PERCEPTIONS OF SECURITY AND PRIVACY WHEN USING MOBILE COMMUNICATION SYSTEMS
An Analysis of Administrative and Line Staff Congruence

Cheon-Pyo Lee
[email protected]
Carson-Newman College

Xin Luo
[email protected]
The University of New Mexico

Merrill Warkentin
[email protected]
Mississippi State University
ABSTRACT

Mobile communication systems have revolutionized business communication and become common communication tools within business organizations. The dramatic increase in the use of mobile communication systems would not have been possible without the assumption of information security and privacy. However, in many workplaces, this assumption is wrong, and, in fact, mobile communications are vulnerable in many ways. The purpose of this paper is to evaluate whether administrators, IT directors, and general users (line staff) have similar or dissimilar expectations and perceptions of the level of security and privacy associated with communicating with internal and external individuals using mobile communication systems, and to explore the implications of these similarities or differences.

Keywords: Security, Privacy, Mobile Communication Systems, Mobile Email, SMS
INTRODUCTION

During the past decade, we have witnessed a paradigm shift in telecommunications from wired and fixed data exchange to wireless and mobile interaction and transmission, which has opened a new chapter of pervasive diffusion and implementation of mobile commerce (m-commerce). Mobile communication systems, including mobile email, short message service (SMS), and mobile data transfer, have revolutionized business communication by supplanting traditional and less efficient forms of communication, and have thereby become common tools within companies and organizations (Research in Motion, 2005). The dramatically increasing use of mobile communication systems in the workplace may stem mainly from clear benefits such as mobility and efficiency, but it would not have been possible without the assumption that anything sent by mobile devices is as secure and private as a personal meeting. However, this assumption is erroneous in many workplaces. Instead, mobile communication systems are de facto vulnerable in many ways. The inherent vulnerability to eavesdropping and external intervention over the open airwaves is undoubtedly the weakest link with respect to information security threats. Though other communication networks also face the same peril, the very nature of mobile communication systems -- transmission over the open airwave medium -- inevitably leaves a channel that potential hackers can reach and that the organization cannot fully manage. Notwithstanding the innovative wireless technologies, including SMS, WAP and GPRS, that have widened the range of data services and have enabled access to corporate network resources and the Internet, disaster may strike because data traveling between the wired network infrastructure and mobile devices can potentially be intercepted and altered by malicious individuals. Furthermore, according to McAfee (2006), the key trends impacting mobile security are: 1) the continuing spread and increasing use of mobile devices around the globe; 2) 79 percent of IT managers believe mobile device support disrupts the regular and intended services of the IT department; 3) 76 percent of IT managers say they have no formal IT management policy in place for mobile devices; and 4) 90 percent of mobile devices lack protection to ward off hackers. Despite the various internal and external risks of mobile communication systems, employees have overestimated the security and privacy of mobile communication systems and have underestimated the likelihood of interception. These expectations about mobile communication systems and about interception often lead employees to misuse mobile communication systems inside and outside of the workplace. Because previous research has mainly focused on single subject groups (i.e., either employees or employers), there is a paucity of comprehensive investigation that thoroughly gauges and analyzes congruent and divergent perspectives in this arena. In an effort to fill this void, the purpose of this paper is to evaluate whether administrators, IT directors, and general users (line staff) have similar or dissimilar expectations and perceptions of the level of security and privacy associated with communicating with internal and external individuals using mobile communication systems, and to explore the implications of these differences or similarities.

- 4281 -
MOBILE COMMUNICATION SYSTEMS

Mobile Communication Systems in the Workplace

Subscriptions to mobile communication systems, including short message service (SMS) and mobile email, have grown rapidly (Research in Motion, 2005). It is believed that the mobile communication systems market will experience rapid and sustained growth in the next decade (Malykhina, 2005). The main advantages of using mobile communication systems are mobility, flexibility, and dissemination (Nah, Siau, & Sheng, 2005). Mobility allows users to conduct business matters anytime and anywhere, while flexibility allows users to capture data at the source, or point of origin. In addition, mobile communication systems offer an efficient means of disseminating real-time information to a larger user population, while enhancing and improving customer service. Mobile communication systems have shown significant impact by generating enormous business value (Chen & Nath, 2004; Gebauer & Shaw, 2004).
Workplace Privacy Invasions

The sources and types of threats to mobile information privacy in the workplace are similar to those for any information. The various privacy invasions in workplaces are characterized along two dimensions: (1) source of invasion (internal and external interception), and (2) type of invasion (authorized and unauthorized interception) (Sipior & Ward, 1995). A majority of employers read and monitor their employees' communication, either legally with the employees' awareness (employee performance monitoring) or illegally without the employees' awareness (eavesdropping), and employees' communication is also at risk of external interception, such as by hackers (illegal) or law enforcement investigation (legal) (Sipior & Ward, 1995).

