Introduction
Security considerations
of doing business via the
Internet: cautions to be
considered
Alicia Aldridge
Michele White and
Karen Forcht
The authors
Alicia Aldridge is an Associate Professor in the Department
of Marketing, Walker College of Business, Appalachian State
University, Boone, NC, USA.
Michele White is a Researcher and Karen Forcht is a
Professor, Department of Information and Decision Sciences,
both at the College of Business, James Madison University,
Harrisonburg, VA, USA.
Abstract
Looks at the growth and potential of the Internet in relation
to security issues. Presently, lack of security is perceived as a
major roadblock to doing business online. Risks of system
corruption, fraud, theft and viruses point companies to the
need for enhanced security. Investigates the importance of
securing a company’s systems, its individual users and its
commercial transactions, and provides a checklist along with
a brief discussion of available protection measures for these
three primary security concerns.
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · pp. 9–15
© MCB University Press · ISSN 1066-2243
9
Security is one of the most challenging topics
faced by companies which wish to go online.
When a user attaches to the Internet, anyone
from anywhere around the world has access to
the information being sent. When a Web server
is opened, a window to the local network is
provided. The risk of data theft, theft of service,
and corruption of data and viruses becomes a
reality. The possibility of fraud also increases
significantly with the Internet because of the
difficulty of accounting for use of the service.
Companies need to focus more on security;
however, 59 percent say they lack human
resources, and 55 percent state they do not have
a budget to support Internet security (Internet
Security Survey Results, 1996). “The risks of
working and doing business in cyberspace are
present because there is also a tremendous
potential for reward. As long as we keep our eyes
open, assess the risks realistically, and take
intelligent precautions, we can navigate cyber-
space knowing that our own networks are safe
from unwanted intrusion” (Russell, 1995).
Importance of security
Built-in security is not provided by the Internet
as messages and information sent via computer
may be routed through many different systems
before reaching their destination. Each different
system introduces unwanted individuals who
can access data; therefore, security is needed to
protect messages from unwanted damage, copy-
ing, or eavesdropping (Forcht and Fore, 1995).
RDI Computer Corporation recently con-
ducted a survey on how people feel about Inter-
net security. The majority (57 percent) of
people surveyed felt security was important.
Forty-six percent stated that they have experi-
enced some type of security break-in; however,
80 percent have not recently purchased any type
of security software. The top three main con-
cerns mentioned by the respondents were unau-
thorized data retrieval (system privacy), pass-
word security (user privacy), and security of
commerce transactions (Internet Security Survey
Results, 1996).
System privacy
Unauthorized data retrieval is the most common
reason for wanting a good security system.
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
Companies do not want private or confidential
documents falling into the wrong hands. Unau-
thorized persons may also break into systems
just to destroy data stored there. This may prove
very costly to the company, even if they have
made backups, as it takes time to restore the
data and make additional backup copies.
During reinstallation, the company may be
paralyzed and unable to attend to their cus-
tomers’ needs and these consumers may
become dissatisfied and give their business to
someone else.
To compound the problem, a secure network
is critical to keep unwanted users from using
company resources. Some unauthorized users
may break into networks just to borrow
resources and these additional users may cause
organizations to lose valuable system adminis-
tration time. If there is a large number of addi-
tional users on a system, it will slow down,
possibly to a stop. The slow or down system may
keep employees and customers from doing their
business and will further their frustrations.
Intruders may also execute commands that
modify or damage the system or cause corrupt-
ed or damaged products to be sent to
customers.
Companies must consider the threat of per-
sonal or financial information being altered,
damaged or destroyed as personnel records or
customer records are greatly at risk of losing
their confidentiality and secrecy – i.e. credit
card numbers being intercepted.
An important security issue to consider is
that information about the Web server’s host
machine may leak through, giving outsiders
data that will allow them to break into the host
machine. Allowing a security hole to the host
machine would make a host vulnerable to the
outside.
Netscape is an example of software in which
security holes were found and used to alter
information. Netscape was broken into by two
graduate students who said they found security
gaps in some of the software used at many dif-
ferent Internet sites. These gaps were used to
intercept and alter copies of software. Once the
security routine was altered in the software, then
any program it touched was also put at risk of
being compromised (Verity, 1995). Netscape
quickly corrected the problem found in its
10
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
software, but they are just an example of soft-
ware compromised by someone on the outside.
