Security and Privacy Assurance in Advancing Technologies: New Developments

Hamid Nemati (The University of North Carolina – Greensboro, USA)
Release Date: November, 2010 | Copyright: © 2011 | Pages: 494 | DOI: 10.4018/978-1-60960-200-0
ISBN13: 9781609602000 | ISBN10: 1609602005 | EISBN13: 9781609602024

Description

Recent advances in computing and communication networks allow us to utilize information technology in ways previously unimaginable. In order for us to take full advantage of the possibilities offered by these new technologies, organizations, governmental agencies, and individuals must find ways to address the associated security and privacy implications of their actions and behaviors.

Security and Privacy Assurance in Advancing Technologies: New Developments provides a comprehensive collection of knowledge from experts within the field of information security and privacy. This book explores the changing roles of information technology and how this change will impact information security and privacy. The evolving nature of information security and privacy brings additional challenges and opportunities for all of us to carry into the future.

Topics Covered

The many academic areas covered in this publication include, but are not limited to:

  • Consumer and business practices and trends
  • Database issues in privacy protection
  • Economic impact analysis
  • Encryption, authentication, and access control
  • File and file system security and privacy
  • Global issues
  • Hacking and corruptions
  • Identity and privacy confidentiality
  • Peer-to-Peer computing
  • Relationships and trade-offs between security and privacy
  • Security and privacy techniques, management, and protocols
  • Tools, techniques, methods, and frameworks
  • Trends and new developments

Reviews and Testimonials

Academics and professionals in the fields of computer science and informatics present twenty-three papers on contemporary issues in information and data security and privacy in networking technologies. Articles present research covering such topics as the efficacy of privacy statements, password-based cryptography, small business health information security, cultural impacts on privacy and data security, thwarting 'man-in-the-middle' attacks, preserving privacy in data-mining operations and multimedia transmission privacy and security. ...

– Sci Tech Book News, BookNews.com


Preface

Information Security and Privacy in a Transitioning Technological Environment: Challenges and Opportunities

It is unmistakably apparent that we are in the midst of a “technological revolution” that has profound implications for all aspects of our lives. This revolution has transformed our lives in ways unimaginable in less than a decade. We are able to communicate more freely and effortlessly with one another, make more informed decisions, and have a higher standard of living, all resulting from advances in Information Technologies (IT). More people are employed generating, collecting, handling, processing and distributing information than in any other profession and at any other time (Mason 1986). IT has made us more productive in our workplaces, has brought us closer, transformed our lives and has helped in redefining who we are as humans. Its impacts can be felt in the ways in which we relate, interact, and communicate not just with one another but also in the way we interact with the technology itself. To some extent, information technologies have become “information appliances”. Yet, we are only at the threshold of what is to come and many experts believe that we have only seen the tip of the iceberg. The dizzying pace of advances in information technology that characterizes this revolution promises to transform our lives even more drastically than we can conceive. Technology has redefined our relationships with the businesses we interact with and the governmental agencies representing us. Our world has been altered so irrevocably that we are no longer able to conduct our lives without it. But perhaps the most sweeping aspect of this revolution can be found in how we perceive and identify ourselves as individuals and eventually in how we will interact with one another. Consequently, we are on the verge of the biggest societal transformation in the history of mankind traced directly to advances in information technology. This transformation will most likely create new opportunities and challenges we have yet to fathom.

Information defines us. It defines the age we live in and the societies we inhabit. Information is the output of our human intellectual endeavors which inherently defines who we are as humans and how we conduct our lives. New technologies make possible what was not possible before. This alters our old value clusters, whose hierarchies were determined by the range of possibilities open to us at the time. By making available new options, new technologies can and will lead to a restructuring of the hierarchy of values (Mesthene, 1968). Mason (1986) claims that the unique challenges facing our modern societies are the result of the evolving nature of information itself. This evolving nature of information requires us to rethink the way we interact with one another. Although this technological revolution has brought us closer and has made our lives easier and more productive, paradoxically, it has also made us more capable of harming one another and more vulnerable to being harmed by each other. Our vulnerabilities are the consequence of our capabilities. Mason argues that in this age of information, a new form of social contract is needed in order to deal with the potential threats to the information which defines us. Mason (1986) states “Our moral imperative is clear. We must insure that information technology, and the information it handles, are used to enhance the dignity of mankind. To achieve these goals we must formulate a new social contract, one that insures everyone the right to fulfill his or her own human potential.” (Mason, 1986, p. 26). This new social contract has profound implications for the way our society views information and the technologies that support it. For technology to enhance “human dignity”, it should assist humans in exercising their intellects ethically. But is it possible to achieve this without assuring the trustworthiness of information and the integrity of the technologies we are using?
Without security that guarantees the trustworthiness of information and the integrity of our technologies, ethical uses of the information cannot be realized. This implies that securing information and ensuring its privacy are inherently intertwined and should be viewed synergistically. In order for us to take full advantage of the possibilities offered by this new interconnectedness, organizations, governmental agencies, and individuals must find ways to address the associated security and privacy implications. As we move forward, new security and privacy challenges will likely emerge. It is essential that we are prepared for these challenges in order to take full advantage of the opportunities. With the emergence of the new paradigm in information technology, the role of information security and privacy will evolve. Whilst advances in information technology have made possible the generation, collection, storage, processing and transmission of data at a staggering rate from various sources by government, organizations and other groups for a variety of purposes, concerns over the security of what is collected and the potential harm from personal privacy violations resulting from its unethical use have also skyrocketed. Therefore, an understanding of pertinent issues in information security and privacy vis-à-vis the technical, theoretical, managerial and regulatory aspects of the generation, collection, storage, processing, transmission and ultimately use of information has never been more important to researchers and industry practitioners alike. Understanding and studying salient issues of information security and privacy is a complex and multifaceted undertaking. As a result, it has received considerable attention from researchers, developers and practitioners from a variety of different perspectives and backgrounds.
Information security and privacy have been viewed as one of the foremost areas of concern and interest by academic researchers and industry practitioners from diverse fields such as engineering, computer science, information systems, psychology, sociology, the law and management. In this preface, we will consider how advances in information technologies have ushered in an unprecedented explosion in the data that define us and discuss why an understanding of the security and privacy issues relating to this data is essential in any meaningful examination of the role of technology in our lives. To achieve this, we will define information security and privacy and will discuss important defining issues currently dominating each. We will conclude by looking ahead in an attempt to seek clues as to how this technological revolution will impact this field.

