DOI 10.1007/s10660-013-9115-2
Abstract Users have suffered damage from security problems such as personal information leaks and spam caused by IT convergence across the information and communication industries. Because it has not yet been settled where the responsibility for this damage lies, and because compensation systems and damage estimation criteria have not been prepared, compensation is currently obtained through civil litigation between service providers and users. In addition, for the security services provided, the standard terms of the consumer contract are provider-oriented articles that disadvantage service users, and detailed compensation criteria do not exist in practice. It is therefore time to prepare a damage compensation system and an estimation criterion that protect users against the technical and legal troubles that can arise when security services are provided.
To address these problems, this paper develops a damage compensation index for sustainable security services. Specifically, by analyzing damage compensation criteria and cases for general information and communication services, a damage compensation index for security services was developed with VoIP services as the target. It can encourage service providers to improve service quality voluntarily and make damage compensation simpler for users. Socially, it can also increase the number of companies applying a security SLA and mitigate legal disputes.
Keywords IT convergence service · Sustainable security service · Security service rating · Security service index
H. Chang
Division of Business Administration, College of Business, Sangmyung University, Seoul,
Republic of Korea
e-mail: hbchang@smu.ac.kr
318
H. Chang
1 Introduction
As convergence between IT environments and various services becomes active, users are increasingly recognized as a main agent [3–6]. Accordingly, they no longer remain simple users of services but have reached a stage of asserting their rights [1, 2]. Security services have also become a subject of greater interest, together with personal information rights. However, the law and the regulatory system merely list enforcement measures and penalties as the method of guaranteeing users' rights [7, 8]. They therefore cannot play an important role in encouraging service providers to improve their security service level voluntarily or in realizing the rights of service users [9–11]. Because of these problems, the security service level agreement (SLA), which fixes an agreed level of security service provision, has received attention, and service providers operate a variety of SLA indices based on it. Recently, to resolve the differences among the various security SLA indices in use, a more objective security SLA index has been derived through a series of classification procedures.
However, when users suffer damage from security troubles such as personal information leaks and spam at information and communication companies such as major ISPs and Internet shopping malls, it has not been settled where the responsibility for the damage lies, and compensation systems and damage estimation criteria have not been prepared, so most such cases are resolved by civil litigation. In addition, for the security services provided, the standard terms of the consumer contract are provider-oriented articles that disadvantage service users, and detailed compensation criteria have not been prepared. Even where compensation is offered, most information and communication companies specify compensation only for fault handling and maintenance; for damage caused by intrusion incidents, service providers shift onto customers risks that are legally chargeable to the providers, and even this is insufficient as a damage compensation method for service users because the company's responsibility is not specified.
This study develops a security index for the VoIP (Voice over Internet Protocol) service, one of the various services offered over the Internet. Specifically, it aims to develop a damage compensation index applicable to intrusion prevention systems (IPS), firewalls, anti-virus, anti-spam and virtual private networks, for sustainable security services.
2 Precedent studies
2.1 Service level agreement (SLA)
An SLA is an agreement, reached through negotiation, in which a service provider commits to offering a predefined level of service to its subscribers. Service providers include network service providers (NSPs), Internet service providers (ISPs), application service providers (ASPs) and system integration (SI) companies, and service subscribers (users) include individuals, companies and public organizations that use the various services [3].
The level of service that the provider can support is agreed in advance, and the provider incurs a penalty if the level actually provided is inferior to the agreed one or periodically falls short of the predefined level. In general, the penalty takes the form of refunding or reducing a portion of the service charges that the user or company pays to the provider. Figure 1 shows the quality assurance control structure for services offered to users through the SLA. Through this control and assurance of service quality, providers can offer stable services, and users can receive the best service the provider offers. When the quality contract between a provider and a user is violated, the provider offers appropriate compensation if the user demands it.
To gain a competitive advantage in the communication market by satisfying customers, introducing and managing an SLA is indispensable. The purpose of the SLA is to reduce expenses related to communication networks by introducing an objective evaluation criterion, so it sets target values and collects and manages the data needed to check them. For example, after standard levels such as network availability, transaction processing time or connection failure rate have been established in advance, the relevant data are collected and managed. SLAs are of two types, service and management. On the service side, communication service providers define authority and responsibility for the services offered; on the management side, they define how service performance is measured and reported, the procedures for resolving conflicts, and authority and responsibility for changing the contract.
The reasons why an SLA is needed can be viewed from the provider's and the user's stance. First, from the user's viewpoint, the SLA gives the services received a minimum assurance. With performance indices for the services that providers offer and users consume, the service environment can be evaluated on specific performance rather than on indefinite expectations about the service in use. Ultimately, users gain the recognition and expectation that they are carrying out their business over stable communication networks.
Second, demand for service quality is growing. In particular, because the existing best-effort service finds it difficult to offer high-quality services given the explosive increase in Internet use, demand for service quality keeps rising. Users increasingly demand real-time services such as VoIP, and these services are becoming technologically feasible. To offer real-time services, providers must meet strict network requirements for delay and packet loss, and an SLA index should be defined for them as well.
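As an added illustration of the mechanism this section describes (not code from the paper), the following Python code checks one VoIP billing period against agreed standard levels of the kinds named above (availability, connection failure rate, delay, packet loss) and computes the penalty as a refund of part of the service charge. The targets, the refund schedule and the measured values are constructed assumptions.

```python
"""SLA compliance check and refund calculation for a VoIP service period.

Added example, not from the paper. The targets, the refund schedule and
the measured values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaMetric:
    name: str
    target: float
    higher_is_better: bool  # availability: True; delay, loss, failure rate: False
    refund_pct: float       # share of the period's charge refunded if breached


# Constructed agreed levels (Sect. 2.1 names the metric kinds, not the values)
VOIP_SLA = (
    SlaMetric("availability_pct", 99.9, True, 10.0),
    SlaMetric("connection_failure_rate_pct", 0.5, False, 5.0),
    SlaMetric("one_way_delay_ms", 150.0, False, 5.0),
    SlaMetric("packet_loss_pct", 1.0, False, 5.0),
)


def availability_pct(downtime_minutes, period_minutes):
    """Availability derived from measured downtime in the billing period."""
    if period_minutes <= 0 or not 0 <= downtime_minutes <= period_minutes:
        raise ValueError("invalid downtime/period")
    return 100.0 * (1.0 - downtime_minutes / period_minutes)


def is_breached(metric, measured):
    """True when the measured value falls short of the agreed level."""
    if metric.higher_is_better:
        return measured < metric.target
    return measured > metric.target


def evaluate_period(sla, measured, period_charge, refund_cap_pct=30.0):
    """Compare measured values with the SLA; return breaches and refund.

    Every metric must be measured: the penalty is computed from collected
    data, so a missing value is an error rather than silently compliant.
    """
    missing = [m.name for m in sla if m.name not in measured]
    if missing:
        raise ValueError(f"unmeasured SLA metrics: {missing}")
    breaches = [m.name for m in sla if is_breached(m, measured[m.name])]
    refund_pct = min(sum(m.refund_pct for m in sla if m.name in breaches),
                     refund_cap_pct)  # total refund is capped per period
    return {"breaches": breaches,
            "refund_pct": refund_pct,
            "refund": round(period_charge * refund_pct / 100.0, 2)}


# Constructed measurements for one 30-day period (43,200 minutes)
SAMPLE_MEASURED = {
    "availability_pct": availability_pct(downtime_minutes=60,
                                         period_minutes=30 * 24 * 60),
    "connection_failure_rate_pct": 0.3,
    "one_way_delay_ms": 180.0,
    "packet_loss_pct": 0.4,
}

if __name__ == "__main__":
    print(evaluate_period(VOIP_SLA, SAMPLE_MEASURED, period_charge=20000.0))
```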
Third, there is demand for the provision and use of differentiated services. End-to-end (E2E) QoS can be ensured by using the DiffServ (Differentiated Services) QoS (Quality of Service) model of the IETF, cut-through switching technologies such as MPLS (Multi-Protocol Label Switching), and ATM (Asynchronous Transfer Mode). In particular, enterprise users want to carry out business over networks with stable and excellent performance even if they pay additional cost for the assured QoS.
Finally, through the SLA, providers can satisfy the service expectations of users and perform goal-oriented network management and operation. Users, in turn, can reduce opportunity loss because they are able to prepare for potential faults.
Telecommunication service providers combine a variety of performance indices to form an SLA, depending on each provider's network environment and on the kind of service. Controllable service fields such as leased lines, frame relay and ATM have been the main domain of SLAs, but recently SLA coverage has tended to expand to IP networks, Web hosting, DSL (Digital Subscriber Line) and video conferencing services. In particular, the expansion of IP-VPN (IP Virtual Private Network) services has further increased interest in the SLA.
2.2 VoIP services
Unlike existing telephone services, VoIP services aim to provide various value-added services (including multimedia data communication) as well as voice by exploiting IP networks and Internet protocols. The service is offered by interconnecting wire telephones, IP phones and soft phones (provided as an application on a computer) with the Internet as the medium. Looking at the types of terminal connection for VoIP services in detail, they can be divided into IP phone to IP phone, soft phone to soft phone (or IP phone), IP phone to wire telephone (including mobile phones) and wire telephone to wire telephone, as in Fig. 2 (PSTN: public switched telephone network).
VoIP offers services based on a call control protocol (H.323, MGCP or SIP), and a call server connects the call between the two terminals (user agents). Depending on the protocol, the call server is called a gatekeeper, proxy server or soft switch. When a call is established between terminals through the call server, the voice and other real-time data such as audio and video are separated from the call control data and transmitted alongside it.
Security vulnerability by VoIP service section: Terminal, LAN, WAN, Service (table layout lost in extraction).
thority for soft phones. Second, terminal eavesdropping is a threat that abuses terminal vulnerabilities, such as the insertion of malicious code, to replay a telephone conversation between users. Finally, a terminal password vulnerability attack (user or administrator) is a threat that acquires authority by guessing default passwords or by brute force and then abuses it, as in Fig. 4.
The security threats for the LAN section are as follows. First, line-sharing traffic eavesdropping is a threat in which a sniffing tool eavesdrops on a network whose lines are shared. Second, ARP (Address Resolution Protocol) cache poisoning is a threat that inserts a non-existent or wrong ARP address into a system's ARP cache so that the service is attacked through the wrong ARP address, as in Fig. 4.
The security threats for the WAN section are as follows. First, a man-in-the-middle attack is a threat in which an attacker arbitrarily reads, inserts or modifies the messages exchanged between users. Second, a system vulnerability scan attack is a threat that finds vulnerabilities in a system to exploit in attacks. Third, a DDoS (Distributed Denial-of-Service) attack is a threat that prevents the system from offering its services by depleting, monopolizing or destroying the resources of major information systems. Finally, vishing (VoIP + phishing) is a threat that acquires personal information through social engineering, such as fraud that exploits human psychology, as in Fig. 4.
The charging path bypass attack, which can occur in the service section, is a threat that bypasses the VoIP service authentication system in order to use the service illegally as if a normal user, as in Fig. 4.
3.2 Classification of countermeasures for VoIP service vulnerability
To address the security threats identified for each VoIP service section technically, information from precedent studies was collected on the technologies used to design a security service index, such as firewalls, IPS, anti-virus, anti-spam and VPN. Countermeasures for VoIP service vulnerabilities were then classified after review in an expert group meeting and verification of their practical applicability.
The vulnerabilities arising from the security threats for each VoIP service section presented in Table 1 were reclassified into misuse, eavesdropping, DDoS and spam, as in Table 2.
Table 2 (layout lost in extraction) Vulnerability types: misuse, eavesdropping, DDoS, spam. Listed items: terminal eavesdropping; terminal password vulnerability attack (user, administrator); line sharing traffic eavesdropping; ARP cache poisoning; eavesdropping by hacking routers and network systems; man in the middle attack; DDoS; vishing; spam. The original table also marks the objects of study.
Table 3 A candidate group of security service rating indices for VoIP services
Index type: Common. Index names: Backup, Reporting, Support, Security incident response.
Index type: Specialization. Index names: IPS quality, Anti-spam quality.
rating index, and to delete it because each provider carries out a different policy according to its own circumstances. Third, "Availability, performance and security event monitoring results reporting period" is changed to "Internal reporting time limit for security events", considering providers' actual business processes, and the relevant rating index is changed accordingly. Fourth, "Fault notification time limit" suits a quality index for general functional services rather than security services, and providers actually measure it in that respect, so it is deleted. Fifth, "Security patch (urgent) application period" is deleted considering the reality that, because of the service's characteristics, the patch is applied after all services have been stopped. Sixth, "Security incident notification time limit" is partly modified to "Incident notification time limit (time to inform users of the fact of an incident after it occurred)" for clarity of measurement; for the same reason "Security incident response time limit" is modified to "(Where the fact that a security incident occurred is proven) security incident response time from its occurrence to service recovery", and its scale is adjusted to be practical.
The result of designing an index to measure quality levels for security equipment, as a specialized index limited to VoIP services, is as follows. For IPS equipment it designs "Response delay time (time required to decide on an intrusion)", "Attack detection and blocking rate", "Mis-detection rate", "Time to notify abnormality or down of the IPS" and "Time to notify after detecting and blocking major intrusion events". For anti-spam equipment, "Spam blocking rate (rate of blocking spam as spam)", "Mis-blocking rate (rate of blocking normal signals as spam)", "Virus mail blocking rate", "Hacking mail blocking rate", "Signature integrity verification period" and "Latest signature list update period" are practically difficult to measure (the measured results are insufficiently reliable) and difficult to distinguish in the designed ratings, so DDoS equipment is added and the index measures whether or not each piece of equipment possesses its core functions.
Designed security service index (table layout lost in extraction). Common indices: Backup; Reporting; Security incident response, with "Incident notification time limit (time to inform users of the fact of an incident after it occurred)" and "(Where the fact that a security incident occurred is proven) security incident response time from its occurrence to service recovery"; Support, with "Whether or not to conduct education related to information security for internal service administrators" and "Existence of guidelines for security incidents such as security violation incident response systems". Specialization indices: Security equipment, with IPS quality, Spam detection/blocking and DDoS quality; Terminal security, with "Whether or not to authenticate terminals for each user (MAC, terminal management server etc.)"; User security, with "Whether or not to establish user account and password management technology and policy".
Relative weights of the index areas (table layout lost in extraction). Common area: Backup 0.14, Reporting 0.13, Support 0.24, Security incident response 0.49. Specialization area: Security equipment.
In the terminal security part it designs "Whether or not to change the terminal's initial password" and "Whether or not to authenticate terminals for each user (MAC, terminal management server etc.)"; in the user security part, "Whether or not to establish user account and password management technology and policy" and "Whether or not to encrypt users' personal information"; and in the security incident support part, "Whether or not to conduct education related to information security for internal service administrators" and "Existence of guidelines for security incidents such as security violation incident response systems", each together with the relevant rating scale.
4.3 Calculation of relative weights for VoIP security services
In order to calculate the extent of damage compensation for security incidents differentially, weights are calculated for the security service index designed as in Table 5. The weights are obtained by measuring the relative importance of each index area with the hierarchical decision making method (analytic hierarchy process, AHP) on the basis of a survey. This method structures a complicated decision making problem hierarchically and then sets relative weights for each component step by step. To this end, relative weights for the designed index were calculated from the responses of VoIP service providers and developers. For reference, index areas rather than index items are used because the index items may continue to change in later studies.
Looking at the relative importance results for the security service indices for VoIP services, the Specialized security service area is indicated as relatively more important than the Common security service area, and within the Common security service area the relative importance is in the order Incident response, Support, Backup and Reporting. The relative importance within the Specialized security service area is
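To make the weighting step concrete, the following Python code (an added example, not the paper's survey data or code) applies the analytic hierarchy process to a constructed pairwise comparison matrix for the four Common index areas. The Saaty-scale judgments are assumptions chosen to approximate the reported weights; the random index 0.90 for n = 4 is Saaty's standard table value, and the consistency check is the part a practitioner should never skip when survey responses are aggregated.

```python
"""Analytic hierarchy process (AHP) weights for security index areas.

Added example; the pairwise judgments below are constructed, not the
paper's survey data. Uses the row geometric mean approximation of the
principal eigenvector, which is adequate for small matrices.
"""
from math import prod

AREAS = ["Backup", "Reporting", "Support", "Security incident response"]

# Constructed Saaty-scale judgments: A[i][j] = how much more important
# area i is than area j (1 equal, 3 moderately more, ...); A[j][i] = 1/A[i][j].
JUDGMENTS = [
    [1, 1, 1/2, 1/3],
    [1, 1, 1/2, 1/4],
    [2, 2, 1,   1/2],
    [3, 4, 2,   1],
]

# Saaty's random consistency index for n = 1..6
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}


def check_reciprocal(matrix, tol=1e-9):
    """Reject anything that is not a positive reciprocal comparison matrix."""
    n = len(matrix)
    for i in range(n):
        if len(matrix[i]) != n or abs(matrix[i][i] - 1) > tol:
            raise ValueError(f"row {i}: not square or diagonal != 1")
        for j in range(n):
            if matrix[i][j] <= 0 or abs(matrix[i][j] * matrix[j][i] - 1) > tol:
                raise ValueError(f"entry ({i},{j}) is not positive/reciprocal")


def ahp_weights(matrix):
    """Return (weights, lambda_max, consistency_ratio) for a comparison matrix."""
    check_reciprocal(matrix)
    n = len(matrix)
    # Priority vector: normalized geometric mean of each row
    gm = [prod(row) ** (1 / n) for row in matrix]
    total = sum(gm)
    weights = [g / total for g in gm]
    # lambda_max estimate: mean of (A w)_i / w_i over all rows
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri > 0 else 0.0
    return weights, lambda_max, cr


def rank_areas(matrix, names=AREAS):
    """Areas ordered from most to least important, with their weights."""
    weights, _, cr = ahp_weights(matrix)
    if cr >= 0.10:  # Saaty's usual threshold: judgments must be revised
        raise ValueError(f"judgments inconsistent: CR={cr:.3f}")
    return sorted(zip(names, weights), key=lambda nw: nw[1], reverse=True)


if __name__ == "__main__":
    w, lam, cr = ahp_weights(JUDGMENTS)
    print(f"lambda_max={lam:.4f} CR={cr:.4f}")
    for name, weight in rank_areas(JUDGMENTS):
        print(f"{name:28s} {weight:.3f}")
```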
5 Conclusion
As society is now built to provide users with the services they want anytime and anywhere, through development of and investment in various services, users' requirement to receive those services more safely and efficiently is also growing. This requirement reflects demand for improvement in service quality and safety, and service providers make various efforts to that end.
When users suffer damage from security troubles such as personal information leaks and spam at information and communication companies such as major ISPs and Internet shopping malls, however, most cases are resolved by civil litigation, because it has not been settled where the responsibility for the damage lies and compensation systems and damage estimation criteria have not been prepared. Accordingly, it is time to prepare a damage compensation system and an estimation criterion that protect users against the technical and legal troubles that can arise when security services are provided.
This study developed a damage compensation index for sustainable security services, for cases where users suffer damage such as failures or disruptions of VoIP services, deterioration in quality and spam because of faults in security services or the operation of inappropriate security classes. It can serve as basic data for preparing an objective and appropriate compensation criterion when consumers suffer damage. It can also be used to protect users and to resolve disputes between users and service providers smoothly.
This study considers the quality of IPS and anti-spam equipment, but it does not consider the case in which the minimum quality condition of the VoIP service itself is not met, so further study is needed on the relevant target items, reference values and compensation criteria.
Acknowledgements This research was supported by a 2013 Research Grant from Sangmyung University.
References
1. Stubblefield, A., Rubin, A. D., & Wallach, D. S. (2005). Managing the performance impact of web security. Electronic Commerce Research, 5(1), 99–116.
2. Ganna, F. (2007). Service level agreements: web services and security. In Proceedings of the 7th international conference on web engineering (pp. 556–562).
3. Frankova, G. (2007). Service level agreements: web services and security. In Proceedings of the 7th international conference on web engineering (Vol. 4607, pp. 556–562).
4. Chang, H., Kwon, H., Kang, J., & Kim, Y. (2008). A case study on intelligent service design in ubiquitous computing. Computing and Informatics, 30(3), 513–529.
5. Scarle, S., Arnab, S., Dunwell, I., Petridis, P., Protopsaltis, A., & de Freitas, S. (2012). E-commerce transactions in a virtual environment: virtual transactions. Electronic Commerce Research, 12(3), 379–407.
6. Röhrig, S., & Knorr, K. (2004). Security analysis of electronic business processes. Electronic Commerce Research, 4(1–2), 59–81.
7. Verkaik, P., Agarwal, Y., Gupta, R., & Snoeren, A. C. (2009). Softspeak: making VoIP play well in existing 802.11 deployments. In Proceedings of the 6th USENIX symposium on networked systems design and implementation (pp. 409–422).
8. Franke Kleist, V. (2004). A transaction cost model of electronic trust: transactional return, incentives for network security and optimal risk in the digital economy. Electronic Commerce Research, 4(1–2), 41–57.
9. Mazurczyk, W., & Kotulski, Z. (2008). Covert channel for improving VoIP security. In Advances in information processing and protection, part II (pp. 271–280).
10. Liu, X., & Tu, C. (2011). Research on security of VoIP network. Communications in Computer and Information Science, 231, 59–65.
11. Kim, Y., Kang, J., Na, Y., & Chang, H. (2012). Study on development of appraisal business performance indicator. In Lecture notes in electrical engineering: Vol. 164 (pp. 417–423).
Hangbae Chang received the Ph.D. degree in Information System Management from Yonsei University,
Korea, in 2006. Since 2012, he has been with the faculty of the Department of Business Administration,
Sangmyung University, Seoul, Korea. His research interests include intelligent service, security governance, human centric industrial security and service. He participated in many IT service and security research projects and contributed to the development of various IT service and security management modules
for industry. He has presented research papers at international and national conferences mostly focusing
on IT service and security and assisted in the organization and management of international conferences
in IT service and security.
Copyright of Electronic Commerce Research is the property of Springer Science & Business
Media B.V. and its content may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.