of Web analytics and also highlights problems in promoting an awareness of Web analytics and how it can be applied to corporate goals.

Authentication and Supervision: A Survey of User Attitudes

User authentication is a vital element in ensuring the secure operation of IT systems. In the vast majority of cases, this role is fulfilled by the password, but evidence suggests that this approach is easily compromised. Whilst many alternatives exist, particularly in the form of biometric methods, questions remain over the likely user acceptance. This paper presents the results of a survey that examines user attitudes towards a range of authentication and supervision techniques. It is concluded that whilst there is still an element of reluctance amongst users to depart from the familiar password based mechanisms, many are convinced of the need for improved authentication controls. The acceptability to users of various new techniques is variable, but many seem willing to consider a range of alternative methods.

An assessment of website password practices

Password-based authentication is frequently criticised on the basis of the ways in which the approach can be compromised by end-users. However, a fundamental point in the defence of many users is that they may not know any better, and lack appropriate guidance and support when choosing their passwords and subsequently attempting to manage them. Given that such support could reasonably be expected to come from the systems upon which the passwords are used, this paper presents an assessment of password practices on 10 popular websites, examining the extent to which they provide guidance for password selection, enforce restrictions on password choices, and support easy and effective recovery or reset if passwords are forgotten. The findings reveal that the situation is extremely variable, with none of the assessed sites performing ideally across all of the assessed criteria. Better efforts are consequently required if password practices amongst the general populous are expected to improve.

From desktop to mobile: Examining the security experience

The use of mobile devices is becoming more commonplace, with data regularly able to make the transition from desktop systems to pocket and handheld devices such as smartphones and PDAs. However, although these devices may consequently contain or manipulate the same data, their security capabilities are not as mature as those offered in fully-fledged desktop operating systems. This paper explores the availability of security mechanisms from the perspective of a user who is security-aware in the desktop environment and wishes to consider utilising similar protection in a mobile context. Key issues of concern are whether analogous functionality can be found, and if so, whether it is offered in a manner that parallels the desktop experience (i.e. to ensure understanding and usability). The discussion is supported by an examination of the Windows XP and Windows Mobile environments, with specific consideration given to the facilities available for user authentication, secure connectivity, and content protection on the devices. It is concluded that although security aspects receive some attention, the provided means generally suffer from usability issues or limitations that would prevent a user from achieving the same level of protection that they might enjoy in the desktop environment.

Beyond the PIN: Enhancing user authentication for mobile devices

There is now an increasing need for an enhanced level of user authentication on mobile devices. In this article, Steven Furnell, Nathan Clarke and Sevasti Karazouni begin by examining the existing provision, which is dominated by PIN and password-based approaches. They established that these may be both inconvenient and inadequate for securing modern devices and services. Mobile devices have changed significantly over the last decade, in terms of both their form factor and underlying capabilities. The introduction of third generation (3G) technologies has provided the underlying mechanism for a wide variety of innovative data-orientated services, with approximately one million users every day adopting these new features. 1

A preliminary model of end user sophistication for insider threat prediction in IT systems

The dangers that originate from acts of IT system misuse by legitimate users constitute a separate category of threats with well documented consequences for the integrity, privacy and availability of computer systems and networks. Amongst the various properties of malicious legitimate users one of the most notable ones is the level of his/her sophistication. Various studies indicate that user sophistication and the potential to misuse IT systems are properties that are strongly related. This paper presents a methodology that automates the process of gauging end user sophistication. The establishment of suitable metrics to characterize end user sophistication is discussed followed by an experimental verification of the metrics on a sample of 60 legitimate users, using the UNIX Operating System. The results indicate that a combination of application execution audits and computational resource utilization metrics could be used to characterize the level of IT sophistication of an end user. Although additional testing in a greater variety of computational environments is required in order to validate the derived preliminary scheme, it is considered that the derived methodology could serve as a component of experimental insider threat prediction processes, or any other model that requires a procedure to measure the level of IT knowledge of a legitimate user base.

Acceptance of Subscriber Authentication Methods For Mobile Telephony Devices

Mobile phones are now an accepted part of everyday life, with users becoming more reliant on the services that they can provide. In the vast majority of systems, the only security to prevent unauthorized use of the handset is a four digit Personal Identification Number (PIN). This paper presents the findings of a survey into the opinions of subscribers regarding the need for security in mobile devices, their use of current methods, and their attitudes towards alternative approaches that could be employed in the future. It is concluded that, although the need for security is understood and appreciated, the current PIN-based approach is under-utilized and can, therefore, be considered to provide inadequate protection in many cases. Surveyed users responded positively towards alternative methods of authentication, such as fingerprint scanning and voice verification. Based upon these findings, the paper concludes that a non-intrusive, and possibly hybrid, method of authentication (using a combination of techniques) would best satisfy the needs of future subscribers.