An Ocean of Data

A byproduct of the pervasiveness of Information Technology in our daily lives is the amazingly large amount of data currently being generated. According to IBM, worldwide data volumes are currently doubling every two years (IDC, 2010). Data experts estimate that in 2002 the world generated 5 exabytes of data. This amount of data is more than all the words ever spoken by human beings. The rate of growth is just as staggering – the amount of data produced in 2002 was up 68% from just two years earlier. The size of the typical business database has grown a hundred-fold during the past five years as a result of internet commerce, ever-expanding computer systems and mandated recordkeeping by government regulations. The rate of growth in data has not slowed. International Data Corporation (IDC) estimates that the amount of data generated in 2009 was 1.2 million Petabytes (IDC, 2010). (A Petabyte is a million gigabytes.) (IDC Report, 2010). Although this seems to be an astonishingly large amount of data, it pales in comparison to what IDC estimates that amount will be in 2020. IDC estimates that the amount of data generated in 2010 will be 44 times as much as this year, an incomprehensible 35 Zettabytes (a Zettabyte is 1 trillion gigabytes). IDC reports that by 2020, we will generate 35 trillion gigabytes of data. Moreover, that amount probably doubles every two years (Hardy, 2004). This astonishingly large growth in data, according to a survey by the US Department of Commerce, can be traced to the ever increasing number of Americans who are online on a daily basis and are engaged in several activities, including online purchases and e-commerce, conducting banking online, learning, entertaining each other and being entertained by others and, above all, interacting socially.
According to Nielsen (Nielsen 2010), Americans spend almost 25% of their time online on social networking sites and blogs, up 43 percent from one year earlier, and they spend a third of their online time (36 percent) communicating and networking across social networks, blogs, personal email and instant messaging (Lawson, 2010). A recent Nielsen study (Nielsen 2010) revealed that activities that generate larger and more private data are on the rise. The following table 1 summarizes the findings.

Almost everything that we do in our daily lives can generate a digital footprint. Whether we are using credit cards, surfing the Internet or viewing a YouTube video, we are generating data. IDC senior vice president John Gantz states: "About half of your digital footprint is related to your individual actions—taking pictures, sending e-mails, or making digital voice calls. The other half is what we call the 'digital shadow'—information about you—names in financial records, names on mailing lists, web surfing histories or images taken of you by security cameras in airports or urban centers. For the first time your digital shadow is larger than the digital information you actively create about yourself." Our digital shadow, the sum of all the digital information generated about us on a daily basis, now exceeds the amount of digital information we actively create ourselves (IDC, 2010). This digital footprint, including our digital shadow, represents us as humans: it represents who we are and how we conduct our lives. It needs to be secured, protected, and managed appropriately.

The growth in Internet usage has offered businesses and governmental agencies the opportunity to collect and analyze information in ways never previously imagined.  “Enormous amounts of consumer data have long been available through offline sources such as credit card transactions, phone orders, warranty cards, applications and a host of other traditional methods. What the digital revolution has done is increase the efficiency and effectiveness with which such information can be collected and put to use” (Adkinson, Eisenach, & Lenard, 2002).  

The proclamation about data volume growth is no longer surprising, but continues to amaze even the experts. For businesses, more data isn't always better. Organizations must assess what data they need to collect and how best to leverage it. Collecting, storing and managing business data and associated databases can be costly, and expending scarce resources to acquire and manage extraneous data fuels inefficiency and hinders optimal performance. The generation and management of business data also loses much of its potential organizational value unless important conclusions can be extracted from it quickly enough to influence decision making while the business opportunity is still present. Managers must rapidly and thoroughly understand the factors driving their business in order to sustain a competitive advantage. Organizational speed and agility supported by fact-based decision making are critical to ensure that an organization remains at least one step ahead of its competitors. According to Kakalik and Wright (1997), a normal consumer is on more than 100 mailing lists and in at least 50 databases. A survey of 10,000 Web users conducted by Georgia Institute of Technology concludes that "Privacy now overshadows censorship as the No. 1 most important issue facing the Internet" (Machlis 1997). A UCLA study released in February 2003 reported that 88.8% of the respondents said that they were somewhat or extremely concerned when purchasing online.

The gathering of data for data mining purposes was initially an attempt by companies to learn as much as possible about their customers so that they could provide customized or personable service and increase sales. The development and use of computer/data technology helped speed this process as it made gathering and analyzing the data easier. However, recent developments have caused individuals to lose control over the data about them. As technology advanced, the tools became more invasive, more thorough and more accurate. It is possible that this data, available to anyone (individuals, businesses, governments), can be manipulated in such a way as to produce an in-depth profile of an individual or group.

Concerns have arisen regarding the use of data mining, as an individual has to interpret the results, and the data or knowledge gained can be taken out of context. For example, the US government utilizes some very powerful surveillance tools to gather data about its citizens. There are legitimate concerns regarding the accuracy of the data and the privacy of the material these tools produce. The use of data mining technologies to make sense of this data can provide limited and inaccurate results. What is the cost of a mistake? Is it a type one or type two error? What if you wrongly accuse an innocent person or allow a guilty person to go free? What percentage of accurate results is acceptable? Is an 85% accuracy rate good? If you are sending out a flyer or picking a stock, then yes, it is. If you are deciding whether a person should be questioned and possibly detained by the police, is that percentage still acceptable? What if you are one of the 15% wrongly accused? What are the implications? (Under the Patriot Act, if the accused is an immigrant they may be detained indefinitely.) These are questions that must be seriously considered. The end-users of the technology must understand these concerns and the limitations of the technology they employ.

Information Security

Until recently, information security was exclusively discussed in terms of mitigating risks associated with data and the organizational and technical infrastructure that supported it. A common motivation for corporations to invest in information security is to safeguard their confidential data. This motivation is based on the erroneous view of information security as a risk mitigation activity rather than a strategic business enabler. No longer should information security be viewed solely as a measure to reduce risk to organizational information and electronic assets; it should be viewed as the way business needs to be conducted. To achieve success in information security goals, an organization’s information security program should support the mission of the organization. Information security is concerned with the identification of an organization's electronic information assets and the development and implementation of tools, techniques, policies, standards, procedures and guidelines to ensure the confidentiality, integrity and availability of these assets. Although Information Security can be defined in a number of ways, the most salient definition is set forth by the U.S. government. The National Institute of Standards and Technology (NIST) defines Information Security based on 44 United States Code Section 3542(b)(2), which states “Information Security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” (NIST, 2003, p. 3). The Federal Information Security Management Act (FISMA, P.L. 107-296, Title X, 44 U.S.C. 3532) defines Information Security as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction” and goes on to further define Information Security activities as those “carried out in order to identify and address the vulnerabilities of computer system, or computer network” (17 U.S.C. 1201(e), 1202(d)). The United States’ National Information Assurance Training and Education Center (NIATEC) defines information security as “a system of administrative policies and procedures for identifying, controlling and protecting information against unauthorized access to or modification, whether in storage, processing or transit” (NIATEC, 2006). The overall goal of information security should be to enable an organization to meet all of its mission critical business objectives by implementing systems, policies and procedures to mitigate IT-related risks to the organization, its partners and customers (NIST, 2003). The Federal Information Processing Standards Publication 199 issued by the National Institute of Standards and Technology (NIST, 2004) defines three broad information security objectives: “Confidentiality”, “Integrity” and “Availability”. This trio of objectives is sometimes referred to as the “CIA Triad”.

