research-article

Security analysis of Internet technology components enabling globally distributed workplaces—a framework

Published: 06 October 2008

Abstract

As organizations increasingly operate, compete, and cooperate in a global context, business processes are also becoming global to propagate the benefits from coordination and standardization across geographical boundaries. In this context, security has gained significance due to increased threats, as well as legislation and compliance issues. This article presents a framework for assessing the security of Internet technology components that support a globally distributed workplace. Four distinct information flow and design architectures are identified based on location sensitivities and placements of the infrastructure components. Using a combination of scenarios, architectures, and technologies, the article presents the framework of a development tool for information security officers to evaluate the security posture of an information system. To aid managers in better understanding their options to improve security of the system, we also propose a three-dimensional representation, based on the framework, for embedding solution alternatives. To demonstrate its use in a real-world context, the article also applies the framework to assess a globally distributed workforce application at a northeast financial institution.
