Annotated Bibliography

 Provide five additional references related to your Dissertation topic in annotated bibliography format and/or incorporated into the literature review. Five new references will be required each week. Then provide suggestions and feedback to your peers’ work in the form of at least one of the following elements:

  • Make a suggestion.
  • Ask a probing or clarifying question.
  • Share an insight or thought.
  • Offer and support an opinion.

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

SERVICE LEVEL AGREEMENT FRAMEWORK

FOR E-COMMERCE CLOUD END-USER PERSPECTIVE

Abdelsalam H. Busalim

Faculty Of Computing
Universiti Teknologi Malaysia

Johor,Malaysia
busalim.86@gmail.com

Ab Razak Che Hussin
Faculty Of Computing

Universiti Teknologi Malaysia
Johor,Malayisa

abrazakutm@gmail.com

Abdulrahman Ibrahim

Faculty of computing
Universiti Teknologi Malaysia

Johor,Malaysia
info@jetpe.com

Abstract—Cloud computing provides a large pool of accessible
resources (hardware, platform, software) in a form of services.
It became a cost effective alternative to the traditional IT
infrastructure. Nowadays, as more and more e-commerce
companies delegate their task to cloud providers, Services
Level Agreement (SLA) became an important aspect between
the cloud consumer and cloud provider, the dynamic nature of
cloud computing needs to continue monitoring of the services.
The restricted choice of appropriate parameters in SLA affects
the interacting of end user with cloud services and creates risks
of user data. End users are concerned about their data and
how it will be stored in cloud and how the data is recovered in
the case of failure of disaster. However, none of SLAs consider
the end user view while conducting the SLA document. In this
paper, we reviewed the existing SLA framework in cloud
computing and introduced SLA framework for e-commerce
cloud based on WSLA lifecycle. In this paper, a list most
appropriate parameters and objectives which should be
included in the SLA are provided to alleviate the risks facing
the e-commerce cloud end user. The proposed framework may
provide holistic guarantee for the end user to interact with e-
commerce cloud websites.

Keywords- Cloud Computing; E-commerce cloud; Services Level
Agreement

I. INTRODUCTION
Cloud computing is a general term to describe the process
of delivering hosted services over the internet. According
to NIST (National Institute Of Standards and Technology)
definition : “Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access to a
shared pool of configurable computing resources (e.g,
storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort
or service provider interaction”[1]. Cloud services are
generally categorized into three parts: Software-as-service,
Infrastructure-as-service (IaaS) and Platform-as-service
(PaaS)[2]. Of late, many ecommerce companies move to
cloud services. According to Gartner group report, in 2013,
40 % of e-commerce companies will use a complete cloud
services (SaaS) solution, which is going to change the way
how businesses operate[3]. From the business perspective,

cloud computing can facilitate e-commerce companies by
reducing the cost of IT infrastructure, operation and
maintenance[4].
However there are some risks facing the end user during
interaction with ecommerce cloud websites [5]. End users
are concerned about the confidentiality of their data and
how it stored in the cloud.[6] pointed out that “the
capabilities of cloud computing to scale rapidly , store user
data remotely , and share services in a dynamic environm

ent

can thus become disadvantages in maintaining the level of
privacy assurance sufficient to sustain confidence in
potential users”.
This paper is organized as follows. Section I discusses
challenges and risks facing end user when interacting with
ecommerce cloud. Section II presents the literature review
of the exiting SLA frameworks. Cloud SLA and the main
parameters, objectives in cloud SLA discussed in Section
III. Section IV explains the proposed Ecommerce cloud
SLA framework based on the literature. Finally, the
conclusion and further study are summarized in Section VI.

II. RISKS AND CHALLENGES FACING END-
USER IN E-COMMERCE CLOUD

Cloud computing helps companies to quickly build up an e-
commerce website by on demand purchase and use. This
can totally reduce the cost of building e-commerce website
and maintenance costs. In addition, cloud service providers
offer professional teams to help in e-business application
and hardware maintenance. This can allow the e-commerce
seller to focus on the core business process .In ecommerce
cloud sellers, a large number of users information is stored
in the cloud and transmission and processing taking place in
cloud, therefore, the problems and risks more than
traditional e-commerce model.[2]

Increasingly, online retailers are relying on cloud services
and applications such as storage, computing, comparison
engines, product locators and dynamic imaging to run their
businesses. Outsourcing services may pose high risks to the
retailers. As a result, they are losing control of the end user
experience. The main risks discussed below.

576

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

A. Data confidentiality and privacy
In cloud computing, most of the business information are
stored in the cloud, e-commerce companies will be unable
to supervise and monitor user’s business sensitive
information. As virtualization technology been used in
cloud computing, e-commerce companies using cloud
services are not clear about where the data been stored, and
do not even know in which country the data is located.[2].
Privacy issues are very crucial in Cloud Computing. The
dynamic nature and structure of Cloud environment make it
difficult for Cloud providers to follow the current data
privacy and protection rules. The main reason for this is due
to the transnational nature of Cloud Computing that has to
face the national nature regulation privacy[7]. The current
cloud service contracts are not taking sufficient attention on
consumer privacy. Indeed, to the extent that consumers are
poorly informed about privacy issues[8]. The European
Network and Information Security Agency(ENISA),
conducted a survey for the main cloud computing security
issues. More than 70 % of the SME (small and medium
enterprises) in this study are concerned by the first six
criteria and more specifically by confidentiality of data.

Table 1: Main Security Issues Facing the Organizations by
(ENISA

B. Application Delivery Chain
Cloud based applications are based on complicated and
extended delivery chain, which involves, components that
cross the geographic organizational and boundaries. The
performance of the delivery chain can directly effect on
process on ecommerce companies. In this case, e-commerce
sellers are relinquishing control of end user experience.
When cloud service providers are unable to quickly provide
of these composite applications in the application delivery
chain, the end user will face difficulties in service retrieval.

Figure1: Application Delivery Chain

C. The cost of cloud break down
The failure in cloud services is highly affective. In April
2011, Amazon EC2 experienced an unexpected four
days outage in cloud services, which had affected
millions of end users, cost ecommerce companies and
online retailers incalculable revenue and damage in
brand [5]. Although the effected e-commerce companies
had a serious damage in their business and reputations,
this event did not violate Amazon services level
agreement because of the loose and unclear language of
the SLA. In this case, the ecommerce website visitors
won’t know and don’t care who’s at fault. Instead, user
will start blaming the e-commerce company. Thus, the
result is dissatisfaction from the e-commerce site visitors
that resulted to loss of customers and revenues.

III. RELATED WORK

There are many studies that had been conducted on the use
of SLA framework in cloud computing environment. Some
models proposed are in order to maintain the reliability
among cloud providers and consumers involved in the
negotiation process. Some studies focus on the revenue and
Quality of Services. In this study, some existing SLA
frameworks were reviewed and used to propose the B2C
ecommerce cloud SLA framework.

[9] proposed a mechanism to manage SLAs in a cloud
environment by using Web Service Level
Agreement(WSLA) framework ,which has been developed
for monitoring and enforcing SLA in a Service Oriented
Architecture (SOA).The proposed framework are for the
purpose in managing cloud consumer and provider SLAs
based on the WSLA specification, they argue that
consumers move toward adopting the Services-Oriented-
Architecture(SOA), which lead to the importance of the
service quality and reliability. The nature of consumer
demand makes the simple “measure and trigger” process is
hard. The main reason of using WSLA in this management
mechanism is because of the flexible architecture for
management SLAs between services provider and

577

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

consumers. The main problem of this framework is that it
does not support the whole SLA lifecycle. The other
problem of this framework is that the negotiation process
considered outside of the framework. [10] also used WSLA
which introduced by IBM to propose a framework for SLA
management in cloud computing environment. The
framework based on WSLA which provides SLA
negotiation language and framework management the
limitation of this framework is that it does not provide list of
appropriate parameters. Instead, it only mentioned the
Availability as an important parameter in the context.[11]
proposed a framework for cloud SLA management named
LoM2His, which is a subset of FoSII (Foundations of Self-
governing ICT Infrastructures) project[12].The framework
aims to map the low-level resource metrics to High-level
SLA parameters. The framework just supports the
monitoring and enforcement parts of the SLA lifecycle.

[13] proposed a conceptual framework for SLA in cloud
computing but it did not mention anything on SLA
framework management but only proposed the SLA
parameters in cloud environment. As [14] pointed out that
SLA attributes are different for the different of services
demnads. However, due to the lack of standardization of
SLA and no refferal is provided, it became difficult for
consumers to compare between the cloud service providers.
Hence, selecting the most reliable services provider
becomes a big challenge. [15] introduced a conceptual
platform of SLA in cloud computing. In this platform, they
proposed a Reputation System for evaluating the reliability
of providers, and also propose a SLA template pool in order
to make the SLA negotiation process between cloud
providers and cloud consumers more fair and transparent
services. Cloud provider can advertise their services in the
platform where the consumers can find the services which
meet their demands. The problems in this paltform is that is
under the cloud provider and the process of register the
cloud provider to advertise thir services seems impractical
in the real word systems. The table above concludes the
existing SLA frameworks thier components.

Table 2: Existing SLA farmework view of component in
SLA.

IV. DERIVATION OF CLOUD SLA PARAMETERS
AND OBJECTIVES

Service-level agreement (SLA) is a negotiated document
which describes the level of service expected by a customer
from a services provider based on metrics or policies by
which that services are measured and the remedies or
penalties, if any, should the agreed-upon levels not be
achieved[16]. SLA records the common understanding
about the services provided, responsibilities, priorities and
warranties[17]. The main goal of establishing services level
agreement had recently changed from being only financial
contract into a tool for managing the expectations of
customer [18]. However, to manage customer’s
expectations, it needs clear definition of services, suitable
measuring parameters and objectives to measure the level of
the services. In cloud computing environment, the computer
resources and infrastructures offered in a scalable way
where, the platform, software and infrastructure provided in
form of services, which can be accessed anytime, anywhere,
However, provisioning this paradigm of cloud services
required specific services level agreement.

The parameters used to measure and manage performance
compliance to SLA commitments are the key of successful
agreements and are a critical long term success factor[19].
However, most of cloud service providers focus only on
small set of parameters, namely Availability, request
completion rate and response time.[20] conducted a study to
break down the Cloud SLA into easy and understandable
components and compare the SLAs of the considered public

Framework Components in SLA lifecycle

Author Year

D
efinition

N
egotiation

D
eploym

ent

M
onitoring

M
anagem

ent

T
erm

ination

Patel & Ranabahu 2009

V. C. Emeakaroha, I.
Brandic & M. Maurer

2010

M. Alhamad, T. Dillon &
E. chang

2010

M. Wang, X. Wu, W.
Zhang & F. Ding

2011

M. Torkashvan & H.
Haghighi

2012

578

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

cloud provider. By comparing the SLA of Amazon,
Rackspace, Microsoft, Terremark vCloud Express and Stom
on demand, the study highlighted that none of those
providers offer nay performance guarantee for the services
nevertheless, none of the providers automatically credit the
consumer for SLA violation, consumer should detect the
SLA violation. The problems and unfulfilled expectations
during accomplishing the SLA are the result of , poor choice
of parameters[19].

TABLE 3: Deriving the main parameters for e-commerce
cloud SLA framework

In the context of ecommerce cloud, to alleviate the risks and
challenges mentioned in section 2, Table 3 identified the
most appropriate parameters which should emphasized
during the negotiation process between the cloud provider
and ecommerce consumer. The table describes the extracted
parameters for E-commerce cloud SLA, which can be used
for Managing and monitoring the Quality of services
delivered by cloud providers.

A. Objectives of parameters
1) Security :

a) Authenticity: trusting that the indicated identity of a
subject is true.

b) Data Integrity: is the impossible change or
deletion of data by unauthorized subjects.

c) Data Confidentiality: The access to data is given
only to authorized user, the unauthorized individuals are
denied to access confidential data.

d) Privacy: The ability of services to control sharing
personal information.

2) Performance :
a) Response time : The duration of time between

sending a request to a service and receiving a response from
the services back to the user.

b) Throughput : the amount of request which the
services can handle in certin time.

3) Reability :

a) Service Reliability : the service does operate
correctly with transactions preserving data integrity and if it
fails it reports failure to the user.

b) Message Reliability: the services typically
communicating with each other or with consumers through
messages.

V. E-COMMERCE CLOUD SLA FRAMEWORK
In this section we introduce our proposed SLA framework
for ecommerce cloud and how the it supports the whole
SLA lifecycle.

Figure 2: E-commerce cloud SLA framework.

Parameters Description Citations

Availability The uptime of the services for
the user in specific time

[20-21] [13]
[22] [23] [24]
[25]

Scalability Ability to increase and decrease
the storage space

[25] [22]

[13]

Portability the services working on
different devices or different
platforms

[25] [22] [13]

Performance The duration of time to respond
on user’s requests

[21] [24] [22]
[13] [20] [26]

Security The security of user data and the
safety of the environment in the
cloud

[21] [22] [13]

Reliability
Services ability to operate over
the time without failure

[25] [22] [13]

Usability
The ability of the service to be
attractive ,understandable,
learnable, operable

[22] [25] [13]

Backup&Recov
ery

How the Service store the image
of user data and the ability to
recover data in disaster.

[21] [13] [20]
[26]

Data location Availability zones in which the
data are stored

[13]

579

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

The framework supports the SLA life cycle; the SLA
lifecycle according to [27] consists of six components
(Definition, Negotiation, Deployment, Monitoring,
Management and Termination ) as shown in figure 3.

1. Definition

3. Deployment

4. Monitoring

5. Management

2. Negotiation6. Termination

Figure 3: SLA lifecycle

In this framework, step (1) a definition and negotiation
between cloud provider and e-commerce consumer, the
importance of this step is that the e-commerce consumer
provide the parameters with the objectives which should be
included in the SLA document to consider the end user
perspective. Then after the negotiation, SLA document will
be deployed in step (2); which covers monitoring, condition
evaluation and management. The measurement step (3) is
used to measure the runtime parameters of the provided
services. Based on the date provided from the measurement
services, condition evaluation in step (4) checks where the
parameters is over/equal/under the Services level
Objectives(SLO) which are defined for the SLA parameters.

Step (5) refers to the situation if there is violation in the
cloud services, the management services applies the suitable
action against this situation such as penalty or invoking
alternative services, based on what the SLA document
states. Step (6) represents the termination process between
the two sides. The framework bridges the gap of separating
the parameters from the main process of SLA framework,
and allow ecommerce cloud consumer to select the best
services provider, which can fulfill the requirements based
on the end user perspective.

VI. CONCLUSION AND FUTURE WORK
In conclusion, Services Level Agreement is an effective

way to ensure high quality of services provided. Considering
the end user perspective during conducting the SLA with
cloud with provider can provide holistic guarantee for e-
commerce cloud user to access and interact with cloud
services safely. In cloud computing, cloud consumer with
clear SLA parameters and good negotiations process can
trust and increase the reliability of cloud provider. In this
paper we have introduced SLA framework for the
ecommerce cloud, the framework covers the whole SLA
lifecycle with some extension and changes to fit the
ecommerce cloud. In addition, we have provided the most
appropriate parameters and objectives which should be
included in the SLA to consider the end user perspective. In
this stage of our research, we validated the proposed SLA
parameters and objectives of our framework. And as future
work, according to the agreed parameters we are going
design SLA document structure using XML language and we
will test the whole framework components.

REFERENCES

[1] P. Mell and T. Grance, “The NIST definition of cloud

computing (draft),” NIST special publication, vol. 800,
p. 7, 2011.

[2] H. Hanyan, “Research of E-commerce Security
Strategies Based on Cloud Computing Platform,” in
Green Communications and Networks. vol. 113, Y.
Yang and M. Ma, Eds., ed: Springer Netherlands,
2012, pp. 1487-1493.

[3] H. Motahari-Nezhad, et al., “Outsourcing Business to
Cloud Computing Services: Opportunities and
Challenges,” IEEE IT Professional, Special Issue on
Cloud Computing, vol. 11, 2009.

[4] N. Kshetri, “Cloud Computing in Developing
Economies,” Computer, vol. 43, pp. 47-55, 2010.

[5] C. Corporation. (2012, Building a Better E-Commerce
Experience – Is the Cloud Killing your Commerce.
compuware.com. [white papre ]. 3. Available:
http://video.tv18online.com/general/biztech/videos//w
hitepapers/March2012/IstheCloudKillingYourComme
rce

580

3rd International Conference on Research and Innovation in Information Systems – 2013 (ICRIIS’13)

[6] S. Pearson and A. Charlesworth, “Accountability as a
way forward for privacy protection in the cloud,” in
Cloud computing, ed: Springer, 2009, pp. 131-144.

[7] G. R. Gangadharan and D. Parrilli, “Service Level
Agreements in Cloud Computing: Perspectives of
Private Consumers and Small-to-Medium
Enterprises,” in Cloud Computing for Enterprise
Architectures, Z. Mahmood and R. Hill, Eds., ed:
Springer London, 2011, pp. 207-225.

[8] M. N. Bashir, et al., “Privacy in the cloud: going
beyond the contractarian paradigm,” presented at the
Proceedings of the 2011 Workshop on Governance of
Technology, Information, and Policies, Orlando,
Florida, 2011.

[9] P. Patel, et al., “Service level agreement in cloud
computing,” 2009.

[10] M. Torkashvan and H. Haghighi, “CSLAM: A
framework for cloud service level agreement
management based on WSLA,” in
Telecommunications (IST), 2012 Sixth International
Symposium on, 2012, pp. 577-585.

[11] V. C. Emeakaroha, et al., “Low level Metrics to High
level SLAs – LoM2HiS framework: Bridging the gap
between monitored metrics and SLA parameters in
cloud environments,” in High Performance
Computing and Simulation (HPCS), 2010
International Conference on, 2010, pp. 48-54.

[12] (2012, Foundation of Self-governing ICT
Infrastructures(FoSII)Available:
http://www.infosys.tuwien.ac.at/linksites/FOSII/index.
html

[13] M. Alhamad, et al., “Conceptual SLA framework for
cloud computing,” in Digital Ecosystems and
Technologies (DEST), 2010 4th IEEE International
Conference on, 2010, pp. 606-610.

[14] M. Rady, “Parameters for Service Level Agreements
Generation in Cloud Computing,” in Advances in
Conceptual Modeling. vol. 7518, S. Castano, et al.,
Eds., ed: Springer Berlin Heidelberg, 2012, pp. 13-22.

[15] M. Wang, et al., “A Conceptual Platform of SLA in
Cloud Computing,” in Dependable, Autonomic and
Secure Computing (DASC), 2011 IEEE Ninth
International Conference on, 2011, pp. 1131-1135.

