Comparative Analysis of Available Internet Security Systems
Introduction of Internet Security Systems
In this age of rapidly growing usage of social networking sites, the importance of internet security systems has attracted the attention of policy makers and security gurus alike. One of the major technological developments stemming from Web 2.0 is the phenomenon of social networks (Squicciarini, Shehab, & Paci, 2009). Social networks are virtual communities that allow members to share in a diverse array of common interests, such as religion, politics, ethnicity, photographs, sports, music, movies, books, and even personal details about themselves (H. Jones & Soltren, 2005). For many participants, social networks provide an online gathering place where mingling and self-expression are possible, even for the most timid or unpretentious disposition (Squicciarini et al., 2009). Within the United States, social networking has become increasingly widespread, with tens of millions of citizens actively participating in online communities.
In order to partake in an online community and fully actualize its potential benefits, members are obliged to furnish social networks with information about themselves. This information can be very concise, such as a username and password, or it can be more exhaustive, composed of various elements of personally identifiable information, such as full name, address, telephone number, date of birth, pet’s name, eye color, hair color, city, state, zip code, username or E-mail address. Concise or minimal disclosure of information allows rudimentary participation by members within online communities; however, for those willing to disclose more of their personally identifiable information, social networking seems much more favorably disposed (Schrammel, Köffel, & Tscheligi, 2009).
Cyber Threats and the Internet Security Systems
The potential harm caused by cyber-attacks can threaten the national security of any country (Morel, Workshop on Exploring the International Dimensions of Cybersecurity, 2005). One cyber threat particularly relevant to the national interests of an ICT-emerging country is the potential harm to economic growth (Klutse, 2008). While those nations have identified many ways in which they can benefit from the Internet, they have not yet recognized and dealt with the cyber threats they are facing. If they continue on their current development path, their cyberspace defenses will likely fail to keep pace with their increasing cyber vulnerability (Morel, Workshop on Exploring the International Dimensions of Cybersecurity, 2005). This is a troubling prediction. They are in dire need of guidance on how to develop and implement an effective security strategy, because they are becoming heavy users of the Internet at a time when securing cyberspace is a complicated and difficult task.
According to Acquisti and Gross (2006), most users of social networking sites are wholly unaware of the potential risks or consequences associated with unrestricted disclosure of information within online social networks. This could explain the dissonance, or seeming lack of care, shown by many users within online social communities as they seek to maximize the social networking experience (Acquisti & Grossklags, 2004).
Mobile Phone Usage
There has been a great amount of research conducted on both familial communication and adolescent mobile phone and text message usage. However, little to no previous research has been presented on the perceived impact that mobile phone usage has on interpersonal family communication. People utilize technology to enhance communication among friends, to make plans, and to make contacts outside of day-to-day face-to-face conversations (Bryant, Sanders-Jackson, & Smallwood, 2006). No doubt we utilize text messaging because of its convenience, freedom, privacy, lower cost, and speed when compared to other types of technology. However, the concern here is that, by using text messaging extensively, young people will be eroding face-to-face communication (Thompson & Cupples, 2008).
As the use of ICTs becomes more prevalent throughout the world, the adoption of new ICTs can create both opportunities and difficulties. ICTs reduce or completely eliminate physical barriers that have traditionally limited the interactions between individuals and across organizations. While ICTs inherently foster the flow of communication, they also increase its volume regardless of its utility or the accuracy of its content. Because of this, ICTs can improve communication with stakeholders while making it more challenging to implement locally and regionally focused business initiatives and practices.