User privacy
Just as the Internet does not provide its own
system privacy, it does not have built-in individ-
ual user protection. “The danger of the Internet
now is the illusion of anonymity that is com-
pletely false. People think they’re invisible”
(Miller, 1996). In reality servers log every
access, IP address, time of download, user’s
name, URL requested, status of request, size of
data transmitted, client the reader is using and
sometimes the user’s real name and e-mail
address. If the client is using a single-user
machine the download can be attributed to an
individual. This information could be very
damaging. It could signal corporate takeover, or
show who is interested in a job change by read-
ing who looks at job listings. In addition, record-
ing the time a cartoon is downloaded could
show an employee who is misusing company
time. Users expect privacy; therefore, compa-
nies need to respect that and refrain from post-
ing usage statistics that can be attributed to an
individual.
Government sites are required by law to
protect the privacy of their readers. It will not be
surprising if a law is passed in the near future
that makes it illegal to sell or distribute records
that have been collected on individual usage.
Presently, protected sites summarize raw data
and practice moral server administration by not
using statistics that can be traced to an individ-
ual.
Commerce transaction privacy
The third and fastest growing security concern
is the protection of commercial transactions
over the Internet. With wide, inexpensive and
convenient access to the Internet, one would
think electronic commerce would be the new
way of doing business. However, the concept is
off to a slow start owing to the problems associ-
ated with insuring security, as new security
holes keep appearing. The issue of security is a
major roadblock to the realization of the Web’s
recognized potential as a vehicle for commerce.
Even as buying and selling are now possible
through the Internet, so have credit card num-
bers and other sensitive information been stolen
online. “If consumers and merchants don’t have
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
a certain degree of confidence, electronic com-
merce is not going to work” (Verity, 1995).
The lack of security, reliability and account-
ability make Internet transactions too risky for
many users. One major fear of merchants is to
shield their computers from hackers. If a hacker
would break into their system, they could steal
thousands of credit card numbers. One large
study found that 66 percent of respondents
cited credit card fraud as a major concern about
shopping online. Other concerns included
unsolicited mailing lists (65 percent), merchant
legitimacy (59 percent), and lack of data privacy
(57 percent) (Stores, 1996). The Internet allows
stockpiling of thousands of credit card numbers
untraceably. Thieves use each number once,
reducing the probability of investigation
(Matsumoto, 1995). For example, one master
hacker stole more than 20,000 credit card num-
bers. Total intrusions into government, business
and university computers on the Internet
increased by 344 percent between 1993 and
1995 (Keating, 1996).
Additionally, technology companies and
cyber businesses have yet to agree on which
protocols to use in sending payments over the
Net. A battle has erupted over which format to
use since these protocols are so important to the
future of the network and digital economy. The
major players in developing acceptable proto-
cols are banks, software makers (i.e. Microsoft,
Netscape) and credit-card companies (Verity,
1995).
Security requirements are very different for
different types of businesses. Security require-
ments in a business-to-business relationship are
easy because the people doing business together
know each other. They know who they will be
getting messages from and what types of mes-
sages they will be receiving. If one company
receives a message from someone other than the
usual sender, it will be “checked out” before it is
processed. Retailers, on the other hand, have
very little protection when open to the Internet
because they are not designed to help people
share information. Adding security to retail
transactions is becoming a big challenge.
Methods of protection
Now that the dangers of Internet use are
known, users need to take measures to protect
11
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
themselves and their businesses against the
possibility of systems being invaded, users
identified and commercial transactions compro-
mised. Some protective options available today
are very easy and inexpensive, while others are
more complicated and expensive. One inexpen-
sive option is awareness; simply being more
aware of the dangers out there and how to avoid
them. More expensive and complicated mea-
sures include choosing more secure operating
systems, imposing access restrictions and
enforcing authentication procedures.
Systems protection
Operating systems security
Some operating systems are more secure as
platforms for Web servers than others. The
more powerful and flexible the operating
system, the more open it is for attack through its
Web servers. Unix systems are a good example
of an insecure, open system. Servers that offer
many features often contain more security holes
than simple servers that only make static files
available. Some servers can restrict browser
access to documents or portions of documents
by using IP addresses or passwords or providing
data encryption.
Unix systems are more vulnerable to attack
because of the large numbers of portals of entry
for hackers to try; whereas, Macintoshes and
MS-Windows machines are more difficult to
exploit because they are much smaller. Howev-
er, it depends on the experience of the adminis-
trator. As an example, a Macintosh set up by a
novice is more susceptible to attack than a Unix
system run by very experienced administrators.