[16] L. Greiner and L. G. Pau. (2009, 21-3). SLA
Definitions and Solutions. Available:
http://www.cio.com/article/128900/SLA_Definitions_
and_Solutions?page=1#what

[17] F. Zhu, et al., “A service level agreement framework
of cloud computing based on the Cloud Bank model,”
in Computer Science and Automation Engineering
(CSAE), 2012 IEEE International Conference on,
2012, pp. 255-259.

[18] J. Bouman, et al., “Specification of service level
agreements, clarifying concepts on the basis of
practical research,” in Software Technology and
Engineering Practice, 1999. STEP’99. Proceedings,
1999, pp. 169-178.

[19] A. Paschke and E. Schnappinger-Gerull, “A
Categorization Scheme for SLA Metrics,” Service
Oriented Electronic Commerce, vol. 80, pp. 25-40,
2006.

[20] S. A. Baset, “Cloud SLAs: present and future,” ACM
SIGOPS Operating Systems Review, vol. 46, pp. 57-
66, 2012.

[21] C. A. Ben Pring, William Maurer, Alexa Bona, “Best
Practices for Service-Level Agreements

for Software as a Service,” Gartner Stamford G00208699, 19
november 2010.

[22] M. Rady, “Parameters for Service Level Agreements
Generation in Cloud Computing,” in Advances in
Conceptual Modeling, ed: Springer, 2012, pp. 13-22.

[23] N. Ghosh and S. K. Ghosh, “An approach to identify
and monitor SLA parameters for storage-as-a-service
cloud delivery model,” in Globecom Workshops (GC
Wkshps), 2012 IEEE, 2012, pp. 724-729.

[24] T. Chauhan, et al., “Service level agreement parameter
matching in cloud computing,” in Information and
Communication Technologies (WICT), 2011 World
Congress on, 2011, pp. 564-570.

[25] G. Nie, et al., “Research on Service Level Agreement
in Cloud Computing,” in Advances in Electric and
Electronics, ed: Springer, 2012, pp. 39-43.

[26] S. Chakraborty and K. Roy, “An SLA-based
Framework for Estimating Trustworthiness of a
Cloud,” in Trust, Security and Privacy in Computing
and Communications (TrustCom), 2012 IEEE 11th
International Conference on, 2012, pp. 937-942.

[27] A. Keller and H. Ludwig, “The WSLA Framework:
Specifying and Monitoring Service Level Agreements
for Web Services,” Journal of Network and Systems
Management, vol. 11, pp. 57-81, 2003/03/01 2003.

581

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles false /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated \050SWOP\051 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Warning /CompatibilityLevel 1.4 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /LeaveColorUnchanged /DoThumbnails false /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize false /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo false /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts false /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /Arial-Black /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialUnicodeMS /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolSeven /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /ComicSansMS /ComicSansMS-Bold /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /EstrangeloEdessa /FranklinGothic-Medium /FranklinGothic-MediumItalic /Garamond /Garamond-Bold /Garamond-Italic /Gautami /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /Haettenschweiler /Impact /Kartika /Latha /LetterGothicMT /LetterGothicMT-Bold /LetterGothicMT-BoldOblique /LetterGothicMT-Oblique /LucidaConsole /LucidaSans /LucidaSans-Demi /LucidaSans-DemiItalic /LucidaSans-Italic /LucidaSansUnicode /Mangal-Regular /MicrosoftSansSerif /MonotypeCorsiva /MSReferenceSansSerif /MSReferenceSpecialty /MVBoli /PalatinoLinotype-Bold /PalatinoLinotype-BoldItalic /PalatinoLinotype-Italic /PalatinoLinotype-Roman /Raavi /Shruti /Sylfaen /SymbolMT /Tahoma /Tahoma-Bold /TimesNewRomanMT-ExtraBold /TimesNewRomanPS-BoldItalicMT /TimesNewRomanPS-BoldMT /TimesNewRomanPS-ItalicMT /TimesNewRomanPSMT /Trebuchet-BoldItalic /TrebuchetMS /TrebuchetMS-Bold /TrebuchetMS-Italic /Tunga-Regular /Verdana /Verdana-Bold /Verdana-BoldItalic /Verdana-Italic /Vrinda /Webdings /Wingdings2 /Wingdings3 /Wingdings-Regular /ZWAdobeF ] /NeverEmbed [ true ] /AntiAliasColorImages false /CropColorImages true /ColorImageMinResolution 200 /ColorImageMinResolutionPolicy /OK /DownsampleColorImages true /ColorImageDownsampleType /Bicubic /ColorImageResolution 300 /ColorImageDepth -1 /ColorImageMinDownsampleDepth 1 /ColorImageDownsampleThreshold 1.50000 /EncodeColorImages true /ColorImageFilter /DCTEncode /AutoFilterColorImages false /ColorImageAutoFilterStrategy /JPEG /ColorACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/ColorImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/JPEG2000ColorACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >>
/JPEG2000ColorImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >>
/AntiAliasGrayImages false
/CropGrayImages true
/GrayImageMinResolution 200
/GrayImageMinResolutionPolicy /OK
/DownsampleGrayImages true
/GrayImageDownsampleType /Bicubic
/GrayImageResolution 300
/GrayImageDepth -1
/GrayImageMinDownsampleDepth 2
/GrayImageDownsampleThreshold 1.50000
/EncodeGrayImages true
/GrayImageFilter /DCTEncode
/AutoFilterGrayImages false
/GrayImageAutoFilterStrategy /JPEG
/GrayACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/GrayImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/JPEG2000GrayACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >>
/JPEG2000GrayImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >>
/AntiAliasMonoImages false
/CropMonoImages true
/MonoImageMinResolution 400
/MonoImageMinResolutionPolicy /OK
/DownsampleMonoImages true
/MonoImageDownsampleType /Bicubic
/MonoImageResolution 600
/MonoImageDepth -1
/MonoImageDownsampleThreshold 1.50000
/EncodeMonoImages true
/MonoImageFilter /CCITTFaxEncode
/MonoImageDict << /K -1 >>
/AllowPSXObjects false
/CheckCompliance [
/None
]
/PDFX1aCheck false
/PDFX3Check false
/PDFXCompliantPDFOnly false
/PDFXNoTrimBoxError true
/PDFXTrimBoxToMediaBoxOffset [
0.00000
0.00000
0.00000
0.00000
]
/PDFXSetBleedBoxToMediaBox true
/PDFXBleedBoxToTrimBoxOffset [
0.00000
0.00000
0.00000
0.00000
]
/PDFXOutputIntentProfile (None)
/PDFXOutputConditionIdentifier ()
/PDFXOutputCondition ()
/PDFXRegistryName ()
/PDFXTrapped /False
/CreateJDFFile false
/Description << /CHS
/CHT
/DAN
/DEU
/ESP
/FRA
/ITA (Utilizzare queste impostazioni per creare documenti Adobe PDF adatti per visualizzare e stampare documenti aziendali in modo affidabile. I documenti PDF creati possono essere aperti con Acrobat e Adobe Reader 5.0 e versioni successive.)
/JPN
/KOR
/NLD (Gebruik deze instellingen om Adobe PDF-documenten te maken waarmee zakelijke documenten betrouwbaar kunnen worden weergegeven en afgedrukt. De gemaakte PDF-documenten kunnen worden geopend met Acrobat en Adobe Reader 5.0 en hoger.)
/NOR
/PTB
/SUO
/SVE
/ENU (Use these settings to create PDFs that match the “Required” settings for PDF Specification 4.01)
>>
>> setdistillerparams
<< /HWResolution [600 600] /PageSize [612.000 792.000] >> setpagedevice

TheImpacts of Service Quality and Customer

Satisfaction in the e-Commerce Context

Yong Lin, Jing Luo, Li Zhou, Petros Ieromonachou,
Lin Huang

The Business School
University of Greenwich

London, UK
Y.Lin@gre.ac.uk; J.Luo@gre.ac.uk; Li.Zhou@gre.ac.uk;
P.Ieromonachou@greenwich.ac.uk; L.Huang@gre.ac.uk

Shuqin Cai, Shihua Ma
School of Management

Huazhong University of Science & Technology
Wuhan, China

caishuqin@sina.com; shihuama@hust.edu.cn

Abstract—This paper aims to investigate the impacts of service
quality on customer satisfaction and loyalty in the e-commerce
context, in particular from a triad view of customer-e-retailer-
3PL (third party logistics) provider. A literature review is
primarily used to determine the conceptual model and to develop
the measurement scales. Data were collected through online
questionnaire survey conducted in China. Structural equation
modeling was used to analyze the collected data and test the
proposed research hypotheses. The results indicate that both e-
service quality and logistics service quality are strongly linked
with customer satisfaction. The research results shown that
practitioners (e-retailers) should not only focus on

e-service

quality, but also the logistics service quality. This research
validates the proposed service quality framework with two
dimensions (e-service quality and logistics service quality) in e-
commerce context. Second, it highlights the impact path of
service quality on customer satisfaction and loyalty.

Index Terms—Supply chain management, e-service quality,
logistics service quality, customer satisfaction, loyalty, e-
commerce.

I. INTRODUCTION
Along with the fast growth of Internet and its wide

application in business, online shopping has grown rapidly in
many countries [1]. Electronic commerce (e-commerce) brings
huge business opportunities (such as sale product and provide
service online) and revenue growth [2] to companies like e-
retailers, mainly due to its convenient, interactive, lower costs
and high degree of customization and personalization to their
customers [3]. However, even with the growing number of
customers for online shopping, e-commerce is proved to be
complicated and difficult more than traditional way of doing
business. Improving the service quality of electronic commerce
is regarded as one of the key factors leading to success or
failure [4].

During the past two decades, service quality in e-
commencer context is increasingly recognized as an effective
way of gaining and sustaining competitive advantages [5, 6],
and a key to customer satisfaction and loyalty [7, 8]. One
branch of past researches has focused on e-service quality [9,
10] due to the acceptance and usage of internet technologies in

commerce, which differs the interaction and exchange from the
traditional business. e-service quality is defined as “the extent
to which a Web site facilitates the efficient and effective
shopping, purchasing and delivery” [5].

However, this didn’t fully reflect the e-commerce
experience and the service quality perceived by customers.
From a process view, e-service is only the first part that
customer perceived during online shopping, covering search
and browser product information, and place order online. The
other important part is the logistics service [4], while
companies either deliver products to customer by themselves,
or outsource such service to third party logistics (3PL) provider
to accomplish the delivery. Logistics service quality is
regarded as an important key to create customer satisfaction
[11]. In a recent study, the data show that the most concerned
two issues of online shopping are actually logistics-related
problems, including long delivery time, the mismatch between
the received product and the product specification online [12].

As discussed above, in the context of logistics outsourcing,
the online shopping is happened within a service triad
consisting of e-retailer, customer, and 3PL provider (see Fig. 1),
not a dyad with only e-retailer and customer.

Fig. 1. Service triad of customer-e-retailer-3PL provider in e-commerce context

The perceived service quality of online shopping is much

more complicated due to several roles interacted with each
other in the service triad [13, 14]. The perceived service quality
from customer is not only decided by the e-service provided by
the e-retailer, but also the logistics service offered by 3PL
provider.

e-retailer Customer

3PL provider

e-service

Logistics service

978-1-4799-3134-7/14/$31.00 ©2014 IEEE

In order to better address the triad nature of the online
shopping (e-commerce) experience, this research aims to
propose a framework of service quality combing e-service
quality and logistics service quality, in particularly with a
triadic view in order to capture the complex dynamics in the
context of e-commerce [13, 15], and to investigate the
relationships between service quality and customer satisfaction
and customer loyalty.

This research makes two contributions. First, it validates
the proposed service quality framework with two dimensions
(e-service quality and logistics service quality) in e-commerce
context. Second, it highlights the impact path of service quality
on customer satisfaction and customer loyalty.

In the following sections, hypotheses related with service
quality and customer satisfaction/loyalty are developed through
a literature review. Then, results from the study that conducted
to test the research hypotheses are presented. Finally,
theoretical contribution and management implications are
discussed, and future research directions are proposed.

II. TTHEORETICAL FRAMEWORK AND HYPOTHESES

A. Service quality and customer satisfaction and loyalty
Service quality (SQ) has been an important research topic

in the marketing literature for some time beginning with the
conceptual model developed by [16]. The delivery of high SQ
strengthens corporate brands and excellence in the service
encounters [17], and contributes to consumer satisfaction.

In the e-commerce context, customer satisfaction is
normally defined as “the customers’ comparing applause of an
e-commerce enterprise, which causes the customers’ re-
purchase” [18], and it is proven to be positively related to
customer loyalty.

B. E-service quality
The quality of the online business service is considered to

be an important driver for the success of B2C e-commerce and
companies’ differentiation strategy [19], and it is normally
referred as electronic service quality (e-SQ) and defined as “the
extent to which a web site facilitates efficient and effective
shopping, purchasing, and delivery of products and services”
[6].

A considerable amount of research has been done on the
criteria that consumers used to evaluate e-SQ delivered through
the web site. These criteria range from web site design,
effectiveness and efficiency of online browse (information
availability and search), security issue, online purchase (order
transaction), and delivery of goods and services [20], mainly
focus on customers’ online experience and behaviors [21].

It is expected that e-service quality has positive impacts on
customer satisfaction and loyalty, hence there two hypothesis
are defined below.

H1: e-service quality directly and positively affects
customer satisfaction on e-services.

H2: Customer satisfaction on e-services directly and
positively affects customer loyalty on e-services.

C. Logistics service quality
Research on logistics service quality can be traced back to

1970s, but it is found that it is difficult to be measured,
particularly in an online shopping context.

In a B2C (business-to-customer) context, three dimensions
including availability of products, timeliness of delivery and
quality of delivery can be used to measure the physical
distribution service quality (PDSQ, [22]). Communication was
added as the fourth dimension emphasizing the importance of
order status information in improving SQ [23]. While in a
business-to-business (B2B) context, PDSQ can be evaluated
with three outcome dimensions: availability, timeliness and
condition [24]. The PDSQ framework was extended with
several other constructs, covering the ordering process and
receiving process [11].

This test will test whether logistics service quality has
positive effects on customer satisfaction and customer loyalty.

H3: Logistics service quality directly and positively affects
customer satisfaction on logistics services.

H4: Customer satisfaction on logistics services directly and
positively affects customer loyalty on logistics services.

D. Conceptual framework
From a view of the triad in the e-commerce context, the

perceived service quality of online shopping is defined with
two dimensions: e-service quality and logistics quality. This
research investigates how these two factors influences
customer satisfaction and loyalty. Figure 2 presents the
conceptual framework with the proposed hypotheses in this
research.

In order to fully understand the inter-relationship within the
service triad as described in Figure 1, the following hypotheses
are developed to test their interactions.

H1a: e-service quality directly and positively affects
customer satisfaction on logistics services.

H1b: e-service quality directly and positively affects
customer loyalty on e-services.

H1c: e-service quality directly and positively affects
customer loyalty on logistics services.

H2a: Customer satisfaction on e-services directly and
positively affects customer loyalty on logistics services.

H3a: Logistics service quality directly and positively
affects customer satisfaction on e-services.

H3b: Logistics service quality directly and positively
affects customer loyalty on e-services.

H3c: Logistics service quality directly and positively
affects customer loyalty on logistics services.

H4a: Customer satisfaction on logistics services directly
and positively affects customer satisfaction on e-services.

H4b: Customer satisfaction on logistics services directly
and positively affects customer loyalty on e-services.

H5: Customer loyalty on logistics services directly and
positively affects customer loyalty on e-services.

III. RESEARCH METHODOLOGY
A literature review was primarily used to determine the

conceptual model and to develop the measurement scales. Data
was collected through using the online questionnaire firstly
developed as English version and then translated into Chinese.
Structural equation modeling was used to data analysis.

A. Measurement Scales
E-service quality (ESQ) was measured by 5 constructs

mainly derived from [8]. Logistics service quality construct
was based on [11]. Customer satisfaction was measured by
items developed from [8, 11, 25]. Customer loyalty was
measured by items generated from [8]. Table I shows the list of
measurement constructs and items, and their detailed sources.

All construct items were measured on a seven-point Likert-
like scale, ranging from 1 (=strongly disagree) to 7 (=strongly
agree).

B. Data collection
A questionnaire was designed to measure service quality, to

evaluate the customer satisfaction and loyalty. The online
questionnaire link was sending out to contacts through QQ,
which is the most popular social networking tools in China.
And these contacts are also asked friendly to pass the
questionnaire link to their own contacts. As a result, total
number of requests and response rate are not calculated. In

total, 699 samples are collected. Table I shows the respondents
characteristics. Within 699 respondents, 495 are valid and
others are invalid due to uncompleted questions.

Why China was selected for this research is because, as the
second largest economy in the world, online shopping grows
very fast in China in last few years. The number of Internet
users in China has reached 618 million by the end of December
2014, of which the online shoppers amount to 302 million, and
this means a continuous growth rate of 24.7% comparing with
2012 [26]. Moreover, the total market transaction amount of
online shopping has hit 1.26 trillion Yuan (RMB) in 2012, with
a growth rate of 66.5% [12].

C. Reliability and validity
After data collection, a series of analyses were performed to

test the reliability and validity of the constructs based on the
sample of 495 respondents.

Reliability of the measurement scale is measured by
Cronbach’s α [27]. Cronbach’s α value for all four
measurement scales are all above 0.75, which shows good
reliability of the measurement scales.

Convergent validity is tested by evaluating whether the
individual scale item’s standardized coefficient is significant or
not, which means greater than twice its standard error [28]. As
presented in Table III, it reveals that coefficients for all items
greatly exceed twice their stand error. Such significance
provides evidence of convergent validity for the tested items.

In addition to convergent validity, to ensure adequacy of
the measurement model, discriminant validity should also be
evaluated to address the extent to which individual items
intended to measure one latent construct do not at the same
time to measure a different latent construct [29].

D. Structural equation modelling method
In this research, structural equation modeling [28] with

AMOS 20.0 is used to estimate the conceptual model as
described in Fig. 2, and the analysis is based on the sample of
495 respondents.

TABLE I. RESPONDENTS CHARACTERISTICS (BASES ON 699 SAMPLES)

(*Notes: RMB Yuan, during the data collection period, the exchange rate is
USD/CNY: 6.117(low)-6.196(high))

IV. EMPIRICAL ANALYSIS AND RESULTS

A. Hypotheses testing with structural model
Table II provides a summary of the goodness of fit statistics.

TABLE II. FIT STATISTICS OF STRUCTURAL MODEL
Fit statistics Overall fit measure

Notation Model value
Chi-square to degrees of

freedom x
2/d.f. 2.607 (x

2=3937.175;
d.f.=1510)

Root mean square error of
approximation RMSEA 0.053

Root mean square residual RMR 0.090
Goodness of fit index GFI 0.757

Normed fit index NFI 0.868
Comparative fit index CFI 0.914
Incremental fit index IFI 0.914

As shown in Table II, all the indices are with the

recommended range. In particular, with x2/df less than 3.0
suggested by [30], and RMSEA less than 0.08 according to
[31], the measurement model fits well.