Insider Security Threats
Threats to information security are always increasing and vary from organization to organization, but the one threat that remains the same regardless of the type of organization is the insider threat (Carroll, 2006). Insider security threats may not occur as frequently as external attacks, but they have a higher rate of success, can go undetected, and pose a greater risk than an external attack (Chinchani, Iyer, Ngo, & Upadhyaya, 2005). Insider threats can be classified into two categories: the intentional and the unintentional threat (Carroll, 2006). The intentional threat occurs when a party or trusted person within the organization knowingly sets out to cause damage or loss of data to a system (Blyth & Kovacich, 2006). The intentional threat can be anything from an employee creating a security risk for malicious reasons or personal gain to the more familiar threat of a hacker trying to gain access to a system (Blyth & Kovacich, 2006; Carroll, 2006). The intentional threat is a more serious threat to information security in that hackers and criminals have learned to manipulate users into divulging confidential information with a technique called social engineering (Aytes & Connolly, 2004). As Bruce Schneier of Counterpane Internet Security stated, “[A]mateurs hack systems, while professionals hack people” (Tucker, 2002, p. 10).
The unintentional threat occurs when a trusted person within the organization causes damage or loss of data or service without direct intent (Blyth & Kovacich, 2006). Unintentional threats can be caused by anything from leaving a laptop or sensitive document unattended, to inadvertently installing software with an unknown flaw or bug that can create a security risk (Andrews & Whittaker, 2004; Blyth & Kovacich, 2006). Other unintentional threats due to users’ poor judgment include opening e-mail attachments without checking for viruses, downloading unauthorized software, reconfiguring the system security settings, disabling a firewall to access an unauthorized website, and providing personal information or a password to a coworker (Blyth & Kovacich, 2006; Carroll, 2006). As more users become responsible for their own system security, the number of unintentional security threats will increase (Chinchani et al., 2005). Because organizations have their information infrastructure connected, the unintentional threat by one user can lead to a security breach affecting the entire infrastructure (Aytes & Connolly, 2004).
Research on inappropriate user action regarding online protection, especially protection against phishing attacks, includes the following. Reeder and Arshad (2005) reported that 75% of the participants still fell victim to a mimicked phishing attack even though the researchers provided clues that it was an email scam. In addition, Kumaraguru et al. (2007) reported that participants still fell victim to a phishing attack even though they had received training and warnings about such attacks. Egelman, Cranor, and Hong (2008) reported that users heeded security warnings; however, if a user did not understand what a phishing attack was, that user would not pay attention to the security warning. Further, Wu, Miller, and Garfinkel (2006) reported that security toolbars failed to prevent users from being spoofed by phishing attacks because users failed to respond to the toolbars. Finally, Dhamija, Tygar, and Hearst (2006) reported that standard security indicators were not effective for most users.
With the Internet emerging as a fundamental communication infrastructure of our society, concerns about safety in cyberspace are also dramatically rising. Increasing Internet-based communication can expose users to various information privacy and security problems (Perugini, 1996; Chociey, 1997).
According to the Internet Crime Report, the Internet Crime Complaint Center received 275,284 submissions during 2008. The economic impact of referred complaints was 265 million dollars, a recorded all-time high (IC3, 2008). In the corporate setting, inadequate security is a critical obstacle to implementing new information technologies for organizations (Duchessi & Chengalur-Smith, 1998). Cyber security professionals are critical to solving security problems for safe online communication. As our society realizes the risk of threats in cyberspace, demand for cyber security professionals will increase greatly, and they will be needed to protect the networks and information systems of organizations.
The types of problems that may arise when using mobile application software because of inadequate security measures might include unauthorized use of mobile devices, reckless behavior, theft, viruses, and spyware. The damage caused by any one of these security breaches might be costly, depending on the organization and the type of data compromised. Analysts at the International Data Corporation (2007b) asserted that information protection and control would continue to be a substantial security investment over the next 5 years. Insider scandals, involving the leaking of customer records, confidential information, and intellectual property, would continue. Designing technology solutions helps prevent the deliberate or inadvertent disclosure of sensitive information in organizations of all sizes.
Phishing (fishing), short for password harvesting and fishing, is the act of an attacker deceiving an online account holder into divulging sensitive or protected information to an unknown third party posing as a trusted or legitimate party, such as a bank, corporation, or government agency (Newton, 2008). Regarded traditionally as an electronic mail (E-mail) based assault, phishing attacks are carried out when attackers send out fraudulent unsolicited E-mail messages (spam) to recipients in the hope of enticing E-mail users into exposing sensitive information (Downing et al., 2009). The verisimilitude or sophistication of the attacker’s falsified identity as a trusted party, coupled with a general lack of awareness on the part of potential victims, has made phishing extremely profitable for those seeking to extract information from online account holders (Robila & Ragucci, 2006).
