International Journal of Hospitality & Tourism Administration
ISSN: 1525-6480 (Print) 1525-6499 (Online) Journal homepage: http://www.tandfonline.com/loi/wjht20
To Be Secure or Not to Be

Cihan Cobanoglu PhD & Frederick J. Demicco PhD

To cite this article: Cihan Cobanoglu PhD & Frederick J. Demicco PhD (2007) To Be Secure or Not to Be, International Journal of Hospitality & Tourism Administration, 8:1, 43-59, DOI: 10.1300/J149v08n01_03

To link to this article: http://dx.doi.org/10.1300/J149v08n01_03
Published online: 22 Sep 2008.
To Be Secure or Not to Be: Isn’t This the Question? A Critical Look at Hotel’s Network Security

Cihan Cobanoglu
Frederick J. DeMicco
ABSTRACT. A survey of 234 hotel information technology managers was conducted to identify security practices and prevention techniques for hotel networks. Twenty percent of the respondents had a computer network attack within the last 12 months. The size of the hotel seems to be positively correlated with the number of attacks observed within the last 12 months. Regarding attack types, virus attack (15.4%) was reported most frequently, followed by “Denial of Service” (7.7%). The most basic tools/techniques, such as access control and anti-virus software, are used internally by many hotels. However, several important network security tools/techniques, such as vulnerability assessment scans or biometrics, are not used by hotels. doi:10.1300/J149v08n01_03 [Article copies available for a fee from The Haworth Document Delivery Service: 1-800-HAWORTH. © 2007 by The Haworth Press, Inc. All rights reserved.]
Cihan Cobanoglu, PhD, is Assistant Professor of Hospitality Information Technology, and Frederick J. DeMicco, PhD, is Professor and ARAMARK Chair, Hotel, Restaurant, and Institutional Management, both at University of Delaware, Raub Hall, Newark, DE.

Address correspondence to: Cihan Cobanoglu, Hotel, Restaurant, and Institutional Management, University of Delaware, 14 West Main Street, Raub Hall, Newark, DE 19716.

International Journal of Hospitality & Tourism Administration, Vol. 8(1) 2007. Available online at http://ijhta.haworthpress.com © 2007 by The Haworth Press, Inc. All rights reserved. doi:10.1300/J149v08n01_03
KEYWORDS. Hotel, network, security, information
INTRODUCTION

To be or not to be secure: This is really the question in our contemporary world. Everything around us appears to be networked. Technology continues to be one of the fastest-changing aspects of the hospitality industry (Kasavana & Cahill, 2003). The rapid changes in corporate and ownership structures within the hospitality industry have had the side effect of forcing lodging companies to employ technology in new and more productive ways (Berchiolli, 1998). The major factors driving technological implementations in hospitality operations are increased transaction volumes through consolidations, complex reporting requirements, and international communication needs. Advances in the areas of guest services, reservations, food and beverage management, sales, food service catering, maintenance, security, and hospitality accounting have required the utilization of computer systems technology in every aspect of lodging operations. Many researchers who have studied technology in the hospitality industry agree that technology has significantly changed the way people work, interact, manage, and do business (Collins, Cobanoglu, & Malik, 2003).

With the increased use of technology, thousands of major security breaches occur in the public and private sector every day, resulting in serious financial and property losses (Flink, 2002). No sector is safe from these endless attacks. In the context of network security, an attack is defined as a technique to exploit vulnerabilities (Canavan, 2001). Increasingly, organizations’ networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, hacking, system failures, fire, and flood. Sources of damage such as computer viruses, computer hacking, and denial-of-service attacks have become more common, more ambitious, and increasingly sophisticated.
Not only hospitality businesses but businesses of every kind are negatively affected by security problems such as hacker attacks, viruses, and denial-of-service attacks. Most security problems never come to light because the companies that were attacked try to keep the incident to themselves for two main reasons: (1) to avoid losing the public’s trust, and (2) to avoid encouraging copycat hackers to hack into their systems. This makes it difficult for some precautions to be applied.
Problem Statement