As a measure for the goodness-of-fit, this research used
incremental fit index (IFI) and comparative fit index (CFI). The
IFI and CFI index values for the measurement models are both
0.914 (see Table II) suggesting an adequate fit [32].

The results of hypothesis test using the SEM technique are
shown in Table III.

TABLE III. TABLE V. RESULTS OF HYPOTHESIS TEST FOR STRUCTURAL
MODEL

Hypothesis Path Path coefficient S.E. C.R. p

H1 CSE←ESQ .620 .066 10.201 ***
H1a CSL←ESQ .202 .080 2.728 .006
H1b CLE←ESQ .089 .057 1.725 .085
H1c CLL←ESQ .092 .089 1.225 .221

H2 CLE←CSE .718 .063 12.813 ***
H2a CLL←CSE .527 .081 7.815 ***

H3 CSL←LSQ .400 .085 5.304 ***
H3a CSE←LSQ -.116 .069 -1.986 .047
H3b CLE←LSQ -.071 .050 -1.652 .098
H3c CLL←LSQ .098 .071 1.556 .120

H4 CLL←CSL .138 .067 2.667 .008
H4a CSE←CSL .416 .062 9.637 ***
H4b CLE←CSL -.071 .062 -1.959 .050

H5 CLE←CLL .293 .068 7.591 ***
(Notes: Significance level are denoted as *p<0.05, **p<0.01, ***p<0.001)

The findings for hypothesis H1 indicated that e-service

quality has positive impacts on customer satisfaction on e-
service. Moreover, this customer satisfaction on e-services
strongly leads to customer loyalty on the e-services as
hypothesis H2 is being accepted (ESQ CSE CLE).
Furthermore, customer satisfaction on e-services has a positive
link with customer loyalty with the logistics services as

Category Frequency Percent (%)
Gender Male 353 51%

Female 346 49%
Age <19 9 1.3%

20-29 473 67.7%

30-39 159 22.7%

40-49 39 5.6%

50-59 17 2.4%

60-69 2 0.3%
Monthly
average
amount of
online
shopping
(RMB*)

<50 97 14.16%

50-99 94 13.72%

100-199 149 21.75%
200-299 90 13.14%
300-399 67 9.78%
400-499 28 4.09%
>500 160 23.36%

Most-visited
website for
online
shopping

Amazon 36 5.26%

eBay 4 0.58%

Taobao 505 73.72%

Dangdang 26 3.8%

Jingdong 82 11.97%

Others 32 4.67%
Most-bought
product
category

Books 87 12.7%

Music/Games/Film 2 0.29%

Electronics 83 12.12%

Computer & Office 26 3.8%

Home/Garden/Pets 24 3.5%

Toys/Children/Baby 32 4.67%

Clothes/Shoes/Watches 351 51.24%

Sports/Outdoors 15 2.19%

Grocery/Health/Beauty 62 9.05%

DIY/Tools/Car 3 0.44%

indicated through the acceptance of hypothesis H2a. This also
means e-service quality will in-directly affect customer’s
loyalty on the selected logistics services (ESQ CSE CLL).

Since hypothesis H1b and H1c are both being rejected, that
means there a no direct affects between e-service quality and
customer loyalty on both e-service and logistics services.
However, e-service quality will in-directly impact on customer
loyalty on both e-services and logistics services via positive
customer satisfaction on e-services as discussed above.

However, hypothesis H1a is accepted, which means to
some extent, e-service quality has impact on customer
satisfaction with the logistics services. This is an unexpected
finding in this research. Furthermore, this indicated that it will
in-directly impact on customer loyalty with the logistics
services through the positive link between CSL and CLL as
indicated by the acceptance of hypothesis H4.
(ESQ CSL CLL)

As expected, the findings for H3 prove that logistics service
quality also has positive impacts on customer satisfaction on
logistics services, and this customer satisfaction will impact on
customer loyalty on the logistics services as hypothesis H4 is
being accepted (LSQ CSL CLL), but it is not as strong as
the customer satisfaction on e-service did on the customer
loyalty on the e-service.

However, same as the e-service quality, logistics service
quality has no positive impacts on customer satisfaction and
loyalty with the e-services as indicated through the rejection of
hypothesis H3a and H3b. Meanwhile, with the rejection of
hypothesis H3c, it indicated that logistics service quality has no
direct impacts on customer loyalty with the e-services. But
logistics service quality will impact on customer loyalty with
the logistics services through customer’s satisfaction on the
logistics service as discussed above.

As indicated by the rejection of hypothesis H4b, it means
customer satisfaction with the logistics services has no direct
impacts on customer’s loyalty with the e-services. However, it
will in-directly impacts on the customer loyalty with e-service
with the positive customer satisfaction on e-services
(CSL CSE CLE) as indicated by the acceptance of
hypothesis H4a. This also means logistics service quality will
in-directly influence customer’s loyalty on e-services via the
path of (LSQ CSL CSE CLE).

Another interesting finding is that, logistics service quality
also will impact on customer’s loyalty with the e-services
through the path of LSQ CSL CLL CLE due the
hypothesis H5 is being accepted.

V. CONCLUSION
This research has tested the inter-relationships among

service quality (including e-service quality and logistics service
quality), customer satisfaction (on both e-services and logistics
services), and customer loyalty (on both e-services and
logistics services).

For the contribution to the service quality field, this
research developed and verified a service quality framework
for e-commerce context, the research results have emphasized
that service quality should integrate two dimensions including

both e-service quality and logistics service quality. This is also
a contribution to practitioners.

For the contribution to practice, many e-commerce
companies, they have realized the importance of both e-
services and logistics services and its quality to their
profitability, which is coincide with our research results. And
in particular, they have started to develop their own logistics
strategies and either manage their logistics by themselves or
outsource it to professional third party logistics service
providers in order to improve customer satisfaction and loyalty
to their e-services to maintain high profitability. With the
verified path from the research results, both e-commerce
companies and logistics companies could find several effective
and efficient ways to improve customer satisfaction and loyalty
on their services

One of the limitation of this research is that, the survey is
conducted in China only, future data could be collected in other
countries to verify whether different cultural backgrounds will
impact the research results or not. Comparative studies with
results from different countries could be more interesting to
global companies in order to improve their global customers’
satisfaction and loyalty with their services.

REFERENCES
[1] J.W.J. Weltevreden, “B2c e-commerce logistics: the rise of

collection-and-delivery points in The Netherlands”,
International Journal of Retail & Distribution Management, Vol.
36 No. 8, pp. 638-660, 2008.

[2] A.J. Rohm and V. Swaminathan, “A typology of online
shoppers based on shopping motivations”, Journal of Business
Research, Vol. 57 No.7, pp.748-757, 2004.

[3] H. Park and S. Baek, “Measuring service quality of online
bookstores with WebQual”, Human-Computer Interaction. HCI
Applications and Services, Heidelberg: Springer, 2007, pp. 95-
103.

[4] Y. Yang, P. Humphreys, and R. McIvor, “Business service
quality in an e-commerce environment”, Supply Chain
Management: An International Journal, Vol. 11 No. 3, pp.195 –
201, 2006.

[5] V. Zeithaml, “Service excellence in electronic channels”,
Managing Service Quality, Vol. 12 No.3, pp.135-138, 2002.

[6] V. Zeithaml, A. Parasuraman, and A. Malhotra, “Service quality
delivery through web sites: a critical review of extant
knowledge”, Journal of the Academy of Marketing Science,
Vol. 30 No.4, pp.362-375, 2002.

[7] J. Gummerus, V. Liljander, M. Pura, and A. van Riel,
“Customer loyalty to content-based websites: the case of an
online health care service”, Journal of Services Marketing, Vol.
18 No.3, pp.175-86, 2004.

[8] D. Ribbink, A.C.R. van Riel, V. Liljander, and S. Streukens,
“Comfort your online customer: quality, trust and loyalty on the
internet”, Managing Service Quality, Vol. 14 No. 4, pp. 446-
456, 2004.

[9] S.D. Kurt and B. Atrek, “The classification and importance of
E-S-Qual quality attributes: an evaluation of online shoppers,
Managing Service Quality, Vol. 22 No. 6, pp. 622-637, 2012.

[10] I. Santouridis, P. Trivellas, and G. Tsimonis, “Using E-S-QUAL
to measure internet service quality of e-commerce web sites in

Greece”, International Journal of Quality and Service Sciences,
Vol. 4 No. 1, pp. 86-98, 2012.

[11] J.T. Mentzer, D.J. Flint, and T.M. Hult, “Logistics service
quality as a segment-customized process”, Journal of Marketing,
Vol. 65 No. 4, pp. 82-104, 2001.

[12] CNNIC, “Statistical Report on Online Shopping in China 2012”,
available at
http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/dzswbg/201304/t2013
0417_39290.htm, accessed 01-05-2013.

[13] T.Y. Choi and Z.H. Wu, “Taking the leap from dyads to triads:
Buyer-supplier relationships in supply networks”, Journal of
Purchasing & Supply Management, Vol. 15, pp. 263-266, 2009.

[14] Z.H. Wu, T.Y. Choi, and M.J. Rungtusanatham, “Supplier-
supplier relationships in buyer–supplier–supplier triads:
Implications for supplier performance”, Journal of Operations
Management, Vol. 28 No. 2, pp. 115-123, 2010.

[15] M.M. Wilhelm, “Managing coopetition through horizontal
supply chain relations: Linking dyadic and network levels of
analysis”, Journal of Operations Management, Vol. 29 No. 7-8,
pp. 663-676, 2011.

[16] A. Parasuraman, V.A. Zeithaml, and L.L. Berry, “A concept
model of service quality and its implications for future
research”, Journal of Marketing, Vol. 49, pp.41-50, 1985.

[17] A. Parasuraman, V.A. Zeithaml, and L.L. Berry, “SERVQUAL:
a multiple-item scale for measuring customer perceptions of
service quality”, Journal of Retailing, Vol. 64 pp. 420-450,
1988.

[18] R.E. Anderson and S.S. Srinivasan, “E-satisfaction and e-
loyalty: a contingency framework”, Psychology & Marketing,
Vol. 20 No.2, pp.123, 2003.

[19] J. Santos, “E-service quality: a model of virtual service quality
dimensions”, Managing Service Quality, Vol. 13 No. 3, pp. 233-
246, 2003.

[20] A. Parasuraman, V.A. Zeithaml, and A. Malhotra, “E-S-QUAL:
a multiple-item scale for assessing electronic service quality”,
Journal of Service Research, Vol. 7 No. 3, pp. 213-234, 2005.

[21] J. Rowley, “An analysis of the e-service literature: towards a
research agenda”, Internet Research, Vol. 16 No. 3, pp. 339-359,
2006.

[22] J.T. Mentzer, R. Gomes, and R.E. Krapfel, “Physical
distribution service: a fundamental marketing concept?”, Journal
of the Academy of Marketing Science, Vol. 17 No. 1, pp. 53-62,
1989.

[23] C.J. Emerson and C.M. Grimm, “Logistics and marketing
components of customer service: an empirical test of the
Mentzer, Gomes and Krapfel model”, International Journal of
Physical Distribution & Logistics Management, Vol. 26 No. 8,
pp. 29-42, 1996.

[24] C.C. Bienstock, J.T. Mentzer, and M.M. Bird, “Measuring
physical distribution service quality”, Journal of the Academy of
Marketing Science, Vol. 25 No. 1, pp. 31-44, 1997.

[25] I.G. Saura, D.S. Francés, G.B. Contrí, and M.F. Blasco,
“Logistics service quality: a new way to loyalty”, Industrial
Management & Data Systems, Vol. 108 No. 5, pp. 650-668,
2008.

[26] CNNIC, “Statistical Report on Internet Development in China,
the 33th Survey Report”, available at
http://www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201301/P020
140116509848228756 , accessed 28-01-2014.

[27] J.C. Nunnly, “Psychometric Methods”, NY: McGraw-Hill,
1978.

[28] J.C. Anderson and D.W. Gerbing, “Structural equation modeling
in practice: a review and recommended two-step approach”,
Psychological Bulletin, Vol. 103 No. 3, pp. 411-423, 1988.

[29] R.F. DeVellis, “Scale development: Theory and Applications”,
Newbury Park: SAGE Publications, 1991.

[30] R.P. Bagozzi and Y. Yi, “On the evaluation of structural
equation models”, Journal of Academy Marketing Science, Vol.
6 No. 1, pp. 54-78, 1998.

[31] M.W. Browne and R. Cudeck, “Alternative Ways of Assessing
Model Fit”, Newbury Park: Sage Publications, 1993.

[32] L. Hu and P.M. Bentler, “Cutoff criteria for fit indexs in
covariance structure analysis: conventional criteria versus new
alternatives”, Structural Equation Modeling, Vol. 6 No. 1, pp. 1-
55, 1999.