Trusteer Incorporated is a leading desktop security firm committed to securing online transactions that travel between consumer Web browsers and online banks, brokerages, and retailers against malicious software (malware) and fraudulent websites. According to Trusteer (2009), of one million online bank customers who encountered phishing attacks in 2009, 45% actually fell victim to phishing attacks by divulging personal credentials, which resulted in as much as $9.4 million in losses (Trusteer, 2009).
According to the Identity Theft Resource Center (ITRC), “identity theft is an act in which an imposter gains access to key elements of one’s personally identifiable information, such as social security numbers, driver’s license numbers, credit card or sensitive banking information, then uses it for their own personal or financial gain. Known as ID Theft, identity-jacking, or i-Jacking, identity theft can originate from lost or stolen wallets, hijacked or stolen mail, information data breaches, computer viruses, phishing attacks, conventional scams, or un-shredded paper documents thrown out, then later retrieved by others through a process known as dumpster diving” (ITRC, 2010).
According to Grabosky, Smith, and Dempsey (2001), a fundamental principle of criminology is that illegal acts tend to expand as opportunities increase. As the Web 2.0 enabled Internet continues to evolve, so do opportunities for illicit behavior (Bryant, 2008). According to Melek (2006) of Deloitte Touche Tohmatsu, identity theft has supplanted viruses and worms as the dominant threat to information privacy for organizations and individuals.
Harassment can be defined as words, conduct, or deeds that are intended to cause annoyance, aggravation, nuisance, or emotional distress in a person (Garner, 2009). The infusion of computers and the Internet has redefined the meaning of harassment and expanded its reach by means of electronic communications (Edwards & Waelde, 1997). Even though no universal definition exists for this type of online activity, cyberstalking is a form of electronic harassment that occurs when an individual or group uses the Internet, electronic mail, or other electronic means to aggrieve or persecute another (Valetk, 2004). Similar to conventional harassment, cyberstalking is a form of online aggression that involves constant annoying or threatening behavior, carried out through the use of E-mail, blogs, chat rooms, bulletin boards, instant messaging, text messaging, or online social networking (Harvey, 2003).
One challenge that often occurs when attempting to define cyberstalking is the synonymous usage or interchangeability of the terms “cyberstalking”, “cyberharassment”, and “cyberbullying”. While the terms resemble one another from a definitional viewpoint, each term bears subtle distinctions. The difference between cyberstalking and cyberharassment is derived from the purpose or motives of the perpetrator (Aftab, 2004).
To counter the security risks posed by inappropriate user action, security professionals propose security awareness and training programs for users (Aytes & Connolly, 2004; Blyth & Kovacich, 2006; North et al., 2007). Awareness programs consist of “newsletters, posters, flyers, and lectures while training programs are more involved and may include case studies and hands-on training” (Crossler & Belanger, 2006). The primary goal of security-training programs is to make the user aware of the various security risks and how they could affect the organization (Aytes & Connolly, 2004). Prior to conducting any security training, an organization’s security manager must assess the organization’s state of security awareness (Blyth & Kovacich, 2006).
A good information security-awareness program is more than simply ensuring that everyone knows and obeys the security rules (e.g., rules for user behavior, policies, and procedures); it involves providing the reasons behind the security rules so that users can make sound security decisions in the absence of specific guidance (Boyce & Jennings, 2002). Raising a user’s level of security awareness will provide that user with the knowledge to recognize and prevent inappropriate actions (Al-Hamdani, 2006). Security awareness should help curtail inappropriate user behavior, prevent the user from creating system security vulnerabilities, and protect the user from becoming the next victim of a cyber attack (Blyth & Kovacich, 2006; Hazari, 2005).