In every level of hotel management, networks are involved. At the property level, there are local area networks where reservation, front office, restaurant management, payroll, accounting, human resources, and other systems reside (Cobanoglu & Cougias, 2003). In addition, hotels may offer wireless or wired high-speed Internet access to their guests in the room or other areas in the hotel. This introduces another threat: the creation of a backdoor, a mechanism surreptitiously introduced into a computer system to facilitate unauthorized access to the system (Zhang & Paxson, 2000). At the corporate level, all members of the chain hotel send information either continuously (real-time) or several times during the day (polling) to the corporate office. This is also made possible by networks. At the user level, the user accesses the hotel Web site to make reservations and to get information about the hotel. This level of interaction in a network environment increases the accessibility of the whole computer system, thus creating enormous potential for information and network security problems, because any information sent over Transmission Control Protocol/Internet Protocol (TCP/IP) can potentially be captured by unauthorized people if it is not well protected and encrypted. The magnitude of the problem is made even larger by the fact that the person responsible for information technology in hotels is usually not somebody with expertise in technology but someone who happens to be familiar and comfortable with computers, such as a front office manager or accountant (Cobanoglu, 2005).

Purpose and Research Questions

The purpose of this study is to analyze security practices of electronic information, network threats, and prevention techniques in multi-unit hotels.
The objective of this study is to help information technology directors or chief information officers develop policy for security of electronic information in hotels in the United States and offer suggestions regarding the tools and techniques of computer network security. The following research questions were created:

1. What are the current practices used by hotels to protect computer networks?
2. What are the current threats to computer network security in hotels?
3. How do these computer security threats in hotels happen?
4. What are the ways of handling computer network security intrusions?
5. How should hotel managers manage hotel network security?

REVIEW OF LITERATURE

Information technology (IT) is defined as the science and activity of using computers and other electronic equipment to store and send information. Stern and Stern (1993) reported that computers and information technology changed the world more than any machine invented during the entire two hundred years of the Industrial Revolution. Today, information has become one of society’s most important resources (Daler et al., 1989). Since the introduction of computers to the business environment, there have been significant changes in the way they are used (Vermeulen et al., 2002). It has been calculated that the total volume of information is increasing at the rate of some 12 percent a year, and managing this information has become a major challenge to public authorities, to companies, and to private individuals (Daler et al., 1989). Information can be about sales, customers, employees, market information, stocks and shares, accounts, routine agreements, goods, notes, competitors’ information, airplane tickets, or booking information.

The integration of information technology into today’s business and personal life has improved efficiency and the welfare of hundreds of millions of people around the world. In particular, Internet technologies are radically changing the way that businesses are organized and the expectations that customers have of the services that businesses offer. Today, the World Wide Web (WWW) allows rapid access to every kind of information, and even school-age children in many countries are now Internet aware. The Internet now reaches over 120 nations around the world and had approximately 605 million users in 2003 (Nua Internet Survey, 2004).
During the last few decades, the use of information technology has become more extensive in all areas, including the hospitality environment, and the types of activities that it performs or supports have become more and more important (Brooks, Warren, & Hutchinson, 2002). Thus, information systems are now heavily utilized by all organizations, and relied on to the extent that it would be almost impossible to manage without them. As a result, in the business environment, managing electronic information has become a major challenge for administrators. They must be able to handle and to administer
electronic information safely and securely (Daler et al., 1989). It should come as no surprise to company administrative managers that they are responsible for the protection of company assets (Computer Fraud & Security, 2002).

Information Security

Information security is characterized as the preservation of:

1. Confidentiality: ensuring that information is accessible only to those authorized to have access;
2. Integrity: safeguarding the accuracy and completeness of information and processing methods;
3. Availability: ensuring that authorized users have access to information and associated assets when required.

Information is an important asset which, like other imperative business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities (Computer Fraud & Security, 2002). Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures, and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met (ISO, Information Technology, 2000).

Threats

During the past several years, modern organizations have come to rely on computers for a multitude of tasks, including electronic messaging, transaction processing, information retrieval and storage, and electronic commerce (Haugen & Selin, 1999). The use of computer technology itself hardly creates any more criminals than before (Daler et al., 1989). There will always be certain people on the lookout for opportunities to commit crimes. Every day, data errors, thefts, burglaries, fires, sabotage, fraud, and hacking are reported. These may not be catastrophes for society, but they are certainly serious enough for those firms that are affected.
One should never feel comfortable, thinking, “It won’t happen to our company.”
The National Cyber Security Leadership Act of 2003 defines the term “vulnerability,” in the case of information technology, as an error or defect in coding, configuration, or installation of such information technology that increases its susceptibility to a cyber threat. The definition of computer crime is constantly evolving as technology advances. However, computer crimes may include (The Beaulier Law Office, 2003):