The Information Systems Security Association (ISSA) has been developing a set of Generally Accepted Information Security Principles (GAISP). GAISP include a number of information security practices, including the need for involvement of top management, the need for customized information security solutions, the need for periodic reassessment, the need for an evolving security strategy and the need for a privacy strategy. This implies that information security should be viewed as an integral part of the organizational strategic mission and therefore requires a comprehensive and integrated approach. It should be viewed as an element of sound management in which cost-effectiveness is not the only driver of the project. Management should realize that information security is a smart business practice. By investing in security measures, an organization can reduce the frequency and severity of security-related losses. Information security requires a comprehensive approach that extends throughout the entire information life cycle. Management needs to understand that without physical security, information security would be impossible. As a result, it should take into consideration a variety of issues, both technical and managerial, and from within and outside of the organization. Management needs to realize that this comprehensive approach requires that the managerial, legal, organizational policy, operational, and technical controls work together synergistically. This requires that senior managers be actively involved in establishing information security governance.

Effective information security controls often depend upon the proper functioning of other controls, but responsibilities must be assigned and carried out by appropriate functional disciplines. These interdependencies often require a new understanding of the tradeoffs that may exist, which means achieving one may actually undermine another. Management must insist that information security responsibilities and accountability be made explicit and that system owners have responsibilities that may exist outside their own functional domains. An individual or work group should be designated to take the lead role in information security as a broad, organization-wide process. This requires that security policies be established and documented, and that awareness among all employees be increased through employee training and other incentives. It also requires that information security priorities be communicated to all stakeholders, including customers and employees at all levels within the organization, to ensure a successful implementation. Management should insist that information security activities be integrated into all management activities, including strategic planning and capital planning. Management should also insist that an assessment of needs and weaknesses be initiated and that security measures and policies be monitored and evaluated continuously. Information security professionals are charged with protecting organizations against their information security vulnerabilities. Given the importance of securing information to an organization, this is an important position with considerable responsibility. It is the responsibility of information security professionals and management to create an environment where the technology is used in an ethical manner. Therefore, one cannot discuss information security without discussing the ethical issues fundamental in the development and use of the technology.
According to a report by the European Commission (EC, 1999, p. 7) “Information Technologies can be and are being used for perpetrating and facilitating various criminal activities. In the hands of persons acting with bad faith, malice, or grave negligence, these technologies may become tools for activities that endanger or injure the life, property or dignity of individuals or damage the public interest.” Information technology operates in a dynamic environment. Considerations of dynamic factors, such as advances in new technologies, the dynamic nature of the user, the information latency and value, systems’ ownerships, the emergence of a new threat and new vulnerabilities, dynamics of external networks, changes in the environment, the changing regulatory landscape, should be viewed as important. Therefore the management should insist on an agile, comprehensive, integrated approach to information security.

Information is a critical asset that supports the mission of an organization. Protecting this asset is critical to survivability and longevity of any organization. Maintaining and improving information security is critical to the operations, reputation, and ultimately the success and longevity of any organization. However, information and the systems that support it are vulnerable to many threats that can inflict serious damage to an organization resulting in significant losses. The concerns over information security risks can originate from a number of different security threats. They can come from hacking and unauthorized attempts to access private information, fraud, sabotage, theft and other malicious acts or they can originate from more innocuous sources, but no less harmful, such as natural disasters or even user errors.
David Mackey, IBM’s Director of security intelligence, estimates that IBM recorded more than 1 billion suspicious computer security events in 2005. The damage from these “security events” can range from loss of integrity of the information to total physical destruction or corruption of the entire infrastructure that supports it. Damages can stem from the actions of a variety of sources, from disgruntled employees defrauding a system and careless errors committed by trusted employees to hackers gaining access to the system from outside of the organization. Precision in estimating computer security-related losses is not possible because many losses are never discovered, and others are "swept under the carpet" to avoid negative publicity. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. Broadly speaking, the main purpose of information security is to protect an organization's valuable resources, such as information, hardware, and software. Any information security initiative aims to minimize risk by reducing or eliminating threats to vulnerable organizational information assets. The National Institute of Standards and Technology (NIST, 2003, p. 7) defines risk as “…a combination of: (i) the likelihood that a particular vulnerability in an agency information system will be either intentionally or unintentionally exploited by a particular threat resulting in a loss of confidentiality, integrity, or availability, and (ii) the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability will have on agency operations (including mission, functions, and public confidence in the agency), an agency’s assets, or individuals (including privacy) should there be a threat exploitation of information system vulnerabilities.” It adds that “Risks are often characterized qualitatively as high, medium, or low” (NIST, 2003, p. 8).
The same publication defines threat as “…any circumstance or event with the potential to intentionally or unintentionally exploit a specific vulnerability in an information system resulting in a loss of confidentiality, integrity, or availability,” and vulnerability as “…a flaw or weakness in the design or implementation of an information system (including security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an agency’s operations (including missions, functions, and public confidence in the agency), an agency’s assets, or individuals (including privacy) through a loss of confidentiality, integrity, or availability” (NIST, 2003, p. 9). NetIQ (2004) discusses five different types of vulnerabilities that have a direct impact on the governance of information security practices. They are: exposed user accounts or defaults, dangerous user behavior, configuration flaws, missing patches and dangerous or unnecessary services. Effective management of these vulnerabilities is critical for three basic reasons. First, effective vulnerability management helps reduce the severity and growth of incidents. Second, it helps in regulatory compliance. Third, and most important, it is simply a “good business practice” to be proactive in managing vulnerabilities rather than reactive by trying to control the damage from an incident.

The importance of securing our information infrastructure also applies to the government of the United States. The U.S. Department of Homeland Security (DHS) identifies a Critical Infrastructure (CI) as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” According to a recent report by the DHS titled The National Strategy for Homeland Security, which identified thirteen CI’s, disruption in any component of a CI can have catastrophic economic, social and national security impacts. Information Security is identified as a major area of concern for the majority of the thirteen identified CI’s. For example, many government and private-sector databases contain sensitive information which can include personally identifiable data such as medical records, financial information such as credit card numbers, and other sensitive proprietary business information or classified security-related data. Securing these databases, which form the backbone of a number of CI’s, is of paramount importance.

Losses due to electronic theft of information and other forms of cybercrime against such databases can amount to tens of millions of dollars annually. In addition to the specific costs that can be incurred as the result of malicious activities, such as identity theft resulting from data breaches (such as theft of hardware, system break-ins, virus attacks or denial of service attacks), one of the major consequences of dealing with a security attack is the decrease in customer and investor confidence in the company. This is an area of major concern for management. According to an event-study analysis using market valuations to assess the impact of security breaches on the market value of breached firms, announcing a security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement – an average loss in market capitalization of $1.65 billion per breach. The study suggests that the cost of poor security is very high for investors and bad for business. Financial consequences may range from fines levied by regulatory authorities to brand erosion. As a result, organizations are spending a larger portion of their IT budget on information security. A study by the Forrester Research Group estimated that in 2007 businesses across North America and Europe will spend almost 13% of their IT budgets on security related activities. The same report shows the share of security expenditure was around 7% in 2006.