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles true /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated \050SWOP\051 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Error /CompatibilityLevel 1.7 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /LeaveColorUnchanged /DoThumbnails false /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize true /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo false /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts true /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /AbadiMT-CondensedLight /ACaslon-Italic /ACaslon-Regular /ACaslon-Semibold /ACaslon-SemiboldItalic /AdobeArabic-Bold /AdobeArabic-BoldItalic /AdobeArabic-Italic /AdobeArabic-Regular /AdobeHebrew-Bold /AdobeHebrew-BoldItalic /AdobeHebrew-Italic /AdobeHebrew-Regular /AdobeHeitiStd-Regular /AdobeMingStd-Light /AdobeMyungjoStd-Medium /AdobePiStd /AdobeSansMM /AdobeSerifMM /AdobeSongStd-Light /AdobeThai-Bold /AdobeThai-BoldItalic /AdobeThai-Italic /AdobeThai-Regular /AGaramond-Bold /AGaramond-BoldItalic /AGaramond-Italic /AGaramond-Regular /AGaramond-Semibold /AGaramond-SemiboldItalic /AgencyFB-Bold /AgencyFB-Reg /AGOldFace-Outline /AharoniBold /Algerian /Americana /Americana-ExtraBold /AndaleMono /AndaleMonoIPA /AngsanaNew /AngsanaNew-Bold /AngsanaNew-BoldItalic /AngsanaNew-Italic /AngsanaUPC /AngsanaUPC-Bold /AngsanaUPC-BoldItalic /AngsanaUPC-Italic /Anna /ArialAlternative /ArialAlternativeSymbol /Arial-Black /Arial-BlackItalic /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialMT-Black /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialRoundedMTBold /ArialUnicodeMS /ArrusBT-Bold /ArrusBT-BoldItalic /ArrusBT-Italic /ArrusBT-Roman /AvantGarde-Book /AvantGarde-BookOblique /AvantGarde-Demi /AvantGarde-DemiOblique /AvantGardeITCbyBT-Book /AvantGardeITCbyBT-BookOblique /BakerSignet /BankGothicBT-Medium /Barmeno-Bold /Barmeno-ExtraBold /Barmeno-Medium /Barmeno-Regular /Baskerville /BaskervilleBE-Italic /BaskervilleBE-Medium /BaskervilleBE-MediumItalic /BaskervilleBE-Regular /Baskerville-Bold /Baskerville-BoldItalic /Baskerville-Italic /BaskOldFace /Batang /BatangChe /Bauhaus93 /Bellevue /BellGothicStd-Black /BellGothicStd-Bold /BellGothicStd-Light /BellMT /BellMTBold /BellMTItalic /BerlingAntiqua-Bold /BerlingAntiqua-BoldItalic /BerlingAntiqua-Italic /BerlingAntiqua-Roman /BerlinSansFB-Bold /BerlinSansFBDemi-Bold /BerlinSansFB-Reg /BernardMT-Condensed /BernhardModernBT-Bold /BernhardModernBT-BoldItalic /BernhardModernBT-Italic /BernhardModernBT-Roman /BiffoMT /BinnerD /BinnerGothic /BlackadderITC-Regular /Blackoak /blex /blsy /Bodoni /Bodoni-Bold /Bodoni-BoldItalic /Bodoni-Italic /BodoniMT /BodoniMTBlack /BodoniMTBlack-Italic /BodoniMT-Bold /BodoniMT-BoldItalic /BodoniMTCondensed /BodoniMTCondensed-Bold /BodoniMTCondensed-BoldItalic /BodoniMTCondensed-Italic /BodoniMT-Italic /BodoniMTPosterCompressed /Bodoni-Poster /Bodoni-PosterCompressed /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /Bookman-Demi /Bookman-DemiItalic /Bookman-Light /Bookman-LightItalic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolOne-Regular /BookshelfSymbolSeven /BookshelfSymbolThree-Regular /BookshelfSymbolTwo-Regular /Botanical /Boton-Italic /Boton-Medium /Boton-MediumItalic /Boton-Regular /Boulevard /BradleyHandITC /Braggadocio /BritannicBold /Broadway /BrowalliaNew /BrowalliaNew-Bold /BrowalliaNew-BoldItalic /BrowalliaNew-Italic /BrowalliaUPC /BrowalliaUPC-Bold /BrowalliaUPC-BoldItalic /BrowalliaUPC-Italic /BrushScript /BrushScriptMT /CaflischScript-Bold /CaflischScript-Regular /Calibri /Calibri-Bold /Calibri-BoldItalic /Calibri-Italic /CalifornianFB-Bold /CalifornianFB-Italic /CalifornianFB-Reg /CalisMTBol /CalistoMT /CalistoMT-BoldItalic /CalistoMT-Italic /Cambria /Cambria-Bold /Cambria-BoldItalic /Cambria-Italic /CambriaMath /Candara /Candara-Bold /Candara-BoldItalic /Candara-Italic /Carta /CaslonOpenfaceBT-Regular /Castellar /CastellarMT /Centaur /Centaur-Italic /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchL-Bold /CenturySchL-BoldItal /CenturySchL-Ital /CenturySchL-Roma /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /CGTimes-Bold /CGTimes-BoldItalic /CGTimes-Italic /CGTimes-Regular /CharterBT-Bold /CharterBT-BoldItalic /CharterBT-Italic /CharterBT-Roman /CheltenhamITCbyBT-Bold /CheltenhamITCbyBT-BoldItalic /CheltenhamITCbyBT-Book /CheltenhamITCbyBT-BookItalic /Chiller-Regular /Cmb10 /CMB10 /Cmbsy10 /CMBSY10 /CMBSY5 /CMBSY6 /CMBSY7 /CMBSY8 /CMBSY9 /Cmbx10 /CMBX10 /Cmbx12 /CMBX12 /Cmbx5 /CMBX5 /Cmbx6 /CMBX6 /Cmbx7 /CMBX7 /Cmbx8 /CMBX8 /Cmbx9 /CMBX9 /Cmbxsl10 /CMBXSL10 /Cmbxti10 /CMBXTI10 /Cmcsc10 /CMCSC10 /Cmcsc8 /CMCSC8 /Cmcsc9 /CMCSC9 /Cmdunh10 /CMDUNH10 /Cmex10 /CMEX10 /CMEX7 /CMEX8 /CMEX9 /Cmff10 /CMFF10 /Cmfi10 /CMFI10 /Cmfib8 /CMFIB8 /Cminch /CMINCH /Cmitt10 /CMITT10 /Cmmi10 /CMMI10 /Cmmi12 /CMMI12 /Cmmi5 /CMMI5 /Cmmi6 /CMMI6 /Cmmi7 /CMMI7 /Cmmi8 /CMMI8 /Cmmi9 /CMMI9 /Cmmib10 /CMMIB10 /CMMIB5 /CMMIB6 /CMMIB7 /CMMIB8 /CMMIB9 /Cmr10 /CMR10 /Cmr12 /CMR12 /Cmr17 /CMR17 /Cmr5 /CMR5 /Cmr6 /CMR6 /Cmr7 /CMR7 /Cmr8 /CMR8 /Cmr9 /CMR9 /Cmsl10 /CMSL10 /Cmsl12 /CMSL12 /Cmsl8 /CMSL8 /Cmsl9 /CMSL9 /Cmsltt10 /CMSLTT10 /Cmss10 /CMSS10 /Cmss12 /CMSS12 /Cmss17 /CMSS17 /Cmss8 /CMSS8 /Cmss9 /CMSS9 /Cmssbx10 /CMSSBX10 /Cmssdc10 /CMSSDC10 /Cmssi10 /CMSSI10 /Cmssi12 /CMSSI12 /Cmssi17 /CMSSI17 /Cmssi8 /CMSSI8 /Cmssi9 /CMSSI9 /Cmssq8 /CMSSQ8 /Cmssqi8 /CMSSQI8 /Cmsy10 /CMSY10 /Cmsy5 /CMSY5 /Cmsy6 /CMSY6 /Cmsy7 /CMSY7 /Cmsy8 /CMSY8 /Cmsy9 /CMSY9 /Cmtcsc10 /CMTCSC10 /Cmtex10 /CMTEX10 /Cmtex8 /CMTEX8 /Cmtex9 /CMTEX9 /Cmti10 /CMTI10 /Cmti12 /CMTI12 /Cmti7 /CMTI7 /Cmti8 /CMTI8 /Cmti9 /CMTI9 /Cmtt10 /CMTT10 /Cmtt12 /CMTT12 /Cmtt8 /CMTT8 /Cmtt9 /CMTT9 /Cmu10 /CMU10 /Cmvtt10 /CMVTT10 /ColonnaMT /Colossalis-Bold /ComicSansMS /ComicSansMS-Bold /Consolas /Consolas-Bold /Consolas-BoldItalic /Consolas-Italic /Constantia /Constantia-Bold /Constantia-BoldItalic /Constantia-Italic /CooperBlack /CopperplateGothic-Bold /CopperplateGothic-Light /Copperplate-ThirtyThreeBC /Corbel /Corbel-Bold /Corbel-BoldItalic /Corbel-Italic /CordiaNew /CordiaNew-Bold /CordiaNew-BoldItalic /CordiaNew-Italic /CordiaUPC /CordiaUPC-Bold /CordiaUPC-BoldItalic /CordiaUPC-Italic /Courier /Courier-Bold /Courier-BoldOblique /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /Courier-Oblique /CourierStd /CourierStd-Bold /CourierStd-BoldOblique /CourierStd-Oblique /CourierX-Bold /CourierX-BoldOblique /CourierX-Oblique /CourierX-Regular /CreepyRegular /CurlzMT /David-Bold /David-Reg /DavidTransparent /Dcb10 /Dcbx10 /Dcbxsl10 /Dcbxti10 /Dccsc10 /Dcitt10 /Dcr10 /Desdemona /DilleniaUPC /DilleniaUPCBold /DilleniaUPCBoldItalic /DilleniaUPCItalic /Dingbats /DomCasual /Dotum /DotumChe /EdwardianScriptITC /Elephant-Italic /Elephant-Regular /EngraversGothicBT-Regular /EngraversMT /EraserDust /ErasITC-Bold /ErasITC-Demi /ErasITC-Light /ErasITC-Medium /ErieBlackPSMT /ErieLightPSMT /EriePSMT /EstrangeloEdessa /Euclid /Euclid-Bold /Euclid-BoldItalic /EuclidExtra /EuclidExtra-Bold /EuclidFraktur /EuclidFraktur-Bold /Euclid-Italic /EuclidMathOne /EuclidMathOne-Bold /EuclidMathTwo /EuclidMathTwo-Bold /EuclidSymbol /EuclidSymbol-Bold /EuclidSymbol-BoldItalic /EuclidSymbol-Italic /EucrosiaUPC /EucrosiaUPCBold /EucrosiaUPCBoldItalic /EucrosiaUPCItalic /EUEX10 /EUEX7 /EUEX8 /EUEX9 /EUFB10 /EUFB5 /EUFB7 /EUFM10 /EUFM5 /EUFM7 /EURB10 /EURB5 /EURB7 /EURM10 /EURM5 /EURM7 /EuroMono-Bold /EuroMono-BoldItalic /EuroMono-Italic /EuroMono-Regular /EuroSans-Bold /EuroSans-BoldItalic /EuroSans-Italic /EuroSans-Regular /EuroSerif-Bold /EuroSerif-BoldItalic /EuroSerif-Italic /EuroSerif-Regular /EuroSig /EUSB10 /EUSB5 /EUSB7 /EUSM10 /EUSM5 /EUSM7 /FelixTitlingMT /Fences /FencesPlain /FigaroMT /FixedMiriamTransparent /FootlightMTLight /Formata-Italic /Formata-Medium /Formata-MediumItalic /Formata-Regular /ForteMT /FranklinGothic-Book /FranklinGothic-BookItalic /FranklinGothic-Demi /FranklinGothic-DemiCond /FranklinGothic-DemiItalic /FranklinGothic-Heavy /FranklinGothic-HeavyItalic /FranklinGothicITCbyBT-Book /FranklinGothicITCbyBT-BookItal /FranklinGothicITCbyBT-Demi /FranklinGothicITCbyBT-DemiItal /FranklinGothic-Medium /FranklinGothic-MediumCond /FranklinGothic-MediumItalic /FrankRuehl /FreesiaUPC /FreesiaUPCBold /FreesiaUPCBoldItalic /FreesiaUPCItalic /FreestyleScript-Regular /FrenchScriptMT /Frutiger-Black /Frutiger-BlackCn /Frutiger-BlackItalic /Frutiger-Bold /Frutiger-BoldCn /Frutiger-BoldItalic /Frutiger-Cn /Frutiger-ExtraBlackCn /Frutiger-Italic /Frutiger-Light /Frutiger-LightCn /Frutiger-LightItalic /Frutiger-Roman /Frutiger-UltraBlack /Futura-Bold /Futura-BoldOblique /Futura-Book /Futura-BookOblique /FuturaBT-Bold /FuturaBT-BoldItalic /FuturaBT-Book /FuturaBT-BookItalic /FuturaBT-Medium /FuturaBT-MediumItalic /Futura-Light /Futura-LightOblique /GalliardITCbyBT-Bold /GalliardITCbyBT-BoldItalic /GalliardITCbyBT-Italic /GalliardITCbyBT-Roman /Garamond /Garamond-Bold /Garamond-BoldCondensed /Garamond-BoldCondensedItalic /Garamond-BoldItalic /Garamond-BookCondensed /Garamond-BookCondensedItalic /Garamond-Italic /Garamond-LightCondensed /Garamond-LightCondensedItalic /Gautami /GeometricSlab703BT-Light /GeometricSlab703BT-LightItalic /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /GeorgiaRef /Giddyup /Giddyup-Thangs /Gigi-Regular /GillSans /GillSans-Bold /GillSans-BoldItalic /GillSans-Condensed /GillSans-CondensedBold /GillSans-Italic /GillSans-Light /GillSans-LightItalic /GillSansMT /GillSansMT-Bold /GillSansMT-BoldItalic /GillSansMT-Condensed /GillSansMT-ExtraCondensedBold /GillSansMT-Italic /GillSans-UltraBold /GillSans-UltraBoldCondensed /GloucesterMT-ExtraCondensed /Gothic-Thirteen /GoudyOldStyleBT-Bold /GoudyOldStyleBT-BoldItalic /GoudyOldStyleBT-Italic /GoudyOldStyleBT-Roman /GoudyOldStyleT-Bold /GoudyOldStyleT-Italic /GoudyOldStyleT-Regular /GoudyStout /GoudyTextMT-LombardicCapitals /GSIDefaultSymbols /Gulim /GulimChe /Gungsuh /GungsuhChe /Haettenschweiler /HarlowSolid /Harrington /Helvetica /Helvetica-Black /Helvetica-BlackOblique /Helvetica-Bold /Helvetica-BoldOblique /Helvetica-Condensed /Helvetica-Condensed-Black /Helvetica-Condensed-BlackObl /Helvetica-Condensed-Bold /Helvetica-Condensed-BoldObl /Helvetica-Condensed-Light /Helvetica-Condensed-LightObl /Helvetica-Condensed-Oblique /Helvetica-Fraction /Helvetica-Narrow /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique /Helvetica-Narrow-Oblique /Helvetica-Oblique /HighTowerText-Italic /HighTowerText-Reg /Humanist521BT-BoldCondensed /Humanist521BT-Light /Humanist521BT-LightItalic /Humanist521BT-RomanCondensed /Imago-ExtraBold /Impact /ImprintMT-Shadow /InformalRoman-Regular /IrisUPC /IrisUPCBold /IrisUPCBoldItalic /IrisUPCItalic /Ironwood /ItcEras-Medium /ItcKabel-Bold /ItcKabel-Book /ItcKabel-Demi /ItcKabel-Medium /ItcKabel-Ultra /JasmineUPC /JasmineUPC-Bold /JasmineUPC-BoldItalic /JasmineUPC-Italic /JoannaMT /JoannaMT-Italic /Jokerman-Regular /JuiceITC-Regular /Kartika /Kaufmann /KaufmannBT-Bold /KaufmannBT-Regular /KidTYPEPaint /KinoMT /KodchiangUPC /KodchiangUPC-Bold /KodchiangUPC-BoldItalic /KodchiangUPC-Italic /KorinnaITCbyBT-Regular /KozGoProVI-Medium /KozMinProVI-Regular /KristenITC-Regular /KunstlerScript /Latha /LatinWide /LetterGothic /LetterGothic-Bold /LetterGothic-BoldOblique /LetterGothic-BoldSlanted /LetterGothicMT /LetterGothicMT-Bold /LetterGothicMT-BoldOblique /LetterGothicMT-Oblique /LetterGothic-Slanted /LetterGothicStd /LetterGothicStd-Bold /LetterGothicStd-BoldSlanted /LetterGothicStd-Slanted /LevenimMT /LevenimMTBold /LilyUPC /LilyUPCBold /LilyUPCBoldItalic /LilyUPCItalic /Lithos-Black /Lithos-Regular /LotusWPBox-Roman /LotusWPIcon-Roman /LotusWPIntA-Roman /LotusWPIntB-Roman /LotusWPType-Roman /LucidaBright /LucidaBright-Demi /LucidaBright-DemiItalic /LucidaBright-Italic /LucidaCalligraphy-Italic /LucidaConsole /LucidaFax /LucidaFax-Demi /LucidaFax-DemiItalic /LucidaFax-Italic /LucidaHandwriting-Italic /LucidaSans /LucidaSans-Demi /LucidaSans-DemiItalic /LucidaSans-Italic /LucidaSans-Typewriter /LucidaSans-TypewriterBold /LucidaSans-TypewriterBoldOblique /LucidaSans-TypewriterOblique /LucidaSansUnicode /Lydian /Magneto-Bold /MaiandraGD-Regular /Mangal-Regular /Map-Symbols /MathA /MathB /MathC /Mathematica1 /Mathematica1-Bold /Mathematica1Mono /Mathematica1Mono-Bold /Mathematica2 /Mathematica2-Bold /Mathematica2Mono /Mathematica2Mono-Bold /Mathematica3 /Mathematica3-Bold /Mathematica3Mono /Mathematica3Mono-Bold /Mathematica4 /Mathematica4-Bold /Mathematica4Mono /Mathematica4Mono-Bold /Mathematica5 /Mathematica5-Bold /Mathematica5Mono /Mathematica5Mono-Bold /Mathematica6 /Mathematica6Bold /Mathematica6Mono /Mathematica6MonoBold /Mathematica7 /Mathematica7Bold /Mathematica7Mono /Mathematica7MonoBold /MatisseITC-Regular /MaturaMTScriptCapitals /Mesquite /Mezz-Black /Mezz-Regular /MICR /MicrosoftSansSerif /MingLiU /Minion-BoldCondensed /Minion-BoldCondensedItalic /Minion-Condensed /Minion-CondensedItalic /Minion-Ornaments /MinionPro-Bold /MinionPro-BoldIt /MinionPro-It /MinionPro-Regular /MinionPro-Semibold /MinionPro-SemiboldIt /Miriam /MiriamFixed /MiriamTransparent /Mistral /Modern-Regular /MonotypeCorsiva /MonotypeSorts /MSAM10 /MSAM5 /MSAM6 /MSAM7 /MSAM8 /MSAM9 /MSBM10 /MSBM5 /MSBM6 /MSBM7 /MSBM8 /MSBM9 /MS-Gothic /MSHei /MSLineDrawPSMT /MS-Mincho /MSOutlook /MS-PGothic /MS-PMincho /MSReference1 /MSReference2 /MSReferenceSansSerif /MSReferenceSansSerif-Bold /MSReferenceSansSerif-BoldItalic /MSReferenceSansSerif-Italic /MSReferenceSerif /MSReferenceSerif-Bold /MSReferenceSerif-BoldItalic /MSReferenceSerif-Italic /MSReferenceSpecialty /MSSong /MS-UIGothic /MT-Extra /MT-Symbol /MT-Symbol-Italic /MVBoli /Myriad-Bold /Myriad-BoldItalic /Myriad-Italic /MyriadPro-Black /MyriadPro-BlackIt /MyriadPro-Bold /MyriadPro-BoldIt /MyriadPro-It /MyriadPro-Light /MyriadPro-LightIt /MyriadPro-Regular /MyriadPro-Semibold /MyriadPro-SemiboldIt /Myriad-Roman /Narkisim /NewCenturySchlbk-Bold /NewCenturySchlbk-BoldItalic /NewCenturySchlbk-Italic /NewCenturySchlbk-Roman /NewMilleniumSchlbk-BoldItalicSH /NewsGothic /NewsGothic-Bold /NewsGothicBT-Bold /NewsGothicBT-BoldItalic /NewsGothicBT-Italic /NewsGothicBT-Roman /NewsGothic-Condensed /NewsGothic-Italic /NewsGothicMT /NewsGothicMT-Bold /NewsGothicMT-Italic /NiagaraEngraved-Reg /NiagaraSolid-Reg /NimbusMonL-Bold /NimbusMonL-BoldObli /NimbusMonL-Regu /NimbusMonL-ReguObli /NimbusRomDGR-Bold /NimbusRomDGR-BoldItal /NimbusRomDGR-Regu /NimbusRomDGR-ReguItal /NimbusRomNo9L-Medi /NimbusRomNo9L-MediItal /NimbusRomNo9L-Regu /NimbusRomNo9L-ReguItal /NimbusSanL-Bold /NimbusSanL-BoldCond /NimbusSanL-BoldCondItal /NimbusSanL-BoldItal /NimbusSanL-Regu /NimbusSanL-ReguCond /NimbusSanL-ReguCondItal /NimbusSanL-ReguItal /Nimrod /Nimrod-Bold /Nimrod-BoldItalic /Nimrod-Italic /NSimSun /Nueva-BoldExtended /Nueva-BoldExtendedItalic /Nueva-Italic /Nueva-Roman /NuptialScript /OCRA /OCRA-Alternate /OCRAExtended /OCRB /OCRB-Alternate /OfficinaSans-Bold /OfficinaSans-BoldItalic /OfficinaSans-Book /OfficinaSans-BookItalic /OfficinaSerif-Bold /OfficinaSerif-BoldItalic /OfficinaSerif-Book /OfficinaSerif-BookItalic /OldEnglishTextMT /Onyx /OnyxBT-Regular /OzHandicraftBT-Roman /PalaceScriptMT /Palatino-Bold /Palatino-BoldItalic /Palatino-Italic /PalatinoLinotype-Bold /PalatinoLinotype-BoldItalic /PalatinoLinotype-Italic /PalatinoLinotype-Roman /Palatino-Roman /PapyrusPlain /Papyrus-Regular /Parchment-Regular /Parisian /ParkAvenue /Penumbra-SemiboldFlare /Penumbra-SemiboldSans /Penumbra-SemiboldSerif /PepitaMT /Perpetua /Perpetua-Bold /Perpetua-BoldItalic /Perpetua-Italic /PerpetuaTitlingMT-Bold /PerpetuaTitlingMT-Light /PhotinaCasualBlack /Playbill /PMingLiU /Poetica-SuppOrnaments /PoorRichard-Regular /PopplLaudatio-Italic /PopplLaudatio-Medium /PopplLaudatio-MediumItalic /PopplLaudatio-Regular /PrestigeElite /Pristina-Regular /PTBarnumBT-Regular /Raavi /RageItalic /Ravie /RefSpecialty /Ribbon131BT-Bold /Rockwell /Rockwell-Bold /Rockwell-BoldItalic /Rockwell-Condensed /Rockwell-CondensedBold /Rockwell-ExtraBold /Rockwell-Italic /Rockwell-Light /Rockwell-LightItalic /Rod /RodTransparent /RunicMT-Condensed /Sanvito-Light /Sanvito-Roman /ScriptC /ScriptMTBold /SegoeUI /SegoeUI-Bold /SegoeUI-BoldItalic /SegoeUI-Italic /Serpentine-BoldOblique /ShelleyVolanteBT-Regular /ShowcardGothic-Reg /Shruti /SimHei /SimSun /SimSun-PUA /SnapITC-Regular /StandardSymL /Stencil /StoneSans /StoneSans-Bold /StoneSans-BoldItalic /StoneSans-Italic /StoneSans-Semibold /StoneSans-SemiboldItalic /Stop /Swiss721BT-BlackExtended /Sylfaen /Symbol /SymbolMT /Tahoma /Tahoma-Bold /Tci1 /Tci1Bold /Tci1BoldItalic /Tci1Italic /Tci2 /Tci2Bold /Tci2BoldItalic /Tci2Italic /Tci3 /Tci3Bold /Tci3BoldItalic /Tci3Italic /Tci4 /Tci4Bold /Tci4BoldItalic /Tci4Italic /TechnicalItalic /TechnicalPlain /Tekton /Tekton-Bold /TektonMM /Tempo-HeavyCondensed /Tempo-HeavyCondensedItalic /TempusSansITC /Times-Bold /Times-BoldItalic /Times-BoldItalicOsF /Times-BoldSC /Times-ExtraBold /Times-Italic /Times-ItalicOsF /TimesNewRomanMT-ExtraBold /TimesNewRomanPS-BoldItalicMT /TimesNewRomanPS-BoldMT /TimesNewRomanPS-ItalicMT /TimesNewRomanPSMT /Times-Roman /Times-RomanSC /Trajan-Bold /Trebuchet-BoldItalic /TrebuchetMS /TrebuchetMS-Bold /TrebuchetMS-Italic /Tunga-Regular /TwCenMT-Bold /TwCenMT-BoldItalic /TwCenMT-Condensed /TwCenMT-CondensedBold /TwCenMT-CondensedExtraBold /TwCenMT-CondensedMedium /TwCenMT-Italic /TwCenMT-Regular /Univers-Bold /Univers-BoldItalic /UniversCondensed-Bold /UniversCondensed-BoldItalic /UniversCondensed-Medium /UniversCondensed-MediumItalic /Univers-Medium /Univers-MediumItalic /URWBookmanL-DemiBold /URWBookmanL-DemiBoldItal /URWBookmanL-Ligh /URWBookmanL-LighItal /URWChanceryL-MediItal /URWGothicL-Book /URWGothicL-BookObli /URWGothicL-Demi /URWGothicL-DemiObli /URWPalladioL-Bold /URWPalladioL-BoldItal /URWPalladioL-Ital /URWPalladioL-Roma /USPSBarCode /VAGRounded-Black /VAGRounded-Bold /VAGRounded-Light /VAGRounded-Thin /Verdana /Verdana-Bold /Verdana-BoldItalic /Verdana-Italic /VerdanaRef /VinerHandITC /Viva-BoldExtraExtended /Vivaldii /Viva-LightCondensed /Viva-Regular /VladimirScript /Vrinda /Webdings /Westminster /Willow /Wingdings2 /Wingdings3 /Wingdings-Regular /WNCYB10 /WNCYI10 /WNCYR10 /WNCYSC10 /WNCYSS10 /WoodtypeOrnaments-One /WoodtypeOrnaments-Two /WP-ArabicScriptSihafa /WP-ArabicSihafa /WP-BoxDrawing /WP-CyrillicA /WP-CyrillicB /WP-GreekCentury /WP-GreekCourier /WP-GreekHelve /WP-HebrewDavid /WP-IconicSymbolsA /WP-IconicSymbolsB /WP-Japanese /WP-MathA /WP-MathB /WP-MathExtendedA /WP-MathExtendedB /WP-MultinationalAHelve /WP-MultinationalARoman /WP-MultinationalBCourier /WP-MultinationalBHelve /WP-MultinationalBRoman /WP-MultinationalCourier /WP-Phonetic /WPTypographicSymbols /XYATIP10 /XYBSQL10 /XYBTIP10 /XYCIRC10 /XYCMAT10 /XYCMBT10 /XYDASH10 /XYEUAT10 /XYEUBT10 /ZapfChancery-MediumItalic /ZapfDingbats /ZapfHumanist601BT-Bold /ZapfHumanist601BT-BoldItalic /ZapfHumanist601BT-Demi /ZapfHumanist601BT-DemiItalic /ZapfHumanist601BT-Italic /ZapfHumanist601BT-Roman /ZWAdobeF ] /NeverEmbed [ true ] /AntiAliasColorImages false /CropColorImages true /ColorImageMinResolution 200 /ColorImageMinResolutionPolicy /OK /DownsampleColorImages true /ColorImageDownsampleType /Bicubic /ColorImageResolution 300 /ColorImageDepth -1 /ColorImageMinDownsampleDepth 1 /ColorImageDownsampleThreshold 2.00333 /EncodeColorImages true /ColorImageFilter /DCTEncode /AutoFilterColorImages true /ColorImageAutoFilterStrategy /JPEG /ColorACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/ColorImageDict << /QFactor 1.30 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/JPEG2000ColorACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 10 >>
/JPEG2000ColorImageDict << /TileWidth 256 /TileHeight 256 /Quality 10 >>
/AntiAliasGrayImages false
/CropGrayImages true
/GrayImageMinResolution 200
/GrayImageMinResolutionPolicy /OK
/DownsampleGrayImages true
/GrayImageDownsampleType /Bicubic
/GrayImageResolution 300
/GrayImageDepth -1
/GrayImageMinDownsampleDepth 2
/GrayImageDownsampleThreshold 2.00333
/EncodeGrayImages true
/GrayImageFilter /DCTEncode
/AutoFilterGrayImages true
/GrayImageAutoFilterStrategy /JPEG
/GrayACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/GrayImageDict << /QFactor 1.30 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >>
/JPEG2000GrayACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 10 >>
/JPEG2000GrayImageDict << /TileWidth 256 /TileHeight 256 /Quality 10 >>
/AntiAliasMonoImages false
/CropMonoImages true
/MonoImageMinResolution 400
/MonoImageMinResolutionPolicy /OK
/DownsampleMonoImages true
/MonoImageDownsampleType /Bicubic
/MonoImageResolution 600
/MonoImageDepth -1
/MonoImageDownsampleThreshold 1.00167
/EncodeMonoImages true
/MonoImageFilter /CCITTFaxEncode
/MonoImageDict << /K -1 >>
/AllowPSXObjects false
/CheckCompliance [
/None
]
/PDFX1aCheck false
/PDFX3Check false
/PDFXCompliantPDFOnly false
/PDFXNoTrimBoxError true
/PDFXTrimBoxToMediaBoxOffset [
0.00000
0.00000
0.00000
0.00000
]
/PDFXSetBleedBoxToMediaBox true
/PDFXBleedBoxToTrimBoxOffset [
0.00000
0.00000
0.00000
0.00000
]
/PDFXOutputIntentProfile (None)
/PDFXOutputConditionIdentifier ()
/PDFXOutputCondition ()
/PDFXRegistryName ()
/PDFXTrapped /False
/CreateJDFFile false
/Description << /ARA
/BGR
/CHS
/CHT
/CZE
/DAN
/DEU
/ESP
/ETI
/FRA
/GRE
/HEB
/HRV
/HUN
/ITA
/JPN
/KOR
/LTH
/LVI
/NLD (Gebruik deze instellingen om Adobe PDF-documenten te maken die zijn geoptimaliseerd voor weergave op een beeldscherm, e-mail en internet. De gemaakte PDF-documenten kunnen worden geopend met Acrobat en Adobe Reader 5.0 en hoger.)
/NOR
/POL
/PTB
/RUM
/RUS
/SKY
/SLV
/SUO
/SVE
/TUR
/UKR
/ENU (Use these settings to create Adobe PDF documents best suited for on-screen display, e-mail, and the Internet. Created PDF documents can be opened with Acrobat and Adobe Reader 5.0 and later.)
>>
/Namespace [
(Adobe)
(Common)
(1.0)
]
/OtherNamespaces [
<< /AsReaderSpreads false /CropImagesToFrames true /ErrorControl /WarnAndContinue /FlattenerIgnoreSpreadOverrides false /IncludeGuidesGrids false /IncludeNonPrinting false /IncludeSlug false /Namespace [ (Adobe) (InDesign) (4.0) ] /OmitPlacedBitmaps false /OmitPlacedEPS false /OmitPlacedPDF false /SimulateOverprint /Legacy >>
<< /AddBleedMarks false /AddColorBars false /AddCropMarks false /AddPageInfo false /AddRegMarks false /ConvertColors /ConvertToRGB /DestinationProfileName (sRGB IEC61966-2.1) /DestinationProfileSelector /UseName /Downsample16BitImages true /FlattenerPreset << /PresetSelector /MediumResolution >>
/FormElements false
/GenerateStructure false
/IncludeBookmarks false
/IncludeHyperlinks false
/IncludeInteractive false
/IncludeLayers false
/IncludeProfiles true
/MultimediaHandling /UseObjectSettings
/Namespace [
(Adobe)
(CreativeSuite)
(2.0)
]
/PDFXOutputIntentProfileSelector /NA
/PreserveEditing false
/UntaggedCMYKHandling /UseDocumentProfile
/UntaggedRGBHandling /UseDocumentProfile
/UseDocumentBleed false
>>
]
>> setdistillerparams
<< /HWResolution [600 600] /PageSize [612.000 792.000] >> setpagedevice

