A Quantitative Investigation of the Security Factors Affecting the Use of IT Systems in Public Networks

Sanjeev Mitra
College of Business Administration, Trident University International, Cypress, CA, USA

Dr Indira R. Guzman, Ph.D.
Program Director, College of Information Systems, Trident University International, Cypress, CA, USA

Dr Gurpreet Dhillon, Ph.D.
Professor of Information Security at the School of Business
Virginia Commonwealth University, Virginia, USA

Dr Kiet Tran, Ph.D.
Professor, College of Business Administration
Trident University International, Cypress, CA, USA

Abstract
This research will investigate whether the System Security Quality of IT Systems such as mobile technologies, when used in public networks such as the Wi-Fi Internet, has a positive effect on their users’ behavioral intentions to use such systems. The motivation for this research stems from the need to investigate what the System Security Quality of mobile technologies is and how it is perceived by users of those technologies when used in public networks like the Internet (Wi-Fi). The relevant theories are the Unified Theory of Acceptance and Use of Technology, Technology Acceptance Model, Theory of Reasoned Action, Technology Threat Avoidance Theory, Theory of Planned Behavior, Self-Efficacy in Information Security, Protection Motivation Theory and the ‘IS’ Success Model. The main constructs are System Security Quality of IT Systems, Users’ perceptions about System Security Quality of IT Systems, Users’ Behavioral Intentions to use IT Systems, Users’ Self-Efficacy about IT Systems Security, and Users’ Response Efficacy about IT Systems security. Paper and web based questionnaires using a Likert scale will be used for data collection in restaurants/coffee-shops/bookstores. Statistical analysis will be done using Confirmatory Factor Analysis, ANOVA and multiple regression analysis. Hypothesis testing will be done for reflective variables by techniques like Structural Equation Modeling, using AMOS or LISREL. For indicators of the formative construct the analysis will be done using PLS. This research study will benefit the vendors of IT Systems like mobile technologies by helping them to increase their users’ satisfaction with the security of such systems when used in public networks like the Wi-Fi based Internet, possibly resulting in more actual usage and an increase in business for their respective smartphone brands. The same study will be done in future in secured wired networks in universities in the US and other countries to assess the validity of the results obtained in another context and to establish their generalizability.

Introduction

In order to survive in the modern business world, individuals working in organizations use various ways of information management, since information is now recognized as an asset of organizations. The technology used for managing and disseminating information includes computers, personal digital assistants, smart phones and tablets, storage devices, virtual machines, servers, etc. These artifacts of Information Technology have one aspect in common for the majority of their users in many countries of the developed world like the USA: they are connected to some type of network, either wired or wireless, at homes, in offices or on the road.

Problem Statement

While this has made retrieval and distribution of information easy, serious concerns have sprung up about the effectiveness of the security of these artifacts for their individual users in organizations. This is because persistent incidents of malware infection and data breaches experienced by users in organizations continue to be on the rise, pointing to possible gaps in the effectiveness of the IT security practices being followed for individual users as a whole in companies. The ‘State of Endpoint risk 2011’ survey by Ponemon Institute (2010) found that “The most frequently encountered IT network incidents are general malware attacks (92 percent of respondents), web-borne malware attacks (75 percent of respondents), botnet attacks (64 percent of respondents) and SQL injections (38 percent of respondents)”. The salient findings of the “2013 State of the Endpoint” survey research report by Ponemon Institute (2012), relevant to this research study, were as follows:

  • “Eighty percent of respondents believe laptops and other mobile data-bearing devices such as smart phones pose a significant security risk to their organization’s networks or enterprise systems because they are not secure.
  • Malware attacks are increasing. Fifty-eight percent of respondents say their organizations have more than 25 malware attempts or incidents each month and another 20 percent are unsure”
  • Out of these both general malware (86%) and Web-borne malware attacks (79%) and Rootkits (65%) are the most occurring in organizations.
  • Advanced Persistent Threats (25%) and Hacktivism (15%), Zero Day Attacks (13%) and SQL Injection (12%) are the ones most annoying.”

There was a recent report (Richmond, 2011) which stated that “RSA security suffered a sophisticated hacker attack that resulted in the theft of sensitive information related to its popular SecurID two-factor authentication products”. Though RSA SecurID two-factor authentication is used in addition to the username and password to connect securely to IT system networks, the fact that it has now been successfully hacked may have a significant impact on whether users would feel confident about using IT Systems that rely on this authentication method. Based on the above stated facts it can be concluded that the number of malware attacks via Internet websites on IT Systems like the Mobile Technologies has increased and has also resulted in compromise of their users’ confidential personal information. Hence the motivation to do this research stems from the need to investigate what the Systems Security Quality of IT Systems is and how it is perceived by users of IT Systems like Mobile Technologies when used in public networks like the Internet (Wi-Fi). The justification of this motivation is based on Choobineh, Dhillon, Grimaila, and Rees (2007), who have identified that “conceptualizations of information security has been largely atheoretical” as one of the three “challenging issues in management of information security”. This research study will attempt to address this issue by generating testable hypotheses and creating a research model about the use of IT Systems such as Mobile Technologies in public networks like the insecure Wi-Fi, based on the actual security effectiveness of such IT Systems. This study will help the users by letting them know how effective the security of the IT Systems they are using is.

In turn this could help the IT departments in companies to increase their users’ satisfaction with the security effectiveness of their IT Systems, possibly resulting in more actual usage by those users and hence more business and better efficiencies for those companies.

The Context of this Research Study

The context of this research study is the usage of IT systems like mobile technologies in wireless public networks like the Wi-Fi (Wireless Fidelity) based Internet. Mobile technologies are used as the context of this study as “Fifty-six percent of U.S. adults own a smartphone of some type — up from 35% of adults two years ago according to Pew Research Center survey” (Browdie, 2013). The majority of people in the US who work in companies and the federal government use personal or provided smart-phones like iPhone, Androids, BlackBerry, LG and Samsung. In this process they either use the 3G/4G data plans offered by major carriers like Verizon, T-Mobile, Sprint-Nextel, AT&T and others to make phone calls or connect to the Internet, or they use the Wi-Fi based Internet to do such tasks. Since the Internet is the largest and most prolifically used wide area network system, this research study intends to focus on the actual usage of IT Systems like the Smartphone when using wireless public networks like the Wi-Fi Internet. “The federal government is in the process of creating a national mobility strategy that will attempt to replace ad hoc policies with a coordinated cost-saving plan” (Hoover, 2012). This means that consolidation of the ad-hoc policies that presently address the various aspects of Wi-Fi based Internet access, with a view to cost savings for the plans used by federal employees on their smart-phones, is considered important by the Federal Government. As an example, “the Department of Agriculture consolidated 843 wireless plans (and more than 32,000 service lines) to three purchasing agreements. As a result, USDA reduced its telecom expenses by 18%, or $4 million, annually” (Hoover, 2012).

There are various input factors that contribute to such costs incurred by users while using smart-phones. These include the costs of data, time and productivity loss due to virus/spyware/malware. This is because smart-phones are “easily lost or stolen, and prone to the vulnerabilities of downloadable software and the Web. Malware is a growing concern on mobile devices, one that some agencies have yet to address. ATF, for example, doesn’t run antivirus software on smartphones, and instead relies on MDM software to block threats” (Hoover, 2012). Wi-Fi chips can also be vulnerable to attack because of bugs in their firmware code. An example of this type of vulnerability was disclosed by ‘Core Security’ in Oct 2012 with the issue of an advisory detailing how the Wi-Fi NIC could be prevented from responding (Armin, 2013). Two modes of wireless networking operation are prevalent. One is the infrastructure mode and the other is the ad-hoc mode. Yaniv (2006) stated that the ad-hoc network mode obviates the necessity for having an access point. It works using a 'peer-to-peer' (P2P) style of communication. Only wireless adapters are needed to communicate. It does not depend on the presence of routers, for example. This reduces the cost and maintenance significantly as compared to that in a network designed around an access point. However, due to the P2P type of communication, ad-hoc mode should only be used for smaller networks. In many small homes the ad-hoc network type of wireless access is used. The big risk on the cellular networks is that many users won't be as cognizant of the risks as when, for instance, they connect to a Wi-Fi network. However, using the cellular network is generally more secure than using an open public Wi-Fi hotspot (Shinder, 2011).

Overall security of cellular data transmission depends on the security of all the four major components of such networks, which include the wireless network and the Internet connection. When signals go through the airwaves, it is easier to intercept them because physically tapping into a line is not required. Anyone having a transmitter/receiver could intercept those signals. It is very difficult to prevent the interception of the signals; the key to securing a wireless network is encrypting those signals. Then the signals will be useless to any unauthorized party who does intercept them. Early cellular networks did not adequately secure the wireless signals in transit. However, 3G (and above) networks use strong cipher keys to encrypt the signals. Two-way authentication is used to prevent the use of cloned cellular devices. 3G networks are still vulnerable to Denial of Service (DoS) attacks.

Shinder (2011) stated that threats like malware, DoS, intrusion and virus attacks can affect Internet connections in Mobile Technologies just like they affect computers with Internet connections. Device specific vulnerabilities also exist in Internet connection devices for Mobile Technologies (Shinder, 2011). For instance, 3G MiFi mobile hotspots were vulnerable to unauthorized enabling of GPS on them (Shinder, 2011). Similarly, the latest Near Field Communications (NFC) technology being introduced in Mobile Technologies, which is used to exchange information between any two such devices using radio frequencies without Wi-Fi, could be susceptible to interception or distortion of those radio waves and hence of the information passing between the devices.

In McAfee's report on mobile security Griffin (2011) stated that the Mobile and Security report was split into two surveys - one for consumers, and the other for senior IT decision makers in companies with an employee count of over 100. It shows a general lack of awareness for safekeeping of mobile data. Although more than half of organisations are “heavily reliant on the use of mobile devices”, and 95 per cent have some sort of mobile security policy in place, less than one in three employees are aware of it. Less than 50 per cent of employees understand their mobile device access/permissions. Although mobile security is a major problem and one that is only set to increase based on the current trajectory of Smartphone adoption, losing the Smartphone is still the biggest fear for consumers and IT directors alike. According to the report, 19 per cent of users store credit card details on their phone. Alarmingly, 23 per cent store passwords and pin codes as well, without any form of remote locking or a password lock on a device to keep the thief away from your details" (Griffin, 2011).

Shema (2011) stated that “even though T-mobile has WPA level of secure access it is not offering the WPA2 level encryption security which is available in our home networks. Whereas it is easy to set up WPA2 on the home network, it is missing on the ubiquitous public Wi-Fi services of cafes and airplanes. They usually avoid encryption altogether. Even still, encrypted networks that use a single password for access merely reduce the pool of attackers from everyone to everyone who knows the password (which may be a larger number than one would expect).” T-Mobile provides the wireless services at Starbucks. In addition to Starbucks, T-Mobile hotspots are available in Borders, Kinko's, the Hyatt, Red Roof Inn, Barnes & Noble, Dallas-Fort Worth International Airport, Los Angeles International Airport, San Francisco International Airport, Hyatt Hotels and Resorts, Sofitel and Novotel Hotels, the airline clubs of American, Delta, United and US Airways, and other select airports and hotels" (

In addition to this there is the emerging threat of sophisticated malware attacks capable of being carried out by well organized and equipped hackers from mainstream travel, shopping and gaming websites (Liebowitz, 2010). Users surfing these websites may not even know that they have been infected with malware until after the fact. Stealth malware attacks are likely in future to “steal identities, co-opt personal relationships and imitate people’s natural behaviors to avoid detection in future, due to increasing use of social networking sites by people” (Fox, 2010) and the increasingly greater sophistication of the hackers. This is even more so because the Security Intelligence Report from Microsoft (2010) has confirmed the increase of botnet type web security threats in the United States in the last few quarters as compared to other parts of the world.

Enck, Ongtang and McDaniel (2009) have identified seven possible categories of malware in mobile phones like “Proof-of-Concept, Destructive, Premeditated spyware, Direct Payoff, Information scavengers, Ad-aware and Botnets”. Information scavengers and Botnets can provide “direct monetary gain to the malware writer” and hence are likely to become more prevalent in mobile phones (Enck et al., 2009). Hence these types of malware, if downloaded from insecure public Wi-Fi on Mobile Technologies, may also impact the actual use of the public Wi-Fi on such Mobile Technologies.

A research study by iBAHN (2010) on the use of the Internet by users who travelled found that though “80 percent of iTRAVELLERS considered data security as important to them, and were not satisfied with it, yet they were willing to pay a premium for high quality, high-speed hotel Internet access (HSIA) service”. Thus, users who travelled were skeptical about the security of data available to them in this type of networked IT system. Yet, they were induced by the available speeds and quality of Internet connection to pay a higher price to use this networked IT system. A study by Cornell University School of Hotel Administration found that “Hotels in the U.S. are generally ill-prepared to protect their guests from network security issues” (Jackson, 2008). Though it is not their job to do so, this can be a factor that may discourage users from using their Mobile Technologies if they cannot use them on a secure Internet connection in such places. Hence this study intends to investigate the factors affecting the use of the Wi-Fi Internet based IT system in the context of the hospitality industry comprising coffee-shops/bookstores/restaurants. The coffee-shops/bookstores/restaurants have been selected as a surrogate for the hospitality industry for ease of data collection for this research study. This is also because Internet access is now available extensively in the form of Wi-Fi access in coffee-shops/bookstores/restaurants, where people tend to use the wireless Internet access on their smart-phones, iPads, tablets or laptops.

Hence it is possible that if coffee-shops/bookstores/restaurants cannot provide suitable protection to their guests’ Internet connections on their Mobile Technologies from such sophisticated attacks, then those guests may not perceive the security of their Mobile Technologies to be effective. In this context a Google/IPSOS OTX MediaCT (2011) study on smart-phone users found that 93% of users use the smart-phone at home, 73% use them in restaurants, 72% use them at work and 54% use them in Cafés and Coffee-Shops. 81% of users used smart-phones to browse the Internet and 77% used them to search for information using a search engine on the Internet. Hence Internet related use was found to be the largest percentage use by users of smart-phones. 43% of users were willing to give up beer, 36% were willing to give up chocolate and 34% were willing to give up Super Bowl tickets in exchange for using the Internet on the Smartphone. The smart-phone is slated to replace the wallet in the near future, as has been demonstrated by the use of Google wallet, and is also slated to be used as the payment option in place of credit cards, with terminals for this already in use in the area of New York (CNN, 2012). Hence secure storage and transmission of confidential data like credit card numbers via applications like ‘Square’ will become of increasing importance in future. The very fact that the valuation of Square, Inc, which manufactures the ‘Square’ device for credit card transactions on smart-phones, was to the tune of one billion dollars in June 2011 shows the importance which the industry attaches to this data storage feature in smart-phones. Starbucks announced that it will start using Square to enable customers to pay with credit or debit cards using their smart-phones. However, the Merchant User Agreement for a Square account at present prohibits its use in twenty nine different areas, like “buyers or membership clubs, credit counseling or repair agencies” etc. (Square, Inc., 2013). This could be due to possible security concerns about transmission of confidential credit card data for these areas in particular, among other factors, from the Square device via the Internet connection on the smart-phones. Hence the security effectiveness of such smart-phones using Wi-Fi Internet public networks and NFC (near field communication) for communication of financial data will be of high concern in the minds of customers (CNN, 2012).