Two general security precautions should be
taken by Web servers running on Unix
machines:
(1) limit the number of log-in accounts, and
(2) delete any inactive users.
Users should use good passwords and turn off
any unused services on the machine. A system
administrator should check the system and Web
logs regularly for any suspicious activity and
make sure permissions are set correctly on the
system files (a user can make changes to the
configuration file or document tree that could
open up security holes).
Automatic directory listing is an optional
feature that is a potential security risk. The
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
more a hacker knows about a system, the more
likely he/she is to find loopholes. Symbolic Link
following is also dangerous because someone
can accidentally create a link to a sensitive area
of the system, opening a hole for a hacker to
enter.
Administrators should carefully consider to
whom permission has been given for saving
HTML files for the Web. Adopting a “need to
know policy” for the document root (where
HTML documents are stored) and the server
root (where log and configuration files are kept)
is as critical as it is important for these to be
correct because CGI scripts and contents of the
log and configuration files are stored there.
Writers of HTML documents should have
access only to their own files.
Protecting files and data
Regardless of the operating system used, one of
the first things a company can do is avoid down-
loading from unknown sources such as bulletin
board systems. The files and software from
these sources may contain damaging bugs or
viruses. Even when downloading files from
familiar sources, the program should be run
through some type of virus-protection software.
Another easy and inexpensive way to protect
systems is to generate backup copies of critical
files and store them in a different location, thus
protecting from both physical failure and attack.
With backup files, lost or compromised data can
be destroyed, followed by a reinstallation of the
backup files since restoring backup data is much
faster and more inexpensive than trying to
recreate lost data.
Many organizations are now designating a
staff member to serve as an information security
officer (ISO) whose main responsibility is to
monitor the environment and watch for any-
thing unusual. This person watches for any
suspicious activities in-house or from someone
on the outside trying to get into the system by
monitoring how many times a user is logged on
and which files are being used. An ISO can also,
by careful monitoring, tell how many times a
password has been hit unsuccessfully, indicating
that someone is trying to break into the system.
There are presently a number of hardware
and software items that can be purchased to
help protect systems. A firewall is one of the
most widely used options and is a combination
of hardware and software which is placed
12
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
between a company and the Internet. Firewalls
are designed to be a gateway through which all
connections are made and offers a secure solu-
tion against intruders getting into and employ-
ees sending out information they should not
(Russell, 1995). The three main principles of a
firewall are to:
(1) defend against known forms of attack,
(2) provide protection against breaches,
(3) detect any unusual events within the fire-
wall.
Netscape has developed a secure sockets layer
(SSL) to help increase security while using
Netscape. SSL is an open protocol designed to
secure data communications across computer
networks and was designed with three layers of
security:
(1) server authentication,
(2) privacy using encryption, and
(3) data integrity.
Another software tool that can be used by
system administrators is the security adminis-
trator tool for analyzing networks (SATAN),
whose main intent is to scan networked com-
puters and identify their weaknesses. SATAN
was developed to make network administrators
pay more attention to computer security.
User, information and message protection
Users, their personal information, communica-
tions and messages are protected by educating
users, by imposing restrictions on accessing
individual files and accounts, and by authenti-
cating sender identity and message integrity.
User education
There are several steps a company can take to
help protect its clients. The easiest way is to
have a clear site policy on Web usage and edu-
cate users on the risks associated with using the
Web. Another way to help protect users is by
summarizing logs and keeping only summarized
usage statistics and delete any information that
can be attributed to an individual.
Access restrictions
There are three types of access restrictions
available:
(1) IP address, subnet, domain,
(2) user name and password,
(3) encryption using public key cryptography.
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
IP Address and domain name secure against
casual nosiness but not against a determined
hacker. IP address and domain name should be
paired with something that checks the identity
of the user.
User name and password protection is only as
good as the password being used. Users should
not use pet names, phone numbers or share user
names and passwords with other users. If the
password is not encrypted, a hacker can capture
it as it passes over the network, as passwords are
passed every time the user requests a secure
document. Generally, users are on the system
for a significant amount of time which makes it
easy for a hacker to intercept them.
Encryption – “Data encryption scrambles
data to prevent it from being read or tampered
with during transit. Only those with the right
key can read it” (Verity, 1995). Encryption
encodes the text of a message with a key. The
keys come in pairs with one to encode and the
other to decode. In a public system, the encod-
ing key (public key) is widely distributed while
the decoding key (private key) is closely held
and used to decrypt incoming messages.