It is obvious that information security is a priority for management, as it should be. Regardless of the source, the impact on an organization can be severe, ranging from interruption in the delivery of services and goods, loss of physical and other assets, and loss of customer good will and confidence in the organization to disclosure of sensitive data. Such sensitive data breaches can be very costly to the organization. However, recent research shows that investing in and upgrading information security infrastructure is a smart business practice. By doing so, an organization can reduce the frequency and severity of losses resulting from security breaches in computer systems and information technology infrastructure. Information Security is not just a technology issue. It encompasses all aspects of business from people to processes to technology. Bruce Schneier, founder and editor of Schneier.com, states that "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." Information Security involves consideration of many interrelated fundamental issues. Among them are technological, developmental and design, and managerial considerations. The technology component of information security is perhaps the easiest to develop and implement. The technological component of information security and privacy is concerned with the development, acquisition, and implementation of the hardware and software needed to achieve information security. The developmental and design component of information security deals with issues related to the techniques and methodologies used to proactively design and develop systems that are secure. The managerial and personnel component focuses on the complex issues of dealing with the human elements in information security and privacy. It deals with the policies, procedures and assessments required for the management of the operation of security activities.
Undoubtedly, this is the hardest part of the information security to achieve since it requires a clear commitment to security by an organization’s leadership, assignment of appropriate roles and responsibilities, implementation of physical and personnel security measures to control and monitor access, training that is appropriate for the level of access and responsibility, and accountability.

Information Privacy

Privacy is defined as “the state of being free from unsanctioned intrusion” (Dictionary.com, 2010). Westin (1967) defined the right to privacy as “the right of the individuals… to determine for themselves when, how, and to what extent information about them is communicated to others.” The Fourth Amendment to the U.S. Constitution’s Bill of Rights states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” This belief carries back through history in such expressions from England, at least circa 1603, as “Every man's house is his castle.” The Supreme Court has since ruled that “We have recognized that the principal object of the Fourth Amendment is the protection of privacy rather than property, and have increasingly discarded fictional and procedural barriers rested on property concepts.” Thus, because the Amendment “protects people, not places,” the requirement of actual physical trespass is dispensed with and electronic surveillance was made subject to the Amendment's requirements (Findlaw.com, 2010). Generally, the definitions of privacy with regard to business are quite clear. On the Internet, however, privacy raises greater concerns as consumers realize how much information can be collected without their knowledge. Companies are facing an increasingly competitive business environment which forces them to collect vast amounts of customer data in order to customize their offerings. Eventually, as consumers become aware of these technologies, new privacy concerns will arise, and these concerns will gain a higher level of importance. The security of personal data and its subsequent misuse or wrongful use without the prior permission of an individual raise privacy concerns and often end up calling into question the intent behind collecting private information in the first place (Dhillon & Moores, 2001). Privacy information holds the key to power over an individual.
When privacy information is held by organizations that have collected the information without the knowledge or permission of the individual, the rights of the individual are at risk. By 1997, consumer privacy had become a prominent issue in the United States (Dyson, 1998). In practice, information privacy deals with an individual’s ability to control and release personal information. The individual is in control of the release process: to whom information is released, how much information is released and for what purpose the information is to be used. “If a person considers the type and amount of information known about them to be inappropriate, then their perceived privacy is at risk” (Roddick & Wahlstrom, 2001). Consumers are likely to lose confidence in the online marketplace because of these privacy concerns. Businesses must understand consumers’ concern about these issues and aim to build consumer trust. It is important to note that knowledge about data collection can have a negative influence on a customer’s trust and confidence level in online businesses.
Privacy concerns are real and have profound and undeniable implications for people’s attitudes and behavior (Sullivan, 2002). The importance of preserving customers’ privacy becomes evident when we study the following information: In its 1998 report, the World Trade Organization projected that worldwide electronic commerce would reach a staggering $220 billion. A year later, the Wharton Forum on E-commerce revised that WTO projection down to $133 billion. What accounted for this unkept promise of phenomenal growth? The Census Bureau, in its February 2004 report, states that “Consumer privacy apprehensions continue to plague the Web and hinder its growth.” In a report by Forrester Research, it is stated that privacy fears will hold back roughly $15 billion in e-commerce revenue. In May 2005, Jupiter Research reported that privacy and security concerns could cost online sellers almost $25 billion by 2006. Whether justifiable or not, consumers have concerns about their privacy and these concerns have been reflected in their behavior. The Chief Privacy Officer of Royal Bank of Canada said “Our research shows that 80% of our customers would walk away if we mishandled their personal information.” Privacy considerations will become more and more important to customers interacting electronically with businesses. As a result, privacy will become an important business driver. People (customers) feel “violated” when their privacy is invaded. They respond to it differently, despite the intensity of their feelings. Given this divergent and varied reaction to privacy violations, a lot of companies still do not appreciate the depth of consumer feelings and the need to revamp their information practices, as well as their infrastructure for dealing with privacy. Privacy is no longer about just staying within the letter of the latest law or regulation.
Sweeping changes in the attitudes of people regarding their privacy will fuel an intense political debate and put once-routine business and corporate practices under the microscope. Two components of this revolution will concern businesses the most: rising consumer fears and a growing patchwork of regulations. Both are already underway. Regulatory complexity will grow as privacy concerns surface in scattered pieces of legislation. Companies need to respond quickly and comprehensively. They must recognize that privacy should be a core business issue. Privacy policies and procedures that cover all operations must be enacted. Privacy Preserving Identity Management should be viewed as a business issue, not a compliance issue.

Information Security and Privacy Issues

Information security and privacy will be everyone’s business, not just IT’s. This change in the way companies view and approach information security and privacy will be driven primarily by consumer demand. Consumers will demand more security for information about them and will insist on better ethical uses of that information. This demand will drive business profitability measures and will ultimately manifest itself as pressure on the government and other regulatory agencies to pass tougher and more intrusive legislation and regulations, resulting in greater pressure on business organizations to comply and to demonstrate a commitment to information security and privacy. Therefore, to be successful, organizations need to focus on information security not just as an IT issue but as a business imperative. They need to develop business processes that align business, IT and security operations. For example, information security considerations will play a more prominent role in offshoring, collaboration and outsourcing agreements. In the same vein, business partners must prove that their processes, databases and networks are secure. This will also have important implications for outsourcing/offshoring agreements and collaborations. The need for more vigilant and improved policies and practices in monitoring insiders who may be leaking or stealing confidential information will become more apparent. The black hat will become the norm. Hacking will increasingly become a criminal profession and will no longer be the domain of hobbyists. Attacks will be more targeted and organized, and will have a criminal intent: to steal information for profit.

Regulatory and compliance requirements will continue to plague organizations. Regulations and laws will have a direct impact on IT implementations and practices. Management teams will be held accountable. Civil and criminal penalties may apply for non-compliance. Security audits will become more widespread as companies are forced to comply with new regulations and laws. The regulatory agencies and law enforcement will become more vigilant in enforcing existing laws such as HIPAA, the Sarbanes-Oxley Act, etc.

