Creating Trust in ECommerce

1
Creating Trust in E-Commerce

• The importance of trust in cyberspace
• The nature of the risks in EC
• Taking actions to enhance security - The defence
  program
• Privacy in e-commerce how to create public
  confidence

2
Trust in cyberspace

• The concept of trust in business
• The special characteristics of EC
• The reasons for concerns
• How lack of trust has affected EC
• What companies have been doing to create trust
• the role of PKI and industry-wide code of conduct
  (TRUSTe)

3
Problems in trust building

• The lack of visible corporate policies on privacy
• The lack of understanding of the risks involved
  in on-line data transfer

4
The nature of the risks

• External hackers - vandals and serious data
  thieves
• Corrupt (ex)employees
• The vulnerability of a computer system due to
  lack of management support, neglect, misuse by
  external partners etc.
• Inappropriate use of data collected on-line
• Use of networked mobile equipment.

5
A defence programme to enhance security

• A defence programme is an integrated set of
  processes designed to create an infrastructure
  for maintaining confidentiality and integrity of
  data.
• It involves on-going activities of risk
  assessment, planning, developing, testing and
  implementing controls, and awareness raising

6
(No Transcript)
7
Identifying threats and vulnerabilities

• Analyse existing systems and activities
• examine the information handled
• evaluate the importance and sensitivity of the
  information
• assess the threats and vulnerabilities
• review the effectiveness of the current safety
  measures.

8
A plan of action

• Technical information about the systems under
  consideration
• A note of the sensitivity levels of the systems
• An overview of the security requirements
• The controls already in place
• The controls to be implemented
• The rules of behaviour
• Measures taken to protect systems from individual
  employees

9

• Policies to assess the security risks from
  trading partners
• Management and operational responsibilities for
  implementing and monitoring security plans
• Response procedures in case of breeches of
  security
• Plans for training programmes and awareness
  raising activities

10
Establishing controls - operational

• Taking steps to protect a systems from corrupt
  individuals
• Improving physical security to limit damage and
  theft
• Making recovery plans
• Improving manual procedures to ensure accuracy
  and safety of data input.

11
Technical controls

• The establishment of
• Proper management of user access procedures
• Policies on the distribution of access rights
• Management of the allocation and maintenance of
  access to partners and external users
• Implementing a legal infrastructure

12
The other steps in a defence programme

• Test control following established methods of
  testing a system
• Create awareness by trianing and awreness raising
  sessions

13
Privacy in e-commerce

• At the root of consumers resistance against EC
  is the uncertainty surrounding how data submitted
  by them on-line is used and what regulatory
  framework there is to safeguard it.

14
The steps taken to create public confidence

• In the EU the Data Protection Directive of 1998
  aims to
• Give individual certain rights
• Compels data users to comply with the law
• Forces data users to inform data subjects of how
  their personal data will be used
• Maintains a data register holding data users
  details plus nature and purpose of data held.

15
The principles of the DP Directive

• The holders of data must
• Obtain and process data fairly and lawfully
• Collect and use data only for specified,
  explicitly stated and legitimate purposes, as
  described in the register entry
• Collect only data which is relevant (and not
  excessive) to the stated purposes, and disclosed
  only to those people described in the register
  entry

16

• Ensure that data is accurate and kept up-to-date
• Take reasonable steps to rectify or erase
  inaccurate data
• Keep data in an identifiable form for no longer
  than is necessary for the registered purposes

17

• Protect the security of data against accidental
  or unauthorised access or manipulation. However,
  data must be accessible to the data subjects who,
  where appropriate, has the right to have
  information about themselves corrected or erased
• Guarantee that safeguards are implemented if data
  is transferred abroad.

18
The situation in the USA

• In the USA, self-regulation has so far been
  preferred to a government act.
• But now there is pressure from the FTC for
  organisations to take action to provide choice
  and awareness among consumers and establish
  policies for security, integrity, accountability
  and verification procedures.

19
International collaboration on privacy

• For effective data protection, an international
  agreement is required.
• The EU has created a list of safe countries for
  data protection based on the adequacy of their
  data protection levels.
• The USA and EU have a safe harbour policy which
  enables U.S. organisations included on such a
  list to receive data from the EU.

20
Other initiatives

• Some companies have joined initiatives
  facilitated by organisations such as Trust UK and
  TRUSTe in which they follow a code of conduct in
  return for a seal of assurance.
• The display of the seal assures customers of the
  reliability of a company and also creates a
  doorway for further information.

21
Questions

• To what extent is it realistically possible for
  e-commerce companies to gain consumer trust?
• Concerns over the Internets contribution to the
  emergence of a big brother state have provoked
  much debate. What, if any, are the justification
  behind such concerns?
• Comment on the effectiveness of the measures
  described in todays lecture in alleviating the
  above fear.

22
Case studies

• PKI at Eduard de Graaff
• Earnst Young
• Firefly