Encryption is only as good as the protection of
the key, and if stored on the computer, it is then
vulnerable to hackers. If stored on a piece of
paper, it can also be compromised owing to the
extreme visibility. The key must be protected in
order for encryption to work, and the stored
data on a computer should also be encrypted
adding an additional level of security.
Authentication of data
Authentication in a digital setting is a process
whereby the receiver of a digital message can be
confident of the identity of the sender and/or the
integrity of the message. Authentication in
public-key systems uses recent technology
called digital signatures, which play a function
for digital documents similar to that played by
handwritten signatures for printed documents.
A certificate is attached at the end of each docu-
ment being sent, thus creating a trail that the
receiver can trace back. This method will only
work if the user has agreed not to accept any-
thing unless it has certificate attached:
The progress in the area of trustworthy and con-
trolled dissemination of information does not
depend primarily on technology but rather on the
development of an overall model, or architecture,
for control, as well as education and public atti-
tudes that promote responsible, ethical use of
13
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
information, and associated regulation and policy
(National Academy Press, 1994).
Commercial transaction protection
To strengthen the security of business on the
Internet, two levels of security checks can be
used:
(1) perimeter security can be achieved by using
firewalls,
(2) transaction security provides authentica-
tion, message integrity, helps protect
against eavesdropping, and provides a
record of each transaction (“Security
Truce?”, 1995).
To achieve transaction security, channel-based
security and document-based security can be
used. Channel-based security secures the chan-
nel being used. SSL (Secure Sockets Layer) is
the current leader in this field. Document-based
security secures the documents that make up
the transaction being sent (SHTTP – Secure
Hypertext Transport Protocol is the current
leader). Merchants would like to see a toolkit
developed to merge these two; however, they
will support whatever consumers want (Byte,
1995a, b, c).
Cryptographic software can be used for
transaction security. A scrambled message is
sent and the receiver must have a key to
unscramble it. As an example, a buyer encrypts
a credit card number; the merchant passes it on
to a bank to be unscrambled and read. The
bank will then tell the merchant if they should
continue with the sale. This method has been
proposed by Visa, Microsoft and Netscape. By
using this method, the bank’s exposure to risk is
actually less than purchases made in person or
by phone because they can verify the sale before
it is made.
There are a few security systems already on
the market to improve security for electronic
commerce. First Virtual allows users to sign up
for a First Virtual account by telephone and
provides their credit card number and contact
information before they receive a First Virtual
account number. When users are online and
want to buy something, they simply give their
account number instead of their credit card
number. First Virtual then contacts the user by
e-mail which gives them the chance to approve
or disapprove the transaction before the credit
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
card is billed. First Virtual needs no special
hardware or software.
Digicash is another security system being
developed. With digicash, a user makes advance
lump-sum payments to a bank that is part of the
digicash system and receives e-cash in return. E-
cash is then debited from the checking account
as it is used. Special client software is needed at
both the user’s and merchant’s computers.
Cybercash, yet another security system, is
both a debit and credit card system. For the
credit card user, special software is installed on
the computer. When the credit card number is
needed, a window pops up and the number is
entered and encrypted then sent to the mer-
chant’s software. In debit mode, the connection
is established at a participating bank.
Vendors have an incentive to reach a better
level of security because they include a dis-
claimer on their software which disallows any
liability to them if the system is broken into
(Verity, 1995). As time passes, better security
methods will be developed and hackers will also
become more skilled. “We will never reach
perfect security in this world of ever-increasing
technology. However, we can reach a level of
security we can live with. The risk that remains
is a cost of doing business” (Verity, 1995).
Involvement of governmental agencies
To improve security vastly, some governmental
involvement is necessary:
The architecture should provide for mechanisms
that protect against classic security threats (to
confidentiality, integrity, and availability of data
and systems) as small as violations of intellectual
property rights and personal privacy. This security
architecture must include technical facilities,
recommended operational procedures, and a
means for recourse within the legal system
(National Academy Press, 1994).
Three elements must be present to make securi-
ty successful:
(1) “Walls” will be used to separate network
functions and services that are accessible
from those which are not (National Acade-
my Press, 1994). The information providers
will be able to determine who will have
access to certain files.