Identity management will continue to be the sore spot of information security. The use of identity federations will increase. With advances in technology and the need for more secure and accurate identity management, biometrics will become mainstream and widely used. Additionally, the use of “federated identity management systems” will become more widespread.  In a federated identity management environment, users will be able to link identity information between accounts without centrally storing personal information. The user can control when and how their accounts and attributes are linked and shared between domains and service providers, allowing for greater control over their personal data.

Advanced technical security measures, such as data-at-rest encryption, granular auditing, vulnerability assessment, and intrusion detection to protect private personally identifiable data, will become more widespread. Database security continues to be a major concern for developers, vendors and customers. Organizations demand more secure code, and vendors and developers will try to accommodate that demand. In addition to more secure code, the demand for an explicit focus on a unified application security architecture will force vendors and developers to seek further interoperability. This is the direct result of the increase in the sophistication of malware. Malware will morph and become more sophisticated than ever. The new breed of malware will be able to take advantage of operating system and browser vulnerabilities to infect end user computers with malicious key-logging code that monitors and tracks end users’ behaviors, such as web surfing habits. Malware sophistication will include vulnerability assessment tools for scanning and penetrating corporate network defenses to look for weaknesses. Phishing will grow in frequency and sophistication, and phishing techniques will morph and become more advanced. Phishing is defined as a method where private information such as social security numbers, usernames, and passwords is collected from users under false pretenses by criminals masquerading as legitimate organizations. Malicious websites that are intended to violate end users’ privacy by intentionally modifying end users’ configurations, such as browser settings, bookmarks, homepage, and startup files, without their consent will gain popularity among the hacker community. Sophisticated malware code can infect users’ computers simply by users visiting these sites. These infections can range from installing adware and spyware on a user’s computer to installing dialers, keyloggers and Trojan horses on a user’s machine.
Keyloggers can be installed remotely by bypassing firewalls and email scanners, and in most cases may not be detected by antivirus software. The most sophisticated keyloggers will be able to capture all keystrokes, screenshots, and passwords, encrypt them, and send this information to remote sites undetected. Malicious code such as BOTs will be a growing problem for network administrators. BOT applications are used to capture users’ computers and transform them into BOT networks (botnets). These BOT networks can then be used for illegal network uses such as SPAM relay, generic traffic proxies, Distributed Denial of Service (DDoS) attacks, and hosting phishing (and other malicious code) websites.

The proliferation of Internet use will accelerate. People, companies, and governments will conduct more and more of their daily business on the Internet. Not only will the Internet be used for more, but it will also be used for more complex and previously unimagined purposes. This will be partly fueled by advances in Internet technologies that will be more complex and far reaching. However, advances in security technology will be able to keep pace with the Internet's growth and complexity. As social computing networks such as Peer-to-Peer, Instant Messaging, and Chat gain more popularity and the adoption of these technologies continues, organizations will be exposed to new and more disruptive threats. These social computing networks will drain more and more of the corporate bandwidth and will require additional technologies to combat. For example, it was estimated that in 2007, Instant Messaging would surpass e-mail as the most dominant form of electronic communication. Yet Instant Messaging is not regulated in most companies and is not subject to the same level of scrutiny as e-mail systems are. Similarly, individuals are not as vigilant when using Instant Messaging tools. Therefore, these social computing technologies are fast becoming very popular with attackers. According to a recent study, the most popular malicious use of Instant Messaging is to send the user a link to a malicious, phishing or fraudulent website which then installs and runs a malicious application on the user’s computer in order to steal confidential information.

There are serious concerns that current technology and technology being developed will allow governments an extraordinary ability to monitor their citizens. There is a legitimate concern that “Big Brother” has arrived. Proper oversight and usage are essential to limit abuses. Concerns about surveillance tools were abundant prior to 9/11; since then they have lessened with the understanding that the technology will be used for national security. However, the new legislation increasing law enforcement and governmental powers is not limited solely to terrorism. In our rush to protect ourselves we must be certain not to trample on individual rights in such a way that we regret it in the future. The balance between individual rights and national security should be carefully weighed. Those mining data obtained by business or governmental surveillance tools need to consider how the data is obtained, its accuracy and the limitations of the tools. They must be especially aware of the potential use of their analysis. Reliance on inaccurate results could have profound effects on individuals or our society as a whole.

Yet Another Security and Privacy Concern: Medical Data

Another area of concern is the growth in the use of information technology for medical purposes. Confidentiality is sacrosanct in any physician-patient relationship, and rules governing this relationship going back millennia are meant to protect patients’ privacy. Confidentiality, a major component of information security, is a significant mechanism by which a patient's right to privacy is maintained and respected. However, in the era of the Electronic Medical Record (EMR), it is hard to achieve. Although the use of information technologies for medical purposes shows potential for substantial benefits, it is fraught with concerns related to security and privacy. Since there are so many points along the EMR life cycle where the security and/or privacy of medical data can be compromised, widespread use of EMR is not possible without a thorough understanding and resolution of such issues (Hunt et al., 1998; Johnston et al., 1994).