Managing the dynamics of e/mCommerce

with a hierarchical overlapping

Business-Value-Framework

Andreas Rusnjak
Business Information Technology

Christian-Albrechts-Universität zu Kiel
Kiel, Germany

aru@informatik.uni-kiel.de

Hristomir Hristov
Business Economics

Christian-Albrechts-Universität zu Kiel
Kiel, Germany

hristochris@yahoo.com

Marwane El Kharbili
Model Driven Engineering
Université du Luxembourg
Luxembourg, Luxemburg

marwane.elkharbili@uni.lu

Andreas Speck
Business Information Technology

Christian-Albrechts-Universität zu Kiel
Kiel, Germany

aspe@informatik.uni-kiel.de

Abstract: Many e/mCommerce-Projects are failing because of
insufficient planning, poor management, conflicting ideals and
objectives between all involved stakeholders. In order to deal
with these conflicts, we need to manage these projects using easily
understandable business values over all hierarchical levels of
enterprises, in agile fashion. In our framework, business values
provide support for goal- and value-based eCommerce software
development. Due to the fact that there’s little to no empirical
research in eCommerce Business Value, this work is showing an
approach to a Business Value Framework which enables better
prioritization over multiple business domains, an enhanced focus
on strategic goals and a better understanding of market needs.

Keywords: Business Value, Project Management, eCommerce,
Website-Engineering

I. INTRODUCTION
A majority of innovative business models are technology-

driven. The customers in digital markets are predominantly
accessing companies via software-interfaces, e.g. a website.
Because of this and due to changing consumer behavior, a
technology- and innovation-orientation as well as an efficient
Project- Management (PM) are becoming more and more im-
portant as a critical success factor (CSF) for e/mCommerce
companies. Rusnjak & El Kharbili [1] state that CSFs “are
elements, determinants or conditions which are having a deci-
sive influence to success of entrepreneurial actions” and creat-
ing competitive advantages. [1; 2]

Usually eCommerce-Websites are representing a frame-
work for the realization of all electronic commerce activities of
a company in the WWW. They are an automated part of the
whole information system “company” to create and sell goods
and services. Nearly the whole turnover of eCommerce-based
business models is realized over information systems.

Beyond this, a website is an instrument for marketing, for
(e.g. legal) information, communication and processes. There-
fore it is a complex system and requires a Website-Engineering
in form of situation analysis, strategic goal setting, modeling
and implementation [5]. Besides hard- und software require-
ments Website-Engineering needs to focus also on findings in
marketing, communication design, graphic design, desktop
publishing, typography and multimedia science with a specific
significance given to external influences, high (speed of) adap-
tability to changing markets, actual information and integration
of different disciplines [8]. The application of Business Values,
e.g. used in agile software development, is an attempt to deal
with these different focuses. Business Value refers to any
measures of worth of a business entity [12].

This paper introduces the development of a new framework
for Business Value and shows a first approach for discussion.
Based on a literature review and interviews with (project) man-
agers it explains the usage of a capacious Business Value
which includes the findings mentioned before.

II. SITUATING THE PROBLEM
Project Management (PM) has become very important for

every possible way of modern corporate landscape but it’s not a
perfect process by itself. McLaughlin (2009) is showing in his
case study [7] typical problems causing the failure of eBusi-
ness-Projects. The problems were ambiguous objectives, unrea-
listic goals, unclear references to strategy, poor communication
and an insufficient leadership. In addition, concerned stake-
holders were not involved in the formulation of requirements
and not involved during the realization. The project was mostly
driven by technical employees without any exact knowledge of
the real requirements of the stakeholders/ market.

2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops

978-0-7695-4019-1/10 $26.00 © 2010 IEEE

DOI 10.1109/WAINA.2010.23

461

After three years with significant investments the project
was stopped without any result, and neither delivered compo-
nents nor clear dates for deployment. Remarkably, selling
complex technology-based business solutions was the core
business of the researched company. [7]

The reasons for the failure of eCommerce-Projects are vari-
ous. Both empirical experiences as well as scientific work are
showing that most of the reasons are insufficient planning
(time, costs, and resources), poor management and different
ideals and goals of the involved stakeholders. In order to suc-
cessfully manage eCommerce-Projects all stakeholders need to
understand the vision of the project, the strategic goals, the
ideals and the objectives of all concerned parties. Top-
Management-Support is a key factor for a successful realiza-
tion of eCommerce-Projects or implementation of eCommerce-
Systems. It helps to emphasize the need for technology or in-
novation and obtain strong commitment from all involved
parties in the project. If top management doesn’t provide a clear
direction or vision, involved stakeholders may get confused
and projects will fail [8; 9].

An important application for prioritization, project transpa-
rency and performance measurement is necessary to manage
the dynamics of e/mCommerce regarding to all involved stake-
holder.

III. BUSINESS VALUE
Mahmood et al. [4] state that there’s “little or no empirical

research in ecommerce business value, but some related con-
cepts already identified include business value; e-commerce
impact; and e-commerce businesses success and failure. We
drew useful insights from IT business value and other related
literature. There are studies on factors contributing to IT sys-
tems success or failure”. We agree on this point and want to
roughly describe this point way as a base for later discussion.
Defining Business Value seems to be a difficult task. In order
to do it adequately, it is imperative that one appreciates the
variety and complexity of factors that determine Business
Value and those that influence it at every hierarchical level
within an organization.

Williams & Williams (2003) define Business Value (of an
investment) in economic terms as “the net present value of the
after-tax cash flows associated with the investment” [10]. Matts
& Pols (2004) identify a possible creation of Business Value
from a certain project when “it increases or protects profit,
cash flow or return on investment in alignment with the com-
pany’s strategy” [11]. Tosic et al. (2007) recognise the Busi-
ness Value as “a broad concept that refers to any measures of
worth of business entity. It includes not only financial aspects
(e.g., income, costs, profit) but also many other aspects (e.g.,
market share, customer satisfaction) important for business
operations” [12].

The meaning of Business Value, depending on one’s per-
spective, spreads out into different dimensions of both tangible
and intangible values with structural significance to the differ-
ent stakeholders. Its implementation requires both financial
assets and human resources that can guarantee its achievement
and steer it in the right direction.

Business Value should be described as a model, rather than
a single statement or (just) a number. Considering the fact that
the Business Value of an organisation depends on numerous
influences, e.g. the level of information or environmental issues
that are dynamic in their nature, it would be easier for man-
agement to deal with a model that has assumptions, input and
output, instead of using some prognosticated statements. Possi-
ble determinants for success of eCommerce and part of Busi-
ness Value are performance, productivity and perception (e.g.
companies image and customer satisfaction).

Performance is measured by financial indicators (hard fac-
tors) like return on investment, return on equity, return on
sales, growth in revenue, etc. and productivity in sales to total
assets, total sales and sales by employee, etc. The perception
can be expressed by soft factors like company image as well as
customer satisfaction, product-service-innovation and number
of returned customers. Finally Business Value is understanda-
ble as an integrative parameter, expressing the relationship
between strategy, organizational performance and ICT via hard
factors (e.g. financial power, turnover, etc.) and soft factors
(e.g. market position, image, etc.). [4]

IV. BUSINESS-VALUE-FRAMEWORK (CET-MODEL)
“When designing an e-business, practitioners must pay at-

tention to creating a Web site that is visually attractive and
easily navigable. Practitioners must also focus on online sys-
tem quality and effectiveness. Attention must be paid beyond
online system components, toward establishing relationships
and networks that endure and thus provide real and sustainable
competitive advantage” [4].

This section describes a model to deal with the dynamics of
e/mCommerce and a short case about the proposition of a new
eCommerce-project in a small and medium-sized enterprise
(SME). To keep it anonymous we call it “Blue Travel” (BT).
The approach of the model (CET = Company – Environment –
Technology), which is presented in this paper, is based on the
work about “Website Engineering” of Schwickert [5] and Win-
ter et al. [6]. In relation to this model we classify the drivers of
Business Value over three domains into three basic dimen-
sions: Company, Environment and Technology. The hierar-
chical levels “Strategy”, “Tactics” and “Operation” are used as
domains.

Figure 1. CET-Model

462

Every Domain is having its special focus, named “Dimen-
sion” with own ideals, goals (general intentions) and precise
objectives. Dimensions are primary fields for decisions and
responsibility of domains. Therefore there is an own under-
standing of Value and priority on every domain, like a Busi-
ness Value but in this case named Domain Value (DV).

According to [13] it’s advisable to link every Domain Value
like CSFs to a responsible domain manager. A hierarchical
overlapping Business-Value-Framework regarding to the three
hierarchical levels (Strategy, Tactic and Operation) enables the
management as well as the stakeholders to identify where, how
and how much value is provided or destroyed, strategic re-
sources and the grid of projects and processes. Furthermore it
provides a clear view about the actual value-situation of a
company, a better communication and cooperation. It is sup-
porting a better satisfaction of all stakeholders, explaining the
correlations of Business Value and complex strategies becom-
ing transparent and explainable. [3]

It is an interesting fact that technology, which is a signifi-
cant factor for an eCommerce organisation, can be classified
with an internal as well as an external focus. An eCommerce
company depends strongly on technology, its innovations and
trends. The final decision as to whether an organisation wants
to implement a new technology or not, is made by the company
itself, depending on market trends, user adoption and consumer
behaviour. As a result a hierarchical overlapping Business
Value is an expression of the Domain Values.

A. Case of failed “Blue Travel”-Project
BT is running its core business in the tourism branch and

owning many travel agencies in different cities. Due to the
increasing popularity of eCommerce and increasing competi-
tion the owner decided to start an eCommerce-Initiative with
focus to actual trends in eCommerce.

Management Situation:

Top-Manager of BT is the Founder. A vision or mission
statement doesn’t exist in his company and all strategic deci-
sions are made by the Top-Manager himself. The Headquarter
owns five travel offices and is responsible for the allocation of
financial and human resources as well as for strategically and
organizationally guidelines. The managers of the travel offices
are representing the lower management and they are basically
responsible for operative tasks, e.g. customer care, local mar-
keting activities and the realization of the input from headquar-
ter. BT is having no middle management and all activities to
customer are managed by the travel offices.

