ABSTRACT
The low cost and wide availability of the Internet have revolutionized electronic commerce (e-commerce) and its applications. Security, then, has become one of the most important issues that must be resolved first to ensure its success. To protect an e-commerce system from existing threats, there must be e-commerce security experts who can help ensure its reliable deployment. This paper presents a curriculum design for e-commerce security in which the Delphi method and the Analytic Hierarchy Process (AHP) method were used. The AHP method determines the priorities of the e-commerce security courses, and the results of the study provide useful guidelines in the design of the e-commerce security curriculum.
Keywords: Electronic commerce, security, curriculum development, e-commerce security expert, AHP method.
1. INTRODUCTION
The low cost and wide availability of the Internet have sparked a revolution in electronic commerce (e-commerce) and its applications. Many organizations have begun exploiting the opportunities offered by Internet-based e-commerce, and many more are expected to follow. Exemplary applications include online shopping, telebanking and Internet banking, teleteaching and distance education, online gambling, and virtual casinos, as well as Pay-TV and video-on-demand services (Oppliger, 1999). While this offers convenience for both consumers and vendors, many consumers are concerned about security and their private information when purchasing products or services over the Internet (Wang, Cao, and Kambayashi, 2002). Recently, there have been attacks on popular websites that resulted in the possible theft of credit card numbers of several thousand customers (He and Wang, 2001). Indeed, security is a major factor in e-commerce services.
Recently, courses in e-commerce have been offered in many schools and departments. These courses can be classified as technical and non-technical courses. Non-technical courses frequently focus on the changes in the business and in the industry due to e-commerce, the development of e-commerce, marketing practices, the processes in marketing research, etc. In technical courses, many academic units provide the contexts to understand the technology, and its applications such as web page design and associated programming languages, linking of databases to the website, customer data collection, catalog development, etc. (Jenkins, 2001).
However, there are not enough courses in e-commerce security, despite the priority security has in ensuring the success of e-commerce. Many schools and academic departments offering e-commerce have only one or two courses that deal with e-commerce security. Considering the importance of security in e-commerce, there is a further need to train e-commerce security experts who can help ensure its reliable deployment.
To produce e-commerce security experts, e-commerce security education should be treated more significantly, and sound curricula in e-commerce security are required. In this paper, we suggest a curriculum design for e-commerce security that would be useful in training e-commerce security experts. An e-commerce security curriculum is designed in consideration of existing e-commerce threats and current information security curricula. To analyze the designed e-commerce security curriculum, the Delphi method and the Analytic Hierarchy Process (AHP) method are applied. The AHP method determines the relative importance of e-commerce security courses (Nam and Kim, 2003; Saaty, 1995). By using the AHP method, we can determine the priorities in e-commerce security courses. To produce e-commerce security experts, these priorities provide useful guidelines in the selection of e-commerce security courses.
The rest of the paper is organized as follows. Section 2 analyzes e-commerce threats and current e-commerce curricula. In Section 3, the e-commerce security curriculum is designed. Section 4 introduces the methodology. Section 5 shows the results of the Delphi and AHP methods. The conclusions are then discussed in Section 6.
2. RELATED WORKS
2.1 E-commerce security
Without question, security is one of the most important issues that must be resolved to ensure the success of e-commerce. Researchers have studied how to protect e-commerce systems from threats. A number of papers have dealt with threats and related security issues in e-commerce applications (Oosthuizen, 1998; Wright, 2001).
Customer privacy is becoming the most common security issue in e-commerce (Udo, 2001). No customer wants to use a business that distributes sensitive customer data, such as credit card information, without his knowledge or permission. Encryption technologies are widely used to protect customers' privacy. Encryption algorithms and digital signatures support secure applications in E-mail and electronic payment schemes. Public key infrastructure (PKI) also plays an important role in secure e-commerce transactions (Gollmann, 2000).
Hacking and distribution of viruses are also serious threats to e-commerce. They mostly attack networks or e-commerce sites to render e-services unavailable. Businesses mainly use firewalls to protect their internal networks. Firewalls have now become the main points of defense in the business security architecture. Various complementary systems, such as Intrusion Detection System (IDS), Virtual Private Network (VPN), Information Retrieval System, etc., have also been applied (Marchany and Tront, 2002).
Even if the security technologies are applied well, non-technology factors, such as human errors, can make an e-commerce system unstable. The individuals operating the systems have become the most obvious avenues of attack for internal and external threats (Arce, 2003). To minimize the damage caused by human errors, countermeasures against social engineering must be applied adequately.
To protect e-commerce systems from existing threats, all the security factors mentioned above should be considered. Additionally, e-commerce managers and engineers who have expert knowledge of security are required to manage these factors adequately. However, there is still very little research on e-commerce education that focuses on e-commerce security.
2.2 E-commerce Curriculum
Nowadays, e-commerce education is one of the most common courses in many educational institutions. Many colleges, graduate schools, and MBA programs include e-commerce education in their curricula. To investigate the current state of e-commerce education, we surveyed the curricula of e-commerce programs in 14 undergraduate schools, seven graduate schools, and five MBA courses. Those curricula differed in the number and depth of subjects, but showed many structural similarities.
From a brief survey of those e-commerce curricula, e-commerce programs are classified into technical and non-technical courses. Technical courses are mainly related to the development and management of e-commerce systems. These courses focus on educational issues, like web and database technologies, telecommunication and networking, programming methods, and other technical concerns. Non-technical courses include the basic concepts of e-commerce, finance, accounting, marketing, public policy, leadership, and social engineering. Technical courses mainly focus on e-commerce system development, while non-technical courses are more related to the training of e-commerce managers.
The current e-commerce system requires an e-commerce professional to have a thorough knowledge of both technical and non-technical courses. In particular, the e-commerce professional must obtain expert knowledge in e-commerce security. However, security-related courses have not been sufficiently organized to meet such demands. Among the 26 e-commerce programs examined, only 14 programs include courses related to e-commerce security in their curricula. In addition, those programs have, at most, one or two security courses, whose contents are inconsistently constructed. This shows that there are not enough courses that deal with e-commerce security, and that e-commerce security guidelines or standards barely exist. Therefore, sound curricula based on well-organized guidelines are required to ensure e-commerce security and to produce e-commerce security experts.
3. E-COMMERCE SECURITY CURRICULUM DESIGN
In this paper, we suggest an e-commerce security curriculum, which is designed to train e-commerce security experts. A number of factors have contributed to the design of a new curriculum in e-commerce security education. In the previous section, many threats to the success of e-commerce were identified, and the current e-commerce curricula were found insufficient for training e-commerce professionals. Therefore, information security curricula must be used to develop an e-commerce security curriculum. Materials from information security curricula that were related to e-commerce threats were chosen and utilized in the construction of e-commerce security education courses (Armstrong and Jayaratna, 2002; Kim and Surendran, 2002; Kim and Choi, 2002).
An e-commerce security curriculum should include fundamental security knowledge, security management, and system development. Encryption technologies and knowledge about hacking and viruses are classified as fundamental security knowledge because they are basic knowledge about the e-commerce threats mentioned in Section 2.1, and should be considered in the development of every e-commerce system. The contents on security management consist of e-commerce standards, laws, ethics, and security management and evaluation. These are partly related to human factors. The knowledge about system development concerns system technology, including web and database design, firewalls, IDS, etc.
In total, 27 courses were developed for e-commerce security education. They are classified into three types: eight security managerial courses, five fundamental security courses, and 14 technology-based courses. The courses for e-commerce security education are as follows.
Security Managerial Courses
Introduction to E-commerce Security, Privacy and Ethics, Laws and Regulations, E-commerce Security Policy, E-commerce Standards, Security Projects for E-commerce, E-commerce Security Evaluation, and Risk Analysis Management
Fundamental Security Courses
Mathematical Cryptography, Encryption Technology, Public Key Infrastructure (PKI), Analysis of Hacking Techniques, and Handling Computer Viruses
Technology-Based Courses
Database Concept and Design, Database Management and Security, Website Design and Management, Web Server Implementation and Management, Web Programming Language, Server Authentication System, Firewall Technology, Network Security, Mobile Computing Security, Virtual Private Network, Information Retrieval System Design, Electronic Payment and Security, Intrusion Detection System, and Distributed Computing Security
The detailed explanation of these courses is provided in Appendix A. Although these courses consist of the essential components related to e-commerce security, it is difficult to cover all of them in e-commerce education because e-commerce education should also cover general subjects about e-commerce, including finance, marketing, etc. Therefore, it is recommended that more important courses for e-commerce security must be selected and taken with general e-commerce subjects. We evaluate the relative importance of e-commerce security courses to provide guidelines in creating an e-commerce curriculum that would be useful in producing e-commerce security experts.
4. METHODOLOGY
In this paper, we use a phase of the Delphi method and the Analytic Hierarchy Process (AHP) method to determine the relative importance of e-commerce security courses. The outcome from using the Delphi method is used as input for the hierarchical processing procedure in AHP. The AHP method is a flexible multiple-criteria decision-making (MCDM) technique (Saaty, 1995). It helps set priorities and make the best decision qualitatively and quantitatively. It serves as a framework in structuring complex decision-making problems and in providing judgments based on knowledge, experience, or feeling. The AHP method has been successfully applied in software and computer selection (Maiden and Ncube, 1998; Zviran, 1993), and some applications of AHP have been introduced in books (Golden, Wasil, and Harker, 1989; Saaty and Vargas, 2000).
The research process of this paper consists of three steps.
Step 1: Creating a full list of e-commerce security courses and developing the hierarchical model of the list to apply AHP.
Step 2: Gathering relational data to compare alternatives by using the Delphi method.
Step 3: Estimating the priorities of e-commerce security courses.
The detailed research procedure performed in each step is as follows.
In step 1, we create a full list of 27 e-commerce security courses. (The full list was already mentioned in the previous section.) To apply AHP, the components of the list are further divided into a three-level hierarchy. Figure 1 shows the hierarchy of the e-commerce security courses. In step 2, we use the Delphi method in gathering relational data to determine the order of importance of each of the e-commerce security courses. The outcome of the Delphi approach is used as input for the hierarchical processing procedure in AHP.
In this step, we prepare a questionnaire based on the hierarchy of e-commerce security courses. In the questionnaire, pairwise comparisons are made among all the factors at each level in the hierarchy. The pairwise comparison process elicits qualitative judgmental statements that indicate the strength of the decision maker's preference in a particular comparison. Saaty suggests the use of a 1-9 scale to quantify the strength of the decision maker's feelings between any two alternatives with respect to a given attribute (Saaty, 1995). An explanation of this scale is presented in Table 1.
In step 3, the relative weights of the e-commerce security courses are estimated, and the survey results are analyzed. To use the AHP, a judgment matrix should be obtained from the input data collected through the Delphi method.
Saaty's eigenvalue method is the most preferred approach in this estimation (Saaty, 1995). In this section, no attempt is made to prove the mathematical foundations of AHP.
5. ANALYSIS OF THE E-COMMERCE SECURITY CURRICULUM
To determine the relative importance of e-commerce security courses, a questionnaire was sent to research groups, e-business managers, system engineers, etc. Participants were asked to check relative importance in pairwise comparisons, which are shown in Appendix A. The questionnaire was sent via E-mail to 500 professionals in universities, research institutes, e-businesses, and IT companies. A total of 67 professionals returned the questionnaires for a response rate of 13.4%, which is normal for a mail survey. Some participants might have refused to respond to the questionnaire due to unfamiliarity with the subject. The respondents' classification by job is shown in Table 2.
By multiplying the weights of the first, second, and third levels in the hierarchy, the overall rankings of the e-commerce security courses could be determined. Table 4 shows the priority rankings of e-commerce security courses based on the results of Table 3.
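As an added worked example (not from the paper), the AHP steps of Sections 4 and 5 in pure Python: the reciprocal judgment matrix built from 1-9 pairwise comparisons, Saaty's eigenvalue method by power iteration, the consistency ratio that tells whether a respondent's answers contradict each other, and the multiplication of category and course weights into a global ranking. The judgment values and the course subset are constructed for illustration and are not the survey results behind Tables 3 and 4.

```python
# Saaty's random consistency index RI for matrix sizes 1..9 (Saaty, 1995).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def judgment_matrix(items, judgments):
    """Reciprocal matrix: A[i][j] = strength of items[i] over items[j] on the 1-9 scale, A[j][i] = 1/A[i][j]."""
    n = len(items)
    a = [[1.0] * n for _ in range(n)]
    for (p, q), v in judgments.items():
        i, j = items.index(p), items.index(q)
        a[i][j], a[j][i] = float(v), 1.0 / v
    return a

def principal_eigenvector(a, iters=500, tol=1e-12):
    """Saaty's eigenvalue method via power iteration: returns (priority vector, lambda_max)."""
    n = len(a)
    w, lam = [1.0 / n] * n, float(n)
    for _ in range(iters):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)                      # w sums to 1, so sum(A w) -> lambda_max
        nw = [x / lam for x in aw]
        if max(abs(x - y) for x, y in zip(nw, w)) < tol:
            return nw, lam
        w = nw
    return w, lam

def consistency_ratio(a):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); Saaty accepts CR <= 0.1."""
    n = len(a)
    if n < 3:
        return 0.0                         # 2x2 reciprocal matrices are always consistent
    _, lam = principal_eigenvector(a)
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]

def rank_courses(categories, category_judgments, course_tables):
    """Global course weight = category weight x course weight within the category (Section 5), sorted descending."""
    cat_w, _ = principal_eigenvector(judgment_matrix(categories, category_judgments))
    ranking = []
    for cat, cw in zip(categories, cat_w):
        courses, judg = course_tables[cat]          # course_tables: category -> (names, judgments)
        w, _ = principal_eigenvector(judgment_matrix(courses, judg))
        ranking += [(c, cw * wc) for c, wc in zip(courses, w)]
    return sorted(ranking, key=lambda t: t[1], reverse=True)

# Constructed judgments over a subset of the paper's 27 courses; NOT the survey data of Tables 3-4.
CATEGORIES = ["Technology-Based", "Security Managerial", "Fundamental Security"]
CATEGORY_JUDGMENTS = {("Technology-Based", "Security Managerial"): 2,
                      ("Technology-Based", "Fundamental Security"): 3,
                      ("Security Managerial", "Fundamental Security"): 2}
COURSE_TABLES = {
    "Technology-Based": (["Intrusion Detection System", "Firewall Technology", "Network Security"],
                         {("Intrusion Detection System", "Firewall Technology"): 3,
                          ("Intrusion Detection System", "Network Security"): 2,
                          ("Network Security", "Firewall Technology"): 2}),
    "Security Managerial": (["E-commerce Security Policy", "Risk Analysis Management"],
                            {("E-commerce Security Policy", "Risk Analysis Management"): 3}),
    "Fundamental Security": (["Analysis of Hacking Techniques", "Encryption Technology", "Mathematical Cryptography"],
                             {("Analysis of Hacking Techniques", "Encryption Technology"): 4,
                              ("Analysis of Hacking Techniques", "Mathematical Cryptography"): 6,
                              ("Encryption Technology", "Mathematical Cryptography"): 2}),
}

if __name__ == "__main__":
    for cat, (names, judg) in COURSE_TABLES.items():
        print("%-22s CR = %.3f" % (cat, consistency_ratio(judgment_matrix(names, judg))))
    for course, weight in rank_courses(CATEGORIES, CATEGORY_JUDGMENTS, COURSE_TABLES):
        print("%-32s %.4f" % (course, weight))
```

A questionnaire whose matrix returns a CR above 0.1 should be sent back to the respondent or dropped before its weights enter the ranking.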
The Intrusion Detection System course is considered the most important course among e-commerce security courses. Many technology-based courses show high priorities - 1st, 2nd, 5th, 7th, and 10th. The E-commerce Security Policy course is ranked 3rd, the highest rank among security managerial courses. The security policy influences the security management infrastructure, training of employees, security documentation, etc., which are closely related to the human factors in a company. The fact that security policy is ranked relatively high means people think that the human factor is important in the success of e-commerce security. Among fundamental security courses, the Analysis of Hacking Techniques course is ranked highest. On the contrary, all encryption courses received low priorities compared to other e-commerce security courses. The Mathematical Cryptography course is ranked lowest, and the Encryption Technology and PKI courses are ranked 24th and 18th, respectively. This shows that people view theoretical studies of encryption technology as not significant in e-commerce security education.
The priorities of e-commerce security courses can be used to develop an e-commerce security curriculum in e-commerce education institutes. When designing a practical and efficient e-commerce curriculum for training e-commerce security experts, the priorities given in Table 4 provide useful guidelines in the selection of e-commerce security courses.
6. CONCLUSIONS
In e-commerce environments, security should be considered an essential factor in their success. In this paper, a curriculum design for e-commerce security was provided to train e-commerce security experts. The 27 e-commerce security courses were constructed by considering existing e-commerce threats, current e-commerce courses, and information security curricula. The Delphi method and the AHP method were used to determine the relative importance and the overall rankings of the designed e-commerce security courses.
The current e-commerce system requires an e-commerce professional to have a thorough knowledge of security issues in e-commerce. However, it is difficult to cover all of them in e-commerce education because e-commerce education should also cover general subjects about e-commerce. Therefore, the more important courses for e-commerce security should be selected. The research results can serve as useful guidelines in the development of secure e-commerce curricula.
To improve the validity of our results, the proposed work needs to be verified by further studies. There is very little research on e-commerce security requirements. A further study on e-commerce security requirements may contribute to designing a more suitable curriculum in e-commerce security. Additionally, our work can provide more reliable results if we apply our method to a larger and more diverse set of respondents.
7. ACKNOWLEDGEMENTS
This work was sponsored in part by the Korean Ministry of Information and Communication under the University IT Research Center Project.
8. REFERENCES
Arce, I. (2003), "The Weakest Link Revisited." IEEE Security & Privacy Magazine. Vol. 1, Issue 2, March-April 2003, pp. 72-76.
Armstrong, H., N. Jayaratna (2002), "Internet Security Management: A Joint Postgraduate Curriculum Design." Journal of Information Systems Education. Vol. 13, No. 3, 2002, pp. 249-258.
Golden, L. B., E. A. Wasil, and P. T. Harker (1989), The Analytic Hierarchy Process: Applications and Studies. Springer-Verlag, Berlin.
Gollmann, D. (2000), "E-commerce Security." Computing & Control Engineering Journal. Special Feature on E-commerce, Vol. 11, No. 3, June 2000, pp. 115-118.
He, J. and M. Wang (2001), "Cryptography and Relational Database Management Systems." 2001 International Symposium on Database Engineering & Applications, July 16-18, pp. 273-284.
Jenkins, A. M. (2001), "Meeting the Need for E-commerce and E-business Education: Creating A Global Electronic Commerce Concentration in the Master of Business Administration (MBA) Program." 9th European Conference on Information Systems, June 27-29, pp. 1081-1086.
Kim, K., K. Surendran (2002), "Information Security Management Curriculum Design: A Joint Industry and Academic Effort." Journal of Information Systems Education. Vol. 13, No. 3, 2002, pp. 227-236.
Kim, S., M. Choi (2002), "Educational Requirement Analysis for Information Security Professionals in Korea." Journal of Information Systems Education. Vol. 13, No. 3, 2002, pp. 237-246.
Maiden, N. A., C. Ncube (1998), "Acquiring COTS Software Selection Requirements." IEEE Software. Vol. 15, No. 2, March 1998, pp. 46-56.
Marchany, R. C., J. G. Tront (2002), "E-commerce Security Issues." Proceedings of the 35th Hawaii International Conference on System Sciences, January 7-10, pp. 2500-2508.
Nam, C., B. Kim (2003), "A Study on E-commerce Firms' Selecting Criteria for Small Package Express Service Provider by Using the Analytic Hierarchy Process." The Journal of Internet Electronic Commerce Research. Vol. 3, No. 1, February 2003.
Oosthuizen, G. (1998), "Security Issues Related to E-commerce." Network Security. No. 5, 1998, pp. 10-11.
Oppliger, R. (1999), "Shaping the Research Agenda for Security in E-commerce." Proceedings of the 10th International Workshop on Database & Expert Systems Applications, 1999, pp. 810-814.
Saaty, T. L. (1995), Decision-Making for Leaders: The Analytical Hierarchy Process for Decisions in a Complex World. RWS Publications.
Saaty, T. L., and L. Vargas (2000), Models, Methods, Concepts, and Applications of the Analytic Hierarchy Process. Kluwer Academic Publishers, Boston.
Udo, G. J. (2001), "Privacy and Security Concerns as Major Barriers for E-commerce: A Survey Study." Information Management & Computer Security. Vol. 9, No. 4, 2001, pp. 165-174.
Wang, H., J. Cao, and Y. Kambayashi (2002), "Building a Consumer Scalable Anonymity Payment Protocol for Internet Purchases." Proceedings of RIDE-2EC, February 24-25, pp. 159-168.
Wright, A. (2001), "Controlling Risks of E-commerce Content." Computers & Security. Vol. 20, No. 2, 2001, pp. 147-154.
Zviran, M. (1993), "A Comprehensive Methodology for Computer Family Selection." Journal of System Software. Vol. 22, No. 1, July 1993, pp. 17-26.
Hyunwoo Kim
Younggoo Han
Sehun Kim
Department of Industrial Engineering
KAIST, 373-1 Guseong-dong
Yuseong-gu, Daejeon, 305-701, Korea
hwkim@tmlab.kaist.ac.kr vghan@tmlab.kaist.ac.kr shkim@kaist.ac.kr
Myeonggil Choi
National Security Research Institute, 161 Gajeong-dong
Yuseong-gu, Daejeon, 305-350, Korea
mgchoi@etri.re.kr
AUTHOR BIOGRAPHIES
Hyunwoo Kim received the B.S. degree in industrial management and M.S. degree in industrial engineering from Korea Advanced Institute of Science and Technology (KAIST) in 1999 and 2001, respectively, where he is pursuing the doctoral degree in industrial engineering. His research interests are in the areas of information system security evaluation, e-commerce security, and optimal design and analysis of intrusion detection systems in ad hoc networks.
Younggoo Han received the B.S. degree and M.S. degree in industrial engineering from Korea Advanced Institute of Science and Technology (KAIST), Daejeon, in 2002 and 2004, respectively, where he is pursuing the doctoral degree in industrial engineering. His research interests are topics in e-commerce security, secure communication in wide-band networks, and intrusion detection systems.
Sehun Kim received the B.S. degree in physics from Seoul National University, Seoul, Korea, in 1972, and the M.S. and Ph.D. degrees in operations research from Stanford University in 1978 and 1981, respectively. In 1982, he joined the faculty of the Korea Advanced Institute of Science and Technology (KAIST). He has published a number of papers in IEEE Trans. on Vehicular Technology, Computer Networks, Telecommunication Systems, IEICE Transactions on Communications, International Journal of Satellite Communications, and Journal of KIISC (Korea Institute of Information Security and Cryptology). He served as the chief editor of the Journal of KIISC from 1990 to 1993.
Myeonggil Choi is a senior engineer at the National Security Research Institute, Electronics and Telecommunications Research Institute (ETRI) in Korea. He received the M.S. degree from Pusan National University and the Ph.D. degree in Management Information Systems from Korea Advanced Institute of Science and Technology (KAIST) in 2004. He worked at the Agency for Defense Development (ADD) as a researcher and has since worked for the National Security Research Institute, Electronics and Telecommunications Research Institute (ETRI) in Korea. His recent research issues include Network Security, Information System Security Evaluation, E-Commerce Security, and Information Security Management.
Copyright EDSIG Spring 2005