Security of Electronic Business Applications: Structure and Quantification

  • Konstantin Knorr
  • Susanne Röhrig
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1875)


The rapid growth of the commercial use of the Internet goes along with a rising need for security for both customer and merchant. As many parties and different systems are involved, security becomes a complicated issue. Therefore, the need for definition, structuring, and quantification of security arises. This paper proposes a structured approach to analyze security measures and to quantify the overall security of an electronic business application. The quantifier is calculated through a security matrix which breaks down the assessment of security into smaller parts. These parts correspond to the locations, security objectives, and implemented security mechanisms of the application. The security quantifier can be used to analyze and design the application and to compare it with other applications.
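The abstract describes a security matrix whose cells are indexed by location and security objective and are filled by the implemented mechanisms, and a single quantifier derived from it. The paper's own matrix layout and aggregation rule are not reproduced on this page, so the following is an added illustration, not the authors' method: the locations, objectives, mechanisms and strength values are constructed, and the two combination rules (independent partial protection within a cell, weighted mean across cells) are assumptions chosen to show how such a matrix localizes weak spots and compresses to one number.

```python
from itertools import product

# Constructed dimensions of the matrix (assumed, not from the paper).
LOCATIONS = ["customer", "transport", "merchant"]
OBJECTIVES = ["confidentiality", "integrity", "availability"]

# Constructed mechanism catalogue: each mechanism contributes a strength in
# [0, 1] towards one objective at one location. Values are illustrative.
MECHANISMS = {
    "tls":       {("transport", "confidentiality"): 0.9,
                  ("transport", "integrity"): 0.9},
    "db_backup": {("merchant", "availability"): 0.7},
    "firewall":  {("merchant", "availability"): 0.5,
                  ("merchant", "confidentiality"): 0.4},
    "user_pin":  {("customer", "confidentiality"): 0.3},
}


def build_matrix(mechanisms, locations=LOCATIONS, objectives=OBJECTIVES):
    """Return {(location, objective): score}.

    Assumed combination rule: mechanisms covering the same cell act as
    independent partial protections, so the cell score is
    1 - prod(1 - strength_i). A cell no mechanism covers scores 0.0.
    """
    cells = list(product(locations, objectives))
    residual = {cell: 1.0 for cell in cells}
    for name, coverage in mechanisms.items():
        for cell, strength in coverage.items():
            if cell not in residual:
                raise KeyError(f"mechanism {name!r} targets unknown cell {cell}")
            if not 0.0 <= strength <= 1.0:
                raise ValueError(f"strength for {name!r} at {cell} not in [0, 1]")
            residual[cell] *= 1.0 - strength
    return {cell: round(1.0 - r, 4) for cell, r in residual.items()}


def security_quantifier(matrix, weights=None):
    """Collapse the matrix into one number in [0, 1].

    Assumed aggregation: weighted mean over cells; missing weights default
    to 1.0 so the plain mean is used when no weighting is supplied.
    """
    weights = weights or {}
    total_w = sum(weights.get(cell, 1.0) for cell in matrix)
    return sum(score * weights.get(cell, 1.0) for cell, score in matrix.items()) / total_w


def weakest_cells(matrix, n=3):
    """Cells with the lowest scores: where a designer would add mechanisms."""
    return sorted(matrix.items(), key=lambda kv: kv[1])[:n]


if __name__ == "__main__":
    m = build_matrix(MECHANISMS)
    for (loc, obj), score in sorted(m.items()):
        print(f"{loc:10s} {obj:16s} {score:.2f}")
    print("quantifier:", round(security_quantifier(m), 3))
    print("weakest:", weakest_cells(m))
```

Comparing two applications then means building both matrices against the same location and objective axes and comparing the quantifiers; the per-cell view is what makes the number explainable, since it shows which location and objective pulled the aggregate down.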


Keywords: security, security quantifier, electronic business application





Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Konstantin Knorr, Department of Computer Science, University of Zurich, Switzerland
  • Susanne Röhrig, SWISSiT Informationstechnik AG, Zurich, Switzerland
