
A comparative study of the evolution of vulnerabilities in IT systems and its relation to the new concept of cloud computing

Issam Kouatli
ITOM Department, Lebanese American University, Beirut, Lebanon

Abstract
Purpose – The purpose of this paper is to classify and categorize the vulnerability types that emerged over time as information technology (IT) systems evolved. This comparative study aims to compare the seriousness of the old, well-known vulnerabilities, which may still exist but with a lower probability of occurring, with that of new technologies such as cloud computing with mobility access. Cloud computing is a new structure of IT that is becoming the main part of the new model of the business environment. However, such a new, much-hyped technology does not come without obstacles. These issues have to be addressed before cloud services can be fully accepted in a globalized business environment, and businesses need to be aware of them before joining cloud services. This paper also highlights these issues and presents a comparison table to help businesses make appropriate decisions when joining the cloud.
Design/methodology/approach – A historical review of the vulnerabilities that emerged as IT systems evolved was conducted; these vulnerabilities were then categorized into eight categories, each composed of multiple vulnerability types. A simple scoring technique was used to build a “risk” analysis table: each vulnerability type was given a score based on the availability of a matured solution and its likelihood of occurring, and a second score was used to rate the impact of that vulnerability should it occur. The resulting weighted score is the product of the likelihood score and the impact score. The percentage of seriousness, represented by each vulnerability’s derived weighted score as a percentage of the total, can then be concluded. A similar table was developed specifically for issues related to the cloud computing environment.
Findings – After surveying the historical background of IT systems and the vulnerabilities that emerged, as well as reviewing the common malicious types of system vulnerability, this paper identifies 22 different types of vulnerability grouped into eight categories. This comparative study explores the number of possible vulnerabilities in a new technology such as cloud computing services. Specific issues for cloud computing were also explored, and a similar comparative study was developed on these issues. The result of the comparative study across all types of vulnerability, from the start of IT system development to today’s cloud computing technology, shows that the vulnerability category with the highest percentage was the one related to mobility access, as mobile applications/systems have emerged relatively recently and do not yet have matured security solutions.
Practical implications – Learning from history, one can infer the current risk factor in dealing with new technology such as cloud computing. Businesses can see that the decision to join the cloud requires thinking about the issues mentioned in this paper and identifying the most serious vulnerability types in order to avoid them.
Originality/value – A new comparative study and a new classification of vulnerabilities, demonstrated with a risk analysis using a simple scoring technique.
Keywords Comparative method, Business ethics, Cloud computing, Work ethic, Technology management, Network security, Work motivation, Vulnerability categories, Cloud ethics, Business security, Cloud business protection, Cloud malware attacks
Paper type Research paper

Journal of Management History, Vol. 20 No. 4, 2014, pp. 409-433. © Emerald Group Publishing Limited, 1751-1348. DOI 10.1108/JMH-02-2014-0018

The author would like to thank Shawn Carraher for his helpful comments on an earlier draft of this paper.
Introduction
Like most advances in the application of information technology (IT), cloud computing is becoming a type of IT that brings a leap of change to different aspects of businesses and customers. At the personal level, customers find that accessing the cloud is an easy and cheap way of running any facilities or utilities needed in their day-to-day social and business operations. For example, a cloud service can be used to auto-sync music files downloaded on a mobile device with a desktop or laptop. Device mobility augmented with cloud services is an excellent attraction for business operations. For example, businesses in the construction industry can auto-sync their mobile devices with servers in the cloud, which gives them global access to their main headquarters from a mobile device such as an iPhone or similar. The way of conducting business operations in such a case is changing dramatically. Using a mobile device such as a smartphone, businesses can now use business intelligence techniques to automatically investigate issues regarding marketing needs, supply chain problems and customer services on the fly, with a minimal amount of effort and expertise. Businesses and consumers have already started using cloud computing services as a facility for data storage and collection as well as for communication and collaboration (Simmhan et al., 2008; Yogesh et al., 2009). The main benefit to businesses is the time and cost saved on IT technical setup and troubleshooting, which is highly valuable for small firms. Small and mid-sized companies can benefit from cloud computing by freeing up employee resources to spend more time on increasing sales and profits. However, there are many different types of clouds, as well as different types of services offered, each of which has different types of issues and risks that have to be addressed and studied before joining the cloud. Technically, the main weak point of cloud computing is that it is based purely on the “Internet”. Although it is not very likely with today’s technology, if connectivity failed for one reason or another, the whole business would freeze. This paper reviews all relevant issues of concern to businesses considering the utilization of the new cloud model. The theme of this paper was motivated by the Carraher (2012a, 2012b) editorials, which identified a need for study and investigation with empirical work related to management history. This paper reviews the history of IT and computer-based management and concludes with an empirical study to categorize the number and seriousness of vulnerabilities in historical as well as modern management of systems such as the cloud computing environment. Different theoretical and empirical issues for modern management, examining Japanese and American history, were also cited in the Carraher (2012c) editorial.
One major issue that is highly sensitive in the operation management of cloud computing providers’ environment is ethics and its relation to employee and IT professional behaviour. An interesting study of the effects of culture and personality on business ethics was introduced by Therneau et al. (2014), where they studied the differences in these criteria and their effect on business ethics in the United States and Japan. A similar study was conducted by Pučėtaitė et al. (2010), where they explored the interrelations between organizational trust and ethics management tools and found a significant dependence. Smith and Smith (2011) discussed the assumptions involved in the Protestant work ethic and found that there is a bias in the management literature concerning the Protestant work ethic. Sabia (1996) discussed ethics from a political point of view in general and the problem of “dirty hands” in particular. Booth and Rowlinson (2010) outlined the prospects for management and organizational history in ten different points, one of which related to the evolution of ethics in history and reviewed the ethics of past business behavior.
In relation to the study of the effect of ethics on employee behavior, Novicevic (2003) studied the ethical behavior of employees in multinational corporations and focused on the efficient way of socializing foreign national employees into the domestic organization of multinational corporations through appropriate communication of the code of ethics. Later on, Carraher et al. (2006) also studied job satisfaction, targeting the Baltics and the USA to predict satisfaction with pay levels; the strongest predictor was job tenure (not the initial expectation of compensation level). A more recent study by the same author (Carraher, 2011) investigated other parts of the world, such as Estonia, Latvia and Lithuania. Wright (2006) discussed the development of job satisfaction from a historical point of view and, based on this, provided a practical framework explaining why job satisfaction became the most important measure of worker happiness. Novicevic (2009) examined religiosity as an antecedent to moral identity, as well as the mediating role of self-control, and found that the dimensions of morality have different effects on the internalization and symbolization of moral identity. Humphrey (2009) also investigated the impact of role holders on team effectiveness to develop a theory of the strategic core of teams. Their theory suggests that certain team roles are most important for team performance and that the characteristics of the role holders in the “core” of the team matter most for overall team performance. Moon et al. (2004) studied team effectiveness from a different angle, viewing a particular role as more core than other roles if it has greater exposure to the tasks that the team is performing. In effect, some role holders may have greater responsibilities within the team. Researchers have noted that work may be designed such that a role is responsible for performing a multitude of tasks or relatively few tasks (Humphrey et al., 2007a, 2007b). Those roles that perform more tasks or complete more of the work make the greatest contribution toward team goal achievement. Research has noted that the behavior and performance of the team are influenced by the composition of its members (Humphrey et al., 2002; Kim, 1997; LePine et al., 2001; Morgeson and Humphrey, 2008; Morgeson et al., 2005; Schmidt and Hunter, 1986).
After reviewing the historical background of IT management, IT infrastructure, the evolution of IT ethics and the evolution of IT security vulnerabilities, cloud types and services are explored from a business perspective, and a comparative study of different vulnerabilities is presented in which each vulnerability is given a weight based on the level of seriousness of its effect as well as the level of confidence in the existing solution for that vulnerability. The final weighting factor results from multiplying this factor by the impact level factor in case the vulnerability occurs. The code of ethics and its relation to cloud services is also explored in this article, together with a review of the most common malicious attacks due to unethical behavior. The move to the cloud requires supreme trust between businesses (the clients) and the cloud providers. This trust is not easily established. Cloud providers have to prove to their clients that all the professionals handling their data are of high ethical standards, by maintaining the integrity of the data they are handling. Hence, the comparative study aims to evaluate the different vulnerabilities of generic IT systems as well as the newly identified issues of cloud computing vulnerabilities.
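The likelihood times impact scoring that the abstract and this introduction describe, worked through as an added Python example that is not the author’s code or data: the 1 to 5 scales, the rule that a category’s seriousness is the sum of its members’ shares, and the six sample register entries are all assumptions labelled in the code.

```python
"""Risk-scoring table in the style the paper describes: an added example,
not the author's own code, data or scales.

Assumptions (the page gives no scales): each vulnerability type gets a
likelihood score from 1 to 5 (5 = very likely to occur, typically because
no matured solution exists) and an impact score from 1 to 5 (5 = most
damaging if it does occur). The weighted score is likelihood * impact,
and the percentage of seriousness is each weighted score as a share of
the total weighted score. Category seriousness sums the shares of the
category's member types. The six entries below are constructed sample
data, not the paper's 22 vulnerability types.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class VulnType:
    name: str
    category: str
    likelihood: int  # 1..5, assumed scale
    impact: int      # 1..5, assumed scale

    def weighted(self) -> int:
        """Weighted score = likelihood x impact, as the paper describes."""
        return self.likelihood * self.impact


def _validate(types: Iterable[VulnType]) -> List[VulnType]:
    """Reject empty registers and out-of-range scores before any division."""
    types = list(types)
    if not types:
        raise ValueError("risk table needs at least one vulnerability type")
    for v in types:
        if not (1 <= v.likelihood <= 5 and 1 <= v.impact <= 5):
            raise ValueError(f"scores for {v.name!r} must lie in 1..5")
    return types


def seriousness_table(types: Iterable[VulnType]) -> List[Tuple[str, str, int, float]]:
    """Per-type rows (name, category, weighted score, % of seriousness),
    most serious first. The percentages sum to 100."""
    types = _validate(types)
    total = sum(v.weighted() for v in types)
    rows = [(v.name, v.category, v.weighted(), 100.0 * v.weighted() / total)
            for v in types]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def category_seriousness(types: Iterable[VulnType]) -> Dict[str, float]:
    """Percentage of seriousness per category (sum of member shares)."""
    types = _validate(types)
    total = sum(v.weighted() for v in types)
    by_cat: Dict[str, int] = {}
    for v in types:
        by_cat[v.category] = by_cat.get(v.category, 0) + v.weighted()
    return {c: 100.0 * w / total for c, w in by_cat.items()}


def most_serious_category(types: Iterable[VulnType]) -> str:
    """Category with the highest percentage of seriousness."""
    shares = category_seriousness(types)
    return max(shares, key=shares.get)


# Constructed sample register (hypothetical scores, not the paper's data).
SAMPLE: List[VulnType] = [
    VulnType("Guessed operator password on a legacy console", "Access control", 2, 4),
    VulnType("Boot-sector virus on a standalone PC", "Malware", 1, 3),
    VulnType("Lost smartphone holding cached business data", "Mobility access", 5, 4),
    VulnType("Unpatched mobile client application", "Mobility access", 4, 3),
    VulnType("Eavesdropping on an internal LAN segment", "Network", 3, 3),
    VulnType("Misuse of client data by provider staff", "Cloud ethics", 3, 5),
]


def render(types: Iterable[VulnType]) -> str:
    """Plain-text table of the per-type rows, for reading the result."""
    lines = [f"{'Vulnerability type':<48}{'Category':<18}{'W':>3}{'%':>8}"]
    for name, cat, w, pct in seriousness_table(types):
        lines.append(f"{name:<48}{cat:<18}{w:>3}{pct:>8.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE))
    print("Most serious category:", most_serious_category(SAMPLE))
```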

Historical background of Man and Technology management

Management of man and technology in the information systems environment has always faced the challenge of adapting to the ever-evolving new technology throughout history. For example, Ifinedo and Ifinedo (2011) highlighted the key information system (IS) issues in Estonian organizations in the mid-2000s and found that there are significant differences in key IS issues between IT professionals and non-IT professionals. Kivipõld and Vadi (2010) proposed a tool to evaluate organizational leadership capability, with the objective of improving organizational performance in the long term. Skurvydas et al. (2013) surveyed and analyzed the paradigm of complex dynamic systems and the possibility of applying it to the management of social systems. Kotri and McKenzie (2010) provided a description of a mass customization system that satisfies individual customer needs, where they found that its success came from using several mass customizations at the same time. Solberg and Olsson (2010) contrasted three management orientations in the export industry (export, technology and customer orientations) and found that technology orientation correlated positively with export performance, while customer orientation correlated negatively with export performance. Mihhailova (2009) investigated the challenges arising from the use of virtual work in organizations, while Pundziene et al. (2006) identified the life cycle changes in Lithuanian enterprises and the challenges that emerged at each particular stage. Management change is also a challenge, as employees must adopt it and engage voluntarily in the desired behavioural actions (Maamari and Messarra, 2012a, 2012b). Furthermore, a study by Maamari and Smith (2012) of IS users in the banks of Lebanon reveals that females are generally more satisfied on the job than males. Maamari and Chaanine (2013) also identified that employees who use information systems at work for more than 50 per cent of their working time are defined as extensive information system users. Jiang and Klein (2000) and Kassicieh et al. (1999) defined external career anchors as measured in terms of individuals’ perceptions of the organization’s concern to satisfy the internal anchors through benefits and incentives. Zernand-Vilson and Elenurm (2010) studied the implementation of modern management ideas in Estonian business organizations. Carraher (1998) studied the effect of a biodata inventory for measuring a service-oriented construct and found that it was highly correlated with three topical scales:
(1) “the need to make a good impression”;
(2) “sociability”; and
(3) “helpfulness”.

Spender (2003) categorized uncertainty as three types of knowledge deficiency, indeterminacy, ignorance and incommensurability, where these uncertainties lead to emotions as value judgment. Very recently, Meczynska et al. (2014) proposed a decision-making method for poorly structured problems in schools and distinguished four main areas: finance, teaching, internal process and organization development. Decision models have also been studied using “intelligent” techniques such as fuzzy logic to enhance the decision-making process under uncertainty (Kouatli, 2011, 2013), where the decision-making technique termed the “Genetic Fuzzimetric Technique” was motivated by the introduction of the concept of “Fuzzimetric Arcs” by Kouatli and Jones (1990, 1991) as well as the concept of simplified multivariable systems (Kouatli, 1993, 1994). The formal definition of the combination of Fuzzimetric Arcs with the concept of the Genetic Algorithm was given by Kouatli (2008). Implementations of the formally defined technique in different technical management areas were reported by Kouatli and Beyrouti (2010) as well as Kouatli and Khayat (2010). System thinking and its effect on leadership performance was reported by Palaima et al. (2010), where they compared the impact of system thinking on leadership performance in manufacturing and retail trade enterprises, and the correlated results show that system thinking is associated with higher leadership performance. Kemp and Kemp (2013) found that the four main principles of scientific management are:
(1) management of knowledge production;
(2) empowerment;
(3) total quality management; and
(4) teamwork.

Klotz et al. (2013) studied counterproductive work behavior from its history to today’s performance and found that, as organizations became more complex, employees found more ways to engage in counterproductive work behavior. Spender (2004) proposed a new approach towards asset evaluation as part of the knowledge management of corporate assets.
With the advent of the concept of gender equity since Barnard’s introduction of the concept, different results have been reported on the relationship between pay, gender and job satisfaction (Carraher et al., 2013; Novicevic et al., 2013a, 2013b). Barnard’s theory was not the only management theory studied by researchers; for example, Wren (1995) and Wren and Bedeyon (2009) discuss the contribution and influence of Henri Fayol on the development of management theory. More recently, Kurzynski (2012) has also discussed the implementation of Drucker’s model in the modern business community and its relation to improving the framework for modern managerial behavior. Vauleon (2014) discussed the innovative Rousseau theory of management and the significant part of Rousseau’s approach to management science, as well as the individual’s subjection to authority.

Historical background of ethical evolution in computing environment

Ethical behavior forms an important part of driving the success of the cloud computing environment. Wiener (1950) was the pioneer of computer ethics when he wrote his book “The Human Use of Human Beings”. The work of Norbert Wiener motivated Weizenbaum (1966) to create a simple program called ELIZA to diagnose and interpret patients’ responses by asking them open-ended questions. During the same year, the first computer crime was committed when a programmer inserted a bit of code to stop his bank account from being flagged as overdrawn. During that period, no code of ethics had yet emerged, and there was certainly no obvious law to stop him/her from committing such a crime. Because of this incident, businesses started to think about business ethics in general and a computer ethics code of conduct in particular; hence, Maner (1980) realized that ethical decisions became harder to make after the establishment of computing devices and started to lay down the definitions of “computer ethics”. Shortly after that, by the mid-1970s, the ACM (Association for Computing Machinery) decided to adopt a professional code of ethics, and computer crime laws were put in place in the USA as well as Europe. Shortly after that, by 1985, Terrell Ward Bynum published a famous article entitled “Computers and Ethics”. In the same year, Moor (1985) published an essay called “What is Computer Ethics”, in which he identified the policy vacuums generated by computers, as well as the formulation of policies for the use of computer technology and the ethical justification of such policies. By the 1990s, computers and telecommunications started to be combined, and the Internet and other media meant that many new ethical issues were raised. In 1992, the ACM adopted a new set of ethical rules called the “ACM Code of Ethics and Professional Conduct”, which consisted of 24 statements of personal responsibility. Since that time, a few other organizations have also tried to define a code of ethics, such as the International Center for Information Ethics (ICIE) (http://icie.zkm.de/).
Comparison across different ethical models and different cultures was studied by Gould (1999), while Malcolm and Hartley (2009) discussed Drucker’s views on ethics and their applicability to the 20th century. A qualitative approach was used to prove that Drucker’s model is still valid for the 20th century and beyond. Schwartz (2007) also examined the gap between business ethics and the old established management theory, where three theories were studied: Drucker’s, Taylor’s and Barnard’s. They concluded that there is significant business ethics content, with implications, in all of these theories. Barnard’s theory was also studied earlier by Feldman (1996), who referred to Barnard’s classic theory and concluded that organizations (not society) can provide an integrated moral whole, which contradicts Barnard’s justification for achieving a legitimate moral system. Nam and Lemak (2007) applied Barnard’s ideas about authority in organizations to the modern phenomenon of “whistle-blowing”. They concluded that it was applicable in modern organizations and also developed a conceptual framework to capitalize on Barnard’s insight into “whistle-blowing”. Fernández (2010) interpreted Barnard’s contribution to the practice of business and found that Barnard’s theory can act as the basis of a leadership framework that places executives at the center of a system to achieve equilibrium between life, work and society. Dickerson et al. (2006) explored the need for a new ethical model that accounts for cultural differences between Western and Eastern Europe. A more recent study on ethical behavior in organizations was conducted by Carraher (2007), who examined the ethical values that are important to good leaders and found support for Forsyth’s theory in general and for the importance of idealism for good ethical leadership. Novicevic (2008) examined the accountability and judgment biases that occur in social comparisons and their relation to ethical decision-making, and found that ethical self-enhancing individuals demonstrated higher responsiveness to an increase in accountability than self-effacing individuals (i.e. those who thought they were less ethical in comparison to their peers, the reverse of self-enhancing). A more recent study on accountability was conducted by Morf et al. (2013), who used historical qualitative analysis to show how accountability shifted over time as part of social responsibility reporting. Spender (2005) also discussed the ownership and control of management knowledge and found that management education has become professionalized around quasi-scientific research methods and a regulated body of knowledge that is distant from what managers use. Mullikin and Syed (2010) also discuss the ethical dilemma of governmental wiretapping and its effects on public and private liberties, where they also analyzed the ethical and legal concerns of wiretapping. Smith and Smith (2011) discussed the assumptions involved in the Protestant work ethic and found that there is a bias in the management literature concerning the Protestant work ethic. Novicevic (2011) contrasted the contemporary view of industrial relations and HRM with Barnard’s theory. More recent work on a similar topic was also reported by Novicevic et al. (2013a), where they concluded that we need to understand how people’s beliefs develop and change, as this is central to being able to manage them.
Cloud providers have to guarantee that their professionals handle clients’ data and software in a highly ethical manner. Businesses must be assured about the security and integrity of their data. Cloud providers must ensure that there is a mechanism to measure the ethical behavior of their employees in the different sections of their corporation. Kouatli (2014) identified the impact of any unethical behavior on corporate IT systems and proposed measuring relative ethical behavior based on multiple criteria. Professionals who work with information in cloud technology have access to sensitive information and tools that are important to business operations. Implementation of common ethics is still elementary, as individuals are either unaware of unethical actions or ignore policies and regulations. Cultural background has a large influence on the typical behavior of employees in corporate life. For example, Al-A’ali (2008) studied the effect of computer ethical behavior on individuals coming from Muslim cultures. Stahl et al. (2010) also studied the emancipatory issues of ICT in a specific Egyptian culture. A statistical study by Kouatli and Balozian (2011) compared the practical perception of IT ethics with the academically taught perception of IT ethics. The study’s main conclusion was that the unethical violations were due to the existence of ill-defined boundaries between ethical and legal standards at the time the study was conducted.

Cloud ethics
The unethical/illegal IT attack techniques reviewed above would be conducted by individuals who have a reason for such unethical behavior, which might have been triggered by a situation in their working environment. For example, unethical behavior could be triggered by angry unethical individuals fired from their positions and/or a small business facing fierce competition […], etc. To rectify and minimize this unethical behavior, it would not be enough to counter the malicious techniques with anti-virus technology/techniques. Proper management is necessary to rectify any possible problem of unethical IT behavior. Therefore, the issue is not really the malware technology but rather a people-ware problem (Shaw et al., 1998). Because people are behind both the creation of and the attacks on the same systems, it would be necessary to conduct psychological analysis of information systems criminals to safeguard those systems. Knouse et al. (2007) discussed the evolution of business codes of ethics and how they are influenced by the ideology of the time regarding the social responsibility of business, while Trevinyo-Rodriguez (2007) discussed and classified the integrity trait of ethics into three main categories of integrity: personal, moral and organizational integrity. As business reliance on cloud computing increases, the ethical implications also increase. Privacy and security with cloud-based services are the main concerns. Appropriate action should be taken to ensure that only authorized persons are allowed access to the shared active online data. Hence, full trust in the ethical behavior of the provider’s employees must exist in this case to avoid any violation of data access.
Historical background of IT infrastructure evolution
IT infrastructure in corporations went through six stages of evolution, and at each stage a different configuration and different infrastructure strategies were developed. It started with the general purpose mainframe in the late 1950s, which later evolved into the IBM 360 series mainframe. The IBM 360 was the first real commercial mainframe, providing the newly developed model of multitasking and time sharing. IBM dominated the market from 1965 to 2005, where it was the main data storage and computing power of the corporate data center. By 1965, DEC Alpha minicomputers started to appear in the market, offering the same facilities as the mainframe at lower cost, allowing computing power to be conveniently decentralized and, hence, the capability to introduce computing power to each department in a business environment individually. It was around 1981 when the first real commercial personal computers (PCs) started to appear in the market, with the IBM PC using the Disk Operating System (DOS), which was later developed into the Windows operating system. PCs started as standalone desktop productivity computing systems used for word processing, presentations and small data management programs. In the early 1990s, PCs evolved into networked PCs allowing communication with other devices, mainly the mainframe at that time, where the TELNET protocol was used to emulate terminal connectivity to the mainframe.
The environment was based on a mainframe providing all the services and processing power required by the computing system, and the PC acted as the local computing power to obtain the requested information. In 1983, the trend started to change with the introduction of the client/server environment, where a PC or laptop in today’s terminology (called the client) shares the processing tasks and power with the server (a mainframe or another PC with server capability) to achieve common tasks. Most businesses use multi-tier client/server environments, which allow the creation of new business services such as Internet banking, for example. Such a feature allowed businesses to distribute computing functionality to different departments or branches and, hence, to provide better customer services by introducing more applications. The success of client/server computing generated another problem for corporations, where an integration problem arises within one geographical area. This is due to the different applications developed by different departments, which are not well interfaced with each other, creating disjointed applications within one business environment.
By the mid-1990s, corporations started using standard networking protocols allowing the integration of these disjointed applications to compose an enterprise-wide infrastructure. This networking mechanism was enhanced by the emergence of the Transmission Control Protocol/Internetworking Protocol (TCP/IP 1995). TCP/IP is a suite of protocols governing network operations globally, which is now termed the INTERNET. This technology not only solved the problem of joining the applications but also allowed the mixture of different platforms in one environment. Nowadays, an enterprise network links different devices and platforms such as Macs, PC servers, mobile devices, phones […], etc. IT governance and security issues at this stage became highly important. The aim is that global enterprises would be able to deliver business services without any obstacle. However, this proves difficult to achieve without appropriate security and protection mechanisms and standards. Hence, IT governance started to become popular among organizations, where the objective was (and still is) to integrate all enterprise services and applications in a highly secured and organized fashion, keeping in mind the appropriate mechanism of business operational and functional tasks. In today’s enterprise environment, IT is the center of all other functionalities, where finance, inventory control, sales, marketing […], etc. departments share one big infrastructure. Hence, the importance of developing a well-organized infrastructure through enterprise IT governance emerged and became a necessity.
Corporations realized this added complexity of integration and initially started by developing their own data centers to accommodate all their business needs globally while maintaining the protection and security of data and systems. This concept was later utilized by some IT businesses to create “public” data centers, where they sold protection and security guarantees to other businesses by accommodating the customers’ equipment in their extremely protected and secured environment. These centers were termed “Management Centers”; Dubai Internet City is an example of such centers. This idea of a Global Management Center was later elaborated into a virtual center that can be located anywhere in the world, where customers have the advantage of replicating their data globally for extra protection using the Internet. This led to the emergence of the cloud computing concept, where customers (in this case, a customer could be any business requesting services and applications from an IT cloud computing provider) request services and applications from a cloud service provider. This is an entirely new advantage, and it is changing the face of conducting business in the future. A new business does not have to build the required systems from scratch by setting up the hardware, including the initial cost and management of servers, the initial cost and maintainability of software, IT staff training and operation, as well as system security and ethical behavior monitoring. All these issues are handled by the cloud service provider in return for a monthly fee. Also, businesses can start conducting business in an extremely short period, as there is no set-up time for the required systems when using cloud computing services.

Historical background of IT security vulnerabilities evolution


Although the IBM 360 mainframe was the earliest (mid 1960s) commercial computing power
used by organizations, security then was merely physical security of the mainframe
room. Maintainability in general, and security maintenance in particular, was a simple
procedure, as all applications ran from the only central processing unit in the mainframe.
The operator (administrator) was the only user who had access to all the computing
resources. It was only by the late 1970s that user identification started to emerge through a
simple mechanism of logging into the mainframe. The concepts of access control to
resources were still under development; however, some rare data sets were
password-protected. As processing was still predominantly batch processing, this was not
yet a major issue. The only possibility of a security vulnerability was to reach the console
of the mainframe, where all control of applications and access could be set and monitored.
The administrative password was the only logical security needed for protection. User
passwords carried no threat, as users used dumb terminals that had no processing power
and no control over modifying or maliciously corrupting the execution of any application
resident on the mainframe. Only by mid-to-late 1976 was user authentication provided via
an 8-byte password with individual access to authorized data sets. Security threats to
computing resources from unauthorized access were only possible from within the
enterprise over the network. By early 1980, data protection was expanded to all data sets
in the mainframe rather than selected sets of critical data. Access control was grouped into
different lists, each accessing the relevant portion of the data. At this stage, appropriate
authentication (user ID and password) became mandatory in almost all computing
devices in organizations. Profile threats emerged, which led to security and privacy
issues.
With the commercial emergence of TCP/IP and other network protocols like NetBEUI
(Microsoft) and IPX/SPX (Novell NetWare) by 1990, there was growing use of smaller
decentralized systems and networks, increasing the vulnerability to sources of threat, as
user identification using access control was completely confused by the
introduction of such technologies, forcing the necessity of a multi-level security support
mechanism. Also, connection to the Internet by the late 1990s added a growing number of
viruses and hacking attempts. By early 2000, TCP/IP had spread all over the world,
connecting all different enterprises into a global “platform” termed the “Internet”.
Digital certificates started to emerge to identify program management as well as client/
server security via protocols like the Secure Socket Layer (SSL) protocol. Encryption, in
general, became a necessity that most corporations require in all their systems.
By 2005, public data centers became popular, by which time encryption and
virtual private network solutions for data and connection protection had become a
stabilized and trusted technology to maintain secure connectivity. Businesses and
enterprises at that time realized a good strategy by keeping their data and equipment at
their data center, where they could access them via a secure VPN connection. This idea
motivated some businesses to create a new service (around 2010), where they can deliver
any application a customer may want via such secure connectivity. They can also provide
data protection using the same secure technology and data replication among different
sites. This was termed cloud computing, where the cloud service provider provides
the required application(s) as well as guaranteeing the security, privacy and protection of
customer data. In return, the customer (another generic business in this case) pays
fees for this “Cloud” service.

Common threat of malicious behaviors


As with most types of business IT, security is the main issue, and it is even more exposed
when it comes to cloud computing. Hackers would have more opportunity to practice
their malicious attacks on businesses using the cloud. It would be beneficial in this case
to list the major malicious attacks that cloud-based businesses could be subjected to. The
list of all types of malware/hacking techniques is rather endless, and the technical details
are beyond the scope of this paper. Hence, only the major malware and attacks
specifically related to the cloud will be reviewed in this section, with a minimal technical
description of each.
• Brute force attack: The brute force attack is the slowest method of password
attack, effective for simple and short passwords only. It is designed to determine
an unknown value by using an automated process to try a large number of
possible values. The Data Encryption Standard (DES) was released in 1970, at which
time its 56-bit key length was more than a match for available computing technology,
but by 1995, networked computers were powerful enough to try every possible DES
key. DES was cracked in 1995 in 81 days by trying 7 billion keys per second.
• A logic bomb: A logic bomb is a hidden program in the target computer, set
to trigger and destroy data at a future predetermined date and time. This is a
much-used technique of disgruntled employees after being fired. They just get
their revenge on their employers, sometimes without being noticed.
• DDOS (Flooding attacks): DDOS stands for distributed denial of service attacks,
which prevent computer resources being available to intended users by flooding,
for example, Web servers with more data than they can process, thus forcing Web
sites offline. An attacker can send a huge number of requests, forcing the cloud to
expand automatically (scalability) until the cloud reaches a request limit it cannot
exceed. Hence, the system uses all available resources and cannot respond to
provide services to legitimate users. Attackers in this case would be capable of
attacking the server and the applications residing in it.
• Spyware: Spyware is a program that records typed data from an infected
computer, and then forwards the data back to the attacker, used in stealing
passwords and credit card details.
• Identity theft: Identity theft is closely associated with spyware, where the objective
is to use the stolen credit card credentials to get access to and use all financial and
bank information and credits of the victims. Identity theft started to be popular
among hackers when financial Web applications started to be used commercially
among financial institutions and banks (approximately around 2001).
• Botnets (or zombies): Botnets are networked computers taken hostage by malware
and remotely controlled, and are usually used to send spam e-mails and launch
distributed denial of service attacks.
• Investigation attacks: Using the ping command, a malicious intruder can sweep the
target network to determine which IP addresses (computers) are alive. The
second step is then to check which port (socket) is active on that IP address. The
intruder, in this case, can identify the targeted servers to be attacked. Where the ping
command tells the attacker which IP addresses are available, packet
sniffing is used for eavesdropping. The information gathered by eavesdropping can
then be used to mount other attacks on the network.
• SQL injection attack: It is one type of Web application vulnerability where
unwanted SQL queries are injected into an application input. If successful, this allows
the attacker to add or delete database content and browse e-mails, passwords and
personal information of Web site users. The SQL injection-type threat occurs if a
Web site passes queries from untrusted sources to the database. This type of
attack started to be popular among hackers at the same time Web applications
started to be commercially applicable to businesses, around 2001.
• Cloud malware injection attack: It is one type of SQL injection attack where an
attacker tries to damage an application or a service in the cloud by injecting the
intruder’s credentials as if they were legitimate. If successful, the attacker would
upload a virus program into the cloud structure. This type of attack emerged with
cloud computing and started to be popular around 2011.
• Password attacks: Password attacks usually refer to repeated attempts by hackers
to find passwords. Password attacks can be implemented using several methods,
like brute-force attacks, Trojan horse programs, IP spoofing and packet sniffers.
Brute-force attack is the most popular technique, using a program that runs across
the network. When an attacker gains access to a resource, he has the same access
rights as the user whose account has been compromised. If this account has
sufficient privileges, the attacker can create a back door for future access.
• Phishing: Phishing is one type of social engineering; data theft by phishing
is when a hacker tries to trick others into providing sensitive
information, such as credit card numbers or passwords. The phisher is disguised
as a trusted party or a friend to access sensitive information.
• Man-in-the-middle attacks: A man-in-the-middle attack requires that the hacker
have access to network packets that come across a network. In this case, the hacker
just monitors the packets via packet sniffers until the time he/she needs to interfere
(for example, when a bank is ready to wire money or provide details of an account
number to a client). The hacker then masquerades as the recipient by
altering the TCP session (also called session hijack). Man-in-the-middle attack
mitigation is achieved by encrypting traffic in an IPsec tunnel, which would allow
the hacker to see only cipher text.
• Session hijack: Session hijacking was not possible with early versions of HTTP,
where the cookies and other features necessary for session hijacking were absent. It
was only after 1994 (HTTP version 0.9 Beta), when cookies were supported, that session
hijacking started. HTTP 1.1 started to protect against session hijack; however, the
session hijacking mechanism evolved with time to become a permanent possible
security risk.
• Browser security: Web browsers have to make a secure connection whenever a
customer requests services. This is usually termed “Secure Socket Layer” or SSL.
SSL is the connection between the customer and the cloud provider, usually via a
third-party company. A hacker may use a sniffer (a tool that can “sniff” packets
communicated between the two parties) to get the credentials to log in to the cloud as if
he were a legitimate user (Jensen, 2009).
• Masquerade/IP spoofing attacks: IP spoofing occurs when intruders create IP data
packets with falsified source addresses. An attacker is usually outside the network
and pretends that he is a trusted party. Normally, an IP spoofing attack is limited
to contamination of data or commands into an existing stream of data passed
between a client and server application or a peer-to-peer network connection.
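The SQL injection bullet above names the cause: queries built from untrusted sources are passed to the database. The following added example (not code from the paper) shows that cause in a lookup function that splices user input into the SQL text, beside the parameterized form that keeps the input as data; the users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the paper): a tiny in-memory users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the untrusted value is spliced into the SQL text, so a
    quote character inside it changes the structure of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a bound parameter is handed to the driver as data and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return the row count each form yields for a normal name and for an input
    carrying a quote, which is the check a code reviewer wants to see."""
    conn = make_db()
    normal = "alice"
    quoted = "x' OR '1'='1"  # input containing a quote character
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quoted)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_quoted": len(lookup_safe(conn, quoted)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable form returns every row for the quoted input, while the parameterized form correctly returns none because no user is literally named that way.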

Security vulnerabilities of IT systems across platforms/technologies


From the above discussion, it can be seen that as years pass by and technology evolves
into different platforms and devices, vulnerabilities to systems in general also evolve to
generate new types of vulnerabilities. Vulnerability types are considered here, and not
specific vulnerabilities/threats for each application/system. As a conclusion from the
above sections, eight different categories of vulnerabilities can be identified. These are
summarized in Table I, sorted from smallest to highest, where each category is composed
of multiple types that emerged at an approximate date, as indicated in the discussions
in the previous sections. Using simple scoring techniques between 1 and 5, where 1 is
lowest and 5 is highest, the likelihood weight of a vulnerability can be estimated based on
the vulnerability type, the availability of a documented solution (if any) and how recently
such a vulnerability emerged. In case of an occurrence of any vulnerability type, the impact
can also be estimated based on the severity of such a threat. Obviously, newly emerged
vulnerabilities with no standard and known solution would have the highest score.
Accordingly, the weighted score of each vulnerability type as well as each vulnerability
category can be calculated, together with the percentage of each vulnerability category.
This is shown in Figure 1, where it is obvious that the new mobile technology using new
platforms like smartphones appears to be the highest, as this type of technology is still
evolving and applications/OS are not secured appropriately.
It should be noted that in this analysis, only the specific type issues for each
technology/platform were considered to draw the weighted score. It is obvious, however,
that some of these vulnerabilities are embedded in other types of vulnerabilities. For
example, TCP/IP vulnerability can be part of the overall possible cloud computing
vulnerabilities, which will be discussed in the next section, where issues related to cloud
computing will be explored and evaluated as well. It should also be noted that the score
of TCP/IP vulnerability is lower than the mobile access vulnerability. This is simply
because solutions to TCP/IP breach techniques (unlike the new mobile access
vulnerability) are well-matured. It is only a matter of good implementation and
management of such solution steps to prevent any possible breach. As seen in Figure 1,
the highest possible current vulnerability is the access of systems via mobile devices.
This is due to the fact that businesses are encouraging bring your own device (BYOD)
as part of company operations to increase productivity. However, mobile applications
and systems are still relatively recent with immature security measures. This will
encourage hackers in the near future to target this weak “access point” vulnerability via
mobile devices.

Table I. List of evolved vulnerabilities across history of IT systems

| Vulnerability category | Vulnerability type | 1st reported approx. date | Related platform or devices | Likely weight | Impact | Weighted score | Vulnerability % | Vulnerability category % |
|---|---|---|---|---|---|---|---|---|
| Access control and authentication vulnerabilities | Brute force attack | 1997 | Mainframe, server | 1 | 2 | 2 | 1.74 | 6.96 |
| | DNS database contamination | 1989 | Mainframe, server | 2 | 3 | 6 | 5.22 | |
| Physical security vulnerability | Server damage | 1965 | Mainframe, client, server | 1 | 5 | 5 | 4.35 | 8.70 |
| | Network damage | 1980 | Router, switch, cabling | 1 | 5 | 5 | 4.35 | |
| Availability vulnerabilities | Physical disconnection | 1980 | Cabling | 1 | 5 | 5 | 4.35 | 9.57 |
| | Damaged services or DDOS | 2000 | System services | 2 | 3 | 6 | 5.22 | |
| Application security vulnerabilities | Insecure developed software | – | Development methodology | 2 | 3 | 6 | 5.22 | 10.43 |
| | SQL injection | 2001 | Web applications | 2 | 3 | 6 | 5.22 | |
| Personnel security vulnerability | IT staff security violations/criminal act | 1984 | – | 1 | 5 | 5 | 4.35 | 12.17 |
| | IT staff unethical behavior | 1992 | – | 3 | 1 | 3 | 2.61 | |
| | IT staff negligence | 1992 | – | 3 | 2 | 6 | 5.22 | |
| Database security vulnerabilities | Data loss or corruption | 1970 | Storage media | 1 | 4 | 4 | 3.48 | 16.52 |
| | Damaged backup tapes | 1970s | Tape, CD | 1 | 1 | 1 | 0.87 | |
| | Data replicated location is not secure | 1970s | Location, policy | 1 | 2 | 2 | 1.74 | |
| | Data integrity is compromised | 1970s | Database | 2 | 4 | 8 | 6.96 | |
| | Data contamination occurred | 1970s | Database | 1 | 4 | 4 | 3.48 | |
| TCP/IP security vulnerabilities | Network eavesdropping | 1989 | Network infrastructure | 2 | 4 | 8 | 6.96 | 17.39 |
| | Session hijack | 2000 | Network infrastructure | 1 | 4 | 4 | 3.48 | |
| | Identity theft | 2005 | Network infrastructure | 2 | 4 | 8 | 6.96 | |
| Mobile devices vulnerabilities | BYOD security breach | 2011 | iPhones, iPad [. . .] | 2 | 3 | 6 | 5.22 | 18.26 |
| | Out of date application maintenance | 2012 | iPhones, iPad [. . .] | 3 | 2 | 6 | 5.22 | |
| | Lack of comprehensive security services | 2013 | iPhones, iPad [. . .] | 3 | 3 | 9 | 7.83 | |
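The scoring procedure described above (a 1 to 5 likelihood weight multiplied by a 1 to 5 impact, each product taken as a share of the total) is small enough to reproduce. The following Python is an added example, not code from the paper: it carries Table I's rows and recomputes the per-type and per-category percentages, and the same functions score the cloud-specific issues of Table II, where the first factor is the difficulty level rather than a likelihood weight.

```python
# Added example (not the paper's code). Each row is
# (category, vulnerability type, first factor, impact); both factors are on the
# paper's 1-5 scale, where 1 is lowest and 5 is highest.
TABLE_I = [
    ("Access control and authentication", "Brute force attack", 1, 2),
    ("Access control and authentication", "DNS database contamination", 2, 3),
    ("Physical security", "Server damage", 1, 5),
    ("Physical security", "Network damage", 1, 5),
    ("Availability", "Physical disconnection", 1, 5),
    ("Availability", "Damaged services or DDOS", 2, 3),
    ("Application security", "Insecure developed software", 2, 3),
    ("Application security", "SQL injection", 2, 3),
    ("Personnel security", "IT staff security violations/criminal act", 1, 5),
    ("Personnel security", "IT staff unethical behavior", 3, 1),
    ("Personnel security", "IT staff negligence", 3, 2),
    ("Database security", "Data loss or corruption", 1, 4),
    ("Database security", "Damaged backup tapes", 1, 1),
    ("Database security", "Data replicated location is not secure", 1, 2),
    ("Database security", "Data integrity is compromised", 2, 4),
    ("Database security", "Data contamination occurred", 1, 4),
    ("TCP/IP security", "Network eavesdropping", 2, 4),
    ("TCP/IP security", "Session hijack", 1, 4),
    ("TCP/IP security", "Identity theft", 2, 4),
    ("Mobile devices", "BYOD security breach", 2, 3),
    ("Mobile devices", "Out of date application maintenance", 3, 2),
    ("Mobile devices", "Lack of comprehensive security services", 3, 3),
]

# Table II uses the same arithmetic with one row per cloud issue; here the
# first factor is the difficulty level of achieving the control.
TABLE_II = [
    ("Cloud ethical standards", "Cloud and IT ethics", 3, 3),
    ("Data security/protection", "Storage media, networked media", 2, 4),
    ("Auditing and full governance of IT services", "IT governance", 4, 2),
    ("Password management", "Access control", 3, 2),
    ("Reliable Internet availability", "Servers access", 1, 5),
    ("Mobility access", "Access control", 1, 5),
    ("Data location and replication", "Location, policy", 1, 4),
    ("Accountability", "Personnel ethics", 1, 3),
]


def weighted_score(first_factor, impact):
    """The paper's weighted score: first factor times impact, both on 1-5."""
    for value in (first_factor, impact):
        if not 1 <= value <= 5:
            raise ValueError("scores must be on the 1-5 scale")
    return first_factor * impact


def score_rows(rows):
    """Return (category, type, weighted score, % of total) per row, in row order."""
    scored = [(cat, name, weighted_score(f, i)) for cat, name, f, i in rows]
    total = sum(score for _, _, score in scored)
    return [(cat, name, score, round(100 * score / total, 2))
            for cat, name, score in scored]


def category_percentages(rows):
    """Category share of the total weighted score, sorted lowest to highest
    as Table I is presented."""
    totals = {}
    for cat, _, score, _ in score_rows(rows):
        totals[cat] = totals.get(cat, 0) + score
    grand = sum(totals.values())
    shares = ((cat, round(100 * t / grand, 2)) for cat, t in totals.items())
    return dict(sorted(shares, key=lambda kv: kv[1]))


def highest_category(rows):
    """The category the method ranks as the most serious."""
    pct = category_percentages(rows)
    return max(pct, key=pct.get)


if __name__ == "__main__":
    for cat, pct in category_percentages(TABLE_I).items():
        print(f"{pct:6.2f}%  {cat}")
    print("Table II highest:", highest_category(TABLE_II))
```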
It should be noted that in this analysis, only the specific type issues for each
technology/platform considered to draw the weighted score. It is obvious, however, that
some of these vulnerabilities are embedded into other types of vulnerabilities. For
example, TCP/IP vulnerability can be part of overall cloud computing possible
vulnerabilities which will be discussed in the next section where issues related to cloud
computing will be explored and evaluated as well. It should also be noted that the score
of TCP/IP vulnerability is lower than the mobile access vulnerability. This is simply
because solutions to TCP/IP breach technique (unlike the new mobile access
vulnerability) are well-matured. It is only a matter of good implementation and
management of such solution steps to prevent any possible breach. As seen by Figure 1,
the highest possible current vulnerability is the access of systems via mobile devices.
This is due to the fact that businesses are encouraging bring their own devices (BYOD)
as part of company operations to increase productivity. However, mobile application
and systems are still relatively recent with immature security measure. This will
encourage hackers in the near future to target this weak “Access point” vulnerability via
mobile devices.

Figure 1. Histogram of weighted score percentage of vulnerability category
Overview of cloud computing types and services
Cloud computing is the new concept of IT utilization to drive businesses. The attraction
of cloud computing to businesses is that it reduces the IT infrastructure cost of the
company by immediately providing the services to the business and, hence, cutting
the down time and cost of the set-up process, as well as reducing the required skills within
the company. Cloud providers have proved to be very beneficial for newly established
businesses that have the urge to grow quickly in the future. There are three different types
of clouds and three different major services in the cloud. Large pools of resources
can be connected via private or public networks to provide dynamically scalable
infrastructures for application, data and file storage. Firms can choose to deploy
applications on public, private or hybrid clouds. Cloud computing revolutionized the
concept of IT delivery by introducing cloud technology in the form of services. Similar
to the electric power service, cloud computing provides services where you “pay as you go”
in the form of a metered service. Businesses can choose from three main services offered by
cloud providers. The list of different cloud types and services is as follows:
• Public clouds: Public clouds are operated by third-party providers, allowing customers
to benefit from reduced infrastructure costs, as the cost is spread across all users. The
main advantage of public cloud infrastructures is that they are typically larger in
scale than an in-house developed enterprise cloud, which improves
“on-demand” scalability. As it is operated and managed by a third party, all
customers share the same infrastructure configuration and security protection.
Initial cost is minimal, but if data are stored for a long period, it proves to be
expensive. Accessibility, availability and reliability criteria make the public cloud
more popular than the private cloud.
• Private cloud: Private clouds are specifically built for an individual enterprise,
allowing it to host applications in the cloud while addressing concerns
regarding data security and control, which are often lacking in a public cloud
environment. Initial cost is expensive, but becomes minimal at later stages of using it
as a service. There are two variations of private clouds, the externally hosted and
the internally hosted. The externally hosted cloud is facilitated by a service provider
with a full guarantee of privacy, which is usually preferred by organizations trying
to avoid risks due to shared resources. The internally hosted cloud is built within an
organization’s own data center. Although there is a limitation to size and
scalability, complete control and configuration management is under the internal
administration.
• Hybrid cloud: Takes the best of both options, where the organization can partially or
fully control the cloud provided by third-party cloud providers. Hence, control
flexibility and on-demand scalability are both available in this type of cloud.
• Infrastructure as a service: Infrastructure as a service (IAAS) is the cloud model in
which an organization outsources the equipment used to support operations,
including storage, hardware, servers and networking components. The service
provider owns the equipment and is responsible for housing, running and
maintaining it. Clients typically pay on a “per-use” basis; in return, service
providers guarantee administrative automation as well as secure Internet
connectivity with dynamic scalability. IAAS is popular in the data center, where
software and servers are purchased as a fully outsourced service and usually
billed on usage and how much of the resource is used – compared to the traditional
method of buying software and servers outright, IAAS is an excellent mechanism
to start the required business application quickly and with minimum cost and
effort.
• Software as a service: Software as a service (SAAS) is a cloud model where
software applications are hosted by the service providers and made available to
customers/subscribed organizations via the Internet. SAAS is becoming more
popular as Web services like service-oriented architecture (SOA) are
well-developed and maintain high reliability. Tremendous benefits follow from SAAS
delivery, starting from easier administration and, hence, lower maintenance costs.
This would be inclusive of all necessary patches and updates, ensuring
compatibility across multiple platforms and more efficient collaboration via global
accessibility.
• Platform as a service: Platform as a service (PAAS) is an extension of SAAS. On
top of SAAS, it is a way to rent hardware, operating systems, storage and network
capacity over the Internet. PAAS allows customers to run their own applications
and/or develop and test new ones. This would result in benefits to developers,
where necessary operating system features can be updated whenever needed, as
well as allowing the software development team to collaborate globally.

Cloud computing-specific business issues


• Reliable Internet availability: Unless the Internet connection is reliable and
available at all times, business operations and data security and protection may
be compromised. Today’s technology maintains high reliability of Internet
connection. However, if connectivity is lost for some reason, then the whole
business continuity would stop during that downtime. Hence, as can be seen in
Table I, it was given the scale of 1 (lowest) for the likelihood of unavailability of the
Internet and an impact scale of 5 (highest) in case it happened.
• Data security and protection: As there is no appropriate regulation for data
protection, data storage security and protection is heavily dependent on trust
between the business and the provider, as well as a binding contract detailing the
legal responsibility of the service providers in terms of security and protection of
data. Data encryption is recommended before data are sent to PAAS cloud
providers. This would be necessary to ensure a secure environment when using
PAAS. However, this would result in slow system performance. Using
technological tools to maintain security and protection is becoming a standard
procedure and is well-documented and, hence, easily maintained. Again, if these
tools were not monitored appropriately, it would result in exposure to possible
security breach or data contamination. Hence, the values allocated were 2 and 4.
• Data location and replication: One advantage of cloud services is that business
data are replicated in multiple versions across the globe to maintain backup and
integrity of the data. However, the disadvantage of too many replicas is that the
professionals themselves working for the cloud providers may not be aware of how
many automated replicas are produced in the cloud. Moreover, a replica might be
located in a different country where there is no clear legislation about data security
and privacy. Also, as part of the disaster recovery plan, steps to maintain business
continuity against possible threats like fire and natural disaster have to be clarified
by the cloud service provider. Businesses must be aware of this fact, and it must be
discussed as part of contract negotiation with the cloud providers. Although it is
unlikely for such an automated replica of the data to be exposed to other parties in a
different country, if it did happen, the impact would be high. Hence,
the likelihood factor was given the value of 1 and the impact factor was given the value
of 4.
• Password management and context awareness access: As SAAS provides
applications from the cloud, the main risk would be multiple passwords for accessing
applications. Single sign-in would solve this problem but reduces accessibility in
case a user is left signed-on in one location; the system would then not allow the user
to log in from a different location without a formal sign-out from the previous location.
In addition to password management, a client in a globalized business
environment using mobile devices like tablets and smart phones does not
guarantee who, why and from where that specific customer or employee requests
access to specific information. Although it adds complexity, context awareness access
investigation would be necessary to identify the reasons for a user to request access/
information. Although technological tools may help in password management and
context awareness mapping of users to the relevant data sections, monitoring
such tools would require reasonable effort to maintain; hence, it was given a
score of 3 to implement and an impact score of 2 in case of possible
occurrence, due to the fact that not all accessed data are sensitive information.
• Cloud ethical standards: The history of IT proves that technology is always ahead of
regulations. Cloud computing is no exception. A code of ethics to protect data on the
cloud is not well developed yet and needs further study, not only to provide policy
and regulations but also to motivate and measure ethical behaviors. For example,
an ethical dilemma might emerge when the same IT professional serves two different
clients in the same industry sector (serving two competitors). This raises an ethical
dilemma situation where business strategy, methodology and
secrets might be exposed to competitors via the IT professional who acts as the
intersection link between them. Although this can be avoided by allocating
different IT professionals in the case of competing clients, the implementation might
not always be easy in the case of too many business competitors requesting the same
service. This has been given a likelihood value of 3 and an impact score of 3 in
case of unethical behavior conducted by an IT professional leading to an
information leak to the competing business.
• Accountability: Accountability for security and privacy in the public cloud cannot
simply be delegated to a cloud provider. Businesses must conduct careful planning
of the security and privacy aspects of cloud computing solutions before
implementing them. To do this, a full understanding of the public cloud computing
environment offered by the cloud provider would be necessary. Cloud providers,
on the other hand, have to ensure that a cloud computing solution – both cloud
resources and cloud-based applications – can satisfy organizational security and
privacy requirements. IT professionals must be accountable for any step taken
during day-to-day operations like tape backup, managing and replicating data,
securing data encryption […] etc. This can be easily handled via a log detailing the
individual tasks conducted by all IT professionals. However, the impact of any
misconduct would be medium to high depending on the level of security/
protection breach. Hence, a score of 1 is given for ease of implementation of an activity
log (monitoring IT professionals’ actions) and an impact score of 3 in case such
misconduct has happened (intentionally or unintentionally).
• Auditing and full governance of IT services: Unless the organization has good control
of IT governance and access security, unwarranted access to
services by employees might result. Before joining cloud services, businesses
must have an appropriate plan of access control for specific employees requesting
specific services. Cloud service governance frameworks would be recommended to
prevent employees accessing information or services they are not permitted to use.
Also, auditing cloud computing requires identifying risks, evaluating
mitigating controls and auditing the risky objects. A good framework [like ISACA’s
IT Assurance Framework (ITAF™)] would be required to think about the IT risks
and, thus, assist the IT auditor in conducting an effectual risk assessment. IT
auditors must be from a third-party auditing company and not an internal auditor
from the cloud service provider. Businesses must insist on having access to the
auditing report or may negotiate to involve their own business auditors in the
cloud service provider’s auditing process. For example, businesses
using service providers may request to audit the data storage/backup procedure at
the service provider’s site. The dilemma is that service providers may refuse such a
request due to the confidentiality of services as well as other businesses’ privacy.
Implementing governance of IT services and auditing it might be slightly
difficult, hence a score of 4 was given. The impact of flaws in the system, where
employees might have the wrong data access and/or a bad auditing item, might be
tolerable in many cases. Hence, the impact score was set to 2.
• Mobility access and context awareness: Smartphone users have increased suddenly
over the past two years. Over 100 million Android phones shipped in the second
quarter of 2012 alone. This has encouraged hackers to target these mobile devices,
and whole new types of vulnerabilities have started to emerge. For example, a new
business model for Android malware attacks is to install fake apps that secretly
send expensive messages to premium rate SMS services. Newer versions of fake
applications use a form of Trojan to gain root access, installing malicious code
and communicating with a remote Web site to further contaminate data or to
download and install additional malware. This allows these Trojans to avoid
detection and removal, while recruiting the device into a global botnet.
Eavesdropping on incoming SMS messages has also been noticed recently,
allowing data leakage of sensitive information like Internet banking services,
where mobile transactions are confirmed to the customer via SMS, which might include
authentication details.

Perhaps the main advantage of mobility access to information was the improved
productivity of employees, as it allows easy and fast information exchange for
corporates; hence most corporates allow their employees to bring their own device
(BYOD), which started to gain popularity by 2011.
Hence, a policy was needed for such a new concept that emerged in the corporate strategy
of processing information. BYOD security relates strongly to the end node problem,
wherein a device is used to access both sensitive and risky networks/services. BYOD
can result in data breaches in case of phone loss and access by untrusted person(s),
who can view and edit any unsecured data on the phone. Also, when the employee leaves
the company, company data may still be present on their own devices. Mobility access
to the cloud computing environment is easy to set up and becomes available quickly (a
score of 1 was given). However, possible access to sensitive information due to flaws in
some mobile application might be disastrous (impact value = 5).

Conclusion
Cloud computing is a relatively new concept in IT whose projections seem promising, evolving into better standardized models for the business environment. Like any newly evolved system, it brings new vulnerabilities. This paper surveyed and reviewed the vulnerabilities that evolved across the history of IT systems, including today's emerging cloud computing technology. The business perspective of cloud computing was also reviewed: issues related to the security and the ethics of cloud service provider professionals were identified, with suggestions on how businesses should prepare before joining the cloud. Moving to the cloud requires technical preparation and managerial actions to control and protect the business. Full trust between a business and its cloud service provider is essential, so businesses (cloud service clients) need assurance that protection mechanisms have been adopted against the issues mentioned in this paper. Ethics is one of the main concerns in establishing that trust and reducing vulnerabilities, and hence the evolution of ethics, including business ethics and IT ethics, was also reviewed. As with any other IT system, newly emerged technology comes with newly emerged vulnerabilities. The study conducted in this paper shows that mobility access currently has the highest vulnerability score (18.26 per cent) for generic information systems (Figure 1): it could become the future "point of access" vulnerability, owing to the immature state of secured mobile devices/applications and to businesses allowing BYOD to enhance productivity. Among the cloud computing-specific issues discussed in this paper, mobility access also scores high (10.42 per cent); however, since the ethical behaviour of IT professionals is of utmost importance, cloud ethics has the highest score at 18.75 per cent (Figure 2). Other generic vulnerability types (Table I) mentioned in this analysis may be implicitly embedded in the cloud computing vulnerabilities listed in Table II.

Figure 2. Histogram showing vulnerability issues related to cloud computing

Table II. List of cloud computing vulnerability issues

Cloud issue                                   Related operations               Difficulty level   Impact in case   Weighted   Cloud issue
                                                                               to achieve         of flaws         score      vulnerability (%)
Cloud ethical standards                       Cloud and IT ethics              3                  3                9          18.75
Data security/protection                      Storage media, networked media   2                  4                8          16.67
Auditing and full governance of IT services   IT governance                    4                  2                8          16.67
Password management                           Access control                   3                  2                6          12.50
Reliable Internet availability                Servers access                   1                  5                5          10.42
Mobility access                               Access control                   1                  5                5          10.42
Data location and replication                 Location, policy                 1                  4                4           8.33
Accountability                                Personnel ethics                 1                  3                3           6.25
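The weighted score and the percentage column in Table II follow the scoring model described in the paper: each issue's difficulty score is multiplied by its impact score, and each product is expressed as a share of the total of all products. The following is an added example, not code from the paper, that implements that model as a reusable function, applies it to the rows of Table II and reproduces its last two columns; the `Issue` record and the function names are the editor's own.

```python
"""Difficulty x impact risk scoring as used for Table II.

Added example, not code from the paper. The rows are the Table II
entries; the Issue record and the function names are the editor's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    name: str
    operations: str
    difficulty: int   # "difficulty level to achieve" (1 was given to "easy to set up")
    impact: int       # "impact in case of flaws" (5 was given to "disastrous")


# Rows copied from Table II of the paper.
TABLE_II = [
    Issue("Cloud ethical standards", "Cloud and IT ethics", 3, 3),
    Issue("Data security/protection", "Storage media, networked media", 2, 4),
    Issue("Auditing and full governance of IT services", "IT governance", 4, 2),
    Issue("Password management", "Access control", 3, 2),
    Issue("Reliable Internet availability", "Servers access", 1, 5),
    Issue("Mobility access", "Access control", 1, 5),
    Issue("Data location and replication", "Location, policy", 1, 4),
    Issue("Accountability", "Personnel ethics", 1, 3),
]


def weighted_score(issue: Issue) -> int:
    """The paper's weighting: difficulty score multiplied by impact score."""
    return issue.difficulty * issue.impact


def total_weighted(issues) -> int:
    """Sum of all weighted scores; the denominator of the percentage column."""
    return sum(weighted_score(i) for i in issues)


def score_table(issues):
    """One row per issue with its weighted score and its share (%) of the total.

    The share is what the last column of Table II reports, so the
    percentages of any scored table sum to 100 (up to rounding).
    """
    total = total_weighted(issues)
    if total == 0:
        raise ValueError("no scored issues")
    return [
        {
            "issue": i.name,
            "operations": i.operations,
            "weighted": weighted_score(i),
            "percent": round(100 * weighted_score(i) / total, 2),
        }
        for i in issues
    ]


def rank(issues):
    """Issues ordered from highest to lowest weighted score (the order of Table II).

    sorted() is stable, so issues with equal scores keep their input order.
    """
    return sorted(issues, key=weighted_score, reverse=True)


if __name__ == "__main__":
    for row in score_table(rank(TABLE_II)):
        print(f'{row["issue"]:<45} {row["weighted"]:>2}  {row["percent"]:>6.2f}%')
```

Because the percentage is a share of the total, adding or removing an issue changes every row's percentage while leaving the weighted scores unchanged; when comparing the generic table (Table I) with Table II it is therefore the weighted scores, not the percentages, that are directly comparable.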


Corresponding author
Issam Kouatli can be contacted at: issam.kouatli@lau.edu.lb