One of the most far-reaching laws with privacy implications for the electronic medical data research and practitioner communities is the Health Insurance Portability and Accountability Act of 1996. It provides a standard for electronic health care transactions over the Internet. As the integrity and confidentiality of patient information is critical, this requires being able to uniquely identify and authenticate an individual. Health information is subject to HIPAA. The original legislation went into effect in 2001 and the final modifications took effect in April, 2003. A core aspect of HIPAA is to appropriately secure electronic medical records. The act applies to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Office for Civil Rights (OCR) is responsible for implementing and enforcing the HIPAA privacy regulation. HIPAA has strict guidelines on how healthcare organizations can manage private health information. This includes: Authentication: A unique identification for individuals using the health care system; Access control: Manage accounts and restrict access to health information; Password management: Centrally define and enforce a global password policy; Auditing: Centralize activity logs related to the access of health information. The act sets standards to protect privacy with regard to individuals’ medical information. The act provides individuals access to their medical records, giving them more control over how their protected health information is used and disclosed, and providing a clear avenue of recourse if their medical privacy is compromised (Anonymous, 2006). Improper use or disclosure of protected health information has the potential for both criminal and civil sanctions.
For example, there are fines of up to $25,000 for multiple violations of a single privacy standard in a calendar year, and the penalties for intentional or willful violations of the privacy rule are much more severe, with fines up to $250,000 and/or imprisonment up to 10 years for knowing misuse of personal health data. There are more immediate risks of private lawsuits relying on the HIPAA standard of care. Security and privacy of electronic medical records constitute major regulatory compliance issues. Security must be in compliance with the “security rule” of the Health Insurance Portability and Accountability Act (HIPAA). There are five guiding principles of HIPAA’s security rule: scalability, comprehensiveness, technological neutrality, consideration of both external and internal security threats, and risk analysis (HIPPA, 2010). Scalability ensures that compliance with security does not depend on the size or scope of the medical entity and requires that covered entities (CE), regardless of their size, comply with the rules. Comprehensiveness requires a CE to develop a “comprehensive” approach to all aspects of electronic medical records’ security. Neutrality of the technology provides flexibility to a CE in determining the most appropriate technology, and the onus is on the CE to justify the technology that is used. The CE is required to protect its data from both internal and external security threats, to regularly conduct security risk analysis and to provide appropriate documentation. In addition, the security rule requires the CE to be in full compliance; partial compliance is not acceptable. There are a number of other key concepts to assure the security of medical records. One requirement is the establishment and formal documentation of security processes, policies, and procedures. Another is the “reasonableness” requirement.
Reasonableness requires the CE to certify and document that reasonable measures have been taken to protect electronic medical records. Lastly, CEs must provide regular security training and awareness to their workforce and revise their security policies and procedures as needed. These compliance security challenges stem from the fact that patient data sets are large, complex, heterogeneous, hierarchical, time series, nontraditional, and originate from a variety of sources with differing levels of quality and format. Further, data sources may have incomplete, inaccurate and missing elements, some may be erroneous due to human and equipment error and, lastly, the data may lack canonical consistencies within and between sources (Ciosa et al., 2002). Patient data are voluminous and are collected from various sources including medical images, patient interviews, laboratory data, and the physicians’ observations and interpretations of patients’ symptoms and behavior (Ciosa et al., 2002). Securing such diverse and voluminous types of data housed on multiple heterogeneous systems with diverse data stewardship is not a trivial task and requires a whole set of different and difficult considerations. For example, medical data lack the underlying data structures needed for mathematically based data encryption techniques. Unlike data collected using other processes, medical data consist of word descriptions by physicians and nurses, with very few formal constraints on the vocabulary, medical images, handwritten charts and others. Additionally, medical data also lack a canonical form that encapsulates all equivalent forms of the same concept and is the preferred notation used in most encryption algorithms. For example, all the following are medically equivalent: Colon adenocarcinoma, metastatic to liver; Colonic adenocarcinoma, metastatic to liver; Large bowel adenocarcinoma, metastatic to liver (Ciosa et al., 2002).
Lastly, medical data are time sensitive and may have been collected at different times using different data collection methodologies. As a result, they may reside on heterogeneous systems with differing representation and stewardship. Massive quantities of patient data are generated as patients undergo different medical and health care processes and procedures. As a result, these large patient databases may contain a large quantity of useful information about patients and their medical conditions, possible diagnoses, prognoses and treatments. A major challenge in using these large patient databases is the ability to properly secure and anonymize the data.

Another security and privacy issue deals with data mining of medical data. Careful and systematic mining of patient databases may reveal and lead to the discovery of useful trends, relationships and patterns that could significantly enhance the understanding of disease progression and management. This process is referred to as data mining (DM). DM is an exciting new facet of decision support systems. Data mining is derived from the disciplines of artificial intelligence and statistical analysis and covers a wide array of technologies. Using data mining, it is possible to go beyond the data explicitly stored in a database to find nontrivial relationships and information that would not have been discovered by way of standard analysis methods. Medical Data Mining (MDM) is data mining applied to patient data and has been shown to provide benefits in many areas of medical diagnosis, prognosis and treatment (Lavrac, 1999). By identifying patterns within large patient databases, medical data mining can be used to gain more insight into diseases and generate knowledge that can potentially lead to the development of efficacious treatments. Unfortunately, given the difficulties associated with mining patient databases, the potential of these systems is yet to be realized (Lavrac, 1999). Medical Data Mining is the process of discovering and interpreting previously unknown patterns in medical databases (Lavrac, 1999). It is a powerful technology that converts data into information and potentially actionable knowledge. However, obtaining and using new knowledge in a vacuum does not facilitate optimal decision making in a medical setting. In order to develop a successful final patient treatment management plan, the newly extracted useful medical knowledge from MDM, which appears in the form of relationships and patterns, should be integrated with the existing knowledge and expertise of the physician to enhance patient care.
The significance of data security and privacy has not been lost on the data mining research community, as was revealed in Nemati and Barko (Nemati et al., 2001), which covers the major industry predictions that are expected to be key issues in the future. Chief among them are concerns over the security of what is collected and the privacy violations of what is discovered (Margulis, 1977; Smith, Milberg, & Burke, 1996).

Final Thoughts

Consider this: the privacy policy of Facebook is now longer than the US Constitution, with almost 50 settings and more than 170 options available to users. Given this large number of options and settings, how likely is it for an average user to understand them and to make an informed decision about which settings are most appropriate to their needs? The complexities of these privacy policies make it very difficult, if not impossible, for ordinary users to comprehend the consequences of their privacy choices. Consider this: in an attempt to make Facebook the “social center of the web”, in April 2010 Facebook announced the development of “Open Graphs” as a platform for developers to exchange ideas and information. Open Graphs is an extension of the idea of “semantic networks”, which, according to Tim Berners-Lee (1999), is an attempt to “bring structure to the meaningful content of Web pages thus enabling computers to understand that content and how it relates to other sites and information across the internet”. Using Open Graphs, Facebook can integrate websites and web apps within its existing social network environment by allowing its partner sites to create categories based on users' interests and then exchange that information with one another. For example, Open Graph would allow the following scenario to occur. A Facebook user visits Netflex, a movie rental site, and searches for a movie to rent. Netflex, an Open Graph partner of Facebook, develops a customized review for this user based on the reviews of that movie uploaded by the user’s Facebook friends. Once the user makes the final selection, Netflex in turn can notify the user’s Facebook friends that their movie reviews were used by the user, thereby revealing what movie the user rented. The privacy consequences of Open Graphs are far reaching and not yet well understood, not even by the experts, let alone the average user.
The most significant privacy consequence of Open Graphs is the redefinition of what “public” means. Users need to understand that public no longer means public within Facebook only (Warren, 2010). As Christine Warren states, “users need to assume that if [they] do something that is considered public, that action can potentially end up on a customized stream for everyone in [their] social graph” (Warren, 2010). Users need to know that they should be vigilant about protecting their privacy online, and not just on Facebook. The user needs to be confident that just because she has updated her Facebook profile saying that she is feeling down, she should not expect to receive e-mail solicitations for her to purchase Prozac. Although, ultimately, the user is responsible for protecting her own privacy, she should have some measure of confidence that the protection of her privacy is a valued objective of online vendors. Otherwise the user may engage in privacy-protecting behaviors that may be detrimental to the usefulness of the services and therefore reduce their profitability. One such behavior is misrepresentation of one’s identity. Consider the following example. One of my graduate students excitedly called me one day to tell me about her Facebook experience. Being concerned about her privacy, she had created a new Facebook profile for herself and purposely had given an erroneous birth date from which her age was calculated to be 63. To her amazement, she recalled, within hours she had received an e-mail from AARP (American Association of Retired Persons) inviting her to join that organization. Her misrepresentation of her age nullifies any value that AARP would get from knowing her age. This is not a criticism of Facebook’s or any other company’s privacy policies per se; it is a reminder of the changing landscape of privacy and its impact on our daily lives. It is a call to action.
No longer should we debate whether our privacy is in danger; it is time to assume that and seek ways to protect it. Companies should remember that a good privacy policy is good business, and users should never assume that their privacy is protected. They need to become more active participants in protecting their own privacy. In practice, information privacy deals with an individual’s ability to control and release personal information. The individual is in control of the release process: to whom information is released, how much is released and for what purpose the information is to be used. Consumers are likely to lose confidence in the online marketplace because of these privacy concerns. Businesses must understand consumers’ concern about these issues and aim to build consumer trust. It is important to note that knowledge about data collection can have a negative influence on a customer’s trust and confidence level online.

