Government Information Quarterly 31 (2014) S118–S125
Web application vulnerability assessment and policy direction towards a secure smart government

Olusesan M. Awoleye a,⁎, Blessing Ojuloge b, Mathew O. Ilori a

a African Institute for Science Policy and Innovation (AISPI), Faculty of Technology, Obafemi Awolowo University, Ile-Ife, Nigeria
b National Centre for Technology Management, Agency of the Federal Ministry of Science & Technology, Obafemi Awolowo University, Ile-Ife, Nigeria
Article info

Available online 2 July 2014

Keywords: E-government; Smart government; Web vulnerability; Policy; Cross site injection; SQL injection; Cookie manipulation
Abstract

This paper carried out a technological analysis of e-government platforms with a view to assessing possible application flaws that can inhibit the smooth running of the available web services. Two sets of data were collected with an interval of two years on 64 Nigerian government websites. Five web vulnerability variables known to be notorious for web attacks were purposively investigated. In the overall assessment for the two datasets, the average result showed that about 67% are affected by broken links (BL), 43.8% by unencrypted password (UP), 35% by cross site scripting (XSS) and about one out of every four are affected by each of Structured Query Language Injection (SQLi) and cookie manipulation (CM). An independent t test statistic showed that there is a significant difference between the groups for three of the variables investigated, namely XSS, SQLi and CM, at 95% confidence interval. The motivation for this study is premised on the risk that these results pose to the smooth running of the e-government services and the possibility of financial loss. The research thus suggests some useful policy directions to enhance the provision of a secure smarter government.

© 2014 Elsevier Inc. All rights reserved.
⁎ Corresponding author: O.M. Awoleye, African Institute for Science Policy and Innovation (AISPI), Faculty of Technology, Obafemi Awolowo University, Ile-Ife, Nigeria.
http://dx.doi.org/10.1016/j.giq.2014.01.012
0740-624X/© 2014 Elsevier Inc. All rights reserved.

1. Introduction

The growth of the internet and its services has brought innovation in the use of many web applications. This has provided sources of information for citizens and has created opportunities for businesses to thrive (Zhao & Zhao, 2010). Organizations and government bodies have leveraged new technologies provided by the web in several ways for improved efficiency in service delivery, transparency, increased revenue, cost-saving and global competitiveness (Chen, 2002; Chen & Gant, 2001; Kim, Jeong, & Lee, 2009). Government services which have been characterized by rigid bureaucracy are gradually being taken over by e-government. When e-government services become more flexible to access for users' satisfaction, the result is smarter government, which is desirable (Rokhman, 2011).

Smart government has been described as “the implementation of a set of business processes and underlying information technology capabilities that enable information to flow seamlessly across government agencies”. Smart government as an advanced government presents opportunities that people can avail themselves of, including: services, participation and communication anytime, anywhere and with any device through convergence and integration of smart IT and government services. It provides a platform where the government proactively pushes relevant, unique data to citizens based on their profiles. This helps government to provide real time information to its citizens. As changes occur to a citizen's circumstance, government processes are triggered to provide the appropriate service(s).

Despite the benefits of communication through the internet, the proliferation of cyber crime activities has created a big concern (Zhao & Zhao, 2010). For example, in a world ranking survey of the top cyber crime perpetrators by country, Nigeria is rated 3rd behind United States and United Kingdom according to the Internet Crime Control Centre.¹ Since e-government projects are provided over an insecure channel like the internet, other important issues surface. In most countries (Nigeria inclusive), there is no governmental infrastructure that supports authentication, confidentiality, integrity and privacy (Moen, Klingsheim, Simonsen, & Hole, 2007). There are also other problems related to web applications that can have unexpected consequences when e-government solutions are deployed. It is worth noting that amid all these, the rate at which organizations and government are adopting the web as a useful resource is on the increase (Ebrahim & Irani, 2005; Gil-García & Martinez-Moyano, 2005; Wangpipatwong, Chutimaskul, & Papasratorn, 2005).

It has been identified that some of the motivations for adopting e-government have been largely technology pushed and benefit driven, without giving adequate attention to security issues. A number of studies have reiterated the consequence of porting ‘unverified’ web applications (Balduzzi, Gimenez, Balzarotti, & Kirda, 2010; Chien,
¹ www.ic3.gov/media/annualreport/2009_ic3report.pdf.
O.M. Awoleye et al. / Government Information Quarterly 31 (2014) S118–S125
2006; Moen, Klingsheim, Simonsen, & Hole, 2006; Zhao & Zhao, 2010). It is therefore expedient to investigate web related security threat(s) that may inhibit the smooth running of e-government services. To this end, the following research questions are raised: (i) what is the state of government websites relative to web vulnerability? (ii) Is there bias for category of organizations for the vulnerabilities? (iii) Is there any difference in the level of vulnerability of the websites over time? The following objectives are therefore drawn for this study: (i) to assess the level of vulnerability on government websites, (ii) to investigate vulnerability bias(es) for category of organizations, and (iii) to investigate the difference in web vulnerability over time.

The rest of the study is organized as follows: the concept of evolutionary theory of change and e-government dynamics are discussed in Section 2. Section 3 discusses web application vulnerability while the methodology of the work is elucidated in Section 4. Section 5 presents the findings of the two datasets collected. Section 6 discusses the summary and conclusion and presents some policy suggestions.

2. Evolutionary theory of technological change and e-government dynamics

This section discusses the theory adapted for this work, the evolutionary theory as posited by Nelson and Winter (1982). This is well placed since e-government involves dynamic processes that require continuous development. The section also enumerates the dynamics of e-government: its overview and the situation in a few countries, especially Nigeria.

2.1. Evolutionary theory of technological change

The evolutionary theory of technological change as posited by Nelson and Winter (1982) and adapted by Metcalfe (1994) for technology policy and by Malerba, Nelson, Orsenigo, and Winter (1999) for the U.S. computer industry is well placed in our approach of smarter government, which is evolutionary in nature.
E-government evolves from developing a web page to integrating government systems behind the web interface (Gil-García & Martinez-Moyano, 2005). Layne and Lee (2001) also described e-government as an evolutionary phenomenon which changes frequently with time. Some of the changes that have come over the years have resulted in more complex websites, beyond platforms that provide only information for the citizens. The process of creating more robust web platforms for additional services beyond informational services has culminated in interactive and transactional systems (Chan, Lau, & Pan, 2008). Such systems necessitate the creation of input fields on the websites such as web forms, logins, search and feedback. These efforts open the window of infiltration, especially when the website is not properly checked for possible application errors (e.g. input validation).

2.2. E-government dynamics

Schelin (2003) described the evolvement of e-government from one stage to the other as necessitated by the quest for unhindered service. Each of these stages represents a different level of technological sophistication (Moon, 2002) towards improvement in quality of service delivery to the citizens. Describing the concept of e-government, we found diverse but related descriptions in literature. For example, Backus (2001) defined e-government as the art of online administration of government activities. Whitson and Davis (2001) described it as a system that integrates cost-effective models for citizens, industries, federal employees, and other stakeholders to conduct business transactions online. Layne and Lee (2001) viewed e-government as government's use of technology, particularly web-based internet applications, to enhance the access to and delivery of government information and service to citizens, business partners, employees, other agencies, and government entities. In the context of what this paper is set to address, Layne and
Lee's (2001) description of e-government is accepted as our operational definition. E-government has the potential to help build better relationships between government and the public by making interaction with citizens smoother, easier, and more efficient. Indeed, the government can reach more citizens without boundary, irrespective of their locations, at any point in time. In turn, the citizens can also reach the government without any bureaucratic barrier (Awoleye, Oluwaranti, Siyanbola, & Adagunodo, 2008).

Among the countries that have benefited from e-government activities, Korea is a good example. It has used this service extensively, and a considerable literature on the approaches and the success of the Korean e-government project (Hee-joon, 2002a, 2002b; Sang-ho, 2002) is available. It was reported in the Korea e-Customs Service (KCS) that the trade volume of Korea increased by a multiple of 3.5. Duties and taxes collected also grew by three times, while the number of KCS employees decreased by 6% (infoDev/World Bank, 2009). Taiwan has eased the difficulty of processing income tax returns, where an average of over 4 million individual tax returns are processed manually each year (Wang, 2002). As reported by Wang (2002), during the tax-filing period taxpayers perform complex calculations and fill out a standard printed form either by hand or typewriter. The tax return and related documentation are submitted to the tax agency over the counter or by postal mail. When using the manual filing method, taxpayers need to understand the individual income tax laws, and the tax return is subject to errors through writing and/or calculations.
Internet filing was launched in Taiwan by the tax agency in 1998, which provided taxpayers with a platform to file their income tax returns via the internet and eliminated the risk of computational errors which usually occur when the tax is processed manually. Some other studies have shown positive rewards for e-government applications in different countries. For example, the one-stop shop portal (FirstGov) of the United States has aided many types of transactions ranging from Government to Consumer, Government to Business, and Government to Government, and has been used for form downloads for most public services and many more. Also in the United Kingdom, some of these services are in operation through the UK government online portal as presented by Anthopoulos, Siozos, and Soukalas (2007). Making services available online presents a better and easier way of managing the government–citizen relationship, most especially in discharging obligations to the society. However, the concern now is whether there is adequate technical capability to handle possible susceptibility in the design of such platforms (websites), without which successful and smooth operation may be hampered.
2.3. E-governments in Nigeria

The emergence of e-government in Nigeria can be traced to the advent of democracy in 1999. Part of the responsibility of the National Information Technology Development Agency (NITDA) is to implement the Nigerian e-government initiative in conjunction with the National e-Government Strategy Limited (NeGSt) under a Public Private Partnership (PPP) model to guide the evolution of digital government solutions with consistent standards, operating platforms and applications across agencies and government systems in Nigeria (Fatile, 2012). More commitment has thereafter been shown by the federal government towards promoting ICT and e-culture through organizing several conferences and workshops to promote e-society awareness in the country (Ajayi, 2003; Ifenedo, 2006). These fora, as reported by Ifenedo (2006), bring together local academia, businessmen, software multinationals, IT professionals and others from abroad. Some efforts by the government to facilitate the use of e-government have also been identified. The government has created public awareness for e-government by providing Mobile Internet Units (MIU) for public use (Ifenedo, 2006). These are locally manufactured buses equipped with communication
infrastructure such as VSAT, computer terminals and printers. They travel from town to town disseminating e-government information to Nigerians. The federal government of Nigeria now has a web portal (http://www.nigeria.gov.ng/) and has also ensured that the administration of its Country code Top Level Domain (ccTLD) is done locally (.ng). Some of the thirty-six states in Nigeria have their web portals as well (Ifinedo, 2005). These websites provide the general public with information about activities of the government and also contain some downloadable forms. Some components of e-governance have already commenced in Nigeria, e.g. automated duty collection by the Nigerian Customs, the resident permit computerization by the Nigerian Immigration Service, and computerization of land and certificate of occupancy by the federal capital territory administration (FCTA). Online checking of examination results such as West Africa Examination Council (WAEC), National Examination Council (NECO) and Joint Admission and Matriculation Board (JAMB) results, as well as the National Youth Service Corps (NYSC) online registration, are real time and cost effective services which are part of e-government (Akunyili, 2010; Fatile, 2012).

Some of the identified challenges facing successful running of e-government projects in Nigeria include: high duty and tax on Information Technology (IT) related importations, vandalization of IT facilities and equipment, and unavailability or poor condition of the enabling infrastructure such as power supply and internet connectivity (Fatile, 2012; Mohammed, Abubakar, & Bashir, 2010).

3. Web application vulnerabilities

A website is said to be vulnerable when it has the propensity for infiltration, which may be a result of flaws within the code that makes up the website; this is referred to as application level or server side attacks (Moen et al., 2007).
Other issues of concern have to do with some underlying limiting technicalities that can prevent the successful operation of the websites. It has been reported in literature that dynamic web applications contain a wide range of input validation vulnerabilities such as cross site scripting (Bates, Barth, & Jackson, 2010; Christey & Martin, 2007; Cook, 2003; Higgins, 2006; Moen et al., 2006) and SQL injection among others (Halfond, Viegas, & Orso, 2006; Huang, Huang, & Lin, 2003; Bandhakavi et al., 2010; Lee, Jeong, Yeo, & Moon, 2011; Xie & Aiken, 2006). Because of the popularity of the web, with its millions of users, the internet has become a prime target for attackers (Balduzzi et al., 2010). Today they are motivated by financial gains rather than just being destructive (Zhao & Zhao, 2010). Attacks against web applications constitute more than 60% of the total attack attempts observed on the internet, as shown in a report delivered by SANS Institute (2009). Also, in the study carried out by Moen et al. (2006), it was reported that 82% of the e-government websites around the globe were vulnerable to cross site scripting (XSS) and Structured Query Language injection (SQLi). SQL injection and cross-site scripting may be used by attackers to alter back-end tables from databases and to launch phishing attacks on vulnerable servers. It was further discovered in the study that 90% of European, 85% of Asian, 76% of the North American and 49% of African government websites are vulnerable to common web application attacks (Moen, 2007).

Apart from the web application attacks mentioned earlier, several others are also known to be prevalent: denial of service (DoS), cookie theft, session riding, browser hijacking, self-propagating worms in web based email, social networking sites, unauthorized access to networks, theft of employee or customer information, and online financial fraud (Chien, 2006; OWASP, 2004; Zhao & Zhao, 2010).
The DoS is the process of repeated accesses (queries) to non-existing resources e.g. broken links (Almgren, Debar, & Dacier, 2000). Cookie theft: Cookies can in some applications contain actual business specific information, like items stored in a shopping cart and their prices. This information can easily be changed and if no authentication mechanisms are in place to check the validity of the cookie in
the server side, this leads to compromise of the application (Huang et al., 2003). Session riding/hijacking is an approach in which an attacker sniffs and captures packets on the network in order to extract user information such as username and password to be used with malicious intent (Pauli, Engebretson, Ham, & Zautke, 2011). Hsieh, Wang, Tsai, and Tseng (2006) described session riding as a process of handing over history of a web session which enables a user to review the pages he just viewed on the same device.

One reason for the popularity of these web application security threats is that most web-based application developers often have little or no internet security background (Howard & LeBlanc, 2003). Moreover, the pressure of designing and delivering the web application under strict time constraints forces these developers to focus on the functionality for the end-user without the resources (or the knowledge) necessary to perform a thorough security analysis of the application being developed. This results in the deployment of poorly developed code that is riddled with security flaws to the whole internet (Kirda, Jovanovic, Kruegel, & Vigna, 2009). Moreover, most website owners fail to validate their application for common flaws.

As far as we know, there is no study that has provided empirical data on the level of vulnerability of Nigerian government websites, let alone a study using longitudinal data. It is in this context that this research is well placed. It provides useful information that will equip the government and other related stakeholders to effectively manage the systems. It also presents some policy suggestions to safeguard against possible occurrences and measures to avert continued susceptibility.

Web applications are becoming the dominant way to provide access to online services. They provide end users with client access to server functionality through a set of web pages.
These web pages often contain script code to be executed dynamically within the client web browser (Erlingsson, Livshits, & Xie, 2009). Despite the enforcement of simple, intuitive security policies in web applications, the web has become a fertile ground for cyber attackers attempting to penetrate systems and misuse private data (Kirda et al., 2009). Cenzic (2009) reported that almost 90% of web-related flaws are caused by deficiency in web applications. The report identified the three most common types of such vulnerabilities as SQL injection, cross-site scripting, and authentication issues. Also, the SANS Institute, a worldwide security organization, reported XSS, SQL injection and cross site forgery as major web vulnerabilities (Halkidis, Chtzigeorgiou, & Stephanides, 2006). XSS has therefore been identified as the most dangerous and easily found web application security issue (OWASP, 2007). Common consequences include hijacking of a user's session, defacement of websites, insertion of hostile content and phishing attacks, and it can allow hackers to take over a client's browser.

3.1. Cross site scripting (XSS)

Cross site scripting is a vulnerability that allows an attacker to bypass client-side security mechanisms normally imposed on web content by the browsers. By finding ways of injecting malicious scripts, usually in the form of JavaScript, VBScript, ActiveX, HTML or Flash, into a vulnerable application, an attacker may gain privileges to sensitive page content of the web pages (CERT, 2000; Endler, 2002; OWASP, 2007), and this can lead to website defacement (Zhao & Zhao, 2010). Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context and give the attacker access to cookies or session tokens retained by the browser. Common attack vectors are search applications which reflect the search string and parameters supplied in the Uniform Resource Locator (URL) (Gundy & Chen, 2012).
Cook (2003) opined that there are three distinct classes of XSS attack: stored, DOM-based, and reflected attacks. In a stored XSS attack, the malicious JavaScript code is permanently stored on the target server (e.g., in a database, in a message forum, or in a guestbook). In a DOM-based attack, the vulnerability is based on the Document Object Model (DOM) of the page. Such an attack can happen if the JavaScript in the
page accesses a URL parameter and uses this information to write HTML to the page. In a reflected XSS attack, on the other hand, the injected code is “reflected” off the web server, such as in an error message or a search result that may include some or all of the input sent to the server as part of the request. Reflected XSS attacks are delivered to the victims via e-mail messages or links embedded on other web pages. When a user clicks on a malicious link or submits a specially crafted form, the injected code travels to the vulnerable web application and is reflected back to the victim's browser. The implication of this is that data such as passwords, social security numbers and credit card information can be stealthily collected and thereafter used against the wish of the owners.
3.2. Structured query language injection (SQLi)

An SQL injection attack consists of insertion or “injection” of a SQL query (Anley, 2002; Barrantes et al., 2003; Kc, Keromytis, & Prevelakis, 2003). SQL injection is a technique to introduce code into a computer program or system via the input data from the client to the application, without proper filtering of dangerous script characters (Mitropoulos & Spinellis, 2009; Yves, Wouter, & Frank, 2005). There are many forms of SQL injection attacks. The most common involve taking advantage of incorrectly passed parameters, incorrectly filtered quotation characters or incorrect type handling (Mitropoulos & Spinellis, 2009). A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the Data Base Management System, DBMS), recover the content of a given file existing on the DBMS file system and, in some cases, issue commands to the operating system (Anley, 2002; Halfond & Orso, 2005; Halkidis et al., 2006; OWASP, 2007).
3.3. Cookie manipulation

A cookie is a small piece of information usually created by the web server and stored in the web browser. Each time the user accesses the web server, this data is passed back to the server. The cookie contains information used by web applications to persist and pass variables back and forth between the browser and the web application. Client-side cookies can be persistent, i.e. files stored on the client computer until an expiry date, or session, i.e. files kept in the memory of the client computer until the session is ended. As a result of the cookie structure and their usage, all data stored in a client-side cookie could be easily read or manipulated.
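The server-side validity check whose absence Section 3 describes for cookies carrying cart items and prices can be built from a keyed MAC. The following is an added example, not code from the paper or from any of the sites it assessed; the key, the cookie layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret known only to the server. The value here is a
# constructed placeholder; a deployment would load it from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_cookie(cart: dict) -> str:
    """Serialize the cart and append an HMAC-SHA256 tag over the payload."""
    payload = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_cookie(value: str):
    """'After': return the cart only if the tag verifies, else None."""
    try:
        payload_b64, tag_b64 = value.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed cookie: treat exactly like a tampered one
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def read_cookie_unprotected(payload_b64: str) -> dict:
    """'Before': the server trusts whatever the browser sends back."""
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def edit_price(payload_b64: str, new_price: int) -> str:
    """Simulate a user editing the stored cookie value in the browser."""
    cart = json.loads(base64.urlsafe_b64decode(payload_b64))
    cart["price"] = new_price
    return _b64(json.dumps(cart, sort_keys=True, separators=(",", ":")).encode())


if __name__ == "__main__":
    cart = {"item": "application-form", "price": 5000}  # constructed sample
    cookie = issue_cookie(cart)
    payload, tag = cookie.split(".")
    edited = edit_price(payload, 1)
    print("unprotected server sees:", read_cookie_unprotected(edited))
    print("verifying server sees:  ", read_cookie(edited + "." + tag))
    print("untouched cookie:       ", read_cookie(cookie))
```

The tag gives integrity only: the payload is still readable by the client, so values such as prices are better kept server-side and referenced from the cookie by an identifier.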
3.4. Unencrypted password

One of the security features employed in a web application is the password. Sensitive data such as credit card numbers and social security numbers sent to the server without using an encrypted connection such as secure socket layer (SSL) can be intercepted by hackers. Encrypting the transmission of data makes it difficult to intercept sensitive information as it travels between two parties.
3.5. Broken link

Broken links in the World Wide Web are hyperlinks pointing to an unavailable page; they are usually the result of pages that have disappeared or have been moved. Broken links affect page rank and discourage page visitors, who might regard the page containing these links as obsolete or unprofessional (Martinez-Romo & Araujo, 2012). Broken links create a security hole in a website; this can lead to a denial of service (DoS) attack.
4. Methodology

In an attempt to investigate the level of immunity of e-government web platforms, this work has probed some government websites for some common vulnerabilities. In this paper all web pages with a ‘.gov.ng’ sub-domain are considered as e-government web platforms. Thus, sixty four websites of some agencies of government and parastatals were randomly selected using an advanced feature of Google to sieve data from the websites that have adopted the use of Nigerian government sub-domains, i.e. the “.gov.ng” with a ‘php & html’ extension (Moen, 2007). Google retrieved a number of results but priority was given to the websites with the highest page rank, with a view to using websites whose files have been highly populated in the search engine database. Two sets of data were collected under the same condition with an interval of about two years. The first dataset was collected in August, 2011 and the second in November, 2013. The report was generated using the selected five measuring variables, which are: cross site scripting (XSS), structured query language injection (SQLi), cookie manipulation (CM), unencrypted password (UP) and broken links (BL). The selection of these variables is based on some classifications, as they have been rated among top web application vulnerabilities (CWE-SANS, 2010; OWASP, 2007). The sites tested were categorized into Agencies, Judiciary, Law Enforcement/Defence, Media, Ministries, Parastatals, States and Others categories. The websites chosen span 8 categories of sectors with a view to evaluating their propensity to cyber attacks which could jeopardize the original intent of providing seamless service that could foster smooth communication between the government and the citizens. This study delimited the research scope by using vulnerability assessment to address the research questions of the study, that is, to assess the Nigerian e-government websites for security and possible vulnerability to cyber attacks.

4.1. Testing tool

A popular web scanner, Acunetix, was employed based on the past record of successes with the software as well as the available features to test different web application vulnerability issues including XSS, SQLi, CM, UP and BL (Zhao & Zhao, 2010), since these are the main targets in this work.

4.2. Procedure

The Acunetix web scanner is launched, each of the website addresses is entered in the wizard box provided, and the request is made to the server hosting the domain. This test requires an internet connection; a broadband connection may be preferable. A successful link to the server provides the scanner (Acunetix) the opportunity to virtually crawl the website of any given URL, and it will thereafter present the analysis of the vulnerability for every instance of the URL.

Manual tests for XSS as well as SQLi were carried out to confirm the results generated by the vulnerability scanner. The XSS test can be performed with the following script: <script>alert(‘This is a test on your website’)</script>. When this is entered into any available input field on the website, such as search, feedback and form fields, and the request is sent to the server, then if the website is vulnerable, the JavaScript-enabled browser will display a JavaScript pop-up alert window containing the text in the parentheses, ‘This is a test on your website’. The procedure to manually test for SQL injection vulnerabilities uses a single quote ('). This is used as input within an input field on the website. The single quote is a special character in SQL, and if included in the SQL query it will most likely generate an SQL statement error. The implication of this is that the injection will give an attacker the chance to manipulate the database and to execute arbitrary code on the server.
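The two manual confirmation checks from the procedure above, and the reflected XSS and SQL injection behaviour described in Sections 3.1 and 3.2, are reproduced here as an added example that is not part of the original paper. It runs both probes against a constructed in-memory search handler, before and after hardening; the handler names, the table and its rows are assumptions made for illustration, and nothing contacts a real site.

```python
import html
import sqlite3

# Probe strings taken from the procedure described in the text.
XSS_PROBE = "<script>alert('This is a test on your website')</script>"
SQL_PROBE = "'"


def make_db():
    """Build a throwaway in-memory table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notices (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO notices (title) VALUES (?)",
                   [("Budget 2013",), ("Customs duty schedule",)])
    return db


def search_vulnerable(db, term):
    """'Before': input is pasted into both the SQL text and the HTML."""
    sql = "SELECT title FROM notices WHERE title LIKE '%" + term + "%'"
    try:
        rows = db.execute(sql).fetchall()
        body = "".join("<li>" + r[0] + "</li>" for r in rows)
    except sqlite3.Error as exc:
        # The database error is echoed to the page, which is the symptom
        # the single-quote check looks for.
        body = "<li>SQL error: " + str(exc) + "</li>"
    return "<h1>Results for " + term + "</h1><ul>" + body + "</ul>"


def search_hardened(db, term):
    """'After': bound parameter for the query, entity encoding for output."""
    rows = db.execute("SELECT title FROM notices WHERE title LIKE ?",
                      ("%" + term + "%",)).fetchall()
    items = "".join("<li>" + html.escape(r[0]) + "</li>" for r in rows)
    return ("<h1>Results for " + html.escape(term) + "</h1><ul>"
            + items + "</ul>")


def confirm(handler):
    """Apply both manual checks and return what an assessor would record."""
    db = make_db()
    xss_page = handler(db, XSS_PROBE)
    sql_page = handler(db, SQL_PROBE)
    return {
        "xss": XSS_PROBE in xss_page,     # probe came back unencoded
        "sqli": "SQL error" in sql_page,  # the quote broke the statement
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", search_vulnerable),
                          ("hardened", search_hardened)):
        print(name, confirm(handler))
```

In the 1/0 coding of Section 4.3, the first handler would be recorded as 1 for both XSS and SQLi and the second as 0 for both.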
4.3. Data analysis

The web scanner provided some data for the websites and the specific number of vulnerabilities found was recorded. We did not give special attention to the number of vulnerabilities found in each of the web domains; rather, the data were normalized. This was done by using binary representation, where ‘1’ represents ‘presence’ and ‘0’ represents ‘absence’ for each of the five variables assessed. The research also distinguished the two sets of data by using a nominal measure where the first dataset (previous) was coded as ‘1’ and the second dataset (current) as ‘2’. The coding and analysis were done in IBM Statistical Package for Social Sciences (SPSS) version 20. Both descriptive and inferential statistics were used to analyze the data. To be specific, percentages were used which show the proportion of the infiltrations across the categories of organizations for each of the variables investigated. An independent sample t test was also employed for the analysis, and it is assumed that the variances of the two groups are equal. To test this assumption, Levene's test for equality of variances was employed.

5. Findings

The findings of the study are reported in the following sequence: (a) vulnerability level of e-government websites, (b) vulnerabilities in categories of organization and (c) vulnerabilities in e-government over time.

5.1. Vulnerability level of e-government websites

In Fig. 1, the research observed that the level of infiltration of the websites across the five vulnerabilities assessed is quite high for the two datasets. For example, BL has the highest vulnerability among the five, as it was noticed that in 2011 about 70.3% of the websites were affected compared to 62.8% in 2013. The least susceptible is CM, which is about 3.1% in 2011 but hiked to 45.3% in 2013. Both SQLi and XSS, which top the high-risk category of vulnerability, also revealed alarming figures.
The averages of vulnerability for SQLi and XSS over the two datasets stood at 26.6% and 35.7% respectively. The implication of these findings is that, technically, the state of government websites could be said to be unguided, as the government is not committed to ensuring a secure environment that can be trusted to protect the integrity of information available on the e-government platforms. For instance, the variables investigated for vulnerability returned high proportions (BL = 70%, CM = 45.3%, SQLi = 26.6% and XSS = 35.7%). This poses a risk to the integrity of the government on one hand, as national data could be altered. On the other hand, the citizens could lose their confidence in any information retrieved from any e-government platform since such information can be misleading. For example, if election results of

[Fig. 1 residue: axis “Vulnerability Variable” with categories BL, SQLi, CM; surviving bar labels 62.8 and 21.9.]
5.2. Vulnerabilities in categories of organization Comparing the two observations from Table 1, the research observed a downward movement (↓) for all the categories of organization for XSS except for parastatals which attracted more XSS (7.7%) proliferation on the same websites tested. Downward movement here means reduction in the number of websites susceptible, while upward movement means increase in the number of susceptible websites. There is decrease in XSS susceptibility across the categories except for the ‘parastatals’ category which increased by about 7.7%. Also for SQLi, a downward movement (↓) is observed for all the categories of organization tested except for the ‘Others’ category which increased by 14.3%. ‘Others’ category include: professional association and other government offices. Also for CM, for all the categories of organization except ‘states’ have no single infiltration in the first observation for all the categories of organizations but it became prevalent in full force in the second observation. From Table 1, it was observed that 6 of the 8 organizations sampled have at least 40% CM infiltration. The ‘states’ category was singled out as the website that has been susceptible to CM since the first observation. This is evidenced as CM susceptibility increased by a factor of four, up from 15.4% in the first observation to 61.5% in the second observation. The direction for both UP & BL is staggered as some categories were observed to remain unchanged and some follow upward and downward directions and hence the actual movement cannot be ascertained. This section seeks to investigate if the vulnerabilities have any association with categories of organization. The descriptive statistics reported in the findings showed that for XSS, the reduction of this vulnerability is significant having categorized XSS in the high-risk vulnerability (OWASP, 2007). 
With this, one may be tempted to make an assumption that policy action may have been taken (on the part of the organization) to alleviate this, but this is not enough to reach that Table 1 Percentages of vulnerabilities for categories of e-government. Category of organizations
Agencies (N = 10)
Judiciary (N = 8)
Law enforcement (N = 5)
70.3 Media (N = 2)
28.1
XSS
any e-government platform vulnerable to XSS are published online, the content of such websites can be changed. The integrity of the entire database can also be compromised, especially when the website is vulnerable to SQLi.
42.2 Ministries (N = 6)
31.3
2011 2013
45.3
3.1
Parastatals (N = 13)
States (N = 13)
UP
35.9
43.8 Others (N = 7)
0
20
40
60
Website (%) Fig. 1. Bar chart showing e-government vulnerabilities over time.
80
Variables
1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement 1st Obs 2nd Obs Movement
XSS (%)
SQLi (%)
CM (%)
UP (%)
BL (%)
40 30 ↓ 50 12.5 ↓ 60 40 ↓ – – – 50 33.3 ↓ 38.5 46.2 ↑ 23.1 7.7 ↓ 71.4 28.6 ↓
20 20 – 37.5 25 ↓ 40 20 ↓ 50 – ↓ 50 33.3 ↓ 30.8 23.1 ↓ 23.1 8.3 ↓ 28.6 42.9 ↑
– 10 ↑ – 12.5 ↑ – 40 ↑ – 50 ↑ – 50 ↑ – 53.8 ↑ 15.4 61.5 ↑ – 71.4 ↑
40 40 – 37.5 37.5 – 40 – ↓ – – – 33.3 33.3 – 46.2 38.5 ↓ 30.8 66.7 ↑ 28.6 71.4 ↑
70 60 ↓ 50 62.5 ↑ 80 20 ↓ – 50 ↑ 66.7 50 ↓ 76.9 76.9 – 61.5 61.5 – 85.7 71.4 ↓
“1st Obs”—this means first observation, which data was collected in August, 2011. “2nd Obs”—means second observation, which data was collected in November, 2013.
O.M. Awoleye et al. / Government Information Quarterly 31 (2014) S118–S125
conclusion. Also the findings about SQLi gave further insight into the situation as the downward movement (reduction) cut across the categories except for ‘others’, which increased to 42.9% from 28.6% which translates to about a 14.3% hike. The findings for CM require a special note when comparing its non-existence in the first observation with sudden prevalence in the second observation. Having over 40% susceptibility for six of the eight categories that have not been vulnerable to this before is a big concern. Perhaps, this happens by accident during website upgrade or redesign without given cognizance to checking the websites for possible application flaws.
5.3. Vulnerabilities in e-government over time

Table 3 Mean table of vulnerabilities for the datasets.

| Variable | Test | N | Mean | Std. deviation | Std. error mean |
|---|---|---|---|---|---|
| XSS | Previous | 64 | .42 | .498 | .062 |
| XSS | Current | 64 | .28 | .453 | .057 |
| SQLi | Previous | 64 | .31 | .467 | .058 |
| SQLi | Current | 64 | .22 | .417 | .052 |
| CM | Previous | 64 | .03 | .175 | .022 |
| CM | Current | 64 | .45 | .502 | .063 |
| UP | Previous | 64 | .36 | .484 | .060 |
| UP | Current | 64 | .44 | .500 | .062 |
| BL | Previous | 64 | .70 | .460 | .058 |
| BL | Current | 64 | .63 | .488 | .061 |

“Previous” means first observation and “current” means second observation. Min = 0, max = 1 (having normalized the data).
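The binary coding and the tests named in Section 4.3 (independent-samples t test, with Levene's test for the equal-variance assumption), worked through as an added example that is not the authors' SPSS session. The affected-site counts are an assumption, inferred as the Table 3 means times N = 64, and the function names are this example's own.

```python
"""Recompute the Table 2 statistics from the 0/1 coding of Section 4.3.

Added example, not the authors' SPSS session. ASSUMPTION: the number of affected
sites per variable is round(Table 3 mean * 64); the paper reports no raw counts.
"""
import math

N = 64  # websites per observation
# (previous, current) affected-site counts inferred from the Table 3 means.
AFFECTED = {"XSS": (27, 18), "SQLi": (20, 14), "CM": (2, 29),
            "UP": (23, 28), "BL": (45, 40)}


def coded(k, n=N):
    """Binary coding from the paper: 1 = vulnerability present, 0 = absent."""
    return [1.0] * k + [0.0] * (n - k)


def mean(xs):
    return sum(xs) / len(xs)


def sample_var(xs):
    """Variance with the n - 1 denominator (Table 3 'Std. deviation', squared)."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def levene_f(a, b):
    """Mean-centred Levene statistic: one-way ANOVA F on |x - group mean|."""
    ma, mb = mean(a), mean(b)
    za, zb = [abs(x - ma) for x in a], [abs(x - mb) for x in b]
    mza, mzb, grand = mean(za), mean(zb), mean(za + zb)
    between = len(za) * (mza - grand) ** 2 + len(zb) * (mzb - grand) ** 2
    within = sum((z - mza) ** 2 for z in za) + sum((z - mzb) ** 2 for z in zb)
    return between / (within / (len(za) + len(zb) - 2))  # numerator df is 1


def two_tailed_p(t, df, steps=4000):
    """P(|T| >= |t|) for Student's t, by Simpson integration of the density."""
    c = math.exp(math.lgamma((df + 1) / 2) - math.lgamma(df / 2))
    c /= math.sqrt(df * math.pi)

    def pdf(x):
        return c * (1 + x * x / df) ** (-(df + 1) / 2)

    h = abs(t) / steps
    area = pdf(0.0) + pdf(abs(t))
    area += sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, steps))
    return max(0.0, 1.0 - 2.0 * area * h / 3.0)


def compare(prev_k, curr_k, n=N):
    """Independent-samples t test on two binary-coded observations of n sites."""
    a, b = coded(prev_k, n), coded(curr_k, n)
    va, vb = sample_var(a), sample_var(b)
    diff = mean(a) - mean(b)
    # Equal variances assumed: pooled variance, df = 2n - 2.
    pooled = ((n - 1) * va + (n - 1) * vb) / (2 * n - 2)
    se = math.sqrt(pooled * 2 / n)
    df = 2 * n - 2
    # Equal variances not assumed: Welch standard error, Satterthwaite df.
    se_w = math.sqrt(va / n + vb / n)
    df_w = (va / n + vb / n) ** 2 / (((va / n) ** 2 + (vb / n) ** 2) / (n - 1))
    return {
        "levene_F": levene_f(a, b),
        "mean_diff": diff,
        "se": se,
        "t": diff / se, "df": df, "p": two_tailed_p(diff / se, df),
        "t_welch": diff / se_w, "df_welch": df_w,
        "p_welch": two_tailed_p(diff / se_w, df_w),
    }


def table2():
    """One result row per vulnerability variable."""
    return {name: compare(*counts) for name, counts in AFFECTED.items()}


if __name__ == "__main__":
    for name, r in table2().items():
        print(f"{name:5s} F={r['levene_F']:8.3f} t={r['t']:7.3f} df={r['df']} "
              f"p={r['p']:.3f} | Welch df={r['df_welch']:.3f} "
              f"p={r['p_welch']:.3f} diff={r['mean_diff']:.3f} se={r['se']:.3f}")
```

Run as a script, it prints one row per variable for comparison with the F, t, df, Sig. (2-tailed), mean difference and standard error columns of Table 2.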
In Table 2, it was observed that three of the variables (XSS, SQLi and CM) are significantly different for the two datasets at 95% CI. For both high-risk vulnerabilities (XSS, SQLi) the test revealed that there is a reduction in the number of vulnerability loopholes between the previous data and the current data (given a two-year interval between the two datasets). For example, in Table 3, for the first observation for XSS, 42 websites were reported susceptible (Awoleye, Ojuloge, & Siyanbola, 2012), which thereafter reduced to 28 when the second data was collected, given μp = 0.42, σp = 0.498 and μc = 0.28, σc = 0.45 (where μp, σp represent the mean and standard deviation of the previous data respectively, while μc, σc represent the same for the current data); see Table 2. Also for SQLi, it was noticed that the infiltration reduced by one third, from 31 websites previously affected to 22 in the second observation. The t-test result for CM also showed a significant difference between the two datasets, but the negative t value indicates a change of direction relative to other variables. The CM 2-tailed value = 0.000 shows that the probability of obtaining an absolute value greater than or equal to the observed t statistic (since the difference between the sample means is purely random) is zero. Also, the CM vulnerability jumped from 3 websites previously vulnerable to 45 in the current data, which means an additional 42 websites, which is an increase of about 93%. This figure is high and hence there is a need to further investigate what is responsible for this, and to proffer an appropriate solution. This is an area for future work. Since this section deals with comparative analysis of e-government, it is also important to state that some of the websites are not affected by any one of the five vulnerability variables used for this study.
There is an increase of 13 websites, up from 7 in the first observation to 20 in the second observation, that are not affected, as computed in SPSS using the ‘compute variable’ tool for the count operation. The research noticed that XSS, SQLi and CM vulnerability have changed significantly over the years, as the findings presented by the independent t test show. The organizations may have redesigned the websites to forestall the vulnerability by input validation and by ensuring appropriate handling of characters with special meaning. Consider the standard deviation and the mean value as shown in Table 3: first, for both XSS and SQLi, there is a reduction in both vulnerabilities but the reduction in proportion is slightly higher for SQLi. The most important thing is that the population of the websites that are still vulnerable to both XSS and SQLi is still enormous. This stands as a risk of jeopardizing smooth running of e-government services and it may discourage the citizens from using the service. The findings for CM showed that this vulnerability is newly introduced to the websites. If about 93% could be affected by CM, this calls for special attention, especially if one considers the implication on the quest for a smarter government. As discussed earlier, CM could permit reading and manipulating data stored on the client side; this should be prevented, especially now that e-commerce is being promoted by the advent of cashless policy in Nigeria (Awoleye, Okogun, & Siyanbola, 2013).
6. Summary and conclusion
The rate at which technology is changing faster than ever before cannot be over-emphasized, but it is pertinent to state that organizations, government and society are not moving with the change so as to meet up with the challenges. This failure to keep up with change could be blamed for the inadequacies found on the e-government platforms investigated in this study. Most of the e-government sites in Nigeria are susceptible to different forms of web application error, although about a third of the websites are reported invulnerable in the recent data collected. When the two datasets were compared using the same sets of variables on 64 government websites, we found a reduction in the level of vulnerability for three of the parameters, viz. XSS, SQLi and BL, by 14.1%, 9.4% and 7.5% respectively, as depicted by the descriptive analysis in Fig. 1. Further analysis using independent t statistic presented significant reduction in the susceptibility of two (XSS and SQLi) of these variables.
Though a reduction is recorded for these two high-risk variables, the fact still remains that currently the susceptibility still stands at 28.1% for XSS and 21.9% for SQLi. The difference in the CM is also reported to be high (about 93%); this is also tested by a t-test statistic. The negative t value (t = −6.350) indicates the direction (increased vulnerability) relative to its other counterparts (XSS and SQLi) that was also significant. It is important to state that the categories of organization do not influence the vulnerability over the two independent observations. Although a closer inspection of Table 2 revealed that some of the parameters for the category ‘media’ were missing or are not represented, this may be largely due to its low representation in the exercise (N = 2), and this may not be representative.

Table 2 Independent t-statistic table of e-government vulnerabilities for the datasets.

| Variable | Variances | F | Sig. | t | df | Sig. (2-tailed) | Mean difference | Std. error difference | 95% confidence interval of the difference: Lower | Upper |
|---|---|---|---|---|---|---|---|---|---|---|
| XSS | Equal variances assumed | 9.837 | .002 | 1.671 | 126 | .097 | .141 | .084 | −.026 | .307 |
| XSS | Equal variances not assumed | | | 1.671 | 124.906 | .097 | .141 | .084 | −.026 | .307 |
| SQLi | Equal variances assumed | 5.774 | .018 | 1.198 | 126 | .233 | .094 | .078 | −.061 | .249 |
| SQLi | Equal variances not assumed | | | 1.198 | 124.386 | .233 | .094 | .078 | −.061 | .249 |
| CM | Equal variances assumed | 414.250 | .000 | −6.350 | 126 | .000 | −.422 | .066 | −.553 | −.290 |
| CM | Equal variances not assumed | | | −6.350 | 78.167 | .000 | −.422 | .066 | −.554 | −.290 |
| UP | Equal variances assumed | 2.877 | .092 | −.898 | 126 | .371 | −.078 | .087 | −.250 | .094 |
| UP | Equal variances not assumed | | | −.898 | 125.860 | .371 | −.078 | .087 | −.250 | .094 |
| BL | Equal variances assumed | 3.373 | .069 | .932 | 126 | .353 | .078 | .084 | −.088 | .244 |
| BL | Equal variances not assumed | | | .932 | 125.580 | .353 | .078 | .084 | −.088 | .244 |

In conclusion, the majority of e-government initiatives on web platforms in Nigeria are vulnerable to XSS, SQLi and CM. As explained earlier, XSS enables an attacker to infiltrate government sites. This can be done by causing website defacement, usually by injecting malicious scripts in the form of JavaScript etc.; such code can further be used to change the content of a web page and can even alter the price of an item on any e-commerce or online shopping website (Hsieh et al., 2006). SQL injection can give a perpetrator the possibility of manipulating the integrity of databases and may even execute some arbitrary code to alter tables on the server. Cookie manipulation concerns the cookie, a small piece of information usually created by the web server and stored in the web browser; each time the user accesses the web server, this data is readily available and is passed back to the server. It contains information used by web applications that causes persistence and can pass information back and forth in the client–server environment (Hsieh et al., 2006). These attacks have been notorious for these nefarious activities over the years, but e-governments are still vulnerable. How then do we achieve the goal of a smarter government if this is not speedily addressed? As new technologies emerge, it is important to also create innovative ways of managing such systems, especially public related web platforms.
This is important because a good number of services are now offered through these platforms to the public and quite a number of databases are also put online to meet the needs of the citizens.
6.1. Policy
There are three key stakeholders that can contribute to the successful transformation of e-government to a smarter one. These are the citizens (public), the organizations (including both government and non-government) and the government at all levels (local, state and federal). If the process of having seamless service is treated as an important issue, compliance from these key players will go a long way in repositioning e-government status in Nigeria. If these stakeholders will adopt the maxim of equity, then this can be achieved. The maxim of equity states that ‘he that comes to equity must come with clean hands’. Equity sees that, having done what ought to be done, if we all do the right thing then we would not have a problem. Let the public use the service responsibly and also treat the platform as a public property rather than the government's. While this policy suggestion is good, the only challenge to this will be the level of compliance; hence taking a more pragmatic step will not be out of place. We are also aware that other people will also have access to the resources beyond the borders of Nigeria, since the service rides on a platform that cannot be hindered by any geographical boundary. It is at this instance that a more practicable solution is put to the fore. Let the federal government present a guideline for using the service and ensure compliance. Let there be standards following best practices that will serve as a guide for any e-government platforms. Let there be a body that will be responsible for carrying out a thorough verification and certifying such e-government websites before they are approved to be made public.
The symbol of government certification could also be placed on the home page of such websites as evidence to instill trust and confidence in the website users and to assist the task force to confirm the authenticity of the same. Re-certification may also be necessitated for these websites every two years because of the evolutionary nature of the e-government system. Also on the part of the organization, they must be ready to comply and to ensure all round functionality for their websites as well as see continuous monitoring of the web security as a necessary task that must be given adequate attention.
References Ajayi, G. O. (2003). E-government in Nigeria's e-strategy. The Fifth Annual African Computing and Telecommunications Summit, Abuja, Nigeria. Akunyili, D. (2010). ICT and e-government in Nigeria: Opportunities and challenges. World Congress on Information Technology, Amsterdam, The Netherlands, 25th–27th May 2010, 2013 (available on http://goafrit.wordpress.com/2010/06/12/ict-and-egovernment-in-nigeria-prof-akunyili/Accessed on 7th December). Almgren, M., Debar, H., & Dacier, M. (2000). A lightweight tool for detecting web server attacks. Network and Distributed System Security Symposium (NDSS 2000) (pp. 157–170). Anley, C. (2002). Advanced SQL injection in sql server applications. Available on. http:// www.ngssoftware.com/papers/advanced_sql_injection.pdf (accessed on 16th November, 2012) Anthopoulos, L. G., Siozos, P. T., & Soukalas, I. A. (2007). Applying participatory design and collaboration in digital public services for discovering and re-designing egovernment services. Government Information Quarterly, 24, 353–376. Awoleye, O. M., Ojuloge, B., & Siyanbola, W. O. (2012). Technological assessment of egovernment web presence in Nigeria. The 6th International Conference on Theory and Practice of Electronic Governance, Albany, NY, USA, 22–25 October. Awoleye, O. M., Okogun, O. A., & Siyanbola, W. O. (2013). Technological assessment of banking innovation in Nigeria. African Journal Accounting, Auditing and Finance, 2(2), 157–174. Awoleye, O. M., Oluwaranti, A. I., Siyanbola, W. O., & Adagunodo, E. R. (2008). Assessment of e-governance resource use in southwestern Nigeria. Proceedings of the 2nd international conference on theory and practice of electronic governance. Cairo, Egypt. ACM International Conference Proceeding Series. (pp. 154–159). Backus, M. (2001). E-governance and developing countries: Introduction and examples. Report No 3, April 2001 (Available on http://www.ftpiicd.org/files/research/reports/ report3.pdf accessed 12th April, 2013). 
Balduzzi, M., Gimenez, C. T., Balzarotti, D., & Kirda, E. (2010). Automated discovery of parameter pollution vulnerabilities in web applications. NDSS 2011, 18th Annual Network and Distributed System Security Symposium, 6–9 February 2011, San Diego, CA, USA. Bandhakavi, S., Bisht, P., Madhusudan, P., & Venkatakrishnan, V. N. (2010). CANDID: Preventing SQL injection attacks using dynamic candidate evaluations. WWW 2010, April 26-30, 2010. North Carolina, USA: Raleigh ACM978-1-60558-799-8/10/04 Available on http://cs.uiuc.edu/~madhu/ccs07.pdf. Barrantes, E., Ackley, D., Forrest, S., Palmer, T., Stefanovic, D., & Zovi, D. (2003, October). Randomized instruction set emulation to disrupt binary code injection attacks. Proceedings of the 10th ACM conference on computer and communications security (pp. 281–289). Bates, D., Barth, A., & Jackson, C. (2010). Regular expression considered harmful in client-side XSS filters. WWW 2010, April 26–30, 2010, Raleigh, North Carolina, USA (ACM 978-1-60558-799-8/10/04. Available on http://www.collinjackson. com/research/xssauditor.pdf). Cenzic (2009). Web Application Security Trends Report Q1–Q2, 2009. Available on. http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf (accessed 25th April, 2013) CERT (2000). Advisory CA-2000-02: Malicious HTML tags embedded in client web requests. Available on. http://www.cert.org/advisories/CA-2000-02.html (accessed 13th April, 2013) Chan, C. M. L., Lau, Y., & Pan, S. L. (2008). E-government implementation: A macro analysis of Singapore's e-government initiatives. Government Information Quarterly, 25(2008), 239–255. Chen, H. (2002). Digital government: Technologies and practices. Decision Support Systems, 34(3), 223–227. Chen, Y., & Gant, J. (2001). Transforming local e-government services: The use of application service providers. Government Information Quarterly, 18, 343–355. Chien, E. (2006). Malicious Yahooligans. Available on. 
http://www.symantec.com/ avcenter/reference/malicious.yahooligans.pdf (accessed 16th November, 2012) Christey, S., & Martin, R. A. (2007). Vulnerability type distributions in CVE. Available on. http://cve.mitre.org/docs/vuln-trends/vuln-trends.pdf (accessed 16th November, 2012) Cook, S. (2003). A web developer's guide to cross scripting. Available on. http://www. sans.org/reading_room/whitepapers/securecode/web-developers-guide-cross-sitescripting_988 (accessed on 12th April, 2013) CWE-SANS (2010). Top 25 most dangerous programming errors. http://www.applicure. com/blog/cwe-sans-top-25-dangerous-programming-errors (Accessed May 05, 2013) Ebrahim, & Irani (2005). E-government adoption: Architecture and barriers. Business Process Management Journal, 11(5), 589–611. Endler, D. (2002). The evolution of cross site scripting attacks. Technical report. iDEFENSE Labs (Available on http://www.cgisecurity.com/lib/XSS.pdf accessed 12th April, 2013). Erlingsson, U., Livshits, B., & Xie, Y. (2009). End-to-end web application security. Microsoft Research (Available on http://static.usenix.org/event/hotos07/tech/full_papers/ erlingsson/erlingsson.pdf). Fatile, J. O. (2012). Electronic governance: Myth or opportunity for Nigerian public administration? International Journal of Academic Research in Business and Social Sciences, 2(9) (available on http://www.hrmars.com/admin/pics/1104.pdf accessed 4th December, 2013). Gil-García, J. R., & Martinez-Moyano, I. J. (2005). Exploring e-government evolution: The influence of systems of rules on organizational action. NCDG Working Paper No. 05001. Gundy, M. V., & Chen, H. (2012). Noncespaces: Using randomization to defeat cross-site scripting attacks. Computers and Security, 31(2012), 612–628.
Halfond, W. G. J., & Orso, A. (2005). AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks. 20th IEEE/ACM International Conference on Automated Software Engineering, CA, USA (pp. 174–183). Halfond, W. G. J., Viegas, J., & Orso, A. (2006). A classification of sql injection attacks and counter measures. College of Computing Georgia Institute of Technology (Available on http://www.cc.gatech.edu/~orso/papers/halfond.viegas.orso.ISSSE06.pdf). Halkidis, S. T., Chtzigeorgiou, A., & Stephanides, G. (2006). A practical evaluation of security patterns. Available on. http://users.uom.gr/~achat/papers/AIDC2006.pdf (retrieved 12th April, 2013) Hee-joon, S. (2002a). Analysis on the improved effects of administrative transparency of the e-government. Administrative Treaties, 40(4), 109–134. Hee-joon, S. (2002b). Prospects and limitations of the e-government initiative in Korea. International Review of Public Administration, 7(2), 45–53. Higgins, K. J. (2006). Cross site scripting: Attackers' new favourite flaw. Available on. http://www.darkreading.com/security/application-security/208804050/crosssitescripting-attackers-new-favorite-flaw.html Howard, M., & LeBlanc, D. (2003). Writing secure code (2nd ed.). Redmond, WA: Microsoft Press. Hsieh, M. -D., Wang, T. -P., Tsai, C. -S., & Tseng, C. -C. (2006). Stateful session handoff for mobile WWW. Information Sciences, 176, 1241–1265. Huang, Y. W., Huang, S. K., & Lin, T. P. (2003). Web application security assessment by fault injection and behaviour monitoring. WWW2003, May 20–24, 2003, Budapest, Hungary (ACM 1-58113-680-3/03/0005. Available on http://www2003.org/cdrom/papers/refereed/p081/FINAL_WAVES_WWW2003.htm). Ifinedo, P. (2005). Measuring Africa's e-readiness in the global networked economy: A nine-country data analysis. The International Journal of Education and Development using Information and Communication Technology, 1(1), 53–71.
Ifenedo, P. (2006). Towards e-government in a sub-Saharan African country: Impediments and initiatives in Nigeria. Available on. http://www.researchgate.net/ publication/232981268_Towards_E-Government_in_a_Sub-Saharan_African_ Country/file/72e7e52616c2281cdd.pdf (Accessed on 7th December, 2013) infoDev/World Bank (2009). E-government primer, Washington DC. Available at. http:// www.infodev.org/publications (accessed 20th April, 2013) Kc, G. S., Keromytis, A.D., & Prevelakis, V. (2003, October). Countering code-injection attacks with instruction-set randomization. Proceedings of the 10th ACM conference on computer and communications security (pp. 272–280). ACM Press. Kim, S., Jeong, S. K., & Lee, H. (2009). An institutional analysis of an e-government system for anti-corruption: The case of OPEN. Government Information Quarterly, 26, 42–50. Kirda, E., Jovanovic, N., Kruegel, C., & Vigna, G. (2009). Client-side cross-site scripting protection. Computer and Security, 28(7), 592–604. Layne, K., & Lee, J. (2001). Developing fully functional e-government: A four stage model. Government Information Quarterly, 18(2001), 122–136. Lee, I., Jeong, S., Yeo, S., & Moon, J. (2011). A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modeling, 55(1–2), 58–68. Malerba, F., Nelson, R., Orsenigo, L., & Winter, S. (1999). History friendly models of industry-evolution: The computer industry. Industrial and Corporate Change, 8(1), 3–41. Martinez-Romo, J., & Araujo, L. (2012). Updating broken web links: An automatic recommendation system information processing and management, 48(2012), 183–203. Metcalfe, J. S. (1994). Evolutionary Economics & Technology Policy. The Economic Journal, 104(425), 931–944. Mitropoulos, D., & Spinellis, D. (2009). SDriver: Location-specific signatures prevent SQL injection attacks. Computer and Security, 28(3–4), 121–129. Moen, V., Klingsheim, A. N., Simonsen, K. I. F., & Hole, K. J. 
(2006). Vulnerabilities in egovernments. Proc. 2nd International Conference on Global E-Security (ICGeS-06), London, England, April 20–22 (pp. 2006). Moen, V., Klingsheim, A. N., Simonsen, K. I., & Hole, K. J. (2007). Vulnerabilities in egovernments. International Journal of Electronic Security and Digital Forensics, 1(1), 89–100. Mohammed, S., Abubakar, M. K., & Bashir, A. (2010). E-government in Nigeria: A catalyst for national development. International conference on development studies. Nigeria: University of Abuja, F.C.T (Available on http://www.abu.edu.ng/publications/200906-23-113825_373.doc accessed on 4th December, 2013). Moon, M. J. (2002). The evolution of e-government among municipalities: Rhetoric or reality? Public Administration Review, 62(4), 424–433. Nelson, R., & Winter, S. (1982). An evolutionary theory of economic change. Cambridge: Belknap Press. OWASP (2004). The ten most critical web application security vulnerabilities. Open Web Application Security Project (Available on http://umn.dl.sourceforge.net/sourceforge/ owasp/OWASPTopTen2004.pdf).
OWASP, Open Web Application Security Project (). The ten most critical web application security vulnerabilities. Available on. http://www.owasp.org/images/e/e8/OWASP_ Top_10_2007.pdf Pauli, J. J., Engebretson, P. H., Ham, J., & Zautke, M. J. (2011). CookieMonster: Automated session hijacking archival and analysis. Eighth International Conference on Information Technology: New generations (pp. 403–407). Rokhman, A. (2011). E-government adoption in developing countries; the case of Indonesia. Journal of Emerging Trends in Computing and Information Sciences, 2(5), 228–236. Sang-ho, Y. (2002). Study on the development and application of e-government maturity assessment model. Korea Policy Academy Society News, 11(4), 243–271. SANS Institute (2009). Top cyber security risks. Available on. http://www.sans.org/topcyber-security-risks/summary.php Schelin, S. H. (2003). E-government: An overview. In G. D. Garson (Ed.), Public information technology: Policy and management issues (pp. 120–137). Hershey, PA: Idea Group Publishing. Wang, Y. (2002). The adoption of electronic tax filing systems: An empirical study. Government Information Quarterly, 20, 333–352. Wangpipatwong, S., Chutimaskul, W., & Papasratorn, B. (2005). Factors influencing the adoption of Thai e-government websites: Information quality and system quality approach. Proceedings of the Fourth International Conference on eBusiness, Bangkok, Thailand. Whitson, T. L., & Davis, L. (2001). Best practices in electronic government: Comprehensive electronic information dissemination for science and technology. Government Information Quarterly, 18(2001), 79–91. Xie, Y., & Aiken, A. (2006). Static detection of security vulnerability in scripting languages. 15th USENIX Security Symposium, 2006 (Available on http://theory.stanford.edu/ ~aiken/publications/papers/usenix06.pdf). Yves, Y., Wouter, J., & Frank, P. (2005). A methodology for designing counter measures against current and future code injection attacks. 
Proceedings of the third IEEE international information assurance workshop. College Park, Maryland, USA: IEEE Press. Zhao, J. J., & Zhao, S. Y. (2010). Opportunities and threats: A security assessment of state egovernment websites. Government Information Quarterly, 27, 49–56.
Michael O. Awoleye is a Research Fellow in the African Institute for Science Policy and Innovation, Obafemi Awolowo University, Ile-Ife, Nigeria. Mr. Awoleye earned his B.Sc. degree in Computer Science in Olabisi Onabanjo University and proceeded to the United Kingdom to obtain his M.Sc. in Information Engineering with Network Management at the Robert Gordon University, Aberdeen, Scotland. He is about completing his Ph.D. in Technology Management at the African Institute for Science Policy and Innovation at the Obafemi Awolowo University, Nigeria. His interest is in the area of policy oriented research such as innovation studies, web/data mining and application security, computer networks, case-based reasoning among others. He has spent over a decade in the public service and has a number of publications to his credit. Blessing Ojuloge. A research officer in the Training and Research department of the National Centre for Technology Management, an Agency of the Federal Ministry of Science and Technology. He has his background in Computer Science from a reputable university in Nigeria and he is presently undertaking his M.Sc. degree program in Computer Science at the University of Nigeria, Nsukka, Nigeria. His area of research interest includes web/internet technology, computer networks, network and computer securities and information technology management. Mathew O. Ilori. A Professor of Technology management and former director at the Technology Planning and Development Unit, Obafemi Awolowo University, Ile-Ife. He obtained his first degree in Chemistry from the University of Ife and his Masters (Food Science and Technology) in the same university. He thereafter proceeded to the University of Ibadan for his Ph.D. in Food Technology and in 1999 he became a professor of Technology Management. He is a policy analyst and a seasoned researcher with active participation in the development of many public policies in the area of Science Technology and Innovation. 
He has published over 100 peer reviewed papers at both local and international learned journals.