Risks and countermeasures of e-commerce transactions
Research on Security Risk Management of E-commerce

Lin Liming, Li Xinchun

(School of Management, China University of Mining and Technology, Xuzhou, Jiangsu 221008)

Abstract: Starting from the various risk problems that e-commerce security currently faces, and drawing on existing risk management methods, this paper carries out a basic analysis and study of security risk management for e-commerce systems, in order to provide useful references for enterprise e-commerce security risk management.

Keywords: e-commerce security, risk management, risk identification, risk control

1 Introduction

With the rapid development of the open Internet, the application and promotion of e-commerce has greatly changed how people work and live and has brought unlimited business opportunities. However, the Internet, the platform on which e-commerce is built, is full of large and complex security risks. Hacker attacks and rampant viruses make it difficult to carry out e-commerce business safely and smoothly. In addition, e-commerce also faces severe internal risks, such as a lack of clarity about security issues and weak security awareness within e-commerce enterprises, and insufficient attention from senior leaders to the operation and security management of e-commerce, so that enterprises inevitably encounter risks of one kind or another when implementing e-commerce. Therefore, while investigating the operating environment of e-commerce and providing security solutions for it, we need to focus on the risk problems faced by e-commerce systems and on effective methods for controlling those risks.

E-commerce security risk management is a systematic management method that identifies, measures and analyzes the security risks of an e-commerce system and, on that basis, achieves as much security as possible at the lowest cost.

2 Security risks faced by e-commerce

Due to the complexity and fragility of the network, the development of e-commerce based on the Internet is facing severe security problems. Generally speaking, e-commerce has the following security risks:

1) Interception and theft of information

Users or outsiders connected with the e-commerce activity intercept and steal other people's messages and information, without authorization, through various technical means in order to obtain business secrets.

2) Information tampering

Network attackers use various technical methods to intercept information in transit, tamper with it, delete parts of it or insert content, and then forward it to the destination, thereby destroying the integrity of the information.

3) Denial of service

Denial of service refers to the complete failure of the network system or a server's services for a certain period of time. The main causes are hacker and virus attacks and deliberate destruction of computer hardware.

4) Theft of system resources

In the network system environment, system resource theft is a common security threat.

5) Forged information

Forgery of information means that an attacker who has learned the patterns of the network's data or decrypted commercial information can impersonate a legitimate user or fabricate information to deceive other users. Its main manifestations are illegal transactions such as impersonating customers and forging e-mails.

6) Repudiation of transactions

Repudiation of transactions includes a sender later denying having sent a message, a buyer refusing to acknowledge an order after placing it, and a seller refusing to acknowledge the original transaction on the grounds that the price has changed.

3 Risk management rules

In view of the various security risks faced by e-commerce, e-commerce enterprises should take active measures to maintain the security of their systems and to monitor new threats and vulnerabilities. Therefore, it is necessary to formulate complete and efficient e-commerce security risk management rules.

Generally speaking, the process of formulating risk management rules has three stages: evaluation, development and implementation, and operation.

(1) Evaluation stage

The main task of this stage is to comprehensively evaluate the security situation of e-commerce, the information to be protected and various assets, and identify and analyze some basic security risks.

E-commerce security assessment is the basis of making risk management rules.

Information and asset evaluation refers to the evaluation of relevant information and assets that may suffer losses, so as to determine appropriate risk management rules and avoid a serious mismatch between input costs and information and assets to be protected.

Security risk identification requires finding potential security risks as much as possible and collecting information on various threats, vulnerabilities, developments and countermeasures.

Security risk analysis determines the risks, collects information and evaluates the possible losses in order to estimate the level of each risk, so that sound decisions can be made and measures taken to avoid security risks.

(2) Development and implementation stage

The tasks in this stage include risk remedial measures formulation, risk remedial measures testing and risk knowledge learning.

The development of risk remedial measures uses the results of the evaluation stage to establish a new security management strategy, which involves configuration management, patch management, system monitoring and auditing, etc.

After the risk remedial measures are formulated, the security risk remedial measures are tested. During testing, the effectiveness of the countermeasures is evaluated according to how well they control the security risks.

(3) Operation stage

The main tasks in the operation phase include evaluating new security risks according to the new security risk management rules. This is in effect a change management process, and also a process of implementing security configuration management.

The second task in the operation phase is to test the stability of new or changed countermeasures and deploy them. This is carried out by the system management, security management and network management teams.

The three stages of the above risk management rules can be represented by the following figure:

Figure 1 Three-stage risk management rules

4 Risk management steps

Risk management is the process of identifying risks, analyzing risks and making risk management plans. The control methods of e-commerce security risks include risk identification, risk analysis, risk control and risk monitoring.

(1) Risk identification

Through the risk assessment of the system, the security requirements of e-commerce system are determined. In order to effectively manage e-commerce security risks, identifying security risks is the first step of risk management.

Risk identification is to identify all kinds of security risks that may pose a potential threat to e-commerce system on the basis of collecting all kinds of threats, vulnerabilities and related countermeasures.

There are many ways to identify risks. For the security of e-commerce system, the main goal of risk identification is to identify the network environment risk, data existence risk and online payment risk of e-commerce system.

It should be noted that not all e-commerce security risks can be handled by risk identification alone: risk identification can only find known risks, or potential risks that are easy to infer from known ones. Most unknown risks must be resolved or reduced through risk analysis and risk control.

(2) Risk analysis

Risk analysis uses qualitative and quantitative methods such as analysis, comparison and evaluation to determine the importance of the various risk elements of e-commerce security, rank the risks, and evaluate their possible consequences for all aspects of the e-commerce system, so that those implementing the system can concentrate on a few important security risks and effectively control the overall risk of the system. Risk analysis is the method by which risks are determined and possible losses evaluated, and it is the basis for formulating security measures.

The goal of risk analysis is to determine the risk, make qualitative and quantitative analysis of the potential risks that may cause damage, and finally seek the balance between risk loss and risk input cost economically.

At present, the main methods used for risk analysis are the risk probability/impact assessment matrix, sensitivity analysis, simulation and so on. When analyzing the security risks of e-commerce, the influencing factors are difficult to quantify in practice, so risk analysis can rely mainly on qualitative methods combined with a small amount of quantitative analysis, as actual needs dictate; this provides the theoretical basis for formulating the risk management system and for risk control.

(3) Risk control

Risk control is to choose and use certain risk control means to ensure that the risk is reduced to an acceptable level. Risk control is the most important link in risk management and the key factor that determines the success or failure of risk management. The goal of e-commerce security risk control is to change the risk level of enterprise e-commerce projects.

Generally speaking, there are two types of risk control methods:

The first category is risk control measures, such as risk reduction, risk avoidance, risk transfer and loss management. In e-commerce security risk management, risk transfer and loss management are the commonly used methods.

The second category is financing measures for risk compensation, including insurance and retaining the risk (self-insurance). In e-commerce security risk management, managers need to decide on financing measures for risk compensation, that is, to choose between insurance and retaining the risk themselves.

In addition, the selection of risk control methods should fully consider the cost of the losses that the corresponding risks would cause. Of course, other effects, such as on corporate goodwill, cannot be ignored either.

For the security of e-commerce, the effective and feasible risk control method is to establish a complete and efficient security solution to reduce risks, master some basic technologies needed to ensure security, and plan the solutions that enterprises should adopt when specific security accidents occur.
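As an added illustration of the probability/impact matrix and sensitivity analysis named in section 4(2), and of the "acceptable level" decision in section 4(3), the following Python scores the six risk categories from section 2 (example code, not from the paper; the three-point ordinal scale, the ratings assigned to each risk and the acceptability threshold are constructed assumptions):

```python
# Added illustration of a qualitative probability/impact matrix, not the paper's
# code: the 3-point scale, the ratings and the threshold are assumptions.
from dataclasses import dataclass

ORDER = ["low", "medium", "high"]          # assumed ordinal scale
LEVEL = {name: i + 1 for i, name in enumerate(ORDER)}
ACCEPTABLE = 3                             # assumed: score <= 3 may be retained

@dataclass
class Risk:
    name: str
    probability: str   # one of ORDER
    impact: str        # one of ORDER

    def score(self) -> int:
        """Probability x impact on the ordinal scale (1..9)."""
        return LEVEL[self.probability] * LEVEL[self.impact]

# Constructed register using the six risk categories of section 2.
REGISTER = [
    Risk("interception and theft of information", "high", "high"),
    Risk("information tampering", "medium", "high"),
    Risk("denial of service", "medium", "medium"),
    Risk("theft of system resources", "medium", "low"),
    Risk("forged information / impersonation", "medium", "high"),
    Risk("repudiation of transactions", "low", "medium"),
]

def rank(register):
    """Rank risks by score, highest first; equal scores keep register order."""
    return sorted(register, key=lambda r: -r.score())

def needs_control(register, threshold=ACCEPTABLE):
    """Names of risks above the acceptable level, i.e. those that need a control."""
    return [r.name for r in register if r.score() > threshold]

def shift(level, delta):
    """Move an ordinal level up or down by delta, clamped to the scale."""
    return ORDER[min(max(ORDER.index(level) + delta, 0), len(ORDER) - 1)]

def sensitivity(register, threshold=ACCEPTABLE):
    """Risks whose accept/control decision flips when the probability estimate is
    off by one level either way: these are the estimates worth refining first."""
    flips = []
    for r in register:
        base = r.score() > threshold
        for delta in (-1, 1):
            moved = Risk(r.name, shift(r.probability, delta), r.impact)
            if (moved.score() > threshold) != base:
                flips.append(r.name)
                break
    return flips
```

With these constructed ratings, four of the six risks exceed the threshold, and the decision for four of them (not the same four) would change with a one-level error in the probability estimate, which is exactly what the paper's sensitivity analysis is meant to surface before controls are chosen.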

5 Risk management countermeasures

Because of the importance of e-commerce security, it is very urgent to deploy a set of complete and effective risk management countermeasures for e-commerce security. The purpose of formulating security risk management countermeasures for e-commerce is to eliminate potential threats and security loopholes, thus reducing the risks faced by e-commerce system environment.

At present, the defense-in-depth strategy is commonly used for e-commerce security risk management countermeasures. The so-called defense-in-depth strategy means layered, multi-level security. By deploying multiple layers of protection, it can be ensured that when one layer is breached, the remaining layers still provide the security needed to protect the resources of the e-commerce system. For example, if an organization's external firewall is breached, the internal firewall still prevents the intruder from obtaining or destroying the organization's sensitive data. Ideally, each layer provides different countermeasures, so that the same attack method cannot defeat more than one layer.

The following figure shows an effective defense-in-depth strategy:

Figure 2 Effective defense in depth strategy

The following is a brief description of the main defense contents of each layer from the outer layer to the inner layer:

1) Physical security

Physical security is the premise of the security of the whole e-commerce system. The purpose of formulating the physical security strategy of e-commerce is to protect the hardware entities and communication links of e-commerce systems such as computer systems and e-commerce servers from the security risks caused by natural disasters and man-made destruction.

2) Peripheral defense

Protection of the network perimeter resists external attacks. An e-commerce system should, as far as possible, deploy security equipment to protect each access node of the network. Technically, the firewall is the most important means of network perimeter defense. An e-commerce system should install one or more firewalls to minimize the risk of external attack, and use intrusion detection to detect illegal access and attacks from outside in a timely manner.

3) Network defense

Network defense evaluates the network environment and takes measures to resist hacker attacks so that the network is properly protected. At present, network security defense is largely a passive, reactive activity, and defense technology develops more slowly than attack technology. To improve network defense capability and give the protection system an active position in the offensive-defensive contest, active security measures (such as network traps, intrusion forensics, intrusion detection and automatic recovery) need to be adopted in addition to passive security tools (firewalls, vulnerability scanning, etc.).

4) Host defense

Host defense evaluates the security of each host in the system and then formulates countermeasures, based on the evaluation results, that limit the tasks a server may perform. Within the host and its environment, the objects of protection include the servers and clients in the user application environment, together with the operating systems and application systems installed on them. These applications provide services including information access, storage, transmission and input. According to the information security technical framework, protection of the host and its environment first establishes the first line of defense against malicious attacks by insiders, and secondly prevents outsiders from attacking across the system's protection boundary.

5) Application defense

As a defense layer, application hardening is an indispensable part of any security model. Applications run inside the system environment, and hardening the operating system alone provides only a limited degree of protection. Therefore, it is the responsibility of e-commerce system developers to integrate security protection into the application itself, so as to provide dedicated protection for the parts of the architecture that the application can reach.

6) Data defense

For many e-commerce companies, data is the asset of the company. Once it falls into the hands of competitors or is destroyed, it will cause irreparable losses. Therefore, strengthening the protection of e-commerce transactions and related data is of great practical significance to the security of e-commerce systems and the normal operation of e-commerce projects.

6 Conclusion

Generally speaking, risk management has three basic countermeasures: managers take appropriate measures to reduce the probability of a risk event; managers formulate and implement an emergency plan for use when an event occurs; or managers do nothing and accept the risk. For whichever countermeasure is selected, the potential risks should be fully estimated and corresponding emergency plans formulated to minimize possible losses.

There are no fixed rules for risk management. For the security risk management of e-commerce, it is first necessary to scan and examine the internal and external environment of the e-commerce system, check the system's vulnerabilities and weak links, and repair them or add equipment in time so that losses are kept as small as possible when risks arise; secondly, to fully analyze the security risks of e-commerce, formulate corresponding plans and measures, and monitor and track them at every stage of implementation; and finally, to adjust the risk management measures whenever the environment changes and to prepare a complete disaster recovery plan.
