
E-Commerce Risks and Controls

Introduction
Risk is ‘the probability of a threat to a system’ and a control represents ‘security
mechanisms, policies, or procedures that can successfully…reduce risk’ (Whitman &
Mattord 2003, pp.27-28). In the fast-evolving world of e-Commerce there are
numerous risks and controls. Moreover, new risks and controls emerge every day as
the environment changes, and it is not easy to keep track of every single risk and
control. Hence, risks and controls need to be categorised separately for easier
understanding and management. This review explores the categorisation of both
risks and controls and illustrates each category with examples.

Categorisation of Risks
Jamieson et al. (2002) and Whitman & Mattord (2003) each present a
comprehensive paradigm for risk categorisation. One categorisation of risks is
common to these paradigms: Human and Technology, as shown in the diagram below.
[Diagram: risk categories, Human and Technology]

Within each category there are many different risks related to e-Commerce;
for brevity, only the key ones will be discussed.

Human
• Fraud and theft. Credit card details and the identities of customers or business
partners can be stolen and used to perform fraudulent transactions. The dollar
value of a transaction can also be manipulated in fraud, for example where the
amount the customer is charged is taken from data the customer controls.
• Financial loss. For-profit organisations expect e-Commerce to generate value and
financial return. E-Commerce becomes a burden on the business objectives if it
only produces financial loss.
• Legal issues. Companies must comply with the laws in place. One such
requirement is to protect the confidentiality of customer and employee data. By
running e-Commerce, a company risks breaching this legislation if the data is
abused or not protected.

Page 1 of 4
Technology
• Sabotage or vandalism. The e-Commerce system may suffer different malicious
attacks, in the form of virus, worm or trojan horse infection, denial of service,
and web page defacement.
• Unauthorised access. Malicious intruders may gain illegal access to the
e-Commerce system. Such access can have many causes, among them poor
configuration or design of the system, unpatched security holes, unencrypted or
poorly encrypted transmission, and a stealthy backdoor program.
• Performance degradation. Once the e-Commerce system is up and running, its
performance may degrade over time as demand on network bandwidth, processing
capacity and data storage grows, and as software and hardware failures become
more frequent.

Categorisation of Controls
Jamieson et al. (2002) categorised controls as either procedural or technical in the
paradigm they proposed. However, for a more comprehensive control mechanism, the
education and legal categories should also be included and addressed. This
categorisation is shown in the diagram below.
[Diagram: control categories, Legal (External), Policy and Procedure, Education,
Technology]

It is worth noting that a control category is not limited to addressing only one
category of risk. Instead, the control categories and risk categories are related
many-to-many: one control can reduce several risks, and one risk usually needs
controls from several categories.

As with the categorisation of risks, there is a variety of controls within each
control category that can be applied to e-Commerce. Due to the limited space in
this review, only the vital ones will be discussed.

Legal (External)
Legislation acts as a control to protect the parties involved in e-Commerce, e.g.
the Electronic Transactions Act 1999 (Commonwealth of Australia 1999). External
legal audit and advice (Dilanchian 2001) can also be employed to mitigate the risks
companies may face during the operation of e-Commerce.

Policy and Procedure
Internal policies and procedures must be in place to act as controls for the risks
within e-Commerce. Risk assessment, cost/benefit analysis, a system development
methodology with its own auditing, and transaction auditing are some of the
controls that help address the risks companies face when implementing e-Commerce.

Education
Everyone involved in e-Commerce, from external parties (such as consumers,
business partners, outsourcing companies, and vendors) to internal parties (such as
business analysts, system designers, programmers, database administrators, system
administrators, and testers), must be adequately trained so that they are aware of
the risks and controls in e-Commerce.

Technology
Contrary to the common belief that technology alone controls the risks of
e-Commerce, technology by itself cannot effectively address them (KnowledgeLeader
2003). Some of the controls within the technological category are: antivirus
software, firewalls, access control lists, log files, encryption, digital
certificates, audit trails, and patch management.
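As an added example (not part of the original review), the Python below ties one of the Human risks above to two of the Technology controls. It shows the ‘manipulated dollar value’ fraud in a checkout that trusts the price submitted by the browser, then the hardened form, which prices only from a server-side catalogue, hands the client a quote protected by an HMAC-SHA256 tag (standing in here for the encryption and digital certificate controls), and records an audit trail entry. The catalogue, prices, order ids, key and function names are constructed for illustration and are not from any real shop.

```python
import hashlib
import hmac
import json

# Constructed catalogue for the example (prices in cents). In a real shop
# this lives server-side in the database, never in the browser.
CATALOGUE = {
    "SKU-100": 4999,   # headphones
    "SKU-200": 12900,  # keyboard
}

# Hypothetical server-side secret; a real deployment loads it from a key
# store and rotates it.
SERVER_KEY = b"example-only-key-not-for-production"

# Audit trail for the example; a real deployment writes to append-only storage.
AUDIT_LOG = []


def vulnerable_total(cart):
    """'Before': trusts the unit_price the browser submitted.

    Anyone who edits the POST body or a hidden form field can set
    unit_price to 1 and buy a keyboard for one cent. This is the
    'dollar value of transactions manipulated' fraud risk.
    """
    return sum(item["unit_price"] * item["qty"] for item in cart)


def hardened_total(cart):
    """'After': unit prices come only from the server-side catalogue.

    Unknown SKUs and non-positive or non-integer quantities are rejected
    instead of being silently priced at zero or producing a negative total.
    """
    total = 0
    for item in cart:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise ValueError(f"bad quantity for {sku!r}: {qty!r}")
        total += CATALOGUE[sku] * qty
    return total


def sign_quote(order_id, cart, key=SERVER_KEY):
    """Issue a tamper-evident quote: canonical JSON plus an HMAC-SHA256 tag.

    The client can hold this between checkout steps; any change to the
    items, quantities, total or order id invalidates the tag.
    """
    payload = {"order_id": order_id, "cart": cart, "total": hardened_total(cart)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_quote(body, tag, key=SERVER_KEY):
    """Accept a quote only if its tag verifies (constant-time comparison)."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("quote was modified after it was issued")
    return json.loads(body)


def settle_order(body, tag):
    """Verify the quote, recompute the total from the catalogue, and record it.

    Recomputing (rather than trusting the signed total) means a quote signed
    over yesterday's prices cannot be used to underpay today, and the audit
    record ties the charged amount to a hash of the exact quote presented.
    """
    quote = verify_quote(body, tag)
    total = hardened_total(quote["cart"])
    AUDIT_LOG.append({
        "order_id": quote["order_id"],
        "charged": total,
        "quote_sha256": hashlib.sha256(body.encode()).hexdigest(),
    })
    return total


if __name__ == "__main__":
    # Attacker rewrites the submitted unit price to one cent.
    forged = [{"sku": "SKU-200", "qty": 1, "unit_price": 1}]
    print("trusting client price:", vulnerable_total(forged))   # 1
    print("server-side price:    ", hardened_total(forged))     # 12900

    body, tag = sign_quote("ord-0001", [{"sku": "SKU-100", "qty": 2}])
    print("settled:", settle_order(body, tag))                  # 9998

    # Attacker edits the total inside the quote but cannot re-sign it.
    tampered = body.replace('"total":9998', '"total":1')
    try:
        verify_quote(tampered, tag)
    except ValueError as err:
        print("rejected:", err)
```

The HMAC only proves the quote was not altered after the server issued it; it does not make the prices correct, which is why `settle_order` recomputes the total from the catalogue before charging. The audit record stores a hash of the exact quote so a disputed transaction can later be matched against the log files the text lists as a separate control.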

Conclusion
This review has discussed a categorisation paradigm for risks and controls within
e-Commerce. Due to time and space constraints, only the key risks and controls
have been given for each category, so those outlined are by no means exhaustive.
Moreover, new risks and controls will continue to emerge as the environment
changes. A more comprehensive and detailed analysis requires further in-depth
study.

Bibliography
1. A Team 2003, INFS5905 Information Systems Auditing Session 2, 2003 Identity
Fraud Assignment Part One: Identity Fraud Report, UNSW, NSW.
2. Commonwealth of Australia 1999, Electronic Transactions Act 1999,
Australasian Legal Information Institute, viewed 16 October 2003,
<http://www.austlii.edu.au/au/legis/cth/consol_act/eta1999256/>.
3. Dilanchian, N 2001, E-commerce Legal Risk Minimization. Part 1: Introduction,
Dilanchian Lawyers & Consultants, viewed 26 April 2004,
<http://www.dilanchian.com.au/images/610_01_EL1.pdf>.
4. Forristal, J, Broomes, C, Simonis, D, Bagnall, B, Dinowitz, M, Dyson, J, Dulay, J,
Cross, M, Danielyan, E & Scarborough, D 2001, Hack Proofing Your Web
Applications, Syngress, Rockland, USA.
5. Jamieson, R, Baird, A & Cerpa, N 2002, Development of a Framework for Risks
and Security in B2C E-Business, UNSW, Sydney.
6. KnowledgeLeader 2003, Information Security: Ten Myths, KnowledgeLeader,
viewed 1 January 2004,
<http://www.knowledgeleader.com/InternalAudit/website.nsf/print/ChecklistsGuidesTenMythsAboutInformationSecurity?opendocument>.
7. Kohli, K 2004, Stealing Passwords via Browser Refresh, Astalavista Security
Group, viewed 26 April 2004,
<http://www.astalavista.com//data/stealing_passwords_via_browser_refresh.pdf>.
8. Moore, D 2002, ‘The current state of e-Commerce security’, 2600 The Hacker
Quarterly, vol. 19, no. 3, pp.53-54.
9. Responsive Systems 2004, Responsive Systems – Risks of E-Commerce,
Responsive Systems, viewed 26 April 2004,
<http://www.responsivesystems.com.au/ecommerce/risks.html>.
10. Terzievski, K 2004, ‘Patch me happy’, Technology & Business, May 2004 issue,
pp.94-102.
11. Whitman, M & Mattord, H 2003, Principles of Information Security, Thomson
Course Technology, Canada.
12. Younan, Y 2003, An Overview of Common Programming Security Vulnerabilities
and Possible Solutions, Astalavista Security Group, viewed 26 April 2004,
<http://www.astalavista.com//data/thesis.pdf>.