Failed eCommerce-Project:

BT started a first eCommerce-Initiative in April, 2008. The
Top-Manager authorized an extern eCommerce-Agency with
the realization of an eCommerce-Service which enables the
selling of travels and related services (e.g. insurances) online.
The objectives were (1) winning 10.000 new customers and (2)
increasing the turnover and profit up to 30% within three years.
Only the Top-Manager and the managing director of the
eCommerce-Agency were involved in the project-planning and
–realization.

In May 2008 the agency presented the concept of a travel-
portal (i) for placement of travel services (ii) with special
community features. After a development time of seven
months the eCommerce-service (website) was implemented in
December 2008. The features were (a) enabling customers to
create a simple profile, reviews and recommendations, (b)
enabling customers to send travel inquiries direct to the head-
quarter of BT and (c) enabling the headquarter of BT to publish
travel offers via a content management system on the website.

Result:

After six months of operation the preliminary conclusion
was disappointing. (1) The number of visits was approx. 7.000,
(2) the number of new customers less than 50, (3) the turnover
approx. 20.000 EUR, (4) the organizational effort to forward
the travel inquiries into the right travel offices was huge with
unclear processes and responsibilities (5) and there was no
coherent marketing concept. The project failed on broad-front.
A problem-analysis shows that (i) the Top-Manager wasn’t
present enough, (ii) the priority, concrete goals and ideals were
not communicated adequate, (iii) the employees with their
special know-how about market and internal processes were
not involved, (iv) the project-manager of the eCommerce-
Agency had underestimated the goals and ideals, (v) the project
reached a momentum of its own and (vi) it was predominantly
developed by technical employees without any knowledge of
market mechanisms, customer needs, etc. By the end of July
2009 the eCommerce-Website was turned offline. At this time
the costs were more than 50.000 EUR and a lot of employees,
confused, frustrated and demotivated.

Possible Solution:

The objectives and ideals, formulated by the Top-Manager
as well as the strategic meaning of the project for BT are legi-
timating the installation of a new business unit named “eSer-
vices”. With this business unit a new “middle” management
level will be created as well. The manager of eServices, named
“eCommerce-Manager” is responsible for tactical tasks of
eCommerce regarding all involved stakeholder, resources, etc.

Figure 2. Organizational Structure of “Blue Travel”

His job is to coordinate the development of the eCom-
merce-Initiative with the Top-Manager and the managers of the
travel offices (lower management) with the responsibility to
achieve the strategic goals, objectives and ideals. Some impor-
tant points of his coordination activities are the alignment of
existing processes to new eCommerce-processes, identifying
CSFs, customer needs as well as achieving eCommerce-
readiness within the BT-organization.

463

Concerning to as-is-analysis and a reference concept as
well as the concrete implementation the manager of the travel
office with the highest turnover is becoming the manager for
operational responsibilities regarding to the eCommerce-
Initiative.

Via the CET-Model – based on Business Value and some
selected examples – we want to show an approach for an effi-
cient communication as well as prioritization of objectives and
ideals over each management-level of BT in an easy unders-
tandable and transparent way. The illustration of the objective-,
ideal- and value-dependencies is based on Eric Yu’s i*-
framework [14; 15] with an own notation for ideals (rounded
rectangle with four triangles) and values (small circles). Goals/
objectives are regular modeled via rounded rectangles.

B. Strategic Domain
(Dimension: Company)

Task and responsibility of top-management is to realize the
vision/ mission of a company via the formulation of strategic
programs and goals. Every strategic program or goal is
representing a value for this domain and a goal for other do-
mains. Due to the fact that the management is having an overall
view to a company, this Domain Value is mainly having an
internal focus expressing values about vision/ mission, corpo-
rate culture, strategy, leadership system, shareholder, stake-
holder, organization, etc. A direct alignment between strategy
and information system is having a significant positive influ-
ence to workflows and eCommerce-Programs and to the
achievement of online efficiency, e.g. online presence in a
higher quality. A strategic commitment brings a substantial and
significant importance to the development of a Website and
therefore this causes a better performance and marks a critical
success factor for software development [4].

Due to the case of the SME the strategic objectives (1) in-
creasing SMEs profit/ turnover up to 30% and (2) number of
new customers up to 10.000 during the next three years for a
new eCommerce-Initiative were formulated by the top-
management. The ideals, goals of the top management are (1)
improving the market position and the return on investment of
the SME, (2) satisfying its shareholders and (3) an efficient
organization as well as (4) motivated and qualified employees
which are carrying the new eCommerce-culture in best way.

Figure 3. 2 Goals & 4 Ideals of Strategic Domain

DVS(eComm) = OBJECTIVESS1,2 | IDEALSS1,2,3,4

C. Tactical Domain
(Dimensions: Environment, Company and Technology)

The tactical domain with a focus on all dimensions is the
central body of our framework. As the rule it is represented by
the middle and lower management and linking the top man-
agement level to the operative level. Beside its tasks, e.g. im-
plementing strategic programs and goals, coordination, infor-
mation and controlling, the primary focus of this domain is to
set its Domain Value of eCommerce-Projects and processes
with a view for stakeholders involved outside a company, e.g.
customers, supplier, co-operation partner and market-based
innovations. This domain is also responsible for a clear, simple,
transparent communication and measurement of Business Val-
ue over all hierarchical levels of a company. Tactical decisions
served for concretion of strategic goals and reference to every
involved sub domain of a company (e.g. areas of operation,
business processes, branches, etc.). At this level web-based
objectives of tactical fields will be selected to develop goal-
focused plans for design and structure of a website. [5]

According to our case the eCommerce-Manager of the
SME – who got the ideals, goals and objectives from the stra-
tegic domain – analyzed the market situation and CSFs. He
decides to launch an eCommerce-Service for consumer and
travel offices with special services and features. This service
shall enable customers creating a (semantic) profile with per-
sonal data and special travel data in an easy way. It shall also
enable travel agencies to match consumer travels with their
portfolio and allowing offerings in a transparent form. Some
tactical objectives are (1) eCommerce-instruction for 10% of
the employees during the first year, (2) establishing the eCom-
merce-service within one year and an investment of 300.000
EUR, (3) reducing marketing costs up to 20% via special
community-features during the next two years and (4) offering
a full-service-application-programming-interface for the
processing of travel bookings to reduce transaction costs up to
15% by start of the eCommerce-service.

The ideals, goals of the eCommerce-Manager are (1) win-
ning more customers, (2) establishing an eCommerce-service
with best usability and transparency, (3) cooperating with ser-
vice partner for content and more products as well as (4) reduc-
ing process and transaction costs.

Figure 4. 4 Goals & 4 Ideals of Tactical Domain

DVT(eComm) = OBJECTIVEST1,2,3,4 | IDEALST1,2,3,4

464

D. Operative Domain
(Dimension: Technology)

For technology-based companies this domain is understood
as a very critical “Enabler” for entrepreneurial activities with
an important impact on the value chain. Products, services and
processes of eCommerce-companies are created, established,
improved via projects. Besides the concrete design, structure,
development and implementation of an eBusiness-Project the
focus and Business Value-expression of the operative domain
is mainly aimed to technological innovations and software-
requirements like scalability, performance, security, impact on
existing processes, etc. Based on the goals of the strategic and
tactical domain and a vision briefing in our case the manager
for technical development creates a requirements sheet.

Among other things his operative objectives are (1) as-is
analysis and reference concept of all involved processes and
features within 2 months, (2) develop a technical eCommerce-
infrastructure with new server for web, database,
communication, development, replication, backup and security
within three months and maximum cost of 30.000 EUR, (3)
recruitment of a project team with core competences in
JavaScript, Ruby on Rails, (User-centered-)Design within
three months, (4) development of widgets for social networks
to generate traffic from other websites (1.000.000 Visits
during the first two years) and an application programming
interface (API) for easy processing and automated transactions
with travel agencies to reduce transaction time and costs up to
10%.

The ideals, goals of this manager are (1) delivering a scala-
ble and secure system, (2) easy to use and understand which (3)
allows high loads on traffic and performance as well as an (4)
efficient support of processes and information of the organiza-
tion by technology.

Figure 5. 4 Goals & 4 Ideals of Operative Domain

DVO(eComm) = OBJECTIVESO1,2,3,4 | IDEALSO1,2,3,4

V. LINKING DOMAIN-VALUES TO BUSINESS-VALUE
To speak and measure with a hierarchical overlapping

Business Value it is necessary to link each Domain Value to
one Business Value which can be related to a strategic pro-
gram, a special product development, a software-project, etc. In
our case the Business Value of the eCommerce-Project is the
inclusion of all related Domain Values:

BV(eComm) = DVS(eComm) + DVT(eComm) + DVO(eComm)

In the form of a well structured Business Value-Sheet every
involved stakeholder is able to see his Domain Value, the Do-
main Value of other domains and the overall Business Value
referring to its focus, e.g. a software project, a product, a strat-
egy, etc. This helps to understand the ideals and goals of the
other stakeholders as well as enable stakeholders to set prioriti-
zations in their objectives regarding to other domains. Due to
the case of the SME the top management and the managers of
the tactical and operative domain can identify how value is
created over the three hierarchies, what the preferences, the
main tasks and ideals of every domain and their contribution to
value.

Figure 6. Linking Domain Values to Business Value

VI. CONLUSION & FUTURE WORK
Our first approach seeks to allow better prioritization re-

garding other domains, e.g. in agile software development-
projects, an enhanced focus on strategic goals and develop-
ments, a better understanding of market needs (especially for
technical employees), a strategic/value-control- and a strateg-
ic/value-feedback-system over all hierarchical levels.

465

With a widespread view over all important business fields,
the CET-Model leads to a better business/strategy-orientation
in agile software/process development in eCommerce as well
as other branches. The introduced framework aims to bridge
the existing gap between business strategy and e/mCommerce-
Development. Tasks in the development process are planned (i)
in a timeline, (ii) following priorities according to the interests
of the different business domains (hierarchical levels)/ market
views/ technical views (iii) and results/ increments are better
traceable/ checkable (e.g. for controlling, improvement, busi-
ness planning) by every domain.

In future iterations of this work, we will discuss the interac-
tion of Business Values and Domain Values as well as further
study value drivers and influence factors. Our next steps will be
a more precisely evaluation of the measurement possibilities of
Ideals as well as Domain Value and Business Value as a priori-
ty-setting and a performance-measurement-tool to build a
common meta model of Business Value and Domain Value
followed by an analytic and empirical validation of the CET-
Model.

REFERENCES
[1] Rusnjak, Andreas; El Kharbili, Marwane (2009): On Leveraging

Business Processes to deal with Critical Success Factors; Workshop on
Business Process Modeling and Realization, Informatik 2009, Luebeck,
Germany, 2009; to be published

[2] Böing, Christian (2001): Erfolgsfaktoren im Business-to-Consumer-E-
Commerce; Wiesbaden: Gabler (Schriftenreihe Unternehmensführung
und Marketing, 38)

[3] Sussland, Willy A.: Business Value & Corporate Governance: a new
approach; Journal of business strategies, Emerald Group Publishing
Limited, 2004; Retrieved 07.09.2009 online from:
http://www.emeraldinsight.com/10.1108/02756660410516029

[4] Mahmood et al.: Measuring E-Commerce Technology Enabled Business
Value: An Exploratory Research; International Journal of E-Business
Research, Vol. 4, Issue 2, IGI Global, 2008; Retrieved 07.09.2009 from
http://www.infosci-
journals.com/downloadPDF/pdf/ITJ4209_ICYdW2bbcf

[5] Schwickert, Axel C.: Web Site Engineering – Ein Komponentenmodell;
Arbeitspapiere WI Nr. 12/ 1998, Universität Mainz, 1998; Retrieved
07.09.2009 online from: http://geb.uni-
giessen.de/geb/volltexte/2004/1685/pdf/Apap_WI_1998_12

[6] Winter et al.: Business Engineering – Der St. Galler Ansatz zum
Veränderungsmanagement; in OrganisationsEntwicklung 27 (2008),
Universität St. Gallen; Retrieved 07.09.2009 online from
http://www.alexandria.unisg.ch/EXPORT/PDF/Publikation/44583

[7] McLaughlin, Stephen: The imperatives of e-business: case study of a
failed project; Journal Of Business Strategy Vol. 30 No. 1 (2009),
Emerald Group Publishing Limited, 2009; Retrieved 07.09.2009 online
from: www.emeraldinsight.com/10.1108/02756660910926966

[8] Lee, Sungjae; Kim Kyoung-jae: Factors affecting the implementation
success of Internet-based information systems; Elsevier Ltd., 2007;
Retrieved online on 18.10.2009 from:
http://dx.doi.org/10.1016/j.chb.2005.12.001

[9] Sung, Tae Kyung; Gibson, David V.: Critical Success Factors for
Business Reengineering and Corporate Performance: The Case of
Korean Corporations; Elsevier Science Inc., 1998; Retrieved online on
18.10.2009 from: http://dx.doi.org/10.1016/S0040-1625(98)00027-4

[10] Williams, Steve; Williams, Nancy: The Business Value of Business
Intelligence, 2003; Retrieved on 17.09.2009 online from:
http://www.decisionpath.com/docs_downloads/BIJarticle

[11] Matts, Chris; Pols, Andy: Business Value Driven Software
Development, 2004; Retrieved on 17.09.2009 online from:
http://cdn.pols.co.uk/papers/businessvaluedrivendevelopment

[12] Tosic, Vladimir; Suleiman, Basem; Babar, Abdul: Specification of
Business Value with and in Software Patterns, 2007; Retrieved on
18.09.2009 online from: http://patterns-
wg.fuka.info.waseda.ac.jp/SPAQU/proceedings/20-
TosicSuleimanBabar-SPAQu07-Final

[13] Fishman, Allen: Critical Success Factors key to attaining goals; Inside
Tucson Business; 07/20/98, Vol. 8 Issue 17, p10, 1/2p, 1998; Retrieved
online on 18.10.2009 from:
http://search.ebscohost.com/login.aspx?direct=true&db=bwh&AN=8983
34&site=ehost-live

[14] Yu, Eric: Presentation: Strategic Actor Relationships Modelling with i*;
December 13-14, 2001, IRST, Trento, Italy; Retrieved on 08.04.2009
from: http://www.cs.utoronto.ca/pub/eric/tut1.2-v2.ppt

[15] Yu, Eric: i* an agent oriented modelling framework; Toronto; Retrieved
on 16.04.2009 from: http://www.cs.toronto.edu/km/istar/

466

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Perceptions and attitudes about eCommerce development in China: An exploratory study
Stylianou, Antonis C;Robbins, Stephanie S;Jackson, Pamela
Journal of Global Information Management; Apr-Jun 2003; 11, 2; ProQuest Central
pg. 31

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

A Framework for Enhancing Systems Security

A Framework for Enhancing Systems Security

Srinarayan Sharma, Indian Institute of Management, Ranchi, India
sriOsharma(a),gmail.cotn

Vijayan Sugumaran , Oakland University, Rochester, USA, and
Service Systems Management and Engineering, Sogang University, Seoul, South Korea

sugumara(a),oakland.edu

ABSTRACT

Security concerns have grown in sync with the growth of ecommerce. This paper
presents a framework for analyzing systems security in terms of three dimensions,
namely, technology, process, and people. The paper also advocates a systems
development life cycle view of security. It describes different activities that need to be
carried out throughout the development cycle in order to improve overall systems
security. It also discusses the theoretical and practical implications of the study, and
identifies future research directions.

KEY WORDS

Systems Security, Systems Development Life Cycle, Security, Ecommerce,
Security Framework

INTRODUCTION

Like all sectors of the economy, e-commerce has also been negatively impacted by the
worldwide economic downturn. While other sectors have seen their growth suddenly
move down in the reverse gear, e-commerce has held its ground well. According to
the latest published e-commerce statistics (US Department of Commerce,

20

11

),
online spending in 20

10

in the United States increased 8.1 percent from that of 2009,
while in 2011, retail ecommerce was expected to grow

13

.7% on sales of $

18

8 billion
from that of 2010 (eMarketer, 2011).

The long term U.S. retail e-commerce sale is still forecast to grow in high single digits
to low double digits from an estimated $

16

5.4 billion in 2010 to $269.8 in 20

15

(eMarketer, 2011). Security concerns have grown in sync with the growth of
ecommerce (Richardson, 2010). According to the 2010 Computer Security Institute
Computer Crime and Security Survey (Richardson, 2010), though the security
breaches at the respondent companies have decreased, they remain high. Episodes of
hacking at the headquarters of the software giant Microsoft and other companies have
only heightened the need for systems security (Gross, 2011). Online privacy and
security are the most important issues for Internet users and will remain so in the
foreseeable future (Bennett, 2006). Identity theft, credit card fraud, and virus attacks

A Framework for Enhancing Systems Security

affect virtually all areas of Intemet use. Security breaches can lead to lower
confidence and heightened fear for consumers resulting in fewer customers buying
online (Cybersource, 2009). Consumer fears resulted in estimated online sales losses
of $4.0 billion in 2008, an increase of 11 percent from the previous year (Cybersource,
2009).

In this paper, we argue that only a systematic approach to security can protect
companies from Intemet and other security breaches. Towards that end, we describe
generic systems security concems, and generic security technologies available to
address these concems. We provide a framework for analyzing systems security in
terms of three dimensions, namely technology, process, and people. We also advocate
a systems development life cycle approach to security and identify some of the key
activities that need to be carried out throughout the development cycle in order to
improve overall systems security.

The paper is organized as follows. In the next section, we briefly provide a review of
the security concems and technologies. Following this we review the information
security literature to survey existing security frameworks. Then we provide our own
framework to integrate different security issues along with key activities needed to be
performed in a systems development life cycle. In the next section, we provide a
discussion of how our framework could be applied to a generic company. Finally, we
conclude with implications for theory and practice.

SYSTEMS SECURITY ISSUES AND SECURITY TECHNOLOGIES

Systems Security Issues

Security is a multidimensional concept and needs to be examined on several
dimensions such as privacy, physical access restrictions, application availability,
network confidentiality, content integrity, and access policy (Olson & Olson, 2000).
Security generally refers to authentication, access control, audit trail, confidentiality,
integrity, availability, and nonrepudiation {Internet Society., 2000).

Most common security problems in electronic commerce can be classified into four
categories: operating system weaknesses, application vulnerabilities, improper
configuration, and lack of training and resources (Connolly, 2001). Ironically, the last
category, lack of training and resources, contributes to the first three problems. The
following are some of the e-commerce security issues discussed in the literature.

(a) Misallocation of resources: In the majority of organizations, security spending has
been lagging compared to migration of corporate information from legacy systems
to new client/server and web-based systems (Myers, 2011; Richardson, 2010).
While the critical corporate data has been moved to Unix and NT systems,
companies are still spending resources to secure mainframes (Hines, 2007;
Messmer, 2008; Paris, 2009).