Privacy concerns are real and have profound and undeniable implications for people’s attitudes and behavior (Sullivan, 2002). Privacy considerations will become more important to customers interacting electronically with businesses. As a result, privacy will become an important business driver. People (customers) feel ‘violated’ when their privacy is invaded. They respond to it differently, despite the intensity of their feelings. Given this divergent and varied reaction to privacy violation, a lot of companies still do not appreciate the depth of consumer feelings and the need to revamp their information practices, as well as their infrastructure for dealing with privacy. Privacy is no longer about just staying within the letter of the latest law or regulation. Sweeping changes in the attitudes of people regarding their privacy will fuel an intense political debate and put once-routine business and corporate practices under the microscope. Two components of this revolution will concern businesses the most: rising consumer fears and a growing patchwork of regulations. Both are already underway. Regulatory complexity will grow as privacy concerns surface in scattered pieces of legislation. Companies need to respond quickly and comprehensively. They must recognize that privacy should be a core business issue. Privacy policies and procedures that cover all operations must be enacted. Privacy Preserving Identity Management should be viewed as a business issue, not a compliance issue.

Hamid R. Nemati
The University of North Carolina, USA


REFERENCES:

Adkinson, W., Eisenach, J., & Lenard, T. (2002). Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Retrieved August, 2006, from http://www.pff.org/publications/privacyonlinefinalael.pdf

Adkinson, W., Eisenach, J., & Lenard, T. (2002). Privacy Online: A Report on the Information Practices and Policies of Commercial Web Sites. Retrieved August 2009, from http://www.pff.org/publications/privacyonlinefinalael.pdf

American Institute of Certified Public Accountants (AICPA) information security tops the list of ten most important IT priorities, 2007. Accessed from: http://infotech.aicpa.org/Resources.

Anonymous. (2006). Office for Civil Rights. Retrieved August 2009, from http://www.hhs.gov/ocr/index.html

Anonymous. (2006). Privacy Legislation Affecting the Internet: 108th Congress. Retrieved August 2008, from http://www.cdt.org/legislation/108th/privacy/

Barker, William and Lee, Anabelle, Information Security, Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, National Institute of Standards and Technology, NIST Special Publication 800-60 Version II, 2004. Accessed from: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf

Barker, William, Guide for Mapping Types of Information and Information Systems to Security Categories, National Institute of Standards and Technology, NIST Special Publication 800-60 Version 1.0, 2004. Accessed from: http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf

Berners-Lee, Tim, The Semantic Web, 2007. Accessed from Scientific American at www.sciam.com.

Brancheau, J. C., Janz, B. D., & Wetherbe, J. C. (1996). Key issues in information systems management: 1994-95 SIM Delphi Results. MIS Quart., 20(2), 225-242.

Brown, E. (2002, April 1). Analyze This. Forbes, 169, 96-98.

Businessweek. (2001), Privacy in an Age of Terror. Businessweek.

Chew, L., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W., Performance Measurement Guide for Information Security, National Institute of Standards and Technology, NIST Special Publication 800-55 Revision 1. 2008. Accessed from:  http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.

Ciosa, K.J., & Mooree, W. (2002). Uniqueness of medical data mining. Artificial Intelligence in Medicine, 26, 1–24

Classen, D. C. (1998). Clinical Decision Support Systems to Improve Clinical Practice and Quality of Care. JAMA, 280(15),1360-1361.

Clifton, C., Kantarcioglu, M., Vaidya, J., Lin, X., & Zhu, M. (2002). Tools for privacy preserving distributed data mining. ACM SIGKDD Explorations Newsletter, 4(2), 28-34.

Committee on National Security Systems (CNSS), National Security Agency, “National Information Assurance (IA) Glossary,” CNSS Instruction No. 4009, May 2003, Accessed from: http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf.  

Culnan, M. J. (1993). How did they get my name? An exploratory investigation of consumer attitudes toward secondary information use. MIS Quart., 17(3), 341-363.

Dhillon, G., & Moores, T. (2001). Internet privacy: Interpreting key issues. Information Resources Management Journal, 14(4).

Dictionary.com. (2010). Privacy. Retrieved from http://dictionary.reference.com/browse/privacy

Dyson, E. (1998). Release 2.0: A Design for Living in the Digital Age. Bantam Doubleday Dell Pub.

European Commission (1999). Creating a safer information society by improving the security of information infrastructures and combating computer-related crime. Accessed from http://www.cybercrime.gov/intl/EUCommunication.0101.pdf.

Eckerson, W., & Watson, H. (2001). Harnessing Customer Information for Strategic Advantage: Technical Challenges and Business Solutions, Industry Study 2000, Executive Summary. In The Data Warehousing Institute.

Economist. (2001, February 17). The slow progress of fast wires (p. 358).

Eshmawi, A., & Sadri, F. (2009). Information Integration with Uncertainty. In Proceedings of the 2009 International Database Engineering and Applications Conference (IDEAS’09).

Estivill-Castro, V., Brankovic, L., & Dowe, D. L. (1999). Privacy in Data Mining. Retrieved August 2006, from http://www.acs.org.au/nsw/articles/1999082.htm

Evfimievski, A., Srikant, R., Agrawal, R., & Gehrke, J. (2002). Privacy preserving mining of association rules. In Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, July 2002, Edmonton, Alberta, Canada (pp. 217-228).

Findlaw.com (2010).

Garg, A.X., Adhikari, N.K.J., McDonald, H. (2005). Effects of Computerized Clinical Decision Support Systems on Practitioner Performance and Patient Outcomes: A Systematic Review. JAMA, 293(10), 1223-1238.

Grance, T., Stevens, M., and Myers M., Guide to Selecting Information Technology Security Products, National Institute of Standards and Technology, NIST Special Publication 800-36. 2003. Accessed from: http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf.

Gross, H. (1967). The Concept of Privacy, 42 New York University Law Review 34, 35 (1967).

Han, J., & Kamber, M. (2001). Data Mining: Concepts and Techniques. Morgan Kaufmann Publishers.

Hardy, Q. (2004). Data of Reckoning. Forbes, 173, 151-154.

Hodge, J. G., Gostin, L. O., & Jacobson, P. (1999). Legal Issues Concerning Electronic Health Information: Privacy, Quality, and Liability. The Journal of the American Medical Association, 282(15), 1466-1471.