Internal Interception

As owners of the workplace technology resources, employers assume that monitoring is justifiable since the company owns the electronic communication systems and the data they contain (Chociey, 1997; Sipior & Ward, 1995). Enterprises are not only concerned with preventing potential legal exposure due to a breach of organizational information via mobile communication systems, but also want to ensure that employees are working productively. Thus, for example, when excessive amounts of personal messages obstruct traffic on the networks, monitoring is necessary to maintain the efficiency of the system (Chociey, 1997). Other reasons offered by employers for monitoring mobile communication systems are prevention of personal use, prevention or investigation of corporate espionage or theft, and cooperation with law enforcement officials in investigations (Sipior & Ward, 1995). However, monitoring internal information flow without notifying employees may lead to a lack of employee trust in the integrity of the organization. In addition, a recent ruling by a U.S. court has established new privacy rights for employees by finding that if an employer contracts with an outside provider for messaging, it does not have the right to ask the service provider for transcripts of the text messages employees send out (Morphy, 2008). This ruling can also be applied to e-mail communications if the employer outsources that service instead of maintaining it on an internal server.
External Interception

In recent years, new legislation, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, and the Sarbanes-Oxley Act of 2002, is spurring companies, especially financial institutions and healthcare firms, to pay closer attention to information security by deploying cutting-edge defense systems to shield their organizational assets. On one hand, companies are required by this legislation to provide electronic evidence in court for investigation. Lacking relevant and necessary electronic surveillance applications, companies might not be able to fully comply with the security-related legislation upon request. On the other hand, law enforcement can leverage computer forensic techniques to acquire and intercept information flow inside the organization. This procedure involves using the organization's existing surveillance infrastructure, such as stored email messages and SMS conversation logs, and external resources, such as forensic analysis applications and experts. Unauthorized people, such as mischievous or malicious hackers, can intercept the information flow by means of a variety of "tools" without physically sneaking into the organization.
Security

Faced with increased internal and external security threats, organizations endeavor aggressively to safeguard their technology infrastructures from hackers, malware, and malicious attacks. Despite the fact that mobile devices such as mobile/smart phones, personal digital assistants, and handheld computers can augment corporate productivity, they also inexorably introduce increasing security risks and privacy concerns to the organization. For example, according to a recent security survey (Chickowski, 2008), "missing devices" is one of the five big current security threats in organizations. Many organizations are concerned about the loss or theft of mobile devices, which are easily misplaced or stolen, and about the likelihood that they contain sensitive or confidential data that can be accessed by unauthorized persons. The dilemma for most organizations is that, because mobile devices are increasingly adopted by various organizational constituents and because the mobile technology platform is becoming open and standardized, mobile environments may become increasingly vulnerable and represent a new weak link for malicious attacks (Ghosh and Swaminatha, 2001). As the power and capabilities of client handset devices expand, and as networks move toward interoperability, the platform will continue to challenge managers with new security and privacy threats. Undoubtedly, organizations need mobile communication systems to further enhance working efficiency, and the need for security solutions and improved device management is equally undeniable. In fact, according to McAfee (2006), 79 percent of IT managers believe mobile device support disrupts the regular and intended services of the IT department because many mobile users don't take the proper precautions to ensure secure communications in the workplace. Indeed, it is reported that approximately 90 percent of mobile devices lack protection to ward off hackers.
As such, malicious individuals can exploit these technological and behavioral vulnerabilities to, for instance, impersonate legitimate users in order to access sensitive corporate information on a corporate server, or infect mobile devices with destructive viruses. In the era of 3G (third generation), there are still risks in conducting mobile business communications because many networks will not offer a consistent level of encryption that meets confidentiality requirements for m-commerce (Gindraux, 2002). Additionally, the adoption of the standard TCP/IP protocol will inevitably make these wireless networks vulnerable to the many attacks encountered on the Internet. In the same vein, user terminals running a Java Virtual Machine and using Mobile IP could open the mobile device to potential mobile code vulnerabilities and viruses, exposing mobile devices to common Internet-based attacks such as denial of service and intrusion attacks (Gindraux, 2002).
HYPOTHESES

