
Electron Commer Res (2013) 13:317-328
DOI 10.1007/s10660-013-9115-2

The security service rating design for IT convergence services

Hangbae Chang

Published online: 15 May 2013
© Springer Science+Business Media New York 2013

Abstract Users have suffered damage from security problems such as personal information leaks and spam arising from IT convergence across the information and communication industries. Because neither the allocation of responsibility for such damage nor compensation systems and damage estimation criteria have yet been established, compensation is settled by civil litigation between service providers and users. In addition, the standard contract clauses for the security services provided are written from the provider's standpoint, to the disadvantage of service users, and detailed compensation criteria do not exist in practice. It is therefore time to prepare a damage compensation system and an estimation criterion that protect users against the technical and legal problems that can arise in the provision of security services.
To address these problems, this paper develops a damage compensation index for sustainable security services. Specifically, by analysing damage compensation criteria and cases for general information and communication services, a damage compensation index for security services was developed with VoIP services as the target. It can encourage voluntary improvement of service quality by service providers and simplify damage compensation for users. Socially, it can also increase the number of companies that apply a security SLA and mitigate legal disputes.

Keywords IT convergence service · Sustainable security service · Security service rating · Security service index

H. Chang (✉)
Division of Business Administration, College of Business, Sangmyung University, Seoul,
Republic of Korea
e-mail: hbchang@smu.ac.kr

318

H. Chang

1 Introduction
As convergence between IT environments and various services becomes active, awareness of users as the main agents is growing [3-6]. Accordingly, users no longer remain simple consumers of services but have reached a stage at which they assert their rights [1, 2]. Security services, together with personal information rights, have become a subject of greater interest. However, laws and regulations merely list enforcement measures and penalties as the means of guaranteeing users' rights [7, 8], and they have not played an important role in encouraging service providers to improve their security service level voluntarily or in realising the rights of service users [9-11]. Because of these problems, the security service level agreement (SLA), an agreement on the level of security service to be provided, has received attention, and service providers operate a variety of SLA indices. Recently, to resolve the differences between the various security SLA indices in use, a more objective security SLA index has been derived through a series of classification procedures.
However, when users suffer damage from security problems such as personal information leaks and spam at information and communication companies such as major ISPs and Internet shopping malls, neither the allocation of responsibility nor compensation systems and damage estimation criteria have been prepared, so most cases are settled by civil litigation. In addition, the standard contract clauses for the security services provided are provider-oriented and disadvantageous to service users, and detailed compensation criteria have not been prepared. Even where compensation is offered, most information and communication companies specify compensation only for fault handling and maintenance; for damage caused by intrusion incidents, the providers shift risks that are legally chargeable to them onto customers, and even this is insufficient as a compensation method because the company's responsibility is not specified.
This study develops a security index for the VoIP (Voice over Internet Protocol) service, one of the many services that use the Internet. Specifically, it aims to develop a damage compensation index for sustainable security services that applies to the intrusion prevention system (IPS), firewall, anti-virus, anti-spam and virtual private network (VPN) services.

2 Precedent studies
2.1 Service level agreement (SLA)
An SLA is an agreement, reached through negotiation, in which a service provider commits to a service subscriber to deliver a predefined level of service. Service providers include network service providers (NSPs), Internet service providers (ISPs), application service providers (ASPs) and system integration (SI) companies, and service subscribers (users) include individuals, companies and public organisations that use the services [3].
The level of service that the provider can support is agreed in advance, and the provider incurs a penalty if the level actually provided is inferior to the agreed level or periodically falls short of it. In general, the penalty takes the form of refunding or reducing a portion of the service charges that the user or company would otherwise pay to the provider. Figure 1 shows the quality assurance and control structure for services offered to users through an SLA. Through this control and assurance of service quality, providers can offer stable services, and users can receive the best service the provider offers. When the quality contract between a provider and a user is violated, the provider offers appropriate compensation if the user demands it.

Fig. 1 Service Level Agreement concept
To gain a competitive advantage in the communication market by satisfying customers, introducing and managing an SLA is indispensable. The purpose of an SLA is to reduce expenses related to communication networks by introducing an objective evaluation criterion, so it sets target values and collects and manages the data needed to measure them. For example, after standard levels such as network availability, transaction processing time and connection failure rate have been established in advance, the relevant data are collected and managed. SLAs are of two types, service and management. In the service part, communication service providers define authority and responsibility for the services offered; in the management part, they define how service performance is measured and reported, the procedures for resolving conflicts, and the authority and responsibility for changing the contract.
The reasons why an SLA is needed can be viewed from the provider's and the user's standpoints. First, from the user's viewpoint, the SLA gives users a minimum assurance about the services they receive. Having performance indices for the services offered by the provider and used by the user allows the usage environment to be evaluated on specific performance rather than on indefinite expectations. Ultimately, users can carry out their business with the recognition and expectation that they are using a stable communication network.
Second, demand for service quality is growing. In particular, because the existing best-effort service has difficulty delivering high quality under the explosive growth of Internet use, demand for service quality is increasing. Users increasingly demand real-time services such as VoIP, which have also become more feasible technologically. To offer real-time services, providers must offer network services with strict bounds on delay and packet loss, and SLA indices must be defined for them.
Third, there is demand for the provision and use of differentiated services. End-to-end (E2E) QoS (Quality of Service) can be ensured by using the IETF DiffServ (Differentiated Services) QoS model, cut-through switching technologies such as MPLS (Multi-Protocol Label Switching), and ATM (Asynchronous Transfer Mode). In particular, enterprise users want to do business over networks with stable and excellent performance even if they pay additional cost to ensure QoS.

Fig. 2 Terminal connection types for VoIP services
Finally, through an SLA, providers can meet the service expectations of users and carry out goal-oriented network management and operation, while users can reduce opportunity losses by being able to prepare for potential faults.
Telecommunication service providers combine a variety of performance indices into an SLA according to their own network environment and the kind of service. SLAs have been dominant in controllable service fields such as leased lines, frame relay and ATM, but they are now also being extended to IP networks, Web hosting, DSL (Digital Subscriber Line) and video conferencing services. In particular, the expansion of IP-VPN (IP Virtual Private Network) services has increased interest in the SLA.
2.2 VoIP services
Unlike existing telephone services, VoIP aims to provide various value-added services (including multimedia data communication) as well as voice services over IP networks and Internet protocols. The service is offered by interconnecting wire telephones, IP phones and soft phones (provided as an application on a computer) using the Internet as the medium. In detail, the terminal connection types for VoIP services can be divided into IP phone to IP phone, soft phone to soft phone (or IP phone), IP phone to wire telephone (including mobile phones) and wire telephone to wire telephone, as in Fig. 2 (PSTN: public switched telephone network).
VoIP services are based on a call control protocol (H.323, MGCP or SIP), and a call server connects the call between the two terminals (user agents). Depending on the protocol, the call server is called a gatekeeper, proxy server or soft switch. Once a call has been established between the terminals through the call server, the real-time media (audio and video) are transmitted separately from the call control data.

Fig. 3 VoIP service structure

Table 1 VoIP service section security vulnerability

Service section   Security vulnerability
Terminal          After acquiring authority by worm/virus etc., remote control (worm/virus attack, backdoor installation attack)
                  Terminal eavesdropping
                  Terminal password vulnerability attack (user, administrator)
LAN               Line sharing traffic eavesdropping
                  ARP cache poisoning
WAN               Man in the middle attack
                  Eavesdropping by hacking routers and network systems
                  System vulnerability scan attack
                  DDoS attack
                  Vishing
Service           Charging path bypass attack

3 Analysis of VoIP vulnerability and its countermeasures

3.1 Analysis of VoIP service vulnerability
All security threats that can arise on IP-based networks can also occur for VoIP services; in addition, there are the detailed threats listed in Table 1 for the terminal, LAN and WAN sections shown in Fig. 3.
The security threats for the terminal section are as follows. First, 'remote control after acquiring authority by worm/virus etc.' is a threat in which an attacker misuses a vulnerability of the administrator's Web pages to access them from outside and use them illegitimately, or searches for Internet phones with an IP scanner, or exploits a Windows vulnerability to acquire authority over a soft phone and then installs an eavesdropping program. Second, 'terminal eavesdropping' is a threat that abuses a terminal vulnerability, for example by inserting malicious code, to replay a telephone conversation between users. Finally, 'terminal password vulnerability attack (user, administrator)' is a threat that acquires authority by guessing default passwords or by brute force and then abuses it, as in Fig. 4.

Fig. 4 Security vulnerability in service section

The security threats for the LAN section are as follows. First, 'line sharing traffic eavesdropping' is a threat that eavesdrops with a sniffing tool on networks where the line is shared. Second, 'ARP (Address Resolution Protocol) cache poisoning' is a threat that inserts a non-existent or wrong ARP entry into a system's ARP cache so that traffic is misdirected and services can be attacked, as in Fig. 4.
The security threats for the WAN section are as follows. First, a 'man in the middle attack' is a threat in which an attacker arbitrarily reads, inserts or modifies the messages exchanged between users. Second, a 'system vulnerability scan attack' is a threat that finds system vulnerabilities to exploit in attacks. Third, a 'DDoS (Distributed Denial-of-Service) attack' is a threat that prevents the system from offering its services by depleting, monopolising or destroying the resources of major information systems. Finally, 'vishing (VoIP + phishing)' is a threat that acquires personal information through social engineering, such as fraud exploiting human psychology, as in Fig. 4.
The 'charging path bypass attack', which can occur in the service section, is a threat that bypasses the VoIP service authentication system to use the service illegitimately as if a normal user, as in Fig. 4.
3.2 Classification of countermeasures for VoIP service vulnerability
To solve technically the security threats identified for each VoIP service section, precedent studies were collected on the technologies for which a security service index is designed, such as firewall, IPS, anti-virus, anti-spam and VPN. Countermeasures for VoIP service vulnerabilities were then classified through expert group meetings that verified their practical applicability.
The vulnerabilities by security threat for each VoIP service section presented in Table 1 were reclassified by their characteristics into misuse, eavesdropping, DDoS and spam, as in Table 2. Misuse and eavesdropping can be addressed more effectively by additional security technologies beyond those for which the security service index is designed, and it was difficult to measure a security rating for them; in this study, therefore, the objects of study were limited to DDoS and spam.

Table 2 Results of reclassifying vulnerability for potential security threats

VoIP security vulnerability by security threat                 Vulnerability type
Charging path bypass attack                                    Misuse
System vulnerability scan attack                               Misuse
After acquiring authority by worm/virus etc., remote control   Eavesdropping
Terminal eavesdropping                                         Eavesdropping
Terminal password vulnerability attack (user, administrator)   Eavesdropping
Line sharing traffic eavesdropping                             Eavesdropping
ARP cache poisoning                                            Eavesdropping
Eavesdropping by hacking routers and network systems           Eavesdropping
Man in the middle attack                                       Eavesdropping
DDoS                                                           DDoS (object of study)
Vishing                                                        Spam (object of study)

4 Security service rating design for VoIP service


4.1 Security service rating group for VoIP service
The security technologies that address DDoS and vishing, the weak points identified above, can be limited to IPS and anti-spam. These were set as the specialised index, and the results of precedent studies were consulted to design a candidate group of security service rating indices for VoIP services, as in Table 3. The service sections of the designed indices were divided into first, second and third classes.

Table 3 A candidate group of security service rating indices for VoIP services

Index type      Index area                  Index name
Common          Backup                      Log backup cycle
                                            Log backup retention period
                Reporting                   Availability, performance, security event monitoring result reporting period
                                            Fault notification time limit
                Support                     Security patch (urgency) application period
                Security incident response  Security incident notification time limit
                                            Security incident response time limit
Specialization  IPS quality                 Response delay time (time required to decide intrusion)
                                            Attack detection and blocking rate
                                            Mis-detection rate
                                            Time to notify abnormality or down of IPS
                                            Time to notify after detecting and blocking major intrusion events
                Anti-spam quality           Spam blocking rate (rate of blocking spam as spam)
                                            Mis-blocking rate (rate of blocking normal signals as spam)
                                            Virus mail blocking rate
                                            Hacking mail blocking rate
                                            Signature integrity verification period
                                            Latest signature list update period

4.2 Security service rating design for VoIP service
To measure the candidate indices in practice and design an effective security service rating index, Delphi meetings were held five times with groups of VoIP service providers and security technology developers. A Delphi meeting attempts a prediction based on the collective judgement of experts. As a result, the security service index for VoIP services in Table 4 was designed.
The common indices and index ratings designed to measure quality levels of the general equipment used in VoIP services were revised as follows. First, 'Log backup cycle' was redefined as 'Existence of log backup (service, security, call)' to make the objects of log backup explicit, and is measured as yes/no in consideration of the reality of measurement. Second, 'Log backup retention period' has relatively little meaning as a security service rating index and was deleted, because each provider applies a different policy according to its own circumstances. Third, 'Availability, performance, security event monitoring result reporting period' was changed to 'Internal reporting time limit for security events' to reflect providers' actual business processes, and its rating scale was changed accordingly. Fourth, 'Fault notification time limit' belongs to the quality index for general service functions rather than to security services, and providers actually measure it in that respect, so it was deleted. Fifth, 'Security patch (urgency) application period' was deleted because, given the characteristics of the service, an urgent patch can only be applied after stopping all services. Sixth, 'Security incident notification time limit' was partly modified to 'Incident notification time limit (time to inform users of an incident after it occurred)' for clarity of measurement, and 'Security incident response time limit' was modified to 'Security incident response time from occurrence to service recovery (where the fact that a security incident occurred is proven)', with its scale adjusted to be practical.
The specialised indices, limited to VoIP services and measuring the quality level of security equipment, were designed as follows. For IPS equipment, 'Response delay time (time required to decide intrusion)', 'Attack detection and blocking rate', 'Mis-detection rate', 'Time to notify abnormality or down of IPS' and 'Time to notify after detecting and blocking major intrusion events' were designed. For anti-spam equipment, 'Spam blocking rate (rate of blocking spam as spam)', 'Mis-blocking rate (rate of blocking normal signals as spam)', 'Virus mail blocking rate', 'Hacking mail blocking rate', 'Signature integrity verification period' and 'Latest signature list update period' are practically difficult to measure (the measured results are insufficiently reliable) and difficult to distinguish on the designed ratings, so DDoS equipment was added and the index measures whether each piece of equipment possesses its core functions.
In the terminal security part, 'Whether or not the terminal's initial password is changed' and 'Whether or not terminals are authenticated for each user (MAC, terminal management server etc.)' were designed; in the user security part, 'Whether or not user account and password management technology and policy are established' and 'Whether or not users' personal information is encrypted'; and in the security incident support part, 'Whether or not information security education is conducted for internal service administrators' and 'Existence of guidelines for security incidents, such as a security violation incident response system', each together with its rating scale.

Table 4 Security service index for VoIP services

Index type      Index area                  Index name
Common          Backup                      Existence of log backup (service, security, call)
                Reporting                   Internal reporting time limit for security events
                Security incident response  Incident notification time limit (time to inform users of an incident after it occurred)
                                            Security incident response time from occurrence to service recovery (where the fact that a security incident occurred is proven)
Specialization  Security Equipment          Whether each piece of equipment possesses its core functions:
                (IPS quality,                 Flooding detection/blocking
                Anti-spam quality,            SIP/RTP detection/blocking
                DDoS quality)                 Abnormal Message detection/blocking
                                              Spam detection/blocking
                                              Call Spam detection/blocking
                                              Instant Messaging detection/blocking
                                              RTP (Real-Time Transport Protocol) Flooding detection/blocking
                                              SIP (Session Initiation Protocol) Flooding detection/blocking
                                              Abnormal Call Flow detection/blocking
                Terminal Security           Whether or not the terminal's initial password is changed
                                            Whether or not terminals are authenticated for each user (MAC, terminal management server etc.)
                User Security               Whether or not user account and password management technology and policy are established
                                            Whether or not users' personal information is encrypted
                Security incident Support   Whether or not information security education is conducted for internal service administrators
                                            Existence of guidelines for security incidents, such as a security violation incident response system

Table 5 Relative weights of security services for VoIP services

Index type      Index area                  Weight
Common          Backup                      0.14
                Reporting                   0.13
                Support                     0.24
                Security incident response  0.49
Specialization  Security Equipment
                  IPS quality               0.16
                  Anti-spam quality         0.06
                  DDoS quality              0.24
                Terminal Security           0.20
                User Security               0.20
                Security incident Support   0.14
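The DDoS threats of Table 1 (SIP/RTP flooding in Table 4) and the IPS quality indices of Sect. 4.2 ('Response delay time', 'Attack detection and blocking rate', 'Mis-detection rate') can be made concrete with a small detector and a scorer that grades it against ground truth. The following is an added example written for this edition, not code from the paper or from any VoIP vendor: the log line format, the rule of 20 INVITEs within 2 s, and the IP addresses are assumptions, and the log is constructed, not captured.

```python
"""Sliding-window SIP INVITE flood detector, scored with the IPS quality indices
of Table 3/Table 4: attack detection rate, mis-detection rate, response delay.
Added example; the log format and thresholds are assumptions, not the paper's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed SIP signalling log (not a real capture): two benign callers
    (10.0.0.5, 10.0.0.6) and one hypothetical flooding source (10.0.0.9).
    Assumed line format: '<ISO timestamp> <source IP> <SIP method> <request URI>'."""
    base = datetime(2013, 5, 15, 10, 0, 0)
    lines = []
    for i in range(3):  # 10.0.0.5 places one call per minute and ACKs it
        t = base + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} 10.0.0.5 INVITE sip:alice@pbx.example")
        t_ack = t + timedelta(milliseconds=200)
        lines.append(f"{t_ack.isoformat(timespec='milliseconds')} 10.0.0.5 ACK sip:alice@pbx.example")
    t = base + timedelta(seconds=30)
    lines.append(f"{t.isoformat(timespec='milliseconds')} 10.0.0.6 INVITE sip:bob@pbx.example")
    for i in range(40):  # 10.0.0.9 fires 40 INVITEs 50 ms apart, starting at +10 s
        t = base + timedelta(seconds=10, milliseconds=50 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} 10.0.0.9 INVITE sip:{1000 + i}@pbx.example")
    lines.sort()  # fixed-width timestamps sort chronologically as strings
    return "\n".join(lines)


def parse_line(line):
    """Split one log line into (timestamp, source, method, request_uri)."""
    ts, src, method, uri = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, method, uri


def detect_invite_floods(log_text, threshold=20, window=timedelta(seconds=2)):
    """Flag a source once it has sent `threshold` INVITEs inside one sliding window.
    Returns (detected, first_invite): detected maps source -> time of the decision,
    first_invite maps source -> its first INVITE (needed for the response delay)."""
    recent = defaultdict(deque)
    detected, first_invite = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, _ = parse_line(line)
        if method != "INVITE":
            continue  # only call-setup requests count towards a flood
        first_invite.setdefault(src, ts)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop INVITEs that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in detected:
            detected[src] = ts
    return detected, first_invite


def ips_quality(log_text, attack_sources, threshold=20, window=timedelta(seconds=2)):
    """Score the detector against ground truth with the three IPS indices of Sect. 4.2.
    attack detection rate = flagged attack sources / all attack sources
    mis-detection rate    = flagged benign sources / all benign sources
    response delay        = worst-case seconds from first attack INVITE to decision"""
    detected, first_invite = detect_invite_floods(log_text, threshold, window)
    benign = set(first_invite) - set(attack_sources)
    tp = sum(1 for s in detected if s in attack_sources)
    fp = sum(1 for s in detected if s in benign)
    delays = [(detected[s] - first_invite[s]).total_seconds()
              for s in detected if s in attack_sources]
    return {
        "attack_detection_rate": tp / len(attack_sources) if attack_sources else 0.0,
        "misdetection_rate": fp / len(benign) if benign else 0.0,
        "response_delay_s": max(delays) if delays else None,
        "flagged": sorted(detected),
    }


if __name__ == "__main__":
    log = build_sample_log()
    for label, thr in (("threshold 20", 20), ("threshold 1", 1)):
        print(label, ips_quality(log, {"10.0.0.9"}, threshold=thr))
```

With the assumed rule the flooder is decided on its 20th INVITE, 0.95 s after its first one, and no benign caller is flagged; dropping the threshold to 1 keeps the detection rate at 1.0 but drives the mis-detection rate to 1.0, which is exactly the trade-off the paper's pair of rate indices is meant to expose.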
4.3 Calculation of relative weights for VoIP security services
To differentiate the extent of damage compensation resulting from security incidents, weights were calculated for the designed security service index, as in Table 5. The weights were obtained by measuring the relative importance of the index areas with the analytic hierarchy process (AHP), a hierarchical decision-making method, based on a survey. The AHP structures a complicated decision problem hierarchically and then sets relative weights for each component step by step through pairwise comparisons. To this end, relative weights for the designed index were calculated from a survey of VoIP service providers and developers. Index areas rather than index items were weighted because the index items may change continuously through later studies.
Looking at the relative importance of the security service indices for VoIP services, the specialised security service is more important than the common security service. Within the common security service area, the relative importance is in the order of incident response, support, backup and reporting; within the specialised security service area, it is in the order of DDoS quality, user security, terminal security, IPS quality, security incident support and anti-spam quality.
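The AHP step described above, as an added example for this edition rather than the paper's survey tooling: the pairwise judgements below are constructed for illustration and are not the survey responses behind Table 5; the random index table and the acceptance rule CR <= 0.10 are Saaty's standard values. The example also applies the resulting weights to hypothetical per-area scores to show how a composite rating for one index type would be formed.

```python
"""Analytic hierarchy process (AHP) weights for the index areas of Sect. 4.3.
Added example: the pairwise judgements are constructed to illustrate the method;
they are not the survey data behind Table 5."""

# Saaty's random consistency index by matrix order n (n = 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def check_reciprocal(matrix, tol=1e-9):
    """A valid AHP comparison matrix is square with a_ii = 1 and a_ji = 1 / a_ij."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1.0) > tol:
            raise ValueError("comparison matrix must be square with a unit diagonal")
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def ahp_weights(matrix):
    """Row geometric-mean approximation of the principal eigenvector, normalised to sum 1."""
    check_reciprocal(matrix)
    n = len(matrix)
    geo = []
    for row in matrix:
        prod = 1.0
        for a in row:
            prod *= a
        geo.append(prod ** (1.0 / n))
    total = sum(geo)
    return [g / total for g in geo]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); lambda_max is estimated as
    the mean of (A w)_i / w_i. Saaty's rule of thumb accepts judgements with CR <= 0.10."""
    n = len(matrix)
    if n <= 2:
        return 0.0  # a 2x2 reciprocal matrix is always consistent
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def weighted_area_score(weights, scores):
    """Composite rating of one index type: sum of area weight x area score, scores in [0, 1]."""
    if len(weights) != len(scores):
        raise ValueError("one score per weighted area is required")
    return sum(w * s for w, s in zip(weights, scores))


# Constructed judgements for the four common areas, in the order
# Backup, Reporting, Support, Security incident response (Saaty 1-9 scale).
COMMON_AREAS = ["Backup", "Reporting", "Support", "Security incident response"]
COMMON_JUDGEMENTS = [
    [1.0,   2.0,   1 / 2, 1 / 4],
    [1 / 2, 1.0,   1 / 2, 1 / 4],
    [2.0,   2.0,   1.0,   1 / 2],
    [4.0,   4.0,   2.0,   1.0],
]

if __name__ == "__main__":
    w = ahp_weights(COMMON_JUDGEMENTS)
    for area, weight in zip(COMMON_AREAS, w):
        print(f"{area:28s} {weight:.3f}")
    print(f"consistency ratio {consistency_ratio(COMMON_JUDGEMENTS, w):.3f}")
    # Hypothetical measured area scores for one provider (1.0 = fully satisfied).
    print(f"common score {weighted_area_score(w, [1.0, 0.5, 0.75, 0.9]):.3f}")
```

The constructed matrix yields weights of roughly 0.148, 0.105, 0.249 and 0.498 with a consistency ratio of about 0.02, reproducing the ordering reported in Table 5 (incident response, support, backup, reporting); a survey matrix whose CR exceeded 0.10 would have to be sent back to the respondents rather than fed into the weighting.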

5 Conclusion
As society is now built to provide users with the services they want anytime and anywhere, thanks to the development of and investment in various services, users increasingly require that those services be delivered safely and efficiently. This requirement reflects demand for improvements in service quality and safety, and service providers make various efforts to meet it.
When users suffer damage from security problems such as personal information leaks and spam at information and communication companies such as major ISPs and Internet shopping malls, however, most cases are settled by civil litigation because the allocation of responsibility, compensation systems and damage estimation criteria have not yet been prepared. It is therefore time to prepare a damage compensation system and an estimation criterion that protect users against the technical and legal problems that can arise in the provision of security services.
This study developed a damage compensation index for sustainable security services, for cases in which users suffer damage such as failure or disruption of VoIP services, deterioration of quality and spam because of faults in security services or the operation of inappropriate security classes. It can serve as basic data for preparing an objective and appropriate compensation criterion for consumer damage, and it can be used to protect users and to resolve disputes between users and service providers smoothly.
This study considered the quality of IPS and anti-spam services, but it did not consider the case in which the minimum quality condition of the VoIP service itself is not met; further study is needed on the relevant target items, reference values and compensation criteria.
Acknowledgements This research was supported by a 2013 Research Grant from Sangmyung University.

References
1. Stubblefield, A., Rubin, A. D., & Wallach, D. S. (2005). Managing the performance impact of web security. Electronic Commerce Research, 5(1), 99-116.
2. Ganna, F. (2007). Service level agreements: web services and security. In Proceedings of the 7th international conference on web engineering (pp. 556-562).
3. Frankova, G. (2007). Service level agreements: web services and security. In Proceedings of the 7th international conference on web engineering (Vol. 4607, pp. 556-562).
4. Chang, H., Kwon, H., Kang, J., & Kim, Y. (2008). A case study on intelligent service design in ubiquitous computing. Computing and Informatics, 30(3), 513-529.
5. Scarle, S., Arnab, S., Dunwell, I., Petridis, P., Protopsaltis, A., & de Freitas, S. (2012). E-commerce transactions in a virtual environment: virtual transactions. Electronic Commerce Research, 12(3), 379-407.
6. Röhrig, S., & Knorr, K. (2004). Security analysis of electronic business processes. Electronic Commerce Research, 4(1-2), 59-81.
7. Verkaik, P., Agarwal, Y., Gupta, R., & Snoeren, A. C. (2009). Softspeak: making VoIP play well in existing 802.11 deployments. In Proceedings of the 6th USENIX symposium on networked systems design and implementation (pp. 409-422).
8. Franke Kleist, V. (2004). A transaction cost model of electronic trust: transactional return, incentives for network security and optimal risk in the digital economy. Electronic Commerce Research, 4(1-2), 41-57.
9. Mazurczyk, W., & Kotulski, Z. (2008). Covert channel for improving VoIP security. In Advances in information processing and protection, part II (pp. 271-280).
10. Liu, X., & Tu, C. (2011). Research on security of VoIP network. Communications in Computer and Information Science, 231, 59-65.
11. Kim, Y., Kang, J., Na, Y., & Chang, H. (2012). Study on development of appraisal business performance indicator. In Lecture notes in electrical engineering (Vol. 164, pp. 417-423).

Hangbae Chang received the Ph.D. degree in Information System Management from Yonsei University,
Korea, in 2006. Since 2012, he has been with the faculty of the Department of Business Administration,
Sangmyung University, Seoul, Korea. His research interests include intelligent service, security governance, human centric industrial security and service. He participated in many IT service and security research projects and contributed to the development of various IT service and security management modules
for industry. He has presented research papers at international and national conferences mostly focusing
on IT service and security and assisted in the organization and management of international conferences
in IT service and security.