Hunt, D. L., Haynes, R.B., Hanna, S.E., & Smith, K. (1998). Effects of Computer-Based Clinical Decision Support Systems on Physician Performance and Patient Outcomes:  A Systematic Review.  JAMA, 280, 1339-1346

IDC Report (2010). The Digital Universe Decade: Are You Ready? Retrieved May 2010 from  http://www.emc.com/collateral/demos/microsites/idc-digital-universe/iview.htm

Iyengar, V. S. (2002). Transforming data to satisfy privacy constraints. Paper presented at the KDD.

Johnston, M. E., Langton, K. B., Haynes, R. B., & Mathieu, A. (1994). Effects of Computer-based Clinical Decision Support Systems on Clinician Performance and Patient Outcome: A Critical Appraisal of Research. Ann Intern Med, 120(2), 135-142

Kakalik, MA and Wright, JS. (1997), “The Erosion of Privacy,” Computers and Society, 22-26.

Kantarcioglu, M., & Clifton, C. (2004). Privacy-Preserving Distributed Mining of Association Rules on Horizontally Partitioned Data. IEEE Trans. Knowledge Data Eng., 16(9), 1026-1037.

Lavrac, N. (1999). Selected techniques for data mining in medicine. Artif Intell Med, 16, 3-23.

Lawson, J. (2010). “What Do People Actually Do Online?” ColderICE Blog. Accessed from: http://3rdpoblogs.com/colderice/press/

Lindell, Y., & Pinkas, B. (2002). Privacy Preserving Data Mining. J. Cryptology, 15(3), 177-206.

Liu, J. T., Marchewka, J. L., & Yu, C. S. (2004). Beyond concern: a privacy-trust-behavioral intention model of electronic commerce. Information & Management, 42, 127-142.

Machlis, S. (1997). Web sites rush to self-regulate. Computerworld, 32, 19.

Margulis, S. T. (1977). Conceptions of privacy: current status and next steps. J. of Social Issues (33), 5-10.

Mason, R. O. (1986). Four ethical issues of the information age. MIS Quart., 10(1), 4-12.

HIPPA (2010), Accessed from http://www.hhs.gov/ocr/privacy/

McKinsey, 2007. How Businesses are using Web 2.0: A McKinsey Global Survey. Accessed from http://www.mckinseyquarterly.com/.

Miklau, G., & Suciu, D. (2004). A Formal Analysis of Information Disclosure in Data Exchange. In SIGMOD 2004 (pp. 575-586).

Milberg, S. J., Burke, S. J., Smith, H. J., & Kallman, E. A. (1995). Values, personal information privacy, and regulatory approaches. Comm. of the ACM, 38, 65-74.

National Information Assurance Training and Education Center (NIATEC), 2006. Accessed from http://niatec.info/index.aspx?page=215&glossid=2265.

Nemati, H., Barko, R., & Christopher, D. (2001). Issues in Organizational Data Mining: A Survey of Current Practices. Journal of Data Warehousing, 6(1), 25-36.

NetIQ (2004). Controlling your Controls: Security Solutions for Sarbanes-Oxley. Accessed at: http://download.netiq.com/Library/White_Papers/NetIQ_SarbanesWP.pdf

Niederman, F., Brancheau, J. C., & Wetherbe, J. C. (1991). Information systems management issues for the 1990's. MIS Quart., 15, 474-500.

Nielsen (2010). “Top 10 Sectors by Share of U.S. Internet Time.” Accessed from: http://blog.nielsen.com/nielsenwire/online_mobile/what-americans-do-online-social-media-and-games-dominate-activity/

NIST, Special Publication 800-12: (2003) An Introduction to Computer Security - The NIST Handbook National Institute of Standards and Technology. Accessed from http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/index.html

OWASP, Testing for Authentication. Accessed from http://www.owasp.org/index.php/Testing_for_authentication.

Pan, S. L., & Lee, J.-N. (2003). Using E-CRM for a Unified View of the Customer. Communications of the ACM, 46(4), 95-99.

Pinkas, B. (2002). Cryptographic techniques for privacy-preserving data mining. SIGKDD Explorations, 4(2), 12-19.

Pitofsky, R. (2006). Privacy Online: Fair Information Practices in the Electronic Marketplace, a Report to Congress. Retrieved August 2006, from http://www.ftc.gov/reports/privacy2000/privacy2000.pdf

Richards, G., Rayward-Smith, V.J., Sonksen, P.H., Carey, S., & Weng, C. (2001). Data mining for indicators of early mortality in a database of clinical records. Artif Intell Med, 22, 215-31.

Ripley, B.D. (1996). Pattern recognition and neural networks. Cambridge: Cambridge University Press.

Rockart, J. F., & DeLong, D. W. (1988). Executive Support Systems: The Emergence of Top Management Computer Use. Paper presented at the Dow Jones-Irwin, Homewood, IL.

Smith, H. J. (1993). Privacy policies and practices: Inside the organizational maze. Comm. of the ACM, 36, 105-122.

Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individuals' concerns about organizational practices. MIS Quart., 167-196.

Sullivan, B. (2002). Privacy groups debate DoubleClick settlement. Retrieved August, 2006, from http://www.cnn.com/2002/TECH/internet/05/24/doubleclick.settlement.idg/index.html.

Vaidya, J., & Clifton, C. (2004). Privacy-Preserving Data Mining: Why, How, and When. IEEE Security and Privacy, 2(6), 19-27.

Van Bemmel, J., & Musen, M. A. (1997). Handbook of Medical Informatics. New York: Springer-Verlag.

Verykios, V. S., Bertino, E., Fovino, I. N., Provenza, L. P., Saygin, Y., & Theodoridis, Y. (2004). State-of-the-art in privacy preserving data mining. SIGMOD Record, 33, 50-57.

Watson, H. J., Rainer Jr, R. K., & Koh, C. E. (1991). Executive information systems: a framework for development and a survey of current practices. MIS Quart., 13-30.

Wells, David (1996). Accessed from http://www.objs.com/survey/authent.htm.

Westin, A. (1967). Privacy and Freedom. New York: Atheneum.

Whitman, Michael and Mattord, Herbert, Principles of Information Security, Course Technology, 2004.

World Wide Web Consortium (W3C), 2004. Accessed from http://www.w3.org/TR/ws-gloss/

Author(s)/Editor(s) Biography

Dr. Hamid Nemati is an Associate Professor of Information Systems at the Information Systems and Operations Management Department of The University of North Carolina at Greensboro. He holds a doctorate from the University of Georgia and a Master of Business Administration from The University of Massachusetts. Before coming to UNCG, he was on the faculty of J. Mack Robinson College of Business Administration at Georgia State University. He also has extensive professional experience as a consultant with a number of major corporations. Dr. Nemati is the Editor-in-Chief of International Journal of Information Security and Privacy and the Advances in Information Security and Privacy (AISP) Book Series. His research specialization is in the areas of decision support systems, data warehousing and mining, and information security and privacy. His research articles have appeared in a number of premier journals. He has presented numerous research and scholarly papers nationally and internationally.