1. Hacking (also known as cracking): Knowingly accessing a computer without authorization or exceeding authorization of a government computer or intentionally accessing a computer without authorization or exceeding authorization to acquire financial information of a bank, business, or consumer (i.e., denial-of-service attacks).
2. Theft of technology: Knowingly accessing a computer with the intent to access or acquire technological information or secrets.
3. Fraud: Knowingly, and with intent to defraud, accessing a federal interest computer without authorization or exceeding authorization to further a fraud or obtain anything of value.

There are obviously more computer crimes, but the ones listed above are the focus of this research. When computer systems communicated with each other via dedicated one-to-one communications links before the 1990s, the scope for attacks was limited. The Internet and its global connectivity have dramatically increased the threat from outside organizations because of the electronic pathways it offers into organizations and because it removes the constraints of geography for attackers.

Network and Information Security Practices

Network and information security relates to the protection of valuable assets against loss, disclosure, or damage. Protecting information against harm from threats that will lead to loss or wrongful disclosure is achieved through a layered series of technological and non-technological safeguards such as physical security measures, user identifiers, passwords, smart cards, biometrics, and firewalls.
Some of the network and information security tools and techniques are defined as follows:

1. Digital IDs. Digital IDs are the electronic counterparts to driver’s licenses, passports, and membership cards (VeriSign, 2003). One can present a Digital ID electronically to prove one’s identity or right to access information or services online. Digital IDs, also known as digital certificates, bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Digital IDs can be used for a variety of electronic transactions including e-mail, electronic commerce, groupware, and electronic funds transfers. Netscape’s popular Commerce Server requires a Digital ID for each secure server.
2. Intrusion detection system. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions (Judge, 2003). Intrusions are defined as attempts to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms. They are caused by attackers accessing the systems from the Internet, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given them.
3. Physical security. This refers to keeping the network equipment and other computer systems in a secure physical environment.
4. Software and hardware firewall. A firewall is a combination of hardware and/or software used to implement a security policy governing the network traffic between two or more networks (Cert, 2001).
5. Reusable passwords. Reusable passwords (sometimes called fixed passwords or static passwords) are one of the oldest authentication mechanisms in information technology. The strength and security of reusable passwords vary among different operating systems and applications.
6. Encryption. The word encryption is derived from the Greek “kryptos,” meaning “hidden” or “secret.” Information can be protected against unauthorized use by making it hidden: changing it to an encrypted form, which will be impossible to understand (Daler et al., 1989).
7. Biometrics. The scientific term “biometric” refers to the automated technology of measuring a physical or behavioral characteristic of an individual, and then comparing the captured characteristic with ones that have been previously stored to determine if the characteristics are similar enough to confirm the owner’s identity (Flink et al., 2002). What the brain does very well, the computer does faster, more accurately and objectively.
8. Access control. Access control techniques determine what objects an individual may access, and what type of access the user has been granted (e.g., read and/or write permissions).
9. Vulnerability assessment scan. A system is considered to be vulnerable when there is an opportunity for damage or loss to occur on the system. A vulnerability assessment scan is software that scans for possible opportunities for damage or loss to occur on the system and lets the system administrator know in case of a threat.

A summary of definitions for all network security techniques and tools is provided in Table 1.

Hotel Network

Most hotels use networks in their operations at the property level or corporate level (Collins et al., 2003). The most basic software network in a hotel may consist of a property management system (PMS), point of sale system (POS), call accounting system (CAS), and accounting system. The most basic hardware components of a hotel network are front desk computers, POS terminals, back office computers, printers, routers, switches, firewalls, and network cables. POS terminals, front and back office computers, and printers are connected to routers and switches with network cables. Switches and routers allow communication between these devices. Routers also provide connectivity of the network with other networks and the Internet. Finally, firewalls protect the network from outside attacks. This basic structure is called a hotel local area network (LAN) (see Figure 1).