Because of the potential for organizational problems stemming from the misapplication of these communication technologies, and because the resulting costs (to efficiency and effectiveness) may be very great, this topic deserves in-depth investigation. A study will be conducted to explore the issues discussed above. This study will proceed as follows.
First, this study presents several hypotheses. The first is that regardless of job position (senior administration or line staff), employees grossly overestimate the security and privacy of mobile communication systems. The respondents' perceptions about the security and privacy of these communication technologies will be compared against independent evaluations of the technologies found in the trade literature. The second hypothesis is that since administrators (top managers) tend to be closer to the organization's perspective when making decisions, they are less likely than line staff to underestimate possible interceptions, especially internal interceptions. More generally, then, the second hypothesis states that the perception of security and privacy differs between administrative and line staff. This issue will be explored in depth, especially as it relates to administrative mandates regarding mobile communication systems. The third hypothesis is that IT managers will express greater knowledge and awareness of the limitations of the security and privacy of mobile communication systems than either administrative or line staff, again when compared against independent measures. The fourth hypothesis is that IT managers will also have lower expectations of the privacy and security of mobile communication systems than either administrative or line staff. Other hypotheses may be developed upon further investigation before the pilot study is administered.
RESEARCH PLAN

To investigate these hypotheses, we propose a research plan in which a broad sample of current mobile communication systems users within a variety of organizations (in different industries, of different sizes, and at various levels of technological maturity and centralization) will be surveyed to identify their perceptions of security and privacy with respect to mobile communication systems usage. Initially, the research team will conduct a pilot study of mobile communication systems users in several university environments, seeking improvements to the instrument. Then, following ethics board approval of the instrument and research protocol, the research team will administer the survey to employees of other organizations, including health care and financial services firms. The resulting data will be analyzed, and the results of this analysis will be presented at the conference in November 2008. The findings will illuminate the distinctions between the perspectives of various stakeholders regarding mobile information security. Further, the findings should provide valuable insights to IS professionals and organizational leaders addressing mobile privacy concerns. Finally, the results of this study should guide future researchers who pursue further research in this domain.
REFERENCES

Chen, L.-D., & Nath, R. (2004). A framework for mobile business applications. International Journal of Mobile Communications, 2(4), 368-381.
Chickowski, E. (2008). Closing the security gap. Baseline, 85, 32-37.
Chociey, P. A. (1997). Who's reading my e-mail? A study of professionals' e-mail usage and privacy perceptions in the workplace. IEEE Transactions on Professional Communication, 40(1), 34-41.
Gebauer, J., & Shaw, M. J. (2004). Success factors and impacts of mobile business applications: Results from a mobile e-procurement study. International Journal of Electronic Commerce, 8(3), 19-41.
Ghosh, A. K., & Swaminatha, T. M. (2001). Software security and privacy risk in mobile e-commerce. Communications of the ACM, 44(2), 51-57.
Gindraux, S. (2002). From 2G to 3G: A guide to mobile security. In Third International Conference on 3G Mobile Communication Technologies (pp. 308-311). London, UK: IEEE.
Malykhina, E. (2005). Everyone wants one – demand for BlackBerrys and similar devices is growing even faster than anticipated. But as mobile e-mail booms, so do the challenges. InformationWeek, 1069, 24.
McAfee. (2006). The future of mobile security - here today. Accessed on March 28, 2008 from http://www.mcafee.com/us/local_content/case_studies/cs_future_mobile_security.pdf
Morphy, E. (2008). Workplace text-messaging ruling wows privacy advocates. Accessed on July 7, 2008 from http://www.linuxinsider.com/story/security/63492.html
Nah, F. F.-H., Siau, K., & Sheng, H. (2005). The value of mobile applications: A utility company study. Communications of the ACM, 48(2), 85-90.
Research in Motion. (2005). Research in Motion reports third quarter results. Accessed from http://www.rim.com/news/press/2005/pr-21_12_2005-01.shtml
Sipior, J. C., & Ward, B. T. (1995). The ethical and legal quandary of email privacy. Communications of the ACM, 38(12), 48-54.