Oluwatosin Ilori,Nelly Tochi Nwosu,Henry Nwapali Ndidi Naiho

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1727

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:In the increasingly interconnected digital landscape, third-party vendors play a critical role in providing essential services and capabilities to organizations. However, these external partnerships also introduce significant IT security risks, making it imperative for organizations to implement robust strategies for managing third-party vendor risks. This paper provides a comprehensive audit review of third-party vendor risks in IT security and outlines effective mitigation strategies. The audit review identifies key risk areas associated with third-party vendors, including data breaches, inadequate security controls, and compliance issues. Real-world case studies highlight the severe consequences of insufficient vendor risk management, such as substantial financial losses, reputational damage, and regulatory penalties. Through these examples, the review underscores the critical need for organizations to prioritize vendor risk management in their IT security frameworks. Recommended mitigation strategies are detailed, focusing on enhancing security controls, implementing regular security assessments, and establishing clear contractual agreements. Enhancing security controls involves rigorous vetting of vendors, enforcing strong authentication and encryption protocols, and ensuring vendors adhere to the organization's security policies. Regular security assessments, including audits and penetration testing, are crucial for identifying vulnerabilities and ensuring continuous compliance with security standards. Establishing clear contractual agreements with vendors helps define security expectations, responsibilities, and penalties for non-compliance, thereby creating a legal framework that supports robust risk management. The importance of continuous monitoring and oversight is emphasized, highlighting that effective third-party risk management is not a one-time activity but an ongoing process. Continuous monitoring involves real-time tracking of vendor performance and security posture, supported by automated tools and regular audits to promptly address emerging threats. This paper concludes by stressing the necessity for organizations to adopt a proactive approach to third-party vendor risk management, integrating it as a core component of their overall IT security strategy. By doing so, organizations can mitigate the risks associated with third-party vendors, protect sensitive data, and ensure compliance with regulatory requirements, ultimately safeguarding their operations and reputation in the digital age.

Jia Zeng,Dan Han,Yaling Zhu,Yangzhong Wang,Fangchen Weng

2024-04-28

Abstract:In the current software development environment, third-party libraries play a crucial role. They provide developers with rich functionality and convenient solutions, speeding up the pace and efficiency of software development. However, with the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent. Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information, posing a severe threat to software security. Research on third-party libraries in software becomes paramount to address this growing security challenge. Numerous research findings exist regarding third-party libraries' usage, ecosystem, detection, and fortification defenses. Understanding the usage and ecosystem of third-party libraries helps developers comprehend the potential risks they bring and select trustworthy libraries. Third-party library detection tools aid developers in automatically discovering third-party libraries in software, facilitating their management. In addition to detection, fortification defenses are also indispensable. This article profoundly investigates and analyzes this literature, summarizing current research achievements and future development directions. It aims to provide practical and valuable insights for developers and researchers, jointly promoting the healthy development of software ecosystems and better-protecting software from security threats.

Software Engineering

Dusko Pavlovic

DOI: https://doi.org/10.48550/arXiv.0808.0732

2008-10-25

Abstract:Trust is often conveyed through delegation, or through recommendation. This makes the trust authorities, who process and publish trust recommendations, into an attractive target for attacks and spoofing. In some recent empiric studies, this was shown to lead to a remarkable phenomenon of *adverse selection*: a greater percentage of unreliable or malicious web merchants were found among those with certain types of trust certificates, then among those without. While such findings can be attributed to a lack of diligence in trust authorities, or even to conflicts of interest, our analysis of trust dynamics suggests that public trust networks would probably remain vulnerable even if trust authorities were perfectly diligent. The reason is that the process of trust building, if trust is not breached too often, naturally leads to power-law distributions: the rich get richer, the trusted attract more trust. The evolutionary processes with such distributions, ubiquitous in nature, are known to be robust with respect to random failures, but vulnerable to adaptive attacks. We recommend some ways to decrease the vulnerability of trust building, and suggest some ideas for exploration.

Cryptography and Security

Christine Utz,Sabrina Amft,Martin Degeling,Thorsten Holz,Sascha Fahl,Florian Schaub

DOI: https://doi.org/10.48550/arXiv.2203.11387

2022-10-05

Abstract:Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website's visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors' privacy. We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.

Human-Computer Interaction

Floris Jansen,Slinger Jansen,Fang Hou

DOI: https://doi.org/10.48550/arXiv.2101.06138

2021-01-15

Abstract:The software ecosystem is a trust-rich part of the world. Collaboratively, software engineers trust major hubs in the ecosystem, such as package managers, repository services, and programming language ecosystems. This trust, however, is often broken by vulnerabilities, ransomware, and abuse from malignant actors. But what is trust? In this paper we explore, through twelve in-depth interviews with software engineers, how they perceive trust in their daily work. From the interviews we conclude three things. First, software engineers make a distinction between an adoption factor and a trust factor when selecting a package. Secondly, while in literature mostly technical factors are considered as the main trust factors, the software engineers in this study conclude that organizational factors are more important. Finally, we find that different kinds of software engineers require different views on trust, and that it is impossible to create one unified perception of trust. Keywords: software ecosystem trust, empirical software engineering, TrustSECO, external software adoption, cross-sectional exploratory interview analysis, trust perception.

Software Engineering

Jonathan W. Palmer,Joseph P. Bailey,Samer Faraj

DOI: https://doi.org/10.1111/j.1083-6101.2000.tb00342.x

2006-06-23

Abstract:Developing trust between suppliers and consumers is critical for the continued growth of Internet commerce. This article presents an empirical investigation into how firms promote trust by exploring the use and prominence of Trusted Third Parties (TTPs) and privacy statements. The Web sites of 102 publicly held firms with predominantly Internet based businesses were examined for their use of TTPs and privacy statements, the number of links, currency of the Web site, length of time the Web site had been operating, traffic, and financial performance. Surprisingly, only 17 of the firms utilized trusted third parties and only 45 had privacy statements. The article presents a methodology for the analysis of four propositions that explore the relationship of embeddedness and a firm's length of time online to the use and prominence of TTPs and privacy statements. The exploratory data in this article clearly supports the proposition that the use of TTPs and privacy statements increase with the embeddedness of the Web site. This article then discusses the potential reasons for this finding including how TTPs strategically solicit firms and why trusted firms may be more likely to be embedded. The remaining three propositions show mixed results but provide insight into the strategic use of TTPs and privacy statements. One key insight is that TTPs and privacy statements are actually used quite differently by firms to promote trust in Internet commerce.

communication,information science & library science

Easton Kelso,Ananta Soneji,Sazzadur Rahaman,Yan Soshitaishvili,Rakibul Hasan

2024-09-05

Abstract:The education technology (EdTech) landscape is expanding rapidly in higher education institutes (HEIs). This growth brings enormous complexity. Protecting the extensive data collected by these tools is crucial for HEIs as data breaches and misuses can have dire security and privacy consequences on the data subjects, particularly students, who are often compelled to use these tools. This urges an in-depth understanding of HEI and EdTech vendor dynamics, which is largely understudied. To address this gap, we conducted a semi-structured interview study with 13 participants who are in EdTech leadership roles at seven HEIs. Our study uncovers the EdTech acquisition process in the HEI context, the consideration of security and privacy issues throughout that process, the pain points of HEI personnel in establishing adequate protection mechanisms in service contracts, and their struggle in holding vendors accountable due to a lack of visibility into their system and power-asymmetry, among other reasons. We discuss certain observations about the status quo and conclude with recommendations for HEIs, researchers, and regulatory bodies to improve the situation.

Computers and Society

Abraham Itzhak Weinberg,Kelly Cohen

2024-01-18

Abstract:This paper presents a comprehensive analysis of the shift from the traditional perimeter model of security to the Zero Trust (ZT) framework, emphasizing the key points in the transition and the practical application of ZT. It outlines the differences between ZT policies and legacy security policies, along with the significant events that have impacted the evolution of ZT. Additionally, the paper explores the potential impacts of emerging technologies, such as Artificial Intelligence (AI) and quantum computing, on the policy and implementation of ZT. The study thoroughly examines how AI can enhance ZT by utilizing Machine Learning (ML) algorithms to analyze patterns, detect anomalies, and predict threats, thereby improving real-time decision-making processes. Furthermore, the paper demonstrates how a chaos theory-based approach, in conjunction with other technologies like eXtended Detection and Response (XDR), can effectively mitigate cyberattacks. As quantum computing presents new challenges to ZT and cybersecurity as a whole, the paper delves into the intricacies of ZT migration, automation, and orchestration, addressing the complexities associated with these aspects. Finally, the paper provides a best practice approach for the seamless implementation of ZT in organizations, laying out the proposed guidelines to facilitate organizations in their transition towards a more secure ZT model. The study aims to support organizations in successfully implementing ZT and enhancing their cybersecurity measures.

Cryptography and Security

Sebastian Forkmann,Jonathan Webb,Stephan C. Henneberg,Lisa K. Scheer

DOI: https://doi.org/10.1007/s11747-022-00844-z

IF: 18.2

2022-03-02

Journal of the Academy of Marketing Science

Abstract:Boundary spanner corruption—voluntary collaborative behavior between individuals representing different organizations that violates their organizations’ norms—is a serious problem in business-to-business (B2B) marketing relationships. Drawing on insights from the literatures on the dark side of business relationships and deviance in sales and service organizations, the authors identify boundary spanner corruption as a potential dark side complication inherent in close B2B marketing relationships. The same elements that generate benefits in interorganizational relationships, such as those between customer and seller firms, also enable the development of boundary-spanning social cocoons that can foment corrupt activities under certain conditions. A conceptual framework illustrates how trust at the interpersonal, intraorganizational, and interorganizational levels enables corrupt behaviors by allowing deviance-inducing factors stemming from the task environment or from the individual boundary spanner to manifest in boundary spanner corruption. Interpersonal trust between representatives of different organizations, interorganizational trust between these organizations, and intraorganizational agency trust of management in their representatives foster the development of a boundary-spanning social cocoon—a microculture that can inculcate deviant norms leading to corrupt behavior. Boundary spanner corruption imposes direct and opportunity costs on the involved organizations, with the additional burden of latent financial risk associated with potential exposure. The authors substantiate their multi-level framework and propositions with field-based insights from qualitative interviews with senior executives. The multi-level framework of boundary spanner corruption extends beyond extant marketing literature, highlights intriguing directions for future research, and offers new managerial insights.

business

Saeid Ghasemshirazi,Ghazaleh Shirvani,Mohammad Ali Alipour

DOI: https://doi.org/10.48550/arXiv.2309.03582

2023-09-07

Cryptography and Security

Abstract:The escalating complexity of cybersecurity threats necessitates innovative approaches to safeguard digital assets and sensitive information. The Zero Trust paradigm offers a transformative solution by challenging conventional security models and emphasizing continuous verification and least privilege access. This survey comprehensively explores the theoretical foundations, practical implementations, applications, challenges, and future trends of Zero Trust. Through meticulous analysis, we highlight the relevance of Zero Trust in securing cloud environments, facilitating remote work, and protecting the Internet of Things (IoT) ecosystem. While cultural barriers and technical complexities present challenges, their mitigation unlocks Zero Trust's potential. Integrating Zero Trust with emerging technologies like AI and machine learning augments its efficacy, promising a dynamic and responsive security landscape. Embracing Zero Trust empowers organizations to navigate the ever-evolving cybersecurity realm with resilience and adaptability, redefining trust in the digital age.

Deepti Gupta,Lavanya Elluri,Avi Jain,Shafika Showkat Moni,Omer Aslan

2024-11-21

Abstract:In an era of heightened digital interconnectedness, businesses increasingly rely on third-party vendors to enhance their operational capabilities. However, this growing dependency introduces significant security risks, making it crucial to develop a robust framework to mitigate potential vulnerabilities. This paper proposes a comprehensive secure framework for managing third-party vendor risk, integrating blockchain technology to ensure transparency, traceability, and immutability in vendor assessments and interactions. By leveraging blockchain, the framework enhances the integrity of vendor security audits, ensuring that vendor assessments remain up-to-date and tamperproof. This proposed framework leverages smart contracts to reduce human error while ensuring real-time monitoring of compliance and security controls. By evaluating critical security controls-such as data encryption, access control mechanisms, multi-factor authentication, and zero-trust architecture-this approach strengthens an organization's defense against emerging cyber threats. Additionally, continuous monitoring enabled by blockchain ensures the immutability and transparency of vendor compliance processes. In this paper, a case study on iHealth's transition to AWS Cloud demonstrates the practical implementation of the framework, showing a significant reduction in vulnerabilities and marked improvement in incident response times. Through the adoption of this blockchain-enabled approach, organizations can mitigate vendor risks, streamline compliance, and enhance their overall security posture.

Cryptography and Security

Tian Yunfan,Zhang Xiang

DOI: https://doi.org/10.48550/arXiv.1812.06226

2018-12-15

Abstract:Over the last two decades, the scale and complexity of Anonymous networks and its associated technologies grows exponentially as privacy has become a major concern of individuals. Also, some cyber attackers make use of privacy infrastructures including botnets and Tor to do illegal activities like drug, contraband or DDoS attack. However, anonymous networks are not perfect, there are some methods could exploit the vulnerabilities and track user information. In this paper, we analyze few of privacy infrastructures and their vulnerabilities.

Cryptography and Security

Svetlana Abramova,Rainer Böhme

2023-08-01

Abstract:Media reports show an alarming increase of data breaches at providers of cybersecurity products and services. Since the exposed records may reveal security-relevant data, such incidents cause undue burden and create the risk of re-victimization to individuals whose personal data gets exposed. In pursuit of examining a broad spectrum of the downstream effects on victims, we surveyed 104 persons who purchased specialized devices for the secure storage of crypto-assets and later fell victim to a breach of customer data. Our case study reveals common nuisances (i.e., spam, scams, phishing e-mails) as well as previously unseen attack vectors (e.g., involving tampered devices), which are possibly tied to the breach. A few victims report losses of digital assets as a form of the harm. We find that our participants exhibit heightened safety concerns, appear skeptical about litigation efforts, and demonstrate the ability to differentiate between the quality of the security product and the circumstances of the breach. We derive implications for the cybersecurity industry at large, and point out methodological challenges in data breach research.

Cryptography and Security

He Li,Sungjin Yoo,William J. Kettinger

DOI: https://doi.org/10.1080/07421222.2021.1870390

IF: 7.582

2021-01-02

Journal of Management Information Systems

Abstract:<span>This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations' embeddedness in IT outsourcing networks weakens the impacts of these technologies investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.</span>

information science & library science,management,computer science, information systems

Zhen Guo,Jin-Hee Cho,Ing-Ray Chen,Srijan Sengupta,Michin Hong,Tanushree Mitra

DOI: https://doi.org/10.48550/arXiv.2004.07678

2020-04-16

Cryptography and Security

Abstract:We are living in an era when online communication over social network services (SNSs) have become an indispensable part of people's everyday lives. As a consequence, online social deception (OSD) in SNSs has emerged as a serious threat in cyberspace, particularly for users vulnerable to such cyberattacks. Cyber attackers have exploited the sophisticated features of SNSs to carry out harmful OSD activities, such as financial fraud, privacy threat, or sexual/labor exploitation. Therefore, it is critical to understand OSD and develop effective countermeasures against OSD for building a trustworthy SNSs. In this paper, we conducted an extensive survey, covering (i) the multidisciplinary concepts of social deception; (ii) types of OSD attacks and their unique characteristics compared to other social network attacks and cybercrimes; (iii) comprehensive defense mechanisms embracing prevention, detection, and response (or mitigation) against OSD attacks along with their pros and cons; (iv) datasets/metrics used for validation and verification; and (v) legal and ethical concerns related to OSD research. Based on this survey, we provide insights into the effectiveness of countermeasures and the lessons from existing literature. We conclude this survey paper with an in-depth discussions on the limitations of the state-of-the-art and recommend future research directions in this area.

Donald L. Ferrin,Kurt T. Dirks,Pri P. Shah

DOI: https://doi.org/10.1037/0021-9010.91.4.870

IF: 11.8025

2006-01-01

Journal of Applied Psychology

Abstract:Past studies of the determinants of interpersonal trust have focused primarily on how trust forms in isolated dyads. Yet within organizations, trust typically develops between individuals who are embedded in a complex web of existing and potential relationships. In this article, the authors identify 3 alternative ways in which a trustor and trustee may be linked to each other via third parties: network closure (linked via social interactions with third parties), trust transferability (linked via trusted third parties), and structural equivalence (linked via the similarity of their relationships with all potential third parties within the organization). Each of these is argued to influence interpersonal trust via a distinct social mechanism. The authors hypothesized that network closure and structural equivalence would predict interpersonal trust indirectly via their impact on interpersonal organizational citizenship behaviors performed within the interpersonal relationship, whereas trust transferability would predict trust directly. Social network analyses of data gathered from a medium-sized work organization provide substantial support for the hypotheses and also suggest important directions for future research.

psychology, applied,management

Morgan Reece,Theodore Lander Jr.,Sudip Mittal,Nidhi Rastogi,Josiah Dykstra,Andy Sampson

2023-11-02

Abstract:As organizations increasingly use cloud services to host their IT infrastructure, there is a need to share data among these cloud hosted services and systems. A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. When an organization grows their multi-cloud environment, the threat vectors and vulnerabilities for their cloud systems and services grow as well. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures to best defend a multi-cloud environment against attacks. Utilizing multiple industry standard risk analysis tools, we conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures. The prioritizations from the analysis showed that authentication and architecture are the highest risk areas of threat vectors. Armed with this data, IT managers are able to more appropriately budget cybersecurity expenditure to implement the most impactful mitigations and countermeasures.

Cryptography and Security

Vincenzo DiLuoffo,William R. Michalson

DOI: https://doi.org/10.54364/aaiml.2023.1155

2023-01-01

Advances in Artificial Intelligence and Machine Learning

Abstract:This paper surveys the area of “Trust Metrics” related to security for autonomous robotic systems. As the robotics industry undergoes a transformation from programmed, task oriented, systems to Artificial Intelligence-enabled learning, these autonomous systems become vulnerable to several security risks, making a security assessment of these systems of critical importance. Therefore, our focus is on a holistic approach for assessing system trust which requires incorporating system, hardware, software, cognitive robustness, and supplier level trust metrics into a unified model of trust. We set out to determine if there were already trust metrics that defined such a holistic system approach. While there are extensive writings related to various aspects of robotic systems such as, risk management, safety, security assurance and so on, each source only covered subsets of an overall system and did not consistently incorporate the relevant costs in their metrics. This paper attempts to put this prior work into perspective, and to show how it might be extended to develop useful systemlevel trust metrics for evaluating complex robotic (and other) systems.

English Else

Yi Yi Thaw,Ahmad Kamil Mahmood,P. Dhanapal Durai Dominic

DOI: https://doi.org/10.48550/arXiv.0909.1145

2009-09-07

Abstract:The development of electronic commerce is characterized with anonymity, uncertainty, lack of control and potential opportunism. Therefore, the success of electronic commerce significantly depends on providing security and privacy for its consumers sensitive personal data. Consumers lack of acceptance in electronic commerce adoption today is not merely due to the concern on security and privacy of their personal data, but also lack of trust and reliability of Web vendors. Consumers trust in online transactions is crucial for the continuous growth and development of electronic commerce. Since Business to Consumer (B2C) ecommerce requires the consumers to engage the technologies, the consumers face a variety of security risks. This study addressed the role of security, privacy and risk perceptions of consumers to shop online in order to establish a consensus among them. The analyses provided descriptive frequencies for the research variables and for each of the study s research constructs. In addition, the analyses were completed with factor analysis and Pearson correlation coefficients. The findings suggested that perceived privacy of online transaction on trust is mediated by perceived security, and consumers trust in online transaction is significantly related with the trustworthiness of Web vendors. Also, consumers trust is negatively associated with perceived risks in online transactions. However, there is no significant impact from perceived security and perceived privacy to trust in online transactions.

Computers and Society

Gregory D. Moody,Dennis F. Galletta,Paul Benjamin Lowry

DOI: https://doi.org/10.1016/j.elerap.2014.05.001

IF: 6

2014-07-01

Electronic Commerce Research and Applications

Abstract:Trust and distrust are both considered to be crucial in online truster–trustee relationships. Although some research has proposed that trust and distrust are distinct, other research continues to hold that they are merely opposite ends of the same continuum. Given this debate, it is important to consider how distrust is distinguished from trust. To that end, this paper extends the nomological network of distrust and introduces two novel antecedents never introduced in online behavior literature: situational abnormalities and suspicion. For this nomological network, we also propose that trust and distrust coexist in online e-commerce relationships and can result in ambivalence when they both have high attitudinal values (represented in emotions, beliefs, or behaviors). Using an empirical study of online consumer behavior with 521 experienced online consumers, we found strong empirical validation for our newly proposed model. We provide evidence that suspicion and situational abnormalities are separate, important antecedents to distrust. We also examine the effect of ambivalence on the truster’s intentions toward the website and find a small positive effect that increases the user’s intentions toward the website. Finally, we empirically demonstrate the coexistence of trust and distrust as separate constructs and emphasize that distrust has a much larger impact on the truster’s intentions than does trust. We conclude with implications for theory and practice, along with a discussion of the limitations of and future opportunities revealed by this study.

business,computer science, information systems, interdisciplinary applications