LANs are connected to each other, creating a wide area network (WAN) (see Figure 2). WANs are generally used by companies that are geographically dispersed. WANs are built by Internet Service Providers (ISPs) and consist of leased lines. The communication in a WAN is usually much slower than in a LAN. In a hotel chain environment, each individual hotel will have its own LAN, and these LANs are connected to each other and to the headquarters through a WAN (see Figure 2).
This structure provides a high degree of communication. With the recent advances in technology, a new concept has evolved: Virtual Private Networks (VPN). VPNs allow setting up WANs using the Internet. Companies are no longer required to use leased lines. VPNs are also suitable for the use of hotels.
TABLE 1. Definitions of Network Security Tools and Techniques

| Tool/technique | Definition |
|---|---|
| Anti-virus software | A utility that searches a hard disk for viruses and removes any that are found. |
| Physical security | Physical access control of computer equipment so that unauthorized people cannot access it. |
| Firewall | System designed to prevent unauthorized access to or from a private network. |
| Encryption | The translation of data into a secret code. |
| PCMCIA | Short for Personal Computer Memory Card International Association, and pronounced as separate letters, PCMCIA is an organization consisting of some 500 companies that has developed a standard for small, credit card-sized devices, called PC Cards. Used as a computer security device. |
| Reusable passwords | A secret series of characters that enables a user to access a file, computer, or program. |
| Intrusion detection system | An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. |
| Vulnerability assessment scan | A utility that searches a network for vulnerabilities and suggests patches. |
| Image servers | A utility that creates the exact server disk image for complete server backup. The server disk backup file includes all the server disk data including system, programs, databases, and the like. After a system crash, one can restore the complete server drive contents or replace lost files and folders. |
| Internet security systems scanner | A utility that searches Internet traffic for viruses and attacks. |
| Digital IDs | An encrypted file containing your personal security data, including your private keys. |
| Biometrics | Biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. |

Source: Webopedia.internet.com
FIGURE 1. A Typical Hotel Local Area Network (LAN)
[Figure not reproduced. Components labeled: Electronic Locking System, Front Office Terminals, Call Accounting System, Energy Management System, POS, PMS, Accounting, GDS Interface, GDS, CRS Interface, PBX Switch, CRS.]

FIGURE 2. A Typical Wide Area Network for a Multi-Chain Hotel Company
[Figure not reproduced. Components labeled: Individual Hotel, Corporate Level, Printers, Computers, Accounting, PMS, POS, Router, Firewall, VPN, Internet, Web Server, File Server, Email Server.]

METHODOLOGY

In this study, a descriptive, online cross-sectional survey research design was employed. The survey was adapted and expanded from the 2003 CSI/FBI Computer Crime and Security Survey (CSI, 2003). The target population consisted of 1,143 technology managers who were current subscribers of Hospitality Technology magazine as of November 2003. The list of the respondents was provided by Hospitality Technology magazine. All of the sample members had an e-mail address; therefore, only the online version of the survey was conducted.

The survey instrument had four sections. The first section asked questions related to security technologies, such as what information security technologies are used in respondents’ hotels. The second section consisted of questions related to network security threats and hacking attempts within the last 12 months. The third section listed sixteen attributes related to perceived information security practices. In this section, survey participants were asked to rate the importance of network and information security practices in their organizations. A five-point Likert scale response format (1 = strongly disagree; 5 = strongly agree) was used in the importance measurement portion of section three. The final section of the survey consisted of demographic questions and property characteristics.

FINDINGS

Out of 1,143 sample members’ e-mails, 178 e-mails were returned as “undeliverable,” reducing the effective sample size to 965. Two hundred thirty-four filled out the questionnaire, thus yielding a 24.2% response rate. The majority of the respondents (74.3%) were individuals who were responsible for information technology in their organizations.

Research question 1: What are the current practices used by hotels to protect computer networks?

Table 2 shows the network and information security techniques/tools used by hotels. The most used tool is anti-virus software (91.9%). This is not surprising since the majority of computer systems come with anti-virus software and its cost is usually not high. However, it is still in question whether the anti-virus software is updated regularly with the most up-to-date virus definitions. It is surprising to hear that 8.1% of the respondents reported that they do not use anti-virus software to protect their computer systems. Physical security is the second most reported tool for network security, followed by software and hardware firewalls. The least used network security tools with no plans to buy/use in the future are biometrics (66.7%), digital IDs (54.1%),
TABLE 2. Network Security Tools and Techniques Used by Hotels

| Tool/technique | Use (Internal Sources) Freq. | Use (Internal Sources) % | Use (Outsourced) Freq. | Use (Outsourced) % | Plan to Buy/Use Freq. | Plan to Buy/Use % | No Plans to Buy/Use Freq. | No Plans to Buy/Use % |
|---|---|---|---|---|---|---|---|---|
| Anti-virus software | 162 | 73.0 | 42 | 18.9 | | | 18 | 8.1 |
| Physical security | 138 | 63.9 | 12 | 5.6 | 6 | 2.8 | 60 | 27.8 |
| Software firewall | 138 | 62.2 | 24 | 10.8 | 6 | 2.7 | 54 | 24.3 |
| Access control | 132 | 59.5 | 18 | 8.1 | 12 | 5.4 | 60 | 27.0 |
| Hardware firewall | 132 | 62.9 | 24 | 11.4 | 12 | 5.7 | 42 | 20.0 |
| Encrypted files | 126 | 56.8 | 18 | 8.1 | 12 | 5.4 | 66 | 29.7 |
| PCMCIA | 120 | 55.6 | 24 | 11.1 | 6 | 2.8 | 66 | 30.6 |
| Encrypted login | 108 | 48.6 | 18 | 8.1 | 24 | 10.8 | 72 | 32.4 |
| Reusable passwords | 78 | 37.1 | 18 | 8.6 | 12 | 5.7 | 102 | 48.6 |
| Intrusion detection system | 72 | 32.4 | 36 | 16.2 | 48 | 21.6 | 66 | 29.7 |
| Vulnerability assessment scan | 66 | 29.7 | 24 | 10.8 | 18 | 8.1 | 114 | 51.4 |
| Image servers | 60 | 27.0 | 12 | 5.4 | 42 | 18.9 | 108 | 48.6 |
| Internet security systems scanner | 60 | 27.8 | 42 | 19.4 | 18 | 8.3 | 96 | 44.4 |
| Digital IDs | 48 | 21.6 | 6 | 2.7 | 48 | 21.6 | 120 | 54.1 |
| Other | 24 | 21.1 | – | – | 84 | 73.7 | 6 | 5.3 |

Biometrics: three Freq./% pairs survive in the source, in this order: 24 / 11.1, 48 / 22.2, 144 / 66.7. The last pair is No Plans to Buy/Use; the column placement of the first two pairs is not recoverable from the source layout.
vulnerability assessment scan (51.4%), and image servers (48.6%). It is surprising that 48.6% of the respondents reported that they do not use “reusable passwords.” This figure seems very low based on the researchers’ expectation. This may be due to the fact that some hoteliers define “reusable passwords” as fixed passwords, and the way they manage passwords (i.e., requiring the user to change the password every other month, requiring an upper case, alphanumeric characters, and minimum length) may lead them to believe that these are not “reusable passwords.”

Research question 2: What are the current threats to computer network security in hotels?

Twenty percent of the respondents had a computer network attack within the last 12 months. The size of the hotel seems to be positively correlated with the number of attacks observed within the last 12 months (r = .72; p = .001). In terms of attack types, “Virus Attack”
(15.4%) was reported most frequently, followed by “Denial of Service” (7.7%), sabotage of data networks (7.7%), system penetration by an outsider (7.7%), and spoofing (5.1%). Independent hackers were responsible for 57.1% of these attacks while disgruntled employees were responsible for 21.4% of these attacks. The average financial loss created by these attacks was $10,375.

Research question 3: What are the ways of handling computer network security intrusions?

Out of the 48 respondents that reported an attack on their network systems, all patched holes after the attack, and 50% did not report to any organization. Only 12.5% reported to law enforcement and legal counsel (Table 3). About 20% of the respondents hired reformed hackers or ethical hackers as consultants. When asked why they prefer not to report network attacks and intrusions, respondents reported “negative publicity,” “competitors would use to advantage,” and “civil remedy seemed best,” in order of frequency.

TABLE 3. Ways of Handling Computer Network Security Intrusions

| | Freq. | % |
|---|---|---|
| Patched holes | 48 | 100.0 |
| Did not report | 24 | 50.0 |
| Reported to law enforcements | 6 | 12.5 |
| Reported to legal counsel | 6 | 12.5 |

N = 48.

CONCLUSIONS

This study is one of the first attempts to analyze computer network attacks and prevention techniques in the hotel industry. The results showed that computer network attacks create serious threats to hotels. Although hotel companies use some prevention techniques, we observed a distributed solutions mix. Some hoteliers prefer to outsource their network and information security systems. This may have a twofold impact on hotels: (1) if the outsourcing company is a network and information security expert, then the hotel network systems may be better protected; (2) the dependency on a different company in such an important issue may create some problems such as data privacy and ownership. Also, when outsourcing is used, a clear contract is needed to cover the case of the outsourcing company’s bankruptcy.

Surprisingly, a significant number of hotels do not use, and do not plan to use in the future, some important network and information security tools and techniques such as Internet security systems scanners, biometrics, and intrusion detection systems. Some of these tools are so vital to network security that not using them is an open invitation to internal and external hackers. For example, we have observed that 8.1% of the hoteliers indicated that they do not use anti-virus software. This is surprising because virus protection should be at the top of every information technology manager’s list even if the company network is not attached to the Internet. Workers will, sooner or later, need to transfer files between each other or from outside sources. This is a potential invitation to virus attacks. In addition, when the cost of anti-virus software is considered, we see that it is not a major investment for any kind of company. We believe that the reason for not using such a vital tool is just ignorance and lack of knowledge. From our personal experience, we know that the hotel IT manager is usually some other manager or employee who happens to know more about technology and computers than others. When this is the case, they already have a busy schedule with their main responsibility, and they manage technology only reactively, not proactively. We suggest that hotels should employ an individual who is in charge of IT within the hotel and select their IT managers carefully, and that the person who has the IT responsibility should keep up with recent technological advances and implement them. Hotel managers would do well to review the findings of this study, compare them with the tools they use, and implement and use multiple tools.
Additional focus should be given to emerging technologies, such as biometrics, especially in an era in which security has become very important.

APPLICATIONS TO THE HOSPITALITY INDUSTRY AND RECOMMENDATIONS

Based on the findings of this study, the following actions are recommended to ensure the best possible security in networks:

1. Have the best security protection you can afford. Hotels collect sensitive data about their guests. Protecting the networks that have the extensive data about guests must be a priority for hotels.
2. Identify significant vulnerabilities in your computer networks. Make a serious effort to do your own hotel security audit. This can be done by an external consulting firm or using the hotel’s resources and labor. This step will help to employ the tools needed to detect such vulnerabilities.
3. Develop your own company’s security policy and guidelines. A security policy and guidelines should be developed and communicated to every employee. Serious consequences should be included in the event of an employee’s intentional fault.
4. Employ an Information Technology professional. Hotels usually fill IT positions with somebody else in the hotel, such as an accountant, whose expertise is not IT. This is a big mistake. Hotels should employ a professional who understands the hospitality industry and information technology.
5. Report computer breaches. Even though it may seem embarrassing for your property, this will ensure that protection tools are developed to prevent future breaches.
6. Avoid using “reusable passwords.” Reusable passwords served users well in the age of closed environments where terminals were hard wired to mainframes. Clear text passwords traveling over Local and Wide Area Networks and the Internet can be grabbed from networks using sniffers. Hardware or software keyloggers can be installed in computers to steal passwords. However, a dynamic encrypted password along with a persistent password policy can prevent these problems.

LIMITATIONS AND ASSUMPTIONS

Like any study, this study is not without limitations. The first limitation is the population itself. The findings of this study cannot be generalized beyond the population, although the results will responsibly reflect the hotel industry. In addition, some of the results seem low compared with general business practices. This may be due to the fact that the security techniques were not defined in the questionnaire and some of the terms may not have been understood the same way by every respondent.
Companies are reluctant to reveal computer network attacks to the public with the fear of public trust damage and encouraging hackers to attack the company networks. We assumed that respondents answered the questions objectively and accurately. We assured full anonymity and confidentiality for the study results.
FUTURE STUDY

Disaster recovery is an important topic for network security, not only for hotels but for any business. This study did not include disaster recovery practices of hotels. Therefore, we suggest that future study should focus on disaster recovery practices of hotels. In addition, another study of the effects of computer viruses and protection tools and techniques might be useful to the hospitality industry.
RECEIVED: 12/20/04 REVISIONS RECEIVED: 05/14/05 ACCEPTED: 06/20/05 doi:10.1300/J149v08n01_03