9.5 Competitive asset

"Quality control" is defined by Merriam Webster's Collegiate Dictionary as "an aggregate of activities (as design analysis and inspection for defects) designed to ensure adequate quality especially in manufactured products." [1]

Quality control can also be defined as a system for ensuring quality of output involving inspection, analysis, and the actions to make required changes. Implementing a security process for an Internet-facing enterprise business is like initiating a quality control program. As your enterprise provides service to your customers, you will need to make it safe from the outside world. As a factory incurs expenses to ensure consistent product quality, so must an Internet business incur security expenses. If the service fails to live up to the expectations of the customer, the business can fail. Customers expect consistency, accuracy, and responsiveness when they purchase a service or a product. If the business fails to meet one or more of these expectations, repeat business from these customers can be lost. In the same way, a customer who cannot safely conduct business via the Internet loses confidence. Today's business environment relies on the use of the Internet and the safety it is expected to provide. Quality and consistency cannot be overlooked by the Internet business. The value of the company is affected by the way customers view the quality or safety of transactions. Quality control cannot be viewed just as a necessary expense; it must be considered a competitive asset. The company that has truly done its homework will have a reliable security system in place so it can provide a service that is competitive. A secure transaction is a quality transaction. Customers will be willing to use your services if they feel safe.

Today, many stories abound about credit card numbers being stolen and used. Conducting business transactions on the Internet can be a scary experience. Fears of privacy violation are prevalent. The Internet is a place where we, the consumers, place confidential financial information on the line. The information we enter can be very personal and it can be quite distressing to worry that it is available to anybody. The customer needs to be reassured, or he or she will either decide not to do business over the Internet or go to a competitor who he or she may feel provides a secure environment.

A balance needs to be struck here. Let's look at an example: You have a business on 101 Main Street. You open the doors for business at 9 A.M. and close at 7 P.M. every day. This morning, when you went to open the business, you found 10,000 pounds of horse manure at the front door. With all of this stuff in front of the door, you cannot get into the building to do business and your customers can't either. This is known as a denial-of-service attack. (We have discussed denial-of-service attacks at length in other chapters, so we will stick with the analogy here.) Getting rid of all this excrement and reopening the business will take about two days. Having done that, you plan to hire security guards to monitor the door at all times and make sure that it never happens again. You will need to consider the same for your Internet business. But be warned: Be careful how you choose to promote the safety of your site. Do not paint a bull's-eye on your door. The dilemma in our story is this: The security guard can protect you since you are facing Main Street, but with the Internet-facing enterprise, you will be facing the Internet. Please do not take out an advertisement in the Wall Street Journal that says, "We are a secure Internet enterprise and cannot be hacked!" This action would invite every hacker from the 12-year-old down the street to the catatonic geek at the library web terminal to attack your site. We do want you to market your security as a competitive advantage, but not as a dare for hackers to try to break through your security wall.

Many important decisions in a business boil down to the effects they will have on revenues and expenses and, subsequently, on the profits of the company. Security costs money like everything else, and if you needlessly spend too much on security, you may not be able to generate a profit. This process involves capital expenditures for the hardware and the software used as security assets. In many cases, a consulting firm must be hired to perform the work, and to be available for future upgrades and problems. Personnel must be trained to use the system, and there will be some expenses involved in the constant monitoring such a system requires.

It may be expensive, but if we were talking about a factory producing Widgets and the necessity of producing a quality product, we can agree on the necessity of the expense. The quality product being produced here is a secure transaction. The quality of the transaction and the value of the transaction to the customer revolve around the safety of the transaction. A quality Internet transaction is a secure transaction.

If we agree that the expense is a necessary one, what costs do we need to look at? Quality costs involve four main items:

  1. Prevention: here, the prevention of a security breach

  2. Appraisal: these are recurring costs

  3. Internal: problem identified and resolved before customer is involved

  4. External: customer is involved, now must make amends

Prevention costs

This cost begins with the decision to do something about security. The costs involve planning, information gathering, designing the security system, training, and analyzing the system for problems. The planning stage depends on an extensive analysis of the business and its needs.

Appraisal costs

These are the costs of constant monitoring and surveillance that the company practices on itself. Reports should be created and maintained that list how many security glitches have occurred, and where and how they were handled. A security program is not a one-time cure-all; in fact, it requires frequent updates to stay ahead of the "bad dudes." It must always be a continual process.

Internal costs

These are the costs of repairing a security incident before a customer realizes it has occurred. This can include the cost of incident handling.

External costs

These costs can be the most severe. A customer (or several) is involved. It could be that his information was compromised, or she did not get what she requested because the order was deleted by an error somewhere along the system. Your site may have been down for an extensive time period due to something from the outside entering your system and tying it up. At this point, the customer can try again to buy from you because you have always been reliable in the past, or the customer can choose to go elsewhere. If the latter happens, you have most likely permanently lost that customer. That customer will no longer trust your site to be secure and reliable. If the Internet is the only place you conduct business, you could end up being forced to close down. This is the largest cost of maintaining a quality service.

The biggest problem associated with tracking the cost of quality is quantifying the numbers themselves. How do you account for lost revenue and how do you apply a cost to customer complaints? If they have security-related problems, many customers will not come to your site again. It is difficult to ascertain what they would have spent. Probably the best numbers you can estimate involve personnel and keeping track of how many problems they handle in a day, and assigning a time to each.

Another method may be recording the number of hits on a site. The customer may have never gotten into the site, but you will have records of the total tries and the completed transactions. This method involves estimating again, but it will allow you to better assess the true value of those external costs.

Let's look at costs using the following example:

  Prevention costs             $100,000
  Appraisal costs               $50,000
  Internal costs                $50,000
  External costs                $35,000
  Total quality costs          $235,000
  Sales for the same period    $450,000

  Quality index = (Total quality costs / Sales base) * 100%

  Quality index = ($235,000 / $450,000) * 100% = 52%

Now, this may appear to be a rather high ratio, but what would have been the cost of closing down the business had a security program not been implemented, and a security breach had occurred? Let's look at the numbers if nothing had been spent on security:

  Prevention costs             $0
  Appraisal costs              $0
  Internal costs               $25,000 (let's assume that some monitoring is being done)
  External costs               $400,000
  Total quality costs          $425,000
  Sales for the same period    $450,000

  Quality index = (Total quality costs / Sales base) * 100%

  Quality index = ($425,000 / $450,000) * 100% = 97%

Now the quality index ratio has risen drastically, even with the assumption we have made that the sales base has remained at the same level. If a security breach occurred, customers either could not access the site, or they heard from any number of sources how unreliable your connection was, so they stayed away altogether. You will not be able to remain competitive in the marketplace, and another firm that maintains a secure site will get all the sales. At this juncture, your choices are either to spend a lot of capital on playing catch-up (if the capital is available) or to sell the business (or what remains of it).

The bad news is that the cost of maintaining a secure environment may not decrease much over time. Conditions will constantly change and so will your security needs. If you are providing quality transactions, customers will come to rely and depend on them, and thus increase your sales. Over the course of time, the increase in sales may cause your quality cost index to decrease. Forecasting is an integral part of decision making regarding the security process. Expense forecasting was considered, but how about forecasting what the consumer will expect from a firm with an Internet presence? The days of the brick-and-mortar structure are rapidly changing. A customer buying on the Internet does not interact one-on-one with an individual. The transaction is conducted on the computer screen without any paperwork changing hands.

If a company wants to conduct business in this environment, future, as well as present, requirements of the consumer must be considered. Forecasting must take into account daily, weekly, or monthly sales targets. Long-range forecasts that extend three years or more must also be factored into the decision being made about the security requirements for a company. If a company manufactures Widgets and sells them over the Internet, there may not be a building where the customer deals face-to-face with a service rep. A customer is a demanding entity, someone who demands fast, efficient, and safe transactions. These expectations will never change, but the customer's standards of what meets or exceeds these expectations are constantly changing.

Let's go back to our Chapter 2 example of the Company. The Company has a reputation for producing the best Widgets available. When transactions were mailed or telephoned in, the customer knew to allow extra time for the transaction to be processed and completed. Over the Internet, however, the customer enters an order and expects it to be sent out that very day, or the next day, at the latest. The effort required to place the order was minimal, little time was used up, and the customer is free to go on to something else. After the order has been placed, the Company is expected to fill it safely and with little delay. If the Company does not have up-to-date security processes in place, this transaction may not flow as expected. The Company has been smart, however, and has forecast these customer expectations, and is able to meet them.

But it does not stop there. Let's suppose the same customer wants to place a new order next month, or even next week. In that small passage of time, conditions have changed. Circumstances that compromise security, or that the customer assumes have compromised security, have occurred. The Internet environment is shifting constantly, and therefore, appraisal expenses must be ongoing. Installing a security process is not like installing a hot-water heater. We do not allow it to function without maintenance until it breaks down, at which time we replace it with a newer, better model. The security process is just that, a process, and it must be a continual one, lest there be problems that can be very costly to fix later on.

What about the customer's perception? Let's assume the customer has been reading stories in the media about unsecured sites and transactions being lost, or payment information being intercepted and stolen. The customer may be apprehensive, and when he or she accesses the Company's web site, he or she may expect to see certain screens or information that indicates a secure environment. The customer has read that the Other Guy's Company, which produces comparable Widgets, has installed a highly secure system and is therefore the safest site on the Internet. The Company has to foresee this concern and needs to either have planned for a change or already have implemented it. Reassurances must be made to the customer, or a sale could be lost, including any future ones. Constant vigilance will be required by the Company in order to compete effectively. Security is an extension of the quality of the service provided. It cannot be ignored.

One approach for forecasting future expenses is through the "moving average method." The results of past periods are used to estimate future expenses. Following is the formula:

  Moving average = Number of incidents / Period of time

The time period can be days, months, or even years. This flexibility allows you to plan for these security expenses using the number of incidents as a point of comparison. Table 9.9 shows some examples.

Table 9.9

  Month       Number of Incidents   Three-Month Moving Average   Five-Month Moving Average
  January     220
  February    190
  March       200
  April       175                   203.3
  May         210                   188.3
  June        150                   195.0                        199.0
  July        175                   178.3                        185.0
  August      230                   178.3                        182.0
  September   310                   185.0                        188.0
  October     290                   238.3                        215.0
  November                          276.7                        231.0

By plotting the three sets of numbers on a line graph, we can see that the five-month moving average has a smoother run. This may misdirect your forecast because it looks like everything is going along pretty consistently. Errors are occurring, but they appear to not be deviating as much. The three-month moving average plot, however, is closer to the current number of incidents occurring, since it is tracking data in a tighter time period. It does not provide an exact match, but it is suitable for forecasting purposes.
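As an added example (not from the book), the following Python reproduces the moving-average columns of Table 9.9 from the January to October incident counts and measures how far each average strays from the actual counts, which puts a number on the smoothing effect described above. It assumes, as the table's figures imply, that each month's forecast is the mean of the preceding three or five months; the function names are this example's own.

```python
"""Moving-average forecast of monthly security incidents.

Added example: reproduces the Table 9.9 columns from the book's January
to October incident counts and compares both averages with the actual
counts. Function names are this example's own, not the book's.
"""

# Monthly incident counts as listed in Table 9.9.
INCIDENTS = {
    "January": 220, "February": 190, "March": 200, "April": 175,
    "May": 210, "June": 150, "July": 175, "August": 230,
    "September": 310, "October": 290,
}


def moving_average_forecast(counts, window):
    """Forecast each period as the mean of the `window` periods before it.

    Returns len(counts) + 1 entries: None where fewer than `window`
    earlier periods exist, then one value per period, the last being
    the forecast for the period after the data ends (November here).
    Values are rounded to one decimal, as in the table.
    """
    values = list(counts)
    forecasts = [None] * window
    for end in range(window, len(values) + 1):
        forecasts.append(round(sum(values[end - window:end]) / window, 1))
    return forecasts


def forecast_table(counts):
    """Rows of (month, actual, three-month MA, five-month MA), like Table 9.9."""
    months = list(counts) + ["November"]
    actual = list(counts.values())
    three = moving_average_forecast(actual, 3)
    five = moving_average_forecast(actual, 5)
    rows = []
    for i, month in enumerate(months):
        observed = actual[i] if i < len(actual) else None
        rows.append((month, observed, three[i], five[i]))
    return rows


def mean_absolute_error(counts, window):
    """Average gap between forecast and actual over months where both exist.

    A smaller value means the average tracks the incident count more
    closely; the five-month average is smoother but lags the spikes.
    """
    actual = list(counts.values())
    forecasts = moving_average_forecast(actual, window)
    gaps = [abs(f - a) for f, a in zip(forecasts, actual) if f is not None]
    return round(sum(gaps) / len(gaps), 1)


if __name__ == "__main__":
    for month, observed, three, five in forecast_table(INCIDENTS):
        cells = ["" if v is None else f"{v}" for v in (observed, three, five)]
        print(f"{month:<10} {cells[0]:>5} {cells[1]:>7} {cells[2]:>7}")
    print("MAE 3-month:", mean_absolute_error(INCIDENTS, 3))
    print("MAE 5-month:", mean_absolute_error(INCIDENTS, 5))
```

Running it prints the table and shows the three-month average sitting closer to the actual counts (smaller mean absolute error) than the five-month average, which is the point made in the paragraph above.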

The three-month moving average has provided an estimate of how many incidents we can expect to occur, but decisions must be made as to what to do with this information, and how to handle the expenses that will be required to keep the situation under control. We say "keep the situation under control" rather than "solve the situation" because, remember, the Internet environment is always changing. The possibility of security breaches will never really go away. It can be maintained, however, within acceptable limits. What is acceptable? Using information such as that in Table 9.9, we know the frequency of these incidents occurring over several time periods, and, coupled with sales transactions data, we can compute the ratio of number of incidents to number of successful sales transactions on a per-month, three-month moving average, and five-month moving average basis. If the ratio is high, say, 50% or more, we can safely say that the Company is losing half of all possible sales per month to security incidents. Where are these sales going? They are going to the competition, of course, the majority of them, anyway. The industry as a whole will face the problem of dealing with security incidents. What level will be acceptable to you and your customers? This is where surveys of your employees and customers can help you find the answer.

As you decide, remember that you are in business to make money and to ensure the viability of your company. Viability requires that you be competitive. If an investor were to evaluate an Internet business, what would he or she want to see? Such an evaluation would very likely include an evaluation of the company's financial standing. The income statement of a company lists the sales figures less expenses for a given time period, which results in the net income for the company. The list of expenses should include the cost of security. If an investor were to compare your company to other possible investments, how would it stack up? Today's investor is savvy enough to know that without a good security process in place, your company will not survive all the possible pitfalls that can occur due to the interconnectivity of the Internet. Also, one of the contingency listings in the financial statements should acknowledge the possibility of a security breach and the possible related costs. Insurance for security can be purchased and should also be included in the list of expenses. There should also be evidence of a continuing relationship with an external firm that specializes in security, which is the equivalent of an accounting firm that comes in to audit the financial records. There should be a security team that comes in periodically to audit the firm's security and advises the company on updates in order to help keep the company truly secure. The capital expenditures breakdown should list security hardware and software purchased as security assets. In the future, we can expect audit statements to be issued by the security firms that perform the periodic audits of the Internet enterprise. The statements will attest to the fact that the company audited is following accepted security practices. The statements will reflect that due diligence is being practiced by the company. The security firm will be performing the same function as that currently being performed on a company's financial records by accounting audit teams.

The security audit statement will become as important as the accounting audit statement. Potential investors will be provided some assurance as to the computing security capability of a firm. Customers will also be provided some assurance that their transactions will be handled securely, consistently, accurately, and in a timely manner. After the security system has been successfully audited, the customer will feel that he or she can safely access a company's web site and make purchases. The investor may feel compelled to invest in the company.

A company does not exist in a vacuum. It depends on customers and, if it plans to grow, on investors. The perceptions that these individuals hold can be responsible for the rise or fall of a company. Security firms that perform the auditing will be accountable for being intimately knowledgeable with the regulations that govern how they perform the audits and what they are looking for. Security firms will be required to have their auditors receive continuous training in order to stay current. How can someone audit a process and attest that it is up-to-date on all the regulations for security if this individual is not aware of the current regulations? The Internet's future existence depends on it providing a secure environment in which individuals can conduct private transactions without fear. If this problem is not addressed in a regulatory format, like accounting practices, investors will lose faith and move back to the brick-and-mortar businesses.

The traditional businesses will have accounting auditors attesting to their reliability, and investors will feel more secure about investing their money in these firms. Internet businesses cannot let this happen. Security must become another competitive asset, just like the practice of having unbiased external auditors come in each year to audit financial statements. Security audits will be an expense that a firm is obligated to incur. The absence of a security audit report ought to become a red flag to possible investors, indicating that a company may be subject to security problems. This is the way of the future. This is what Internet firms must undergo in order to remain viable in this highly competitive world.

[1] Merriam Webster's Collegiate Dictionary, 10th Edition.

Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis