How To Understand The Concerns Of Home Based Small Business Owners About The Internet Security

Transcription

1 Computer Security Risks in the Internet Era: Are Small Business Owners Aware and Proactive? David W. Johnson Dept. of Information Systems & Technology Utah Valley State Harold Koch Department of Marketing Utah Valley State Abstract This article empirically examines the awareness, concern, and actions of home-based small business owners regarding Internet-based computer security risks. A scientific, Internet-based survey was administered to measure attitudes toward specific computer security risks and the self-reported defenses taken by respondents. Analysis of the survey data shows that while home-based small business owners are highly aware of and concerned with existing threats, their level of action to guard against the threats is relatively low as is their willingness to pay for adequate protection. 1. Introduction There is a plethora of current trade and popular literature on the topic of uninvited computer security invasions in the form of identify and data theft, pornography, and spam [4,11,12,13]. Such literature is a response to the increasing level of alarm at all business and government levels regarding Internetbased threats. For example, Foster [5] estimated that by June of % of all traffic would be spam, rising from 50% in 2003 when in fact more recent data show that level to be 82% [9]. A study by Koch and Liechty [7] found that the average small to medium-sized design agency received between 100 and 300 uninvited spam messages per day, an onerous invasion that not only consumes scarce managerial time but exposes those small businesses to risk of the mentioned threats. The uniqueness of this study is that it brings the small business person, especially the home-based, up to the moment and recommends practical suggestions to the small business owner in order to prevent loss from such virtual threats. 2. The Problem Previous empirical studies prior to the networked era [1,8] found dramatic gaps between small business knowledge of computer security threat and the reality of the situation. This 2004 study probes deeply into the knowledge, apprehensions, attitudes, and opinions of 230 practicing small businesses to move this knowledge forward. As information technology has advanced, so has the threat of security problems for the small business owner. In a recent focus group conducted for the present study, all of the participants felt that the threats to their home computer systems were increasing. Data gathered by the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University show an exponential increase in the number of incidences over the past decade [3]. CERT notes that an incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time. This is not good news to the small business owner who wants to take advantage of technological advances, yet who often lacks the knowledge and expertise to deal with these threats. For example, only about 50 percent of the participants in the above mentioned computer security focus group had heard about threats such as Trojan horses or spyware. A majority of the focus group members felt that there was a 100 percent chance that their computer would be affected in the near future. Figure 1 depicts a model showing several increasingly complex levels of information technology available to the small business owner. Security issues surrounding an isolated computer system (Stand-alone PC) have been addressed previously [1,8]. Results of their research showed a moderate level of security awareness (60-70%) and a rather low level of implementation (34-45%) for the simplest of all technology levels. With the increased use of the Internet, small businesses began exposing themselves to new types of computer security threats. Although at a relatively slow speed, dial-up access provided and the ability to download files. New annoyances such as SPAM, pop-ups, and uninvited pornography required extra time on the part of small business owners to deal with extra transactions and to attempt to minimize the disruptions. In addition, deadly viruses /06/$20.00 (C) 2006 IEEE 1

2 often cost unprepared owners major efforts to rebuild lost databases and files because of a lack of backups. The availability of high-speed Internet access only acerbated the problems (Statistics show that at least of 85 percent of small businesses use the Internet [10]). In addition, new major threats began to appear. Since home computer systems were now almost always connected, hackers found new fertile ground for their mischief often undetected by the small business owner. Whether leaving Trojan horses for future damage or spyware for tracking usage, hackers began making illegal use of home computers. Even more dangerous hackers were able to access private data such as social security numbers and customer data for identity theft. More recently, wireless networks have made the connection of several computers within a small business location possible. Owners now had to contend with their employees wasting time surfing the Internet just like the big companies. In addition, the new threat of outside access to their wireless network increased. More sophisticated hackers began war driving using a van with mobile computers and wireless network detectors to break into the network and access private files. Finally, the need for small business to connect to remote computer systems at various locations has made wide-area networking (WAN) popular. Using the Internet for these connections can open transactions to hackers who constantly monitor the digital traffic. Because of the newness of wireless networking and WAN usage, it was decided to focus this paper on Internet-based threats facing home business owners. The following research questions were the drivers for our current study. 1. To what extent are home-based small business owners (HBSBO) aware of the increased threats facing their business because their computer system is connected to the Internet? 2. How serious are the Internet-based threats to HBSBO? 3. To what extent have HBSBO been affected by Internet-based threats? 4. To what extent have HBSBO taken steps to proactively counter the Internet-based threats? 5. How successful do HBSBO feel that their current security measures are? 6. How important would a comprehensive package that counters Internet-based threats be to the HBSBO? 7. What would HBSBO be willing to pay for such a comprehensive threat deterrent? 8. Are there differences in the above opinions based on various demographics such as gender, age, income, hours using PC, and geographic location? 3. Methodology A formal focus group of 12 home computer users who used the computer more than 20 hours per week was conducted to probe general knowledge of computer security problems, intentions to purchase and/or subscribe to services that would treat the noninvited intrusions, and price sensitivity to potential solutions. Four marketing research and IT managers of a large, local multinational corporation observed the focus group from the control room to ensure that the right type of questions were present on the script and suggested interventions when appropriate during the live session. Afterwards, analysis of the videotaped results provided the framework for a quantitative questionnaire that was developed for uploading as an Internet-based survey. The questionnaire consisted of 52 questions with demographic data to determine if there were a relationship between age, gender, amount of time spent on the computer per week, and geographic area. The survey was pilot-tested with five randomlyselected home-based businesses. A follow-up phone call was made to clarify wording, meaning, and usefulness of the questions. The survey was sent out to 800 randomly-selected US small home-businesses from the data base files of the sponsoring company. An message promising confidentiality and a copy of the results in exchange for their participation in the study was included. Because of the relationship with the multinational a 29 percent return was achieved, a possible source of bias which will be discussed later in this paper. 4. Analysis of the Data The 232 completed surveys were entered into SPSS (Version 12) for analysis. It was determined that the most important analytical tools were descriptive analysis; Chi-square; t-tests; and multiple regression. The following tables reflect the raw findings. Table 1 shows the population demographics. As can be seen, the survey respondents represent a broad range of home-based small business owners across a broad range on educational, income, age, and geographic categories. In the following sections, we address the research questions posed previously. 2

3 4.1 Awareness The first research question addresses the extent to which home-based small business owners (HBSBO) are aware of the increased threats facing their business because their computer system is connected to the Internet. To answer this question, we analyzed awareness responses to the items shown in Table 2. Responses to the survey categories Don t know/never heard of and Heard of but could not explain were combined under the Unaware heading. Responses to the survey category Know a little about appear under the Somewhat Aware heading, and responses to the Know quite a bit under the Aware heading. The most knowledgeable categories were Spam , Virus Attacks, and Pop-ups while the highest Unaware categories involved Trojan Horse and Spyware. The average awareness percentages were 19 percent Unaware, 37 percent Somewhat Aware, and 44 percent Aware. When the Somewhat Aware and Aware categories are combined, an upper bound on overall awareness of 81 percent is obtained. If we postulate that only about half of the Somewhat Aware group was really aware, a lower bound of 63 percent results. 4.2 Concern and Incidence of Threats Table 3 summarizes the data pertaining to research questions two (How serious are the Internet-based threats to HBSBO?) and three (To what extent have HBSBO been affected by Internet-based threats?). Threats in the table are ordered by the median of the concern rankings. Percent Extremely Concerned consisted of respondents that answered a 7 on a 7- point scale. Percent Highly Concerned includes respondents who answered 5, 6, or 7 on the 7-point scale. Virus Attacks and Identity Theft top the list as the most serious concerns. Hacker Attacks and, interestingly enough, Uninvited Pornography are next in the rankings. Spyware and Trojan Horse are in the bottom half of the list, perhaps because over 40 percent of the survey respondents were unaware of their existence. Spam and Pop-ups were the highest in the incidence column but were of least concern. Identity Theft and Hacker Attacks were lowest on the incidence level column but ranked second and third in the concern rankings. Table 4 shows the incidence of combined problem occurrences of the threats shown in Table 4. Nearly 67 percent of the respondents indicated having to deal with at least four different types of computer security threats. When asked what they felt the likelihood of being affected by a threat within the next three months, the average response was five on a seven-point scale. Only 23 percent felt that the likelihood was Extreme (7) and 44 percent felt the likelihood was high (5, 6, or 7). On the other hand, when asked about the importance of protection against Internet-based threats, the average response was 6.67 on a sevenpoint scale with 79 percent reporting Extreme (7) and 97 percent High (5, 6, or 7). 4.3 Current Security Packages and their Success We turn our attention next to the extent to which HBSBO are proactive in their attempts to protect their businesses from the Internet-based threats that they are concerned about (Research question four - To what extent have HBSBO taken steps to proactively counter the Internet-based threats?) As may be expected, 92 percent of the owners had installed some form of virus scanner; however, only 50 percent of these get the latest upgrades. Forty-four percent of the owners had installed some type of firewall, 72 percent did SPAM filtering,15 percent had web-page content filtering, 54 percent downloaded operating system patches regularly, 29 percent had pop-up blockers in place, and a mere three percent had installed spyware protection. When the Virus scanner percentage is reduced to 46 percent because respondents did not get the latest updates, the overall average percentage of respondents taking protective measures is 37 percent if Spyware is included and 43 percent if Spyware is excluded. Table 5 shows the percentage of respondents implementing multiple types of the protective measures (excluding sypware) shown in Table 4. Over 61 percent of the respondents had implemented at least three different types of security measures. Several of the respondents indicated in their comments that they avoided using Microsoft products as a protective measure, preferring instead to use a Mac or the Linux Operating System. When asked how well their current security measures were working, 14 percent indicated the Best Possible, 49 percent indicated Adequate, 19 percent Not Enough, and 17 percent Don t Know. Thus 63 percent of the respondents appeared comfortable with their security efforts while 86 percent felt that there was room for improvement. 3

4 4.4 Interest in a Comprehensive Security Service One sure way to understand the value that is placed on anything is to ascertain what someone would be willing to pay. In this section, we focus on research questions six (How important would a comprehensive package that counters Internet-based threats be to the HBSBO?), and seven (What would HBSBO be willing to pay for such a comprehensive threat deterrent?). As part of the survey, respondents were given the description of a comprehensive security service that protected them from all the Internet-based threats discussed earlier. Respondents were then asked questions about such a service. When asked to rate their interest in such a service, respondents averaged 5.93 on a 7-point interest scale. Forty-seven percent were Extremely Interested (7) and 87 percent expressed a High interest (5, 6, or 7). When asked if they would subscribe to such a service, 22 percent of the respondents indicated that they Definitely would subscribe, 43 percent indicated that they Probably would subscribe and 31 percent indicated that they May or may not subscribe. Figure 2 shows what the respondents felt that such a comprehensive security service would be worth as a monthly fee. If one uses the midpoint of the ranges to calculate an average monthly cost that respondents were willing to pay for an ideal protection service the result is a mere $ Differences by Demographic Factors In this section we explore the answer to research question eight (Are there differences in the above opinions based on various demographics such as gender, age, income, hours using PC, and geographic location?). The categories for each demographic factor are shown in Table 1. For Geographic Location: We grouped the state of the respondents business into the following four areas: East, Mid-West, South, and West. For each demographic factor we ran a series of Chi-Square tests based on questions pertaining to the areas of security awareness (A), security concerns (C), and proactive actions (P). Table 6 summarizes the results of statistically significant differences (Alpha <.10). For gender differences, more women than men had Heard of but could not explain the indicated threats while men professed to Knowing quite a bit more about all the threats than women. In addition, more women were Extremely concerned about the indicated threats. Finally, women tended to report having fewer types of security incidences than men. For the educational differences, there were no differences in awareness and only one difference in concern levels where those with professional degrees expressed a slightly higher degree of being Extremely concerned than those of lower educational levels. On the other hand, professionally degreed respondents expressed a higher degree of belief that they would be attacked by a serious problem, while those with educational levels less than a bachelor s degree reported a higher number of security incidences and a lower number of security packages utilized. For the income demographic, no differences in awareness or concern were found, however medium income businesses ($35K - $75K) expressed a higher interest in a comprehensive security package even though they reported a significantly lower level in the number of reported attacks. Finally, the number of security tools utilized by higher income owners (> $75K) was greater than all other categories. The only age difference reported involved concern about hacker attacks. Here younger aged owners (18-34) showed the lowest level of concern; middle aged owners (35-54) expressed more Extreme concern and showed the lowest in the Not concerned category. Mature aged owners (55+) expressed less Low and Extreme concern than the other age groups. Finally, for the region category, several significant differences were found, however no consistent pattern emerged to distinguish between the regions in all cases. 5. Discussion Are home-based small business owners aware and proactive when it comes to Internet-based security threats to their computers? A previous study by Bardbard et al. (1990) concluded that for stand alone systems, the first phase in our security model, survey respondents had a moderate level of awareness (60-70 percent) and a low level of implementation (34-45 percent). Some 14 years later with their computers connected to the Internet (phases two and three of our security model) survey respondents reported comparable results. The current awareness range of percent is somewhat higher than the previous study probably because of the higher level of media publicity on the subject of Internet security problems. The highest level of respondent awareness is in the areas of 4

5 SPAM, virus attacks, and pop-ups. Incidentally, these same three areas are among the four highest in reported problem incidence. The lowest levels of awareness involve Trojan horses and spyware, which again are part of the four lowest in reported problem incidences. Among the eight problem areas, the highest percentage (34.5%) of respondents reported having had problems in four different areas. The percent of those reporting at least five different problem areas was 32.1 percent. The top three areas of concern, according to the median rankings, were virus attacks, identity theft and hacker attacks. It is interesting to note that these same areas had the lowest levels of problem incidents. Also interesting to note is the fact that uninvited pornography was fourth in concern rankings yet only 15 percent of respondents indicated using a Webpage filter as a protective measure. When looking at proactive security steps taken by respondents, 92 percent indicated owning virus scanning software (virus attacks were the number one area of concern). However, of these only 50 percent reported getting the latest updates for their virus software, thus negating much of their investment in this area. Overall, an average range of percent of the respondents had taken full security measures to protect their computer systems, numbers which are very comparable to the Bardbard study. While 63 percent of the respondents felt comfortable with their current security efforts, 86 percent felt that there was room for improvement. If there were a comprehensive security package that would protect against all Internet-based threats, only 22 percent of the respondents said that they definitely would subscribe. When asked what they would be willing to pay for such a service, the average bid was only $8.55 giving us a low financial dimension to survey respondents estimates of the value of Internet-based security protection. There were differences in responses based on demographic factors. The most interesting involved gender, where females were less aware and more concerned with security threats than males, however this did not translate into more proactive responses or to their willingness to pay more for protection than males. Also of interest was the result that respondents with higher educational levels tended to be more concerned about threats and more proactive in their defenses. Those with lower levels of education reported a lower level of proactive measures and a higher level in the number of attacks than the other educational levels a not too surprising result. 6. Limitations and Suggestions for Future Study The data for this study was collected as part of a market research survey for a large western corporation. As such, the researchers were limited to those questions which the company wanted on the survey. The fact that the respondents were all homebased distributors also limits the generalization of the study results. In addition, since the survey was administered via the Internet, the results may also be biased toward those types of individuals willing to participate in such a survey. Finally, according to government definitions, home-based businesses are not considered in the small business category by definition, thus the study results do not necessarily reflect the thoughts and actions of all small businesses. Nevertheless, the study does contain a broad geographic representation of home-based business owners who struggle with Internet security issues on a regular basis. The data collected as part of this study constitutes a rich knowledge-base of the attitudes and opinions of home-based business owners regarding Internet security. This paper has reported on one set of research questions in this area. Other questions and data analysis are possible beyond those reported here. Additional work could also take place in replicating the survey for true small business organizations across the country and comparing the findings to the results of this study, Finally, as wireless and widearea networking become more common place in small businesses, additional studies should take place pertaining to security issues in these areas. 7. Conclusion Computer security is a growing problem for all businesses large and small and, according to Hulme [6], the hackers are winning. In 1998, 50 percent of businesses survey reported no attack-related downtime. This year only 6 percent make such a claim [6]. This study has shown that small business owners are well aware of this problem, yet less than half of them are proactively taking appropriate steps to adequately protect their computer systems. As a business grows and advances across the technology phases of the model shown in Figure 2, owners should recognize the increasing need for vigilance and the increasing cost for computer security protection. The average business spends 12 percent of its IT budget on security [6]. This includes the cost of in-house computer security experts. While most home-based small business owners can not afford their own computer security expert, it is not 5

6 hard to search the Internet for advice on what to do (see [2] for example). The basic foundation should be a computer security plan and the determination to meticulously stick with its implementation [11]. There are, undoubtedly, numerous conclusions that could be drawn from the results of this study. One thing seems clear. In spite of all the news stories, government efforts, and educational programs, small business owners attitudes and actions toward computer security have not improved significantly in the past decade. One might well ask the question, Why aren t small business owners more proactive in taking steps to counter computer security risks? While this study did not directly address this issue, an analysis of the general comments area of the survey suggests that the owners felt content with the fact that they had taken some steps in the past to ward off the security threats. Many also felt that the likelihood of their business having a serious problem was low and that if a problem did arise; it would be relatively easy and inexpensive to deal with. Overall, these owners, as entrepreneurs, are mainly focused on making money and unless and until they begin to understand the business costs in wasted time, unhappy customers, and lost sales due to computer security attacks their attitudes will probably not change. That is, not until they learn by sad experience the increasing reality of such attacks, which will most likely be sooner than later. 8. References [1] Bradbard, David A., D.R. Norris, and P.H. Kahai, Computer Security in Small Business: An Empirical Study, Journal of Small Business Management (January 1990), Vol. 28 (1), pp [2] CERT, Home Computer Security, Retrieved 7/13/04 from ity/ [5] Foster, K., Spam will be 60% of all by mid 2004, Blooberg News, September 29, 2003 [6] Hulme, George, Under Attack, Information Week, July 5, 2004, pp [7] Koch, Harold L. and C.L. Liechty, Reducing Disconnects in the Design Agency-Client Relationship: Process Management can be the Solution, published in the Conference Proceedings of the International Business Research Society (May, 2003), pp [8] Pendegraft, Norman, L. Morris and K. Savage, Small Business Computer Security, Journal of Small Business Management (October, 1987), Vol. 25 (4), pp [9] Roberts, P., Spam Influx Reaches New Heights, PC World, Sept. 10, 2004 [10] SCORE, Small Business Internet Trends, Retrieved 7/6/2004 from [11] Spinellis, D., S. Kokolakis, and S. Gritzalis, Security requirements, risks and recommendations for small enterprise and home-office environments, Information Management & Computer Security, 1999,Vol. 7 (3), p [12] Stone, Brad, Soaking in Spam, Newsweek (November 24, 2003), pp [13] The Economist, A survey of e-commerce (Unlimited opportunities? The internet offers huge scope for both business and leisure, but security urgently needs to be improved), May 2004, pp [14] Wildstrom, Stephen H., Fighting Viruses Begins at Home: Every PC owner should take a few protective steps to buttress security, Business Week (September 8, 2003), p. 18. [3] CERT/CC. Statistics , Retrieved on 6/7/04 from [4] Dreazen, Yochi J., Workplace Security (A Special Report); The Sky is Falling? Software and tech-security companies are sounding the warning and hoping to profit from the fears, The Wall Street Journal (September 29, 2003), p. 4. 6

7 Figures Security Risk, Vulnerability, Cost of Protection, Effort Required Stand- Alone PC Dial-Up Internet High-Speed Internet Wireless Network Wide-Area Network Extent of Technology Figure 1: Increasing Security Requirements for Increases in Technology $0 $1-$5 $6-$10 $11-$15 $16-$20 $21-%25 %26-$30 >$30 Monthly Fee Figure 2: Willingness to Pay for Comprehensive Security Service 7

8 Tables Table 1: Population Demographics Gender Males Females Education H.S. Or Less Associates Degree or Some College A Bachelor s Degree Master s Degree Professional Degree (Ph.D., M.D.) Income Less than $24,999 $25,000 to $49,999 $50,000 to 74,999 $75,000 to $99,999 $100,000 or over Number of Hours Per Week on 6 hours or less per week The Computer 7-13 hours hours hours 35 or more hours/week Age State of Residence 41 States Represented Texas - 38 California - 37 New York - 16 Florida 15 Utah 11 Washington 11 Illinois, Virginia, Indiana, Minnesota 29 Remaining States 50% 50% 6.5% 36.6% 31.9% 16.8% 8.2% 8.6% 17.6% 21.6% 16.8% 23.7% 14.7% 23.7% 22.4% 18.1% 21.1% 2.6% 8.2% 19.4% 29.3% 29.7% 10.8% 16.4% 15.9% 6.9% 6.5% 4.7% 4.7% 12.5% 33.4% Table 2: Awareness of Internet-based Threats Unaware Somewhat Aware Aware Count Percent Count Percent Count Percent Trojan Horse % 64 28% 67 29% Spyware 95 41% 76 33% 61 26% Hacker Attacks 53 23% % 76 33% Uninvited Pornography 26 11% % % Virus Attacks 19 8% 84 36% % Identity Theft 33 14% % 98 42% Spam 15 6% 72 31% % Pop-ups 17 7% 84 36% % Total % % % 8

9 Table 3: Threat Concern and Incidence Median Average Percent Percent Percent Concern Concern Extremely Highly Had Rankings Level Concerned Concerned Problem Virus Attacks % 91% 74% Identity Theft % 80% 6% Hacker Attacks % 72% 9% Uninvited Pornography % 80% 80% Spyware % 81% 26% Trojan Horse % 78% 17% Spam % 81% 88% Pop-ups % 78% 89% Table 4: Multiple Types of Security Incidences Number Different Problem Areas Percent of Respondents Table 5: Use of Multiple Types of Security Measures Number Different Types of Protection Percent of Respondents Table 6: Significant Demographic Differences Area - Item Pearson Chi-square Significance Level Gender A -How aware are you about the Internet-borne threat of virus attacks? A - How aware are you about the Internet-borne threat of uninvited pornography? A - How aware are you about the Internet-borne threat of identity theft? A - How aware are you about the Internet-borne threat of Spyware attacks? A - How aware are you about the Internet-borne threat of Trojan Horse attacks? A - How aware are you about the Internet-borne threat of Pop-ups? C - How concerned are you about the Internet-borne threat of virus attacks? C - How concerned are you about the Internet-borne threat of identity theft? P - How many types of security attacks have you experienced? Education C - How concerned are you about the Internet-borne threat of Pop-ups? P - How likely is it that you will be attacked by a security problem w/in 90 days? P - What is your level of interest in the ideal security software package? P - How many security measures (tools) have you adopted for protection? P - How many types of security attacks have you experienced? Income P - What is your level of interest in the ideal security software package? P - How many security measures (tools) have you adopted for protection? P - How many types of security attacks have you experienced? Age C - How concerned are you about the Internet-borne threat of Hacker attacks? Region A - How aware are you about the Internet-borne threat of Spyware attacks? A - How aware are you about the Internet-borne threat of Trojan Horse attacks? C - How concerned are you about the Internet-borne threat of Spam s? P - How well does your current security package(s) protect your computer? P - How many security measures (tools) have you adopted for protection?