A Framework for Enhancing Systems Security

(b) Broadband Remote Access Applications: Keeping mission control applications up
and running 24-hours a day 7 days a week has become a business necessity. If
they are not secure, hackers will find them and possibly gain control with
malicious intent. Some hackers use empty hard drives on these systems for storing
illicit files, while others may use remote access as a backdoor into enterprise
systems. Cable systems use Ethernet “party-line” architecture and put a
neighborhood on a single subnet. Each packet is broadcast to everyone, and only
the addressee is supposed to process it. However, neighborhood hackers can use
Sniffer technologies to tap into this subnet (Panko, 2010). Once they have access
to the subnet, they also have easy access to the other systems on it.

(c) Lack of Incident Response Plan: Organizations often lack an Incident Response
Plan to cope with security breaches (May, 2011; Richardson, 2010). A good
Incident Response Plan usually includes policies on when to shut down an
affected server and when to quarantine it. It also outlines how to contact vendors,
company executives, and response team members, as well as ISP and law
enforcement officials. The plan explicates logs to be kept and steps to be
performed to track the hacker’s activities and location. It also describes how the
affected parties will be contacted. In the absence of such a plan, organizations try
to address any security breaches in an impromptu manner, which leads to chaos
and delay.

(d) Lack of customizable automated tools to fix security holes: Plugging every
security hole is extremely resoure-consuming. Scripting tools available to
automate the process are not customizable. Thus skilled security professionals are
needed to do the job by hand (Schwartz, 2011).

(e) Lack of security awareness: Organizations lack a strong security culture to ward
off unexpected hacker attack (Grimes, 2009; Richardson, 2010). Complexity and
variety of security attacks have made the management of employee attitude
toward security a paramount concern. Increasing numbers of companies are
becoming dependent on Intemet access from their desktop for personal and daily
business and as a result, bring exposure to company data and information to new,
intensely dangerous levels. While some employees may be acutely aware of
security dangers, others may need constant reminders. Building a security-
conscious culture may be a daunting task, but companies need to instill it to
minimize security breaches.

(f) Heavy emphasis on just IT: There is a general perception that system security is
the responsibility of the information systems department and is independent of the
business processes. Factors that control the information flow between sub-systems
shouldn’t just come from a technical view if it is to be effective companywide
(Grimes, 2009). Business risk control mechanisms are needed to meet the overall
security objectives.

A Framework for Enhancing Systems Security

(g) Lack of security education and Training: Employees need to be educated to
understand the need for information security and what it means to the organization
(Richardson, 2010). They have to be encouraged and motivated to follow
standard security procedures (Myers, 2011).

(h) Lack of Ownership: Employees must also be assigned responsibility and
ownership of the information they manage (Panko, 2010). Early involvement of
employees in the process is necessary for their taking ownership of the process.

Security Technologies

Having briefly described different systems security concems in companies, in this
section we provide a brief overview of the technologies available for addressing these
security concems.

(a) Digital Certificates: Digital certificates which are a key part of Intemet
security, received federal legal authority in June 2000. These certificates can
serve as a trusted and verified means of identification that cannot be
repudiated (Gerdes Jr., Kalvenes & Huang, 2009).

(b) Public Key Infrastructure (PKI): It has been difficult to establish proper trust
and verily credentials with electronic trading partners in the realm of B2B
electronic commerce. Vendors have developed PKI management services and
products that are designed to eliminate this problem (Millan et al., 2010).
However, vendors’ ultimate goal of having a system to handle the entire end-
to-end authentication and payment process is still to be achieved (Millan et
al., 2010).

(c) Intmsion Detection: Examination of a number of high profile security
breaches such as those at Microsoft, TJ Max, and Bank of America has
revealed that most successful intmders escape casual surveillance. This has
made intrusion detection technology one of the most used security
technologies. Intrusion-detection systems monitor an organization’s network
and hosts (Xenakis, Panos & Stavrakakis, 2011). They detect intrusions by
watching for certain actions that resemble characteristics of known attacks. A
downside of this technology is that it cannot detect attacks which are not
resident in its knowledge base.

(d) Security in Web Applications: Progress has been made in preventing attacks
that exploit security weaknesses in Web applications. Perfecto Technologies’
AppShield, for example, sits between the network firewall and web server,
allowing Web surfers to access the Web site only from authorized entry points
and verifying that all incoming client requests are legitimate. If a request
violates the defined security policy, browsers are denied access to the
application (Caceres & Teshigawara, 2010).

A Framework for Enhancing Systems Security

(e) Personal Firewall: Explosion of broadband networking option has made
desktops vulnerable. Hackers can gain access to these desktops with assigned
IP addresses and launch attacks on other systems. Personal firewalls can mask
these desktops from casual probing. Well-known anti-virus players such as
Symantec and McAfee along with specialty vendors such as Network ICE and
Syborgen are providing personal firewall solutions (Schultz, 2005).

(f) Disposable IDs: Complex encryption algorithms used by web browsers have
made the theft of credit card numbers in transit almost impossible (Buccafurri
& Lax, 2011). However, vendor databases containing these numbers remain
vulnerable. Disposable ID mechanism makes it possible to issue one-use
credit card numbers to render stealing of credit card numbers from vendor
databases useless (Experiencefreak, 2010).

(g) Biometrie Security: Biometrie security technologies have become easier to
implement. These technologies make use of individual’s unique fingerprints,
face, and voice to ensure authorized entry (Uzoka & Ndzinge, 2009).

(h) Single Sign-On Technologies: Many security systems in past have required
multiple sign-ons from users to ensure security. Single sign-on technology
allows users to browse through network resources without entering several
passwords (Orr, 2005). When combined with biometrics, it can be a powerful
security tool. Novell’s NDS directory device uses this technology.

SECURITY FRAMEWORK FOR ENHANCING SYSTEMS SECURITY

In the previous two sections we have discussed the common security issues that are
being faced by the IT departments in companies engaged in e-commerce and the
technologies that are currently available for securing mission critical applications. A
closer examination of the issues and the available technologies reveal that, while
technical solutions exist to provide adequate security, organizations still experience
considerable difficulty in securing their applications from intruders. Most of the
security measures implemented by organizations rely heavily on technology alone
without considering other factors that have a greater impact on the overall security of
their systems. According to PwC (2011), companies have been increasing their
security spending since 2007. But despite the multibillion-dollar spending, they fall
short of achieving business-process security (Nosworthy, 2000; PwC, 2011). To
address these shortcomings many researchers have provided various frameworks. A
brief review of these frameworks is given below.

Chang et al (2011) provide a technology driven framework that uses (extemal)
environment information to enhance computer security. The advantage of this
framework is that the environment information is collected by sensors that are outside
the control of a host and communicate to an extemal monitor via an out-of-band
channel (with respect to the host), thus it cannot be compromised by malware on a

A Framework for Enhancing Systems Security

host system. The information gathered still remains intact even if malware uses rootkit
techniques to hide its activities. This framework is applicable to a number of security
applications: (1) intrusion detection, (2) rate monitoring/control of external resources,
and (3) access control. Chang et al (2011) show that this framework is useful even
with coarse-grained and simple information. They present some experimental
prototypes that employ the framework to detect/control email spam, detect/control
DDoS zombie attacks and detect misuse of compute resources. Experimental
evaluation shows that the framework is effective in detecting or limiting the activities
of such malware. The shortcoming of this framework is that it does not address
process and people aspect of security that may have a greater impact on overall
security.

Abbas et al (2011) propose a framework based on options theory borrowed from
corporate finance and adapt it to evaluation of security architecture and decision
making for handling issues at organizational level. This framework addresses three
main problems resulting from uncertainty in information security management:
dynamically changing security requirements of an organization, externalities caused
by non-secure system, and obsolete evaluation of security concerns. The framework is
relevant to information security management in organizations, particularly issues on
changing requirements and evaluation in uncertain circumstances created by progress
in technology. This is a process driven framework and does not address technology
and people aspect of security.

Tsohou et al (2010) provide a classification framework for categorizing available
information security standards. Recent information security surveys indicate that both
the acceptance of international standards and the relative certifications increase
continuously. However, the majority of organizations still does not know the
dominant security standards or fully implement them. The aim of this framework is to
facilitate the awareness of information security practitioners regarding globally known
and accepted security standards. Clearly the focus of this framework is on a narrow
aspect of technology, that is, technology standards. This does not address broader
technological issues, process issues and people issues.

There is a need to provide secure and safe information security systems through the
use of firewalls, intrusion detection and prevention systems, encryption,
authentication, and other hardware and software solutions. Patel, Qi, and Wills (2010)
propose a framework which includes safe, secure, trusted, and auditable services, as
well as forensic mechanisms to provide audit trails for digital evidence of transactions
and protection against malicious and illegal activities. This framework focuses on
technology and process aspects of security.
Gurung, Luo, and Liao (2009) develop a research framework and empirically analyze
the factors that motivate the consumers to adopt and use anti-spyware tools when they
are faced with security threats. The research model was tested with data obtained
through online survey questionnaires. The results do not find statistically significant
relationships for hypotheses related to perceived vulnerability and response cost with

A Framework for Enhancing Systems Security

the dependent variable. Perceived severity, self-efficacy, and response efficacy was
found to be significantly related to use of anti-spyware tools. This framework focuses
on people aspect of security.

Using two-stage framework Mouratidis, Jahankhani, and Nkhoma (2008) empirically
found that personnel from general management have different perspectives towards
network security than personnel from the network security management. In particular,
the study indicates that such differences are demonstrated on a number of areas such
as the effectiveness and the efficiency of the networked system, control of network
security, security-related decision-making processes, and users of the network. The
latter being the most controversial issue with one side indicating that users should be
allowed to use the network in an efficient manner, and the other side emphasizing that
users pose one of the greatest security risks to the system. This framework also
focuses on people aspect.

Hong, et al. (2003) propose a framework to integrate security policy theory, risk
management theory, control and auditing theory, management system theory and
contingency theory in order to build a comprehensive theory of information security
management (ISM). This framework suggests that an integrated system theory is
useful for understanding information security management, explaining information
security management strategies, and predicting management outcomes. This
framework is focused on process aspect.

Siponen (2002) provides a framework synthesized from the information systems (IS)
and software engineering literatures for articulating security maturity criteria and
examining existing information security maturity criteria. This framework is focused
on process aspect.

Debar and Viinikka (2006) provide an architecture for the outsourcing of security
information management (SIM). They posit that the day-to-day operation of a SIM is
beyond the financial capabilities of all but the largest organizations, as the SIM must
be monitored constantly to ensure timely reaction to alerts. Many managed security
services providers (MSSP), therefore, have merged for outsourcing the alert
management activities. Sensors are deployed within the customer’s inñ-astructure, and
the alerts are sent to the outsourced SIM along with additional log information. This
framework focuses on process and technology aspects.

Eloff and von Solms (Eloff, 2000) provide a hierarchical framework for information
systems management from the security standpoint. Their multilevel model includes
two major aspects of security management, namely, technology and process. Despite
the fact that considerable emphasis has traditionally been placed on the technical
aspect, they have introduced the process aspect of security and discuss the importance
of developing guidelines, code of practice, standards, legislation, and benchmarking.
While these processes are essential, equally important is the consideration of the
changing nature of the overall business processes and their security requirements. For

A Framework for Enhancing Systems Security

example, in the dynamic B2B environment, partnerships between participating entities
are forged and terminated frequently. These partners collaborate and cooperate on
certain projects, while maintaining individual trade secrets and competitive edge. In
such a scenario, the security requirements for the systems and interfaces are driven by
the specific business processes and the data that are exchanged between them. Thus,
we argue that identifying and articulating the security requirements for important
business processes is critical in coming up with a comprehensive security solution.

Most of the security framework reviewed above focus on technical and/or process
aspects of security. However, an important piece of the security puzzle is the human
aspect. Recent literature indicates that maximum threat of security breach comes from
within the organization (Panko, 2010; Richardson, 2010). A joint study by the
Computer Security Institute (CSI) and the FBI indicates that the most serious losses in
companies are done by unauthorized insider access (Richardson, 2010). As aptly
pointed out by Dhillon and Backhouse (2000), information system security is a social
and organizational problem because they are used by people. Thus, it is the human
beings that interact with, and are responsible for systems that have the biggest impact
on security of individual systems and the organization as a whole (Andress, 2000). In
this context, personal traits such as responsibility, integrity, trust, and ethicality are
deemed critical in securing information assets (Dhillon & Backhouse, 2000).

In light of the above discussion, we contend that for any systems security solution to
be effective, it should take into account the following three dimensions, as depicted in
Figure 1: a) technology, b) process, and c) people. In fact, these three equally
important dimensions are tightly coupled, and should serve as the comer stone of
every systems security solution architecture. A weakness in one dimension not only
affects the system security but also has a severe detrimental impact on the other
dimensions and thus has a compounding effect. Hence we argue that a balance and
congruence between these three dimensions is critical for providing a secure systems
environment. We identify important factors within each of these dimensions in Table
1 below. These factors are derived from the frameworks reviewed above.

Table 1: Important Technical, Process, and People Factors for Enhancing
Systems Security

Technical

• Standards
• Security models
• Specific security

technologies
• Privacy
• Physical access

restrictions

Process

• Guidelines
• Code of practice
• Controls
• Certification
• Accreditation
• Benchmarking
• Self-assessment

People

• Responsibility
• Integrity
• Trust
• Ethicality

10

A Framework for Enhancing Systems Security

• Application availability
• Network confidentiality
• Content integrity

• Legislation
• Evaluation

Another drawback discussed in the literature regarding current security solutions is
that most of the security measures are “after thoughts” (Panko, 2010). In other words,
the security layer is just an add-on to systems without taking into consideration the
assets to be secured and the business processes that they support. During the
development life cycle of the system, security requirements and the design of
appropriate solutions are not an integral part of the development process.

Technology

Sfcufe
Environment

Ptocess

People

Figure I. Framework for Enhancing Systems Security

For the most part, system security is limited to user authentication and limiting access
to certain resources through rudimentary techniques. We contend that a thorough
analysis of the security requirements based on the assets and the business processes to
be secured, ensuring that there is a good fit between the chosen security mechanisms
and the processes, is crucial for the effectiveness of system security. In order to
achieve a high level of success, we advocate that security related issues be considered
at every phase of the system development life cycle and not just at the post-
implementation phase. In other words, organizations have to develop and commit to a
systems development life cycle view of security. Furthermore, during each phase of
the systems development, the issues related to the three dimensions of security have to
be delineated and addressed. Table 2 presents some of the security related activities
that have to be carried out during each phase of the systems life cycle. Without

11

A Framework for Enhancing Systems Security

claiming comprehensiveness, we suggest that these activities provide a systematic
way to incorporate security aspects into the overall systems development process.

Table 2. Security Related Activities in Systems Development Life Cycle Phases

^^^^^Jimensions
SDLC Phas^-^^^

Planning

Analysis

Design

Implementation
and Testing

Technology

Survey existing
security
technologies
(intemal and
external).
standards, and
models.

Identify
technologies and
their requirements
to secure business
processes.

Design security
architecture
including privacy
and physical access
restrictions.

Procure security
technologies
(hardware and
software to meet
security
requirements
identified in
analysis phase).
Ensure application
availability.
network

Process

Study codes of
practice.
Review existing
security policy.
Identify assets to
secure.
Identify their high
level security
needs.

Perform SWOT
analysis for
security.
Determine process
level security
requirements and
controls.

Design
organizational
security policies.
Ensure that
policies are
consistent with
legislation.

Establish security
interfaces between
sub-systems.
Identify domain
specific test
scenarios.
Perform unit
testing, system
testing.

People

Identify security
champion.
Seek participation
of high level
managers.
Identify
manager(s) for
security
operations.

Involve security
analysts, and
process users (end
users).

Identify and
involve technical
people who will
design security
solutions.

Involve
technology
vendors.
consultants.
designers, and
system integrators.

12

A Framework for Enhancing Systems Security

Post
Implementation

confidentiality, and
content integrity.
Fix bugs.
Enhance security
Features.

Train end users.
Promote security.
Actively monitor
security breaches.
Identify new
security risks
Evaluate, perform
self-assessment
and benchmark.
Get accreditation
and certification

Get end users’
trust.
Inculcate end user
responsibility.
securify personnel
integrity and
ethicality.

DISCUSSION

In this section, we provide detailed actions that organizations can take in order to
mitigate the woes of “security blues” based on our framework and systems
development life cycle view of security. The actions presented below are grouped
based on the SDLC phases related to technology, process and people dimensions of
systems security.

Planning

A sound planning paves the way for effectiveness and efficiency for security and
compliance. In the planning phase of the SDLC, a company needs to survey existing
security policies, codes of practice, standards, procedures, technologies, and models
which are available both intemally and extemally. Information security policies are
high-level statements about securing systems. A standard is a detailed rules or
statement to enforce the given policy. As an example, a company will use passwords
to secure its systems might be a policy statement, while passwords must be eight
characters in length, should include both capital and small letters and a number might
be a standard. A procedure can describe a step-by-step method to implementing
various standards. As an example, the company will enable password length controls
on all production systems. The company also needs to review extemal security
standards such as ISO/IEC 27002 which is an information security standard published
by the Intemational Organization for Standardization (ISO) and by the International
Electrotechnical Commission (IEC) to find out codes of practice for information
security management. If necessary, it needs to make changes to its existing policy.
Effective security begins with a solid understanding of the protected asset and its
value. The company needs to identify assets to secure. Since it will be prohibitive to
secure all the assets a company possesses, it should prioritize asset based on the
existing securify guidelines, codes of practice, and risk analysis. As an example, risk
analysis will allow the company to weigh the cost of securing the asset versus the loss

13

A Framework for Enhancing Systems Security

if the asset’s security is breached. If the cost of securing the asset is more than the
value of the compromised asset, it may not be beneficial to secure the asset. As an
example, assume that the value of an asset is $10,000, and the probability of the
security breach for this asset is 10%. The loss associated with this security breach will
be $10,000 X 10% = $1000.00. If securing this asset cost more than $1000.00, then it
should not be secured. High level security needs of the identified assets also need to
be identified in this stage. Such needs could be categorized as access control, physical
security, endpoint security, infrastructure security, application security, and data
security.

Security needs to be recognized by IT managers as an important issue. The best
technologies and wisest policies will take security only so far without extensive
management buy-in (Tipton & Krause, 2004). It is heartening to know that in the CSI
survey, a majority of managers regard security as a top priority (Richardson, 2010).
The remaining IT managers must also recognize security as a top priority, if they want
to see their web-systems secure (Tipton & Krause, 2004). In the planning phase, the
company also needs to identify security champion who will provide resources and
support the security effort even in case of resistance from other stakeholders.
Participation of high level managers should be sought in the planning phase within
whose purview the security function falls. Lower level managers who will oversee the
operations of the security should also be identified.

