Security Risk Assessment of Decentralized, Mobile Applications: An Analysis of Location Aware Systems

Technological improvements, declining costs and mandates to suppliers from large entities such as Wal-Mart and the Department of Defense are driving investments in RFID and other location aware systems (LAS). Expected benefits from LAS investments include improvements in supply chain integration and streamlined operations. However, LAS may introduce a number of new information security vulnerabilities into organizations that must be carefully considered. LAS are highly decentralized and mobile, yet must connect to existing transactional systems to function. Decentralized, mobile applications are especially difficult to secure, and connections between LAS and internal applications can put those systems at risk too. The additional complexity of overall systems architectures also makes identifying security risks more challenging. We assert that current guidelines for information security are increasingly insufficient for organizations with highly decentralized systems and that more attention to how systems are employed is needed. We demonstrate this point with logical process models that illustrate how two different uses of one LAS technology result in different information security risks.