(2) Data integrity will be protected by technol-
ogy:
A technological means is needed for “certify-
ing” the authenticity of data, so that users are
able to choose sources of information with a
14
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
reasonable degree of confidence (National
Academy Press, 1994).
This way the publisher can be sure informa-
tion the users get is what they intended and
users can be sure of what they are getting.
(3) The network must be reliable.
Handling Internet requirements
BBN Internet Services identifies the four Ps of
Internet Security:
(1) Paranoid – everything forbidden – no con-
nection.
(2) Prudent – everything forbidden except what
is explicitly allowed.
(3) Permissive – opposite of prudent – every-
thing allowed except what is explicitly
forbidden.
(4) Promiscuous – everything allowed (Byte,
1995).
An organization must determine which range is
most appropriate at all levels as needs may vary
between departments. Once a determination
has been made as to what will and will not be
permitted, degrees of security can be estab-
lished. Revisions will be necessary as security
system needs change. The right fix today may not
be the right fix for tomorrow.
To handle Internet requirements, several
steps/measures can be taken:
• Use an in-house staff. By relying on an in-
house staff, the company will have to hire
someone with extensive experience in Inter-
net security administration. If they do not
wish to hire someone they will need to pro-
vide training for their employees to make
them aware of all the possible security dan-
gers of not enforcing good security and the
methods available to achieve avoiding them.
• Hire consultants to the in-house staff. The
consultants can determine the best method
of security for the firm. The in-house staff
can then be trained only on the method
which is best for the firm. This approach will
save the firm time and money because it will
not take as long to get the security method in
place and working.
• Outsourcing. With outsourcing someone is
hired from the outside to come in, view the
system and install the best security system. It
will still be necessary to train internal staff so
 Security considerations of doing business via the Internet
Alicia Aldridge, Michele White and Karen Forcht
that they will be able to maintain the system
once the group leaves.
Conclusion
The Internet beckons us in some alluring ways. It
promises a great deal in the way of rewards and
benefits – connections with a multitude of individ-
uals and organizations and access to information
and resources on a scale heretofore unparalleled.
And yet hooking up to the Internet can also be the
source of significant dangers and risks (Bryan,
1995).
Most users today feel they will suffer a greater
loss by not connecting to the Internet than they
will face with security issues. “Ensuring security
requires attention to operating procedures, user
attitudes and values, policy and legislative con-
text, and a range of other issues” (National
Academy Press, 1994).
Perfect security will never be reached; howev-
er, organizations and users will, hopefully, reach
a level everyone can live with in this age of
cyberspace.
References and further reading
Bryan, J. (1995), “Build a firewall,” Byte, pp. 91-6.
Byte (1995a), “Safe Network Services: FTP, DNS, & XII” April,
pp. 91-6.
Byte, (1995b), “Security truce?,” July, p. 80.
15
Internet Research: Electronic Networking Applications and Policy
Volume 7 · Number 1 · 1997 · 9–15
Byte (1995c), “Network security starts with a workable
policy” April, p. 93.
Forcht, K.A. and Fore, R.E. III (1995), “Security issues and
concerns with the Internet,” Internet Research, Vol. 5
No. 3, pp. 23-31.
Internet Security Survey Results (1996), http://guide p.infos-
eek.com/www/ns/tables/BTitles?qt=
Internet+security+col=WWWS st=10
Keating, P. (1996), “Protect your money from cybertheft,”
Money, February, p. 20.
Luse, E. (1995), “The devil of the internet,” US News and
World Report, April 17 p. 14.
Matsumoto, C. (1995), “Security issues continue to dog
commerce on Internet,” San Jose and Silicon Valley
Business Journal, 2-8 October, p. 25.
Miller, L. (1996), “On the internet, virtually no privacy”, USA
Today, May 30, 6D.
National Academy Press (1994), Realizing the Information
Future.
Ratzan, L. (1995), “The Internet cafe-exchange and connec-
tion on the Internet: an information outlet for
romance,” Wilson Library Bulletin, May, pp. 66-7.
Russell, K. (1995), “Barricading the Net,” Byte, April, p. 89.
Stein, L.D. (1996), “World Wide Web Security FAQ,” <lstein@
genome.wi.mit.edu, Version 1.1.7, February 16.
Stores (1996), “Internet shopping: new competitor or new
frontier?”, Special Research Report, April, mc16.
Verity, J.W. (1995), “Bullet-proofing the net”, Business Week,
November 13, pp. 98-9.