Analysis

The company needs to perform strength-weakness-opportunity-threat (SWOT)
analysis for security. Such a SWOT analysis should identify the strength of the
existing securify mechanisms (technologies, processes, and personnel) and their
weaknesses. It should also identify any opportunities that may be there to strengthen
the existing securify and institute new securify. It should also identify any current and
possible new threats such as company allowing its employees to use wirelessly
connected hand-held devices for enterprise communication. Other possible threats can
come from policy breach, data theft, equipment theft/damage, social engineering,
DoS, unauthorized access, etc.
In the analysis phase, the company would identify appropriate technology
requirements (such as hardware and software) to secure assets and business processes
that need securing. Use of such technologies should be based on the high level
securify requirements identified in the planning phase. An outcome of the analysis
phase could be the decision to outsource securify because of the lack of skilled
securify personnel (Richardon, 2010). Of course, personnel could be acquired and
trained in-house, but it may be cost prohibitive. Any securify outsourcing decision
should be made with utmost caution, as companies must trust handling of their most
critical data to an outsider, namely, an Managed Securify Provider (MSP). Before
choosing an MSP, a company must thoroughly analyze its securify needs and
determine if the MSP meets their needs. The company should also be mindful of the
adverse reactions of their customers (Messmer, 2008).

14

A Framework for Enhancing Systems Security

To secure business processes, the company would need to identify process level
security requirements. The company would also require to identify relevant security
standards such as ISO 27002 (previously known as ISO

17

799) or COBIT and
benchmarks for business processes. Such standards and benchmarks could be obtained
from standards certifying bodies such as Intemational Organization for
Standardization (ISO), the Intemational Electrotechnical Commission (IEC), and
industry best practices from sources such as Information Systems Audit and Control
Association (ISACA), the SANS institute, CSI survey, etc. As an example, in B2B
environments, where business partners may collaborate on different business
processes, there is a need for very detailed access and content control. A new security
challenge is the complexity and granularity of protection needed for business
processes in these environments. The process level requirements will necessitate
confidentiality, integrity, and authenticity in data flows. Different business processes
or transactions may require different data. These data may require different level of
security for different business processes. While SSL may be sufficient for some data,
digital certificates must be used for others. Though when these data flow across
different systems, they are in the same bit and byte format. Thus, the same security
technologies potentially could be applied to the same stream of data; however,
different security technologies would be required for different streams of data. A joint
collaboration between RSA and Netegrity is aimed at providing a multilevel access-
control expertise to produce a security system that can accommodate many types of
users and scopes of access rights (Parris, 2009).

The company must involve security analysts and process users (end users) early on in
this phase. Early involvement of these stakeholders makes them take the ownership of
security requirements of the business processes they are involved with.

Design

In the design phase the company needs to design its security architecture. Security
Architecture can be defined as the design artifacts that describe how the security
controls (security countermeasures) are positioned, and how they relate to the overall
information technology architecture (OpenSecurityArchitecture.org, 2006). These
controls serve the purpose to maintain the system’s quality attributes, among them
confidentiality, integrity, availability, accountability, and assurance. The security
architecture should be holistic and encompassing, make suggestions on how different
controls can be synchronized and integrated to achieve maximum effect, include a
comprehensive approach to security risk management, and be measurable to
demonstrate adherence to the requirements (Eloff & Eloff, 2005) and federal and state
laws, such as the Federal Information Security Act of 2002 (P.L. 107-347, Title III),
National Security Directive 42 (NSD-42), etc.

The company also needs to design its security policies, particularly. Incident Response
Plan. An information security policy statement expresses management’s commitment
to the implementation, maintenance, and improvement of its information security

15

A Framework for Enhancing Systems Security

management system (ISO 27000). Though there is a need for reviewing security
policy in the planning phase as discussed above, the approach needs to be repetitive
given that any security program will never be 100% complete. The rapidly changing
technologies require continuous adaptation. If the organization has a security policy, it
should be evaluated to determine whether it is valid and appropriate. This phase
should include all updates and changes to the policy as well as identification of all
controls and procedures that are needed to implement the policy.

In this phase the company also needs to identify technical people who will design
security solutions. Such people should be carefully chosen to ensure that they bring a
holistic perspective and are not wedded to some particular security policy approach.
They should also exhibit integrity and ethicality.

Implementation and Testing

The company would need to procure security technologies (hardware and software to
meet security requirements identified in analysis phase) if it does not have the
technologies already. Appropriate security technologies could be obtained by
contacting technology vendors and consultants. If in-house security systems are to be
deployed, appropriate systems security designers and systems integrators should be
identified and assigned. Special care should be taken to ensure security of interfaces
between systems. The individual systems may themselves be secure, however, when
interacting with other system security could be breached.

To ensure security of individual systems, the company would need to identify domain
specific test scenarios, and then test its security. Unit testing will be appropriate for
such scenarios. However, system testing should be perfonned to ensure the securify of
interfaces between subsystems.

After testing, the security architecture needs to be implemented. Implementation could
be carried out following any of direct cut-off, parallel, or pilot approaches. An
analysis should be done to figure out suitability of these approaches before following
them as every one of them has unique strengths and weaknesses. As an example,
direct cut-off approach allows one to move the entire system to new architecture.
However, if there are security glitches, then entire system is affected. In contrast,
parallel approach allows both old and new architecture to be in place for some period
of time, but creates confusion among users. Pilot approach allows implementation in
only small segment. This approach helps in ironing out any kinks the security
architecture may have before going for full-fiedged implementation.
Post-Implementation

It is inevitable that there would be some security bugs in the implemented system. In
this phase, such bugs need to be identified and fixed. It is also inevitable that security
will be breached at some point in time. If a security breach takes place, the company

16

A Framework for Enhancing Systems Security

should follow its Incident Response Plan developed as a part of overall security policy
in prior phases.

All end users of all the systems need to be educated and trained about using proper
security protocols to promote security. Complexity and variety of security attacks
have made the management of employee attitude toward security a paramount
concem. While some employees may be acutely aware of security dangers, others
may need constant reminders. Building a security-conscious culture may be a
daunting task, but companies need to instill it to minimize security breaches. As a part
of security culture, users have to see the benefits to themselves if they are to buy in
these security technologies and policies. (Tipton & Krause, 2004). Therefore, it is
important to make user education a top priority. Getting end-users to understand the
importance of security and making them conscious of areas in which they can help
increases the security of the company as a whole. Employee education buttresses
security solutions installed to protect a company from attack. Unfortunately, people
working inside the company are considered higher security risks than those outside
the company (Panko, 2010). The need to address employee breaches is often obscured
by all the solutions for physical and network security. While web-browsers and
servers do a good job of encrypting data they exchange, traffic on intranet and LAN is
often unencrypted. Managers need to pay special attention to insider security
breaches. Employees need to be educated to understand the need for information
security and what it means to the organization (Richardson, 2010). They have to be
encouraged and motivated to follow standard security procedures (Myers, 2011).
Employees must also be assigned responsibility and ownership of the information they
manage (Panko, 2010). Early involvement of employees in the process is necessary
for their taking ownership of the process. Future security risks should also be
identified.

In this stage, companies will do well by self-assessing their overall security. They
should also benchmark themselves against ISO27000 or similar standard. If it is found
wanting, they should take action to rectify it. A good way to meet common
benchmarking standards is to get certified and accredited by certifying and
accreditation agencies such Verisign.

CONCLUSIONS

Though organizations are spending vast sums of money towards securing their
mission critical applications, they are unable to completely protect their applications
and systems from malicious attacks and intrusions. More importantly, they are not
able to improve the perception of lack of privacy and security in their applications
from the consumers’ point of view. This has resulted in very high opportunity cost,
estimated to be in billions of dollars. To a large extent, the lack luster performance of
security mechanisms is attributed to heavy reliance on technology while ignoring
other factors. Consequently, there is a big push towards taking a holistic approach to
designing security solutions.

17

A Framework for Enhancing Systems Security

This study contributes to the theory by providing a holistic securify framework which
addresses the shortcomings of the existing frameworks. In particular, existing
frameworks address only one or two of the three dimensions of people, process, and
technology, while this framework incorporates all three dimensions for analyzing and
subsequently implementing systems securify. Existing framework also do not provide
a holistic way of incorporating securify in business processes. This paper advocates a
systems development life cycle view of securify and provides some of the key
activities that have to be carried out throughout the development life cycle in order to
improve overall securify of business processes and corresponding applications and
systems. A systematic approach to system security will greatly enhance customer
confidence and thus provide competitive advantage. The paper also contributes to
practice by providing a detailed discussion of how this framework could be
implemented in a given company. Future research could investigate how and if
organizations are using systems development life cycle approach to secure their
business processes. They could also examine if all three dimensions are equally
involved in such an endeavor, or companies give priorities to one dimension over
others.

ACKNOWLEDGEMENT

The work of the second author has been partly supported by Sogang Business
School’s World Class Universify Program (R31-20002) ftmded by Korea Research
Foundation and the Sogang Universify Research Grant of 2011.

REFERENCES

Aberdeen Group. (2008) Aberdeen Group Research Benchmark Report. Passwords,
Privileged Passwords and Password Lifecycle Management.

Andress, M. and Fonseca, B. (2000) Manage people to protect data. InfoWorld, Nov.
10.
Bennett, M. (2006) Communify poll forum: Biggest concem about switching to online
applications . CNet Forums, May 2.

Buccafurri, F. and Lax, G. (2011). Implementing disposable credit card numbers by
mobile phones. Electronic Commerce Research, 11(3), 271-296.

Caceres, G.H.R. & Teshigawara, Y. (2010). Securify guideline tool for home users
based on intemational standards. Information Management & Computer Security,
18(2), 101-123.
Chang, E.-C, Lu, L., Wu, Y., Yap, R.H., and C. and Yu, J. (2011). Enhancing host
securify using extemal environment sensors. International Journal of Information
Security, 10(5), 285-299.

18

A Framework for Enhancing Systems Security

Connolly, P.J. (2001) Securify steps into the spotlight InfoWorld.com, Jan.

21

.

CyberSource. (2009) 10th Annual, 2009 Edition, “Online Fraud Report.”
http://forms.cvbersource.com/forms/FraudReport2009NACYBSwww020309

Debar, H. and Viinikka, J. (2006). Securify information management as an
outsourced service. Information Management & Computer Security, 14(5), 416.

Dhillon, G., Backhouse, J. (2000) Information System Securify Management in the
New Millennium, Communications of the ACM, Vol. 43, No. 7, July, pp. 125 – 128.
Ellof, J.H.P. and Eloff, M.M. Information Securify Architecture. Computer Fraud &
Securify, Novemebr 2005, pp. 10-16.

Eloff, M. M., and von Solms, S. H. (2000) Information Securify Management: A
Hierarchical Framework for Various Approaches, Computers and Security, Vol.

19

,
No. 3, pp. 2 4 3 – 2 5 6 .

eMarketer. (2011) US Retail Ecommerce Forecast: Growth Opportunities in a
Maturing Channel. March.

Experiencefreak. (2010) Disposable Identify?
http://experiencefreak.posterous.com/disposable-identity. April 23.

Gerdes Jr., J.H., Kalvenes, J., Huang, C.-T. (2009) Multi-dimensional credentialing
using veiled certificates: Protecting privacy in the face of regulatory reporting
requirements. Computers &Security, July, Vol. 28, Iss. 5; pp. 248-259.

Grimes, R. (2009) How to manage IT securify – without a tech background.
InfoWorld, Sept. 25.

Gross, G. (2011) U.S. needs cyber-emergency response, lawmaker says.
Computerworld, April 11.

Gurung, A., Luo, X., and Liao, Q. (2009). Consumer motivations in taking action
against spyware: an empirical investigation. Information Management & Computer
Security, 17(3), 276-289.

Haider, A., Magnusson, C , Yngstrom, L., and Hemani, A. (2011) Addressing
dynamic issues in information securify management. Information Management &
Computer Security, 19 (1), 5-24.

Hines, M. (2007) Securify outsourcing on the rise. InforWorld, Sept. 20.

19

A Framework for Enhancing Systems Security

Hong, K.-S., Yen-Ping, C , Chao, L.R, and Tang, J.-H. (2003). An integrated system
theory of information security management. Information Management & Computer
Security, 11(5), 243-248.

Intemet Society, RFC 2828. (2000) Intemet Security Glossary, 2000.
http://w\vw.ietforg/rfc/rfc2828.txt.

Kirk, J. (2005) Oracle password protection is weak, experts say.. Infoworld, October.

Krebs, B. (2009) Payment Processor Breach May Be Largest Ever. Washington Post.
Retrieved Jan. 20, 2009, from
http://voices.washingtonpost.eom/securitvfix/2009/01 /pavment processor breach ma
V b.html?hpid=topnews.

May, T.A. (2011) IT needs to plan for what comes between now and later.
Computerworld, March 31.

Messmer, E. (2008) Outsourcing securify tasks brings controversy. NetworkWorld,
March 20.

Millán, G., Pérez, M., Pérez, G., and Skarmeta, A. (2010). PKI-based tmst
management in inter-domain scenarios. Computers & Security, 29(2), pp. 278-290.

Mouratidis, H., Jahankhani, H., and Nkhoma, M Z. (2008). Management versus
security specialists: an empirical study on security related perceptions. Information
Management & Computer Security, 16(2), 187-205.

Myers, L. (2011) Security Education: We are doing it Wrong. SC Magazine, April 11.

Nosworthy, J. (2000) Implementing Information Security in the 21^’ Century – Do you
have the Balancing Factors? Computers and Security, Vol. 19, No. 4, pp. 337 – 347.

Olson, J.S. and Olson, G.M. (2000) I2i trust in e-commerce. Communications of the
ACM, Vol. 32, No. 12, Dec. p. 41.

Orr, B. (2005). A single sign-on for all supply chain members? American Bankers
Association. ^ 5 ^ Banking Journal, 97(9), p. 82.

Panko, R. (2010) Corporate Computer and Network Security, 2/e . Prentice Hall.

Parris, K. (2009) 3 Tips for Brushing Up B2B Security. TechNewsWorld, 7/2/09.

Patel, A., Qi, W., and Wills, C. (2010). Information Management & Computer
Security, 18(3), 144-161.

20

A Framework for Enhancing Systems Security

PwC. Global state of information security survey. (2011) A worldwide survey by CIO
magazine, CSO magazine, and PwC.

Richardson, R. (2010) CSI Computer Crime and Security Survey.

Schultz, E. (2005). Study shows home computer users are ignorant about security.
Computers & Security, 24(1), 5-6.

Schwartz, M.J. (2011) Secure coing or bust. InformationWeek, April 7.
SecurifyArchitecture.org. Definitions: IT Securify Architecture., Jan, 2006.
http://wvvw.opensecuritvarchitecture.org/cms/index.php.

Siponen, M. (2002). Towards maturify of information securify maturify criteria: Six
lessons leamed from software maturify criteria. Information Management &
Computer Security, 10(5), 210-

22

4.

Tipton, H.F. and Krause, M. (2004) Information security management handbook.
Fifth Edition, CRC Press.

Tsohou, A., Kokolakis, S., Lambrinoudakis, C , and Gritzalis, S. (2010). A securify
standards’ framework to facilitate best practices’ awareness and conformify.
Information Management & Computer Security, 18(5), 350-365.

US Department of Commerce. (2011) US census Bureau News. Feb., 17.
http://vvww.census.gov/retail/mrts/www/data/pdf/ec current

Uzoka, F., & Ndzinge, T.. (2009). Empirical analysis of biométrie technology
adoption and acceptance in Botswana. The Journal of^ Systems and Software, 82(9),
1550-1564.

Xenakis, C , Panos, C , & Stavrakakis, I.. (2011). A comparative evaluation of
intrusion detection architectures for mobile ad hoc networks. Computers & Security,
30(1), 63-80.

21

A Framework for Enhancing Systems Security

AUTHOR BIOGRAPHY

Dr. Srinarayan Sharma is a Professor of Information Systems in the Indian
Institute of Management, Ranchi, India. His past work has involved studies of
various IT innovations such as open source software, computer-aided software
engineering, data warehousing, mobile commerce, etc. His current interest Ues in
the application of IT to solve contemporary problems such as global warming,
water scarcity, and world poverty. His past work has been published in various IT
journals and conferences such as Communications of the ACM, Information Systems
Journal, Information <& Management, Annual Conferences of the Association of Information Systems, Annual Conferences of the Decision Sciences Institutes, etc.

Dt, Vijayan Sugumatan (Corresponding Author) is a Professor of Management
Information Systems in the Department of Decision and Information Sciences at
Oakland University, Rochester, Michigan, USA. He is also WCU Professor in the
Department of Service Systems Management and Engineering at Sogang
University, Seoul, South Korea. His research interests are in the areas of Service
Systems, Ontologies and Semantic Web, Intelligent Agent and Multi-Agent
Systems, and Component Based Software Development. He has published over
150 peer-reviewed articles in Journals, Conferences, and Books. He has edited ten
books and serves on the Editorial Boards of eight journals. His recent
publications have appeared in Information Systems Research, ACM Transactions on
Database Systems, IEEE Transactions on Education, IEEE Transactions on Engineering
Management, Communications of the ACM, and Healthcare Management Science. D r .
Sugumaran is the E d i t o r – i n – C h i e f of the International Journal of Intelligent Information
Technologies. He is the Chair of the Intelligent Agent and Multi-Agent Systems
mini-track for Americas Conference on Information Systems (AMCIS 1999 –
2012). He served as the Program Co-Chair for the 13th International Conference
on Applications of Natural Language to Information Systems (NLDB 2008). He
also regularly serves as a program committee member for numerous national and
international conferences.

22

Copyright of Journal of Information Privacy & Security is the property of Ivy League Publishing and its content

may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express

written permission. However, users may print, download, or email articles for individual use.

Calculate your order
275 words
Total price: $0.00

Top-quality papers guaranteed

54

100% original papers

We sell only unique pieces of writing completed according to your demands.

54

Confidential service

We use security encryption to keep your personal data protected.

54

Money-back guarantee

We can give your money back if something goes wrong with your order.

Enjoy the free features we offer to everyone

  1. Title page

    Get a free title page formatted according to the specifics of your particular style.

  2. Custom formatting

    Request us to use APA, MLA, Harvard, Chicago, or any other style for your essay.

  3. Bibliography page

    Don’t pay extra for a list of references that perfectly fits your academic needs.

  4. 24/7 support assistance

    Ask us a question anytime you need to—we don’t charge extra for supporting you!

Calculate how much your essay costs

Type of paper
Academic level
Deadline
550 words

How to place an order

  • Choose the number of pages, your academic level, and deadline
  • Push the orange button
  • Give instructions for your paper
  • Pay with PayPal or a credit card
  • Track the progress of your order
  • Approve and enjoy your custom paper

Ask experts to write you a cheap essay of excellent quality

Place an order