Monday, May 11, 2015

Information Security (Chapter 4)



Introduction to Information Security:

Security: the degree of protection against criminal activity, danger, damage, and/or loss.
Information security: all of the processes and policies designed to protect an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information and information systems can be compromised by deliberate criminal actions and by anything that can impair the proper functioning of an organization’s information systems.
Organizations collect huge amounts of information and employ numerous information systems that are subject to myriad threats.
Publishers have also made videos to educate people about the benefits and importance of security to organizations and individuals, for example the video "Information Security: What You Need to Know".

 
Key Information Security Terms:


Threat: any danger to which a system may be exposed.

Exposure: the harm, loss, or damage that can result if a threat compromises that resource.

Vulnerability: the possibility that the system will suffer harm by a threat.

 
Threats to Information Security:
Today five key factors are contributing to the increased vulnerability of organizational information resources, making it much more difficult to secure them:


1) Today’s interconnected, interdependent, wirelessly networked business environment
- A complex, interconnected, interdependent, wirelessly networked business environment. The internet now enables millions of computers and computer networks to communicate freely and seamlessly with one another. Organizations and individuals are exposed to a world of untrusted networks and potential attackers.
- A trusted network, in general, is any network within your organization.
- An untrusted network, in general, is any network external to your organization.
- Wireless technologies enable employees to compute, communicate, and access the internet anywhere and anytime. Significantly, wireless is an inherently nonsecure broadcast communications medium.
2) Smaller, faster, cheaper computers and storage devices (flash drives)
Modern computers and storage devices (e.g., thumb drives or flash drives) continue to become smaller, faster, cheaper, and more portable, with greater storage capacity. These characteristics make it much easier to steal or lose a computer or storage device that contains huge amounts of sensitive information. Also, far more people are able to afford powerful computers and connect inexpensively to the internet, thus raising the potential of an attack on information assets.
3) Decreasing skills necessary to be a computer hacker
- The computing skills necessary to be a hacker are decreasing. The reason is that the internet contains information and computer programs called scripts that users with few skills can download and use to attack any information system connected to the internet.
- (Security experts can also use these scripts for legitimate purposes, such as testing the security of various systems.)
Hacker: a person who finds weaknesses in a computer system and exploits them.
4) International organized crime turning to cybercrime
- International organized crime is taking over cybercrime.
- Cybercrime: refers to illegal activities conducted over computer networks, particularly the internet.
5) Lack of management support
For the entire organization to take security policies and procedures seriously, senior managers must set the tone. Ultimately, however, lower-level managers may be even more important. These managers are in close contact with employees every day and thus are in a better position to determine whether employees are following security procedures.

Unintentional Threats to Information Systems:
Information systems are vulnerable to many potential hazards and threats.
 
* The two major categories of threats are:

1) Unintentional threats

2) Deliberate threats

· Unintentional threats are acts performed without malicious intent that nevertheless represent a serious threat to information security.

· A major category of unintentional threats is human error.


Human Errors:
  • Carelessness with laptops and portable computing devices
  • Opening questionable e-mails
  • Careless Internet surfing
  • Poor password selection


Social Engineering:
It’s an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords.
The most common example of social engineering occurs when the attacker impersonates someone else on the telephone, such as a company manager or an information systems employee. The attacker claims he forgot his password and asks the legitimate employee to give him a password to use. Other common ploys include posing as an exterminator, an air-conditioning technician, or a fire marshal. Examples of social engineering abound.
In one company, a perpetrator entered a company building wearing a company ID card that looked legitimate. He walked around and put up signs on bulletin boards reading “ The help desk telephone number has been changed. The new number is 555-1234.” He then exited the building and began receiving calls from legitimate employees thinking they were calling the company help desk. Naturally, the first thing the perpetrator asked for was user name and password. He now had the information necessary to access the company’s information systems.
Two other social engineering techniques:
Tailgating: a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee, and, when the employee gains entry, the attacker asks him or her to “hold the door.”

Shoulder surfing:
Occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as airports and on commuter trains and airplanes.

Deliberate Threats to Information Systems:

Espionage or trespass:
Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information. It is important to distinguish between competitive intelligence and industrial espionage.
- Competitive intelligence consists of legal information-gathering techniques, such as studying a company’s website and press releases, attending trade shows, and so on.
- Industrial espionage, in contrast, crosses the legal boundary.

Information extortion:
Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company.
The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Sabotage or vandalism:
Sabotage or vandalism are deliberate acts that involve defacing an organization’s website, possibly damaging the organization’s image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation. These are cases of high-tech civil disobedience to protest the operations, policies, or actions of an organization or government agency.

Theft of equipment or information

Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage (for example, laptops, BlackBerry units, personal digital assistants, smartphones, digital cameras, thumb drives, and iPods). As a result, these devices are becoming easier to steal and easier for attackers to use to steal information.
One type of human mistake is carelessness with laptops. In fact, many laptops have been stolen due to such carelessness. The cost of a stolen laptop includes the loss of data, the loss of intellectual property, laptop replacement, legal and regulatory costs, investigation fees, and lost productivity.
One form of theft, known as dumpster diving, involves the practice of rummaging through commercial or residential trash to find information that has been discarded. Paper files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters. Unfortunately, many people never consider that the sensitive items they throw in the trash may be recovered. Such information, when recovered, can be used for fraudulent purposes.
Dumpster diving is not necessarily theft, because the legality of this act varies. Because dumpsters are usually located on private premises, dumpster diving is illegal in some parts of the United States. Even in these cases, however, these laws are enforced with varying degrees of rigor.

Pod slurping: a perpetrator plugs a portable device into a USB port on a computer and downloads sensitive information.
Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded.

Identity theft:
Identity theft is the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime. Techniques for illegally obtaining personal information include:
· Stealing mail or dumpster diving
· Stealing personal information in computer databases
· Infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom)
· Impersonating a trusted organization in an electronic communication (phishing)

Recovering from identity theft is costly, time consuming, and difficult. Victims also report problems in obtaining credit and obtaining or holding a job, as well as adverse effects on insurance or credit rates. In addition, victims state that it is often difficult to remove negative information from their records, such as their credit reports.
Your personal information can be compromised in other ways. For example, your identity can be uncovered just by examining your searches in a search engine. The ability to analyze all searches by a single user can enable a criminal to identify who the user is and what he or she is doing. To demonstrate this fact, The New York Times tracked down a particular individual based solely on her AOL searches.
Compromises to Intellectual Property (IP):

  • Trade secret: an intellectual work, such as a business plan, that is a company secret and is not based on public information.
  • Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
  • Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years.
  • Piracy: the illegal copying of software.
 
Software attacks:

Virus:
a segment of computer code that performs malicious actions by attaching to another computer program.

Worm:
a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.

Trojan horse:
a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.

Logic bomb:
a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Phishing attacks:
use deception to acquire sensitive personal information by masquerading as official-looking e-mails.

Denial-of-service attack:
attackers send so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes.

Alien Software:

Spyware: software that collects personal information about users without their consent.
  • Keystroke loggers: record your keystrokes and your Web browsing history.
  • Screen scrapers: record a continuous “movie” of what you do on a screen.
Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) e-mail.
Cookies
Supervisory Control and Data Acquisition (SCADA) Attacks:
SCADA refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, SCADA systems provide a link between the physical world and the electronic world.
SCADA systems consist of multiple sensors, a master computer, and communications infrastructure. The sensors connect to physical equipment. They read status data such as the open/closed status of a switch or a valve, as well as measurements such as pressure, flow, voltage, and current. They control the equipment by sending signals to it, such as opening or closing a switch or valve or setting the speed of a pump.
The sensors are connected in a network, and each sensor typically has an internet address (Internet Protocol, or IP, address). If attackers gain access to the network, they can cause serious damage, such as disrupting the power grid over a large area or upsetting the operations of a large chemical or nuclear plant. Such actions could have catastrophic results.



Cyber-terrorism and Cyber-warfare:
Attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.

Example: the 2008 cyber-invasion of Georgia by the Russians.

What Organizations Are Doing to Protect Information Resources:

Risk: the probability that a threat will impact an information resource.
Risk management: to identify, control, and minimize the impact of threats.
Risk analysis: to assess the value of each asset being protected, estimate the probability that it might be compromised, and compare the probable costs of its being compromised with the cost of protecting it.
Risk mitigation: when the organization takes concrete actions against risk.
It has two functions:
       (1) implement controls to prevent identified threats from occurring.
       (2) develop a means of recovery should the threat become a reality.

Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
Risk transference: transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups.
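The risk analysis and the three mitigation strategies above, carried through on constructed numbers. This is an added example, not from the notes: it assumes the probable cost of a compromise is asset value times annual probability, and that a control is only worth implementing when it costs less than the loss it prevents (a cost-benefit rule the notes imply but do not spell out).

```python
"""Worked risk analysis (added example, not from the notes).

Assumptions (not stated on the page): the probable cost of a compromise is
estimated as asset value * annual probability of compromise, and a control is
worth implementing only when it costs less than the loss it is expected to
prevent. All asset figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # loss if the asset is compromised
    probability: float      # estimated annual probability of compromise
    control_cost: float     # annual cost of the control that would limit it
    control_effect: float   # fraction of the expected loss the control removes
    insurance_cost: float   # annual premium to transfer the risk instead


def expected_loss(asset: Asset) -> float:
    """Probable annual cost of the asset being compromised (risk analysis)."""
    return asset.value * asset.probability


def control_benefit(asset: Asset) -> float:
    """Expected loss avoided per year if the control is implemented."""
    return expected_loss(asset) * asset.control_effect


def choose_strategy(asset: Asset) -> str:
    """Pick one of the three risk mitigation strategies from the notes.

    limitation:   the control prevents more loss than it costs.
    transference: the control is not worth it, but insurance is cheaper
                  than absorbing the expected loss.
    acceptance:   neither pays for itself; operate with no controls and
                  absorb any damage that occurs.
    """
    if control_benefit(asset) > asset.control_cost:
        return "limitation"
    if asset.insurance_cost < expected_loss(asset):
        return "transference"
    return "acceptance"


# Constructed sample assets (hypothetical numbers).
ASSETS = [
    Asset("customer database", value=2_000_000, probability=0.05,
          control_cost=30_000, control_effect=0.8, insurance_cost=120_000),
    Asset("public brochure website", value=50_000, probability=0.2,
          control_cost=15_000, control_effect=0.5, insurance_cost=8_000),
    Asset("lobby kiosk PC", value=3_000, probability=0.1,
          control_cost=2_000, control_effect=0.9, insurance_cost=1_000),
]


def risk_register(assets=ASSETS) -> list:
    """(name, expected loss, strategy) per asset, highest expected loss first."""
    rows = [(a.name, expected_loss(a), choose_strategy(a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, loss, strategy in risk_register():
        print(f"{name:25s} expected loss ${loss:>10,.0f}  -> risk {strategy}")
```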
 
Controls evaluation
Physical controls: physical protection of computer facilities and resources (guards, doors, alarm systems).
Access controls: restriction of unauthorized user access to computer resources.
Communications (network) controls: protect the movement of data across networks and include border security controls, authentication, and authorization.
 
(1) Authentication
Determines/confirms the identity of the person requiring access.
Something the user is: access controls that examine a user's physiological or behavioral characteristics.

Biometrics
  • Voice verification
  • Fingerprints
  • Retina scan
Something the user has: these access controls include regular ID cards and smart cards.
Something the user does: these access controls include voice and signature recognition.
Something the user knows
  • Password: a private combination of characters that only the user should know. Example: nam3-beeS
  • Passphrase: a series of characters that is longer than a password but can be memorized easily. Example: omanFT2brazilworldcup
Multifactor authentication


(2) Authorization
Determines which actions, rights, or privileges the person has to do certain activities with information resources, based on his/her verified identity.
Privilege: a collection of related computer system operations that can be performed by users of the system.
Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Application controls: protect specific applications.




Communications controls (network controls)
Secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), secure socket layer (SSL), and employee monitoring systems.
· Firewalls:
A system that enforces an access-control policy between two networks.
· Anti-malware systems:
Software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
· Whitelisting and blacklisting:

      Whitelisting:
a process in which a company identifies the software that it will allow to run and does not try to recognize malware.

      Blacklisting:
a process in which a company allows all software to run unless it is on the blacklist.
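The two models side by side, as an added example that is not part of the notes. It assumes programs are identified by the SHA-256 hash of their contents rather than by file name, and uses constructed byte strings in place of real executables.

```python
"""Whitelisting vs blacklisting (added example, not from the notes).

Assumption (not on the page): a program is identified by the SHA-256 hash of
its file contents, not its name, so a renamed or modified file does not
inherit an approved program's permission. The "programs" below are
constructed byte strings standing in for real executables.
"""
import hashlib


def fingerprint(program: bytes) -> str:
    """Content hash used to identify a program regardless of its file name."""
    return hashlib.sha256(program).hexdigest()


# Constructed stand-ins for executables.
PAYROLL_APP = b"payroll-app v1.0: approved line-of-business software"
BROWSER = b"company-browser v2.3: approved"
KNOWN_WORM = b"known-worm sample: its signature is already on the blacklist"
NEW_MALWARE = b"brand-new malware: no signature exists for it yet"
TAMPERED_PAYROLL = PAYROLL_APP + b" (modified by an attacker)"

# Whitelist: software the company has identified and will allow to run.
WHITELIST = {fingerprint(PAYROLL_APP), fingerprint(BROWSER)}
# Blacklist: software that has already been recognized as malicious.
BLACKLIST = {fingerprint(KNOWN_WORM)}


def whitelist_allows(program: bytes) -> bool:
    """Whitelisting: run only identified software; no attempt to recognize malware."""
    return fingerprint(program) in WHITELIST


def blacklist_allows(program: bytes) -> bool:
    """Blacklisting: everything runs unless it is on the blacklist."""
    return fingerprint(program) not in BLACKLIST


def compare(program: bytes) -> dict:
    """Decision of each model for one program: True means it is allowed to run."""
    return {"whitelist": whitelist_allows(program),
            "blacklist": blacklist_allows(program)}


if __name__ == "__main__":
    samples = {"approved payroll app": PAYROLL_APP,
               "known worm": KNOWN_WORM,
               "new, unknown malware": NEW_MALWARE,
               "tampered payroll app": TAMPERED_PAYROLL}
    for label, prog in samples.items():
        d = compare(prog)
        verdict = lambda ok: "run  " if ok else "block"
        print(f"{label:22s} whitelist: {verdict(d['whitelist'])}  "
              f"blacklist: {verdict(d['blacklist'])}")
```

The unknown malware and the tampered copy of the payroll app run under blacklisting but are blocked under whitelisting; the price of whitelisting is that every legitimate new program must be added to the list before it can run.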

· Encryption:
The process of converting an original message into a form that cannot be read by anyone except the intended receiver.

Digital certificate: an electronic document attached to a file certifying that the file is from the organization it claims to be from and has not been modified from its original format.
Certificate authorities: trusted intermediaries between two organizations that issue digital certificates.

· Virtual Private Networking.
· Secure Socket Layer (SSL).
· Employee Monitoring Systems.
 

Ethics and Privacy (chapter 3)


Ethics:
deals with what is considered to be right and wrong.
Deciding what is right or wrong is not always easy or clear cut.
Code of Ethics:
A collection of principles that are intended to guide decision making by members of an organization.

Ethical Issues:
Ethical Frameworks
Four widely used standards make up a representative ethical framework:
#Utilitarian Approach:
An ethical action is the one that provides the most good or does the least harm for all affected parties: customers, employees, shareholders, the community, and the environment.

#Rights Approach:
An ethical action is the one that best protects and respects the moral rights of affected people.
Moral rights⇨can include the right to make one’s own choices about what kind of life to lead:
✔The right to make your own choices.
✔The right to be told the truth.
✔The right of privacy.

#Fairness Approach:
Ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard; a disparity that rests on an imbalance of power rather than on a defensible standard is therefore unfair.

Example: it is fair to pay people higher salaries if they work harder or contribute a greater amount to the firm.
#Common Good Approach:
Highlights the interlocking relationships that underlie all societies.
This approach argues that respect and compassion for all is the basis for ethical actions.
It emphasizes the common conditions that are important to the welfare of everyone.

These conditions can include a system of laws, effective police and fire departments, health care, a public educational system, and even public recreation areas.

We can develop a general framework for ethics or for ethical decision making.
This framework consists of five steps:

1) Recognize an ethical issue.
3) Evaluate alternative actions.
4) Make a decision and test it.
5) Act and reflect on the outcome of your decision.


Ethics in the Corporate Environment:

Code of ethics: a collection of principles intended to guide decision making by members of the organization (e.g., the Association for Computing Machinery, an organization of computing professionals, has a thoughtful code of ethics for its members).

Different codes of ethics are not always consistent with one another.
Fundamental Tenets of Ethics:
➡Responsibility:
means that you accept the consequences of your decisions and actions.

➡Accountability:
a determination of who is responsible for actions that were taken

➡Liability:
a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems

Unethical is not necessarily illegal.
Improvements in information technologies have generated a new set of ethical problems:
- Organizations are more dependent than ever on information systems.
With information systems:

- Organizations can store increasing amounts of data at decreasing cost.

- This enables organizations to store more data on individuals for longer periods of time.

- Computer networks, particularly the internet, enable organizations to collect, integrate, and distribute enormous amounts of information on individuals, groups, and institutions.


Ethics and Information Technology:
Many business decisions will have an ethical dimension. Consider the decisions that you might have to make, such as:

>Monitor employees’ web surfing and e-mail.

>Sell customer information to other companies.

>Audit employees’ computers for unauthorized software or illegally downloaded music or video files.

Privacy:
The diversity and ever-expanding use of information technology applications have created a variety of ethical issues, which fall into four general categories:
1. Privacy Issues:
involve collecting, storing, and disseminating information about individuals.
Privacy: is the right to be left alone and to be free of unreasonable personal intrusions.
Privacy rights apply to: individuals / groups / institutions

Information privacy: the right to determine when, and to what extent, information about yourself can be gathered and/or communicated.

Court decisions in many countries have followed two rules fairly closely, which is why privacy regulations can be difficult to determine and enforce:
- The right of privacy is not absolute; privacy must be balanced against the needs of society.
- The public’s right to know is superior to the individual’s right of privacy.

2. Accuracy Issues:
involve the authenticity, fidelity, and accuracy of information that is collected and processed.

3. Property Issues:
involve the ownership and value of information.

4. Accessibility Issues:
revolve around who should have access to information and whether they should have to pay for this access.
Threats to privacy:
☆Data aggregators
companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers

☆Digital dossiers
an electronic description of you and your habits

☆Profiling
use of computers to combine data from multiple sources and create digital dossiers of detailed information on individuals

NORA (nonobvious relationship awareness)
new data analysis technique for even more powerful profiling.


☆Electronic surveillance:
The tracking of people’s activities, online or offline, with the aid of computers, conducted by employers, governments, and other institutions (e.g., employers reading employees’ e-mail and other documents).

It is a major privacy-related problem.

# Cookies

# URL filtering: two-thirds use software to block connections to inappropriate websites.


Personal Information in Databases:
Information about individuals is being kept in many databases:
Ø Banks
Ø Utility companies
Ø Government agencies
Ø Credit reporting companies


Social Networking Sites:
Social networking sites often include electronic discussions such as chat rooms. These sites appear on the Internet, within corporate intranets, and on blogs.

Social Networking Sites Can Cause You Problems:

 1- Anyone can post derogatory information about you anonymously.
 2- You can also hurt your life or job by posting your own information.
This information can be text, images, etc.

What you can do when you are facing these problems:
First, be careful what information you post on social networking sites.
Second, a company, Reputation Defender, says it can remove derogatory information from the Web.
A blog (Weblog) is an informal, personal journal that is frequently updated and intended for general public reading.
http://www.msnbc.msn.com/id/20202935/ns/business-school_inc_/t/job-candidates-getting-tripped-facebook

 

Privacy Codes and Policies:
An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
Opt-out Model
informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.

Opt-in Model
informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.
 

P3P (Platform for Privacy Preferences Project):
Platform for Privacy Preferences (P3P): a platform that automatically communicates privacy policies between an electronic commerce website and visitors to that site.

P3P: - enables visitors to determine the types of personal data that can be extracted by the websites they visit.
- allows visitors to compare a website’s privacy policy to the visitors’ preferences or to other standards, such as the Federal Trade Commission’s (FTC) fair information practices standard or the European Directive on Data Protection.


International Aspects of Privacy:
Privacy issues that international organizations and governments face when information spans countries and jurisdictions (transferring data among nations without the knowledge of either the authorities or the individuals could raise privacy issues).
Trans-border data flows: the absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries.
European Union (EU): in 1998 the European Community Commission (ECC) put laws in place for its members about the right of individuals to access their information.
The EU data-protection laws are stricter than US laws, which creates problems for multinational corporations, which face lawsuits over privacy.
The EU developed a “safe harbor” framework to regulate the way that US companies export and handle the personal data of European citizens.

Privacy Policy Guidelines:

Data collection:

◆Data should be collected on individuals only for the purpose of accomplishing a legitimate business objective.
◇Data should be adequate, relevant, and not excessive in relation to the business objective.
◆Individuals must give their consent before data pertaining to them can be gathered.
◇Such consent may be implied from the individual’s actions.
Data accuracy:
◆Sensitive data gathered on individuals should be verified before they are entered into the database.
◇Data should be kept current, where and when necessary.
◆The file should be made available so that the individual can ensure that the data are correct.
◇In any disagreement about the accuracy of the data, the individual’s version should be noted and included with any disclosure of the file.

Data confidentiality:

◆Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These procedures should include physical, technical, and administrative security measures.
◇Third parties should not be given access to data without the individual’s knowledge or permission, except as required by law.
◆Disclosures of data, other than the most routine, should be noted and maintained for as long as the data are maintained.
◇Data should not be disclosed for reasons incompatible with the business objective for which they are collected.
 







Monday, May 4, 2015

Electronic Commerce: Applications and Issues (Chapter 7)

Overview of E-Business and E-Commerce
Electronic Commerce (EC or e-commerce): describes the process of buying, selling, transferring, or exchanging products, services, or information via computer networks, including the internet.
Electronic Business (EB or e-business): a broader definition of EC, including:
  • buying and selling of goods and services.
  • servicing customers.
  • collaborating with partners.
  • conducting e-learning.
  • conducting electronic transactions within an organization.

Electronic commerce can take several forms depending on the degree of digitization involved.
The degree of digitization is the extent to which the commerce has been transformed from physical to digital. So:
The product can be physical or digital.
The process can be physical or digital.
The delivery agent can be physical or digital.
Pure vs. Partial EC:

Brick-and-Mortar Organization: also called a purely physical organization, in which the product, the process, and the delivery agent are all physical.
e.g., buying books at a family bookshop.

Click-and-Mortar Organization: organizations that conduct some e-commerce activities, yet carry out their primary business in the physical world (a common alternative to the term "click-and-mortar" is "brick-and-mortar"). Therefore it is an example of partial EC.
It is also known as an organization that does business in both the physical and digital dimensions (multichanneling).
e.g., ordering a physical book from Amazon.


Pure-Play Organization: also called a virtual organization, in which the product, the process, and the delivery agent are all digital. These are the organizations that are engaged only in EC.
e.g., ordering and downloading a book from Amazon.


Types of E-Commerce:
☆Business-to-Consumer (B2C)⇨ In B2C, the sellers are organizations, and the buyers are individuals.
☆Business-to-Business (B2B)⇨ In B2B, both the sellers and the buyers are business organizations. The vast majority of EC volume is of this type.
☆Consumer-to-Consumer (C2C)⇨ In C2C (also called "customer-to-customer"), an individual sells products or services to other individuals. The major strategies for conducting C2C on the Internet are auctions and classified ads.
☆Business-to-Employee (B2E)⇨ In B2E, an organization uses EC internally to provide information and services to its employees. For example, companies allow employees to manage their benefits and to take training classes electronically. In addition, employees can buy discounted insurance, travel packages, and tickets to events on the corporate intranet. They also can order supplies and materials electronically. Finally, many companies have electronic corporate stores that sell the company's products to its employees, usually at a discount.
☆E-Government⇨ E-government is the use of internet technology in general and e-commerce in particular to deliver information and public services to citizens (called government-to-citizen or G2C EC) and to business partners and suppliers (called government-to-business or G2B EC).
E-government is also an efficient way of conducting business transactions with citizens and within the governments themselves. E-government makes government more efficient and effective, especially in the delivery of public services.
☆Mobile commerce (m-commerce)⇨ The term m-commerce refers to e-commerce that is conducted entirely in a wireless environment.
e.g.⇨ using cell phones to shop over the internet.
Each of the above types of EC is executed in one or more business models.
Business model⇨ the method by which a company generates revenue to sustain itself.


E-Commerce and search:
The development of e-commerce has proceeded in phases. Offline and online brands initially were kept distinct and then were awkwardly merged. Initial e-commerce efforts consisted of flashy brochure sites, with rudimentary shopping carts and checkout systems. They were replaced with systems that tried to anticipate customer needs and accelerate checkout.

Major E-commerce Mechanisms
There are many mechanisms through which businesses and customers can buy and sell on the internet. The most widely used are electronic catalogs, electronic auctions, e-storefronts, e-maills,and e-marketplaces.
↘Electronic catalogs⇨ consist of a product database, directory and search capabilities, and a presentation function. They are the backbone of most e-commerce sites.

↖Electronic auction (e-auction)⇨ an auction that is held over the internet.
E-auctions generally increase revenues for sellers by broadening the customer base and shortening the cycle time of the auction. Buyers generally benefit from e-auctions because they can bargain for lower prices. In addition, they do not have to travel to an auction at a physical location.
Two types of auctions :
Forward auctions→ auctions that sellers use as a channel to many potential buyers. Usually, sellers place items at sites for auction, and buyers bid continuously for them. The highest bidder wins the auction. Both sellers and buyers can be individuals or businesses.
e.g.→ eBay.com.
Reverse auctions→ an auction in which one buyer, usually an organization, seeks to buy a product or a service, so it posts a request for quotation (RFQ) on its website or on a third-party site. The RFQ provides detailed information on the desired purchase. The suppliers study the RFQ and then submit bids electronically. The lowest-price bidder wins the auction. The reverse auction is the most common auction model for large purchases.
↘Electronic storefront⇨ a website that represents a single store.

↖Electronic mall⇨ also known as a cybermall or e-mall, is a collection of individual shops under one internet address. E-storefronts and e-malls are closely associated with B2C EC.

↘Electronic marketplace (e-marketplace)⇨ a central, virtual market space on the web where many buyers and many sellers can conduct e-commerce and e-business activities. Electronic marketplaces are associated with B2B EC.

↖Name-your-own-price⇨ customers decide how much they want to pay.
 e.g.→ www.priceline.com
↘Find-the-best-price⇨ customers specify a need and an intermediary compares providers and shows the lowest price.
↖Affiliate marketing⇨ vendors ask partners to place logos or banners on the partners' sites. If customers click on the logo, go to the vendor's site, and buy, the vendor pays a commission to the partner.

↘Viral marketing⇨ receivers send information about your product to their friends.
↖Group purchasing⇨ small buyers aggregate demand to get a large volume discount.
e.g.→ E-Coops.
↘Product customization⇨ customers use the internet to self-configure products or services. Sellers then price them and fulfill them quickly.
e.g.→www.dell.com & www.bluenile.com .
↖Deep discounters⇨ the company offers deep price discounts. Appeals to customers who consider only price in their purchasing decisions.
↘Membership⇨ only members can use the services provided, including access to certain information, conducting trade, etc.

Benefits of E-Commerce :
Benefits to organizations:
✔Makes national and international markets more accessible.
✔Lowering costs of processing, distributing, and retrieving information.
Benefits to customers :
✔Access a vast number of products and services around the clock(24/7/365).
Benefits to society :
✔Ability to easily and conveniently deliver information, services and products to people in cities, rural areas and developing countries.

Limitations of E-Commerce :
Technological Limitations:
✘Lack of universally accepted security standards.
✘Insufficient telecommunications bandwidth.
✘Expensive accessibility.
Non-Technological Limitation :
✘Perception that EC is unsecure.
✘Unresolved legal issues.
✘Lacks a critical mass of sellers and buyers.

Business-to-Consumer (B2C) Electronic Commerce :
Electronic retailing (e-tailing)⇨ the direct sale of products and services through storefronts or electronic malls, usually designed around an electronic catalog format and/or auctions.

Electronic Storefronts :
As noted earlier, an electronic storefront⇨ is a website that represents a single store. Some electronic storefronts are extensions of physical stores such as Hermes, The Sharper Image, and Wal-Mart. Others are new businesses started by entrepreneurs who discovered a niche on the web. e.g.→(Restaurant.com & Alloy.com). Manufacturers→(www.dell.com) and retailers→(www.officedepot.com) also use storefronts.
Electronic Malls :
Electronic mall⇨ also known as a cybermall or an e-mall, is a collection of individual shops grouped under a single internet address.
e.g.→http://www.e-mall.com.sa/
There are two types of cybermalls:
 ✳The first type, known as referral malls → e.g.→(www.hawaii.com): you cannot buy anything there. Instead, you are transferred from the mall to a participating storefront.
 ✳The second type, e.g.→(http://shopping.yahoo.com): you can actually make a purchase. At this type of mall, you might shop at several stores but make only one purchase transaction at the end. You use an electronic shopping cart to gather items from different vendors and pay for all of them in a single transaction. The mall organizer, such as Yahoo!, takes a commission from the sellers for this service.

Online Service Industries :
Online services such as buying an airline ticket and purchasing stocks or insurance can be delivered entirely through e-commerce, often with considerable cost reduction.
One of the most pressing EC issues relating to online services is disintermediation.
Intermediaries have two functions:
(1) They provide information.
(2) They perform value-added services such as consulting.
The first function can be fully automated and most likely will be assumed by e-marketplaces and portals that provide information for a fee. When this occurs, the intermediaries who perform only (or primarily) this function are likely to be eliminated. This process is called disintermediation.
Disintermediation⇨ the elimination of intermediaries in electronic commerce.
Cyberbanking :
 
Cyberbanking⇨ also known as electronic banking, it involves various banking activities conducted electronically from home, business, or on the road instead of at a physical bank location.
Electronic banking →For customers → it save time and is convenient.
                                  →For banks → it offers an inexpensive alternative to branch banking.
                                                        →It also enables banks to attract remote customers.
In addition to regular banks with added online services, virtual banks, which are dedicated solely to internet transactions, are emerging.
e.g. of a virtual bank→ First Internet Bank of Indiana (www.firstib.com).
An example of support for EC global trade is provided by TradeCard in conjunction with MasterCard.
TradeCard→ an international company that provides a secure method for buyers and sellers to make digital payments anywhere in the world.
 Online Securities Trading :
 
Emarketer.com estimates that some 40 million people in the United States use computers to trade stocks, bonds, and other financial instruments. In fact, several well-known securities companies, including E*Trade, Ameritrade, and Charles Schwab, offer only online trading. In South Korea more than half of stock traders already use the internet for that purpose, because it is cheaper than a full-service or discount broker. Further, on the web, investors can find a considerable amount of information regarding specific companies or mutual funds in which to invest.
e.g.→(http:// money.cnn.com & www.bloomberg.com).
The Online Job Market :
The internet offers a promising new environment for job seekers and for companies searching for hard-to-find employees. Thousands of companies and government agencies advertise available positions, accept resumes, and take applications via the internet.
e.g.→(www.monster.com & www.simplyhired.com).
Travel Services :
 
The internet is an ideal place to plan, explore, and arrange almost any trip economically. Online travel services allow you to purchase airline tickets, reserve hotel rooms, and rent cars. Most sites also offer a fare-tracker feature that sends you e-mail messages about low-cost flights. Examples of comprehensive online travel services are:
        →Expedia.com
        →Travelocity.com
        →Orbitz.com
Other e.g. of Online  Travel Services:
        →Real Estate→http://www.findaproperty.com
        →Hotels→www.hotels.com

Online Advertising :
Advertising⇨ the practice of disseminating information in an attempt to influence a buyer-seller transaction.
Internet advertising ⇨ redefines the advertising process, making it media-rich, dynamic, and interactive.
The benefits of internet advertising:
   →Internet ads can be updated any time at minimal cost and therefore can be kept current.
   →These ads can reach a very large number of potential buyers all over the world.
   →They are cheaper than radio, television, and print ads.
   →Internet ads can be interactive and targeted to specific interest groups and/or individuals.
Advertising Methods :
➡Banners⇨ simply electronic billboards. A banner contains a short text or graphical message that promotes a product or a vendor. It may contain video clips and sound.
Advantages of banners :
✔They can be customized to the target audience. 
Disadvantages of banners :
✘They can convey only limited information due to their small size.
✘Many viewers simply ignore them.
➡pop-up ad⇨ appear in front of the current browser window.
➡pop-under ad⇨ appears underneath the active window; when the active window is closed, the ad appears.
Many users strongly object to these ads which they consider intrusive. Modern browsers let users block pop-up ads but this feature must be used with caution because some websites depend on pop-up capabilities to present content other than advertising.
➡E-mail⇨ is emerging as an Internet advertising and marketing channel. It is generally cost effective to implement and it provides a better and quicker response rate than other advertising channels.
➡Spamming⇨ the indiscriminate distribution of electronic ads without the permission of the receiver. Unfortunately, spamming is becoming worse over time.
Two important responses to spamming are :
→Permission marketing→ asks consumers to give their permission to voluntarily accept online advertising and e-mail. Permission marketing is the basis of many Internet marketing strategies. Permission marketing is also extremely important for market research.
In one particularly interesting form of permission marketing, companies such as Clickdough.com, ExpressPaidSurveys.com, and CashSurfers.com have built customer lists of millions of people who are happy to receive advertising messages whenever they are on the web.
→Viral marketing→ refers to online "word-of-mouth" marketing. The strategy behind viral marketing is to have people forward messages to friends, family members, and other acquaintances suggesting they "check this out". For example, a marketer can distribute a small game program embedded with a sponsor's e-mail that is easy to forward.
➡Online Advertising on Social Networks⇨ online advertising on social networks has become more successful over time. This type of advertising takes several forms, including:
     →Self-service advertising.
     →Brand advertising.
     →Performance-based advertising.
     →Impression based advertising.

Issues in E-Tailing :
Channel conflict: occurs when manufacturers disintermediate their channel partners, such as distributors, retailers, dealers, and sales representatives, by selling their products directly to consumers, usually over the Internet through e-commerce.
[Ford allows customers to configure a car online but requires them to pick it up from a dealer, where they arrange financing, warranties and services]

Multichanneling: is a process in which a company integrates its offline and online channels.

Order fulfillment: finding the product to be shipped; packaging the product; arranging for speedy delivery to the customer; and handling the return of unwanted or defective products.

Business-to-Business (B2B) Electronic Commerce :
In B2B e-commerce, the buyers and sellers are organizations.
There are several business models for B2B applications:
Sell-Side Marketplaces :
In the sell-side marketplace, organizations sell their products or services to other organizations electronically from their own Web site and/or from a third-party Web site.
This model is similar to the B2C model in which the buyer comes to the seller’s site, views catalogs, and places an order. In the B2B sell-side marketplace, the buyers are organizations.

Buy-Side Marketplace :
 
The buy-side marketplace is a model in which organizations buy needed products and services from other organizations electronically.
A major method of buying goods and services in the buy-side model is reverse auction.
E-Procurement⇨ purchasing by using electronic support. E-procurement uses reverse auctions, particularly group purchasing.
Group Purchasing⇨ multiple buyers combine their orders so they constitute a large volume and therefore attract more seller attention.
Electronic Exchanges :
Private exchanges have one buyer and many sellers. E-marketplaces are called public exchanges, or simply exchanges.
Exchanges⇨ are independently owned by a third party and connect many buyers and many sellers.
Vertical Exchanges: connect buyers and sellers in a given industry.
e.g.→ www.plasticsnet.com & www.papersite.com
Horizontal Exchanges: connect buyers and sellers across many industries, and are used mainly for MRO materials.
e.g.→ www.alibaba.com
Functional Exchanges: needed services such as temporary help or extra office space are traded on an "as-needed" basis.
e.g.→ www.employease.com

Electronic Payments :
Implementing EC typically requires electronic payments.
Electronic payment systems⇨ enable you to pay for goods and services electronically rather than by writing a check or using cash.
Electronic Checks:
Electronic checks (e-checks): are similar to regular paper checks. They are used primarily in B2B. A customer who wishes to use e-checks must establish a checking account with a bank. Like regular checks, e-checks carry a signature in digital form that can be verified; the signature is computed over the check's contents, so any later change to the payee or amount invalidates it.
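The following added example (not code from the page or from any e-check vendor) shows what "a signature in digital form that can be verified" means in practice: the payer signs a canonical serialization of the check fields with textbook RSA over SHA-256, and the payee or bank verifies it and rejects a check whose amount has been altered after signing. The key pair is built from two fixed Mersenne primes so the script runs offline with only the Python standard library; the primes, the sample check and the field names are assumptions for the demo, and a real e-check system would use a CA-issued key of at least 2048 bits with a padded signature scheme such as RSA-PSS.

```python
# Added example: toy e-check with a verifiable digital signature.
# Key material below is assumed for the demo and far too small for real use.
import hashlib
import json

P = (1 << 127) - 1                 # 2^127 - 1, a Mersenne prime
Q = (1 << 107) - 1                 # 2^107 - 1, a Mersenne prime
N = P * Q                          # public modulus (~234 bits)
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

SIGNED_FIELDS = ("payer", "payee", "amount", "currency", "number")


def canonical(check: dict) -> bytes:
    """Serialize the signed fields deterministically so signer and verifier hash identical bytes."""
    fields = {k: check[k] for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def digest(check: dict) -> int:
    # SHA-256 is 256 bits and N is ~234 bits, so the toy reduces the hash mod N.
    return int.from_bytes(hashlib.sha256(canonical(check)).digest(), "big") % N


def sign_check(check: dict, d: int = D) -> dict:
    """Return a copy of the check carrying the payer's RSA signature over its fields."""
    signed = dict(check)
    signed["signature"] = pow(digest(check), d, N)
    return signed


def verify_check(signed: dict, e: int = E) -> bool:
    """True only if the signature matches the check fields exactly as received."""
    sig = signed.get("signature")
    if not isinstance(sig, int) or not 0 < sig < N:
        return False
    return pow(sig, e, N) == digest(signed)


# Constructed sample check for the demo.
SAMPLE = {"payer": "Acme Supplies Ltd", "payee": "Widget Co", "amount": "1250.00",
          "currency": "USD", "number": 1042}


def demo() -> tuple:
    """Verify a genuine signed check, then the same check with the amount raised in transit."""
    signed = sign_check(SAMPLE)
    tampered = dict(signed, amount="9250.00")   # payee bumps the amount after signing
    return verify_check(signed), verify_check(tampered)


if __name__ == "__main__":
    print(demo())
```

The verifier never trusts the `signature` field on its own: it recomputes the digest from the fields it actually received, so a modified amount, payee or check number produces a different digest and the comparison fails.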

Electronic Credit Cards :
Electronic credit (e-credit) cards: allow customers to charge online payments to their credit card account. These cards are used primarily in B2C and in shopping by small-to-medium enterprises (SMEs).
Several major credit card issuers offer customers the option of shopping online with virtual, single-use credit card numbers. The goal is to thwart criminals by using a different, random card number every time you shop online, so a number captured from one merchant is worthless for a second purchase.
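As an added example (not code from the page or from any card issuer), the script below models the single-use virtual card number mechanism on the issuer's side: it mints a random, Luhn-valid 16-digit number bound to one merchant and one spending limit, then honours it exactly once, so a replay of a captured number, a guessed number, or use at a different merchant is declined. The issuer prefix, merchant names, accounts and amounts are constructed for the demo; a real issuer does this inside its authorization system and maps the virtual number back to the real account.

```python
# Added example: issuer-side handling of single-use virtual card numbers.
import secrets

BIN = "411111"          # assumed 6-digit issuer prefix for the demo


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        n = int(ch)
        if i % 2 == 0:          # every second digit from the right, check digit excluded
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Syntactic check only; says nothing about whether the number is live."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class VirtualCardIssuer:
    def __init__(self):
        self._tokens = {}   # virtual PAN -> {account, merchant, limit, used}

    def issue(self, real_account: str, merchant: str, limit: float) -> str:
        """Mint a fresh Luhn-valid 16-digit number that has never been issued before."""
        while True:
            body = BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
            pan = body + luhn_check_digit(body)
            if pan not in self._tokens:
                break
        self._tokens[pan] = {"account": real_account, "merchant": merchant,
                             "limit": limit, "used": False}
        return pan

    def authorise(self, pan: str, merchant: str, amount: float) -> tuple:
        """Return (approved, reason); a virtual number is burned on its first approval."""
        if not luhn_valid(pan):
            return False, "malformed PAN"
        rec = self._tokens.get(pan)
        if rec is None:
            return False, "unknown PAN"        # guessed or never issued
        if rec["used"]:
            return False, "already used"       # replay of a captured number
        if merchant != rec["merchant"]:
            return False, "wrong merchant"     # captured at one shop, used at another
        if amount > rec["limit"]:
            return False, "over limit"
        rec["used"] = True
        return True, f"charged to {rec['account']}"


def demo() -> tuple:
    """Walk one virtual number through its lifetime, then try a second one at the wrong merchant."""
    issuer = VirtualCardIssuer()
    pan = issuer.issue("real-acct-0001", "shop.example", 50.00)
    over = issuer.authorise(pan, "shop.example", 75.00)      # declined, number still unused
    first = issuer.authorise(pan, "shop.example", 42.00)     # approved, number burned
    replay = issuer.authorise(pan, "shop.example", 42.00)    # declined
    pan2 = issuer.issue("real-acct-0001", "shop.example", 50.00)
    stolen = issuer.authorise(pan2, "evil.example", 1.00)    # declined
    return luhn_valid(pan), over[1], first[0], replay[1], stolen[1]


if __name__ == "__main__":
    print(demo())
```

Note that a declined authorization does not consume the number, so a legitimate retry after an "over limit" decline still succeeds; only an approval burns it.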

Purchasing Cards :
Purchasing Cards: the B2B equivalent of electronic credit cards. In some countries, purchasing cards are the primary form of payment between companies. Purchasing cards typically are used for unplanned B2B purchases, and corporations generally limit the amount per purchase, usually to $1000 to $2000. Purchasing cards can be used on the Internet, much like regular credit cards.

 Electronic Cash :

Stored-value money cards⇨ a form of e-cash. They allow you to store a fixed amount of prepaid money and then spend it as necessary. For example, such a card can be used to pay for photocopies in the library, for transportation, and for telephone calls.
Smart cards⇨ contain a chip called a microprocessor that can store a considerable amount of information and are multipurpose: they can be used as a debit card, a credit card, or a stored-value money card.
Person-to-person payments⇨ a form of e-cash that enables two individuals, or an individual and a business, to transfer funds without using a credit card. They can be used for sending money to students at college, paying for an item purchased at an online auction, or sending a gift to a family member.
e.g. of companies that offer this service: PayPal (an eBay company), AOL Quick Cash, One's Bank eMoneyMail, and WebCertificate.

E-wallet
Ethical and legal Issues in E-Business :
Ethical Issues :
Privacy: e-commerce provides opportunities for businesses to track online consumers using cookies or special spyware.
Legal and Ethical Issues Specific to E-Commerce :
Fraud on the Internet :
Internet fraud has grown faster than Internet use itself.
Domain Name :
are assigned by central nonprofit organizations that check for conflict and possible infringement of trademarks.


Cybersquatting :
 refers to the practice of registering domain names solely for the purpose of selling them later at a higher price.
www.ou.edu.om
The original owner of www.tom.com received $8 million for the name
Domain tasting: it is not an illegal practice, but it may well be unethical.
Taxes and other Fees:
When and where (and in some cases whether) electronic sellers should pay taxes is unresolved.
Copyright:
 protecting intellectual property in e-commerce and enforcing copyright laws is extremely difficult