This case describes the issues associated with a small business entrepreneur who relies on information technology to provide the competitive edge in his video business. Background on the business, the business owner, the employees, and the technology used is included to create the environment for the exploration of ideas.
On a cold day in January, Richard Maze sat in his favorite café with a regular cup of coffee and the morning newspaper. The front page headline caught his eye; it read “Information stolen, business being sued.” Immediately, Richard looked to see what business had been compromised. He thought to himself—it can’t be a small-sized business like Video Maze; it must be a multinational company for there to be so much hype. Upon further review, however, Richard was amazed to see the company in question was very similar to his own both in size and structure. Although the business was similar in structure, the function differed. All of these things set Richard to thinking—what do I have in place for my business? Next year I am planning to expand operations by adding another location in a city 20 miles away. Will my current system setup carry over to the new location? Can I interface the two systems and operate my computer services at a cost savings?
With these questions in mind, Richard set out to determine how to more efficiently run his business, while at the same time protect it from the range of new problems in security and operations associated with the continuously changing IT sector.
Video Maze opened in the downtown area of the heavily populated city of Millville, by Richard Maze in 2005. Video Maze later registered the business name as DVD Video Maze, and as the new title indicated, both DVDs and videos were for sale or rental. The video/DVD business had been the primary operation, but a variety of amenities available from the coffee bar made the video selection a pleasure for customers rather than a task. Customers could sit at one of the 10 PCs and view movie choices by searching the online database with key words or favorite titles rather than walk the perimeter of the store trying to read empty video cases. Not only could the choices be viewed in the store, but they could be viewed in the comfort of the customer’s home. Customers could send an email to the shop to make or confirm a movie reservation instead of doing it through the Web page. At pickup, employees requested the customer’s reservation code to call up their record for processing. At this point, the exchange was made, the customer got the DVD or video, and the employee received the payment, which was entered into the system.
The coffee bar menu included tea/coffee, cappuccino, pop, juice, and water. Snacks included chips, bars, nachos, and other confectionary items. The goal was to make refreshments and snacks available to customers while using the computers, or to take home with them, for a reasonable price.
Customers could use the computers to check their email and browse the Internet and, therefore, receive an added benefit to their DVD Video Maze experience. Convenience, ease of use, and availability of the computers, which otherwise would be unused, lent more value to the social aspect of the business.
The impact of information technology on this business has yielded high returns in the past. Competitors were gradually shifting to online booking and soon it would be the industry norm. Future growth would depend on the efficiencies of the information system within the business.
Management and Staffing at Video Maze
The organizational structure was comprised of the owner/operator (Richard), the manager (Jenna), the techy (Chris), the video/DVD clerks (Brad, Sam, Harvey, Judy), and the confectionary clerks (Sue, Brandon, Calvin, and Meredith). See Figure 4C-1.
Each employee was permitted full access to the computer network for personal use during slow periods in the day. Richard tried to stress, however, that business operations were the first priority.
Richard’s educational background focused on the Arts. His entrepreneurial spirit was sparked from an urgency to experiment with the unknown adventures of business. When it came to technology, Richard admitted he was afraid of it. Richard relied heavily on the expertise provided by Chris. Richard had decided to offer Chris a challenge if Chris would agree to manage all IT-related areas for both the current and new business operations. If Chris accepted the challenge, he would receive a raise in pay.
Chris was self-taught and easy-going. His interest and excitement over processing power had traditionally caused him to exceed his hardware budget unnecessarily. Chris had been with the business a long time and reassured Richard that he stayed current with the changing IT industry.
The video/DVD clerks ranged in experience levels for data entry and transaction processing. The transactions were processed in the DVD/video computer system. The coffee bar clerks provided the customer with the product and received the payment, thereby completing the transaction. The cash transactions were entered into the database as they occurred.
The hardware configuration was a very important component of the business operations. Richard knew that the Ethernet network consisted of a bank of 10 PCs wired (cat 5e) in a star topology. Chris had prepared a network diagram and store layout as well as system hardware specifications for the servers, computers, and printers. This information is provided later in Figures 4C-2 and 4C-3 in the section called “Supplemental Information.”
Windows® 2003 was installed on the operational server. The other server, which was set up to mirror the operational server, was housed in the basement in the area that had a foundation. Chris was pleased with his planning and boasted of the online, up-to-date, current backup, which was ready to be used at any time. He figured this scenario was better than using CDs, DVDs, or tapes because it eliminated storage problems. Chris strongly believed that tape media was at risk of damage in a damp basement.
Windows® 2003 comes with a default setup and Chris installed it with only one change. He created read/write access for all DVD Video Maze employees, and a multi-user customer login “video” with the password “maze.” Chris left inactive accounts from past years installed for testing on the system.
Chris had set up each of the PC workstations to perform standard functions for the customers, which included the search and selection of titles from the DVD/video database, the option to view the clips of the titles and to reserve the title from the computer bank in-house or from home. The software used for this was a Microsoft Access® database interfaced with a Web page form. The Web page was located on the main server. The fees for Internet access were monthly. The PCs had a browser installed to access the Internet via the local ISP. Chris felt that some of the software bundled with the PCs at the time of purchase was not necessary and, therefore, did not install it. See the following section of supplemental information for a complete list of the bundled software. Norton Security software was resident on all systems but was not active.
Any user/customer could log in to a PC, modify or save any kind of files to the hard drive, anywhere on the network except for Chris’s. Chris set himself up as administrator on the server and used administrator access rights only to clear log files accruing on the server. If he could have figured out how to stop log files from being created, he would put an end to them.
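The setup described in the two paragraphs above (a default install, a shared customer login with a published password, leftover inactive accounts, write access for everyone, and an administrator who clears the server logs) is exactly what a configuration audit should surface. The following Python script is an added example written for this page; it is not code from the case, from Chris, or from the students. The Account and Share records, the action tuples, the sample data, and the 90-day inactivity threshold are all constructed assumptions that stand in for whatever an auditor would export from the real server.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records modelled on the case description; they are not
# real Video Maze data. Account, Share and the (action, log_name) tuples are
# assumptions made for this example.

@dataclass
class Account:
    name: str
    enabled: bool
    last_login: date
    shared: bool = False             # one login used by many people (e.g. a customer login)
    password: Optional[str] = None   # only known where the password is handed out to users
    is_admin: bool = False

@dataclass
class Share:
    path: str
    everyone_can_write: bool

# Passwords that are trivially guessable in this context (constructed list).
WEAK_PASSWORDS = {"", "password", "123456", "video", "maze"}

def audit_accounts(accounts, today, inactive_days=90):
    """Flag shared logins, weak published passwords and stale-but-enabled accounts."""
    findings = []
    for a in accounts:
        if a.shared:
            findings.append(f"{a.name}: shared login removes accountability; issue individual accounts")
        if a.password is not None and a.password.lower() in WEAK_PASSWORDS:
            findings.append(f"{a.name}: weak or guessable password")
        idle = (today - a.last_login).days
        if a.enabled and idle > inactive_days:
            findings.append(f"{a.name}: enabled but unused for {idle} days; disable or remove")
    return findings

def audit_shares(shares):
    """Flag locations where any user can modify files (no least privilege)."""
    return [f"{s.path}: Everyone can write; restrict to the role that needs it"
            for s in shares if s.everyone_can_write]

def audit_log_handling(admin_actions):
    """admin_actions is an ordered list of (action, log_name).
    Clearing a log that was never archived destroys the record an incident
    responder would need, so every clear_log without a preceding archive_log
    of the same log is a finding."""
    findings = []
    archived = set()
    for action, log_name in admin_actions:
        if action == "archive_log":
            archived.add(log_name)
        elif action == "clear_log":
            if log_name not in archived:
                findings.append(f"{log_name}: cleared without archiving; retain or forward logs first")
            archived.discard(log_name)
    return findings

def run_audit(accounts, shares, admin_actions, today):
    """Group the findings by area so each one maps to an owner and a fix."""
    return {
        "accounts": audit_accounts(accounts, today),
        "shares": audit_shares(shares),
        "logs": audit_log_handling(admin_actions),
    }

# Constructed inputs echoing the case: a multi-user customer login "video"/"maze",
# a leftover test account, an open share, and an administrator who clears logs.
SAMPLE_ACCOUNTS = [
    Account("video", True, date(2008, 1, 15), shared=True, password="maze"),
    Account("chris", True, date(2008, 1, 15), is_admin=True),
    Account("jenna", True, date(2008, 1, 14)),
    Account("test2006", True, date(2006, 3, 2)),
    Account("brad", True, date(2008, 1, 15)),
]
SAMPLE_SHARES = [Share(r"\\server\public", True), Share(r"\\server\chris", False)]
SAMPLE_ADMIN_ACTIONS = [
    ("clear_log", "Security"),
    ("archive_log", "Application"),
    ("clear_log", "Application"),
]
SAMPLE_TODAY = date(2008, 1, 16)

if __name__ == "__main__":
    for area, items in run_audit(SAMPLE_ACCOUNTS, SAMPLE_SHARES, SAMPLE_ADMIN_ACTIONS, SAMPLE_TODAY).items():
        print(area)
        for item in items:
            print("  -", item)
```

Run on the sample data the script reports the shared "video" login twice (shared, and weak password), the enabled "test2006" account that has not been used in years, the public share that everyone can write to, and the Security log that was cleared without being archived first; the Application log, archived before it was cleared, produces no finding. Each finding names the remediation, which is the form a threat and risk assessment for Richard would want.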
The cash systems accessed the database to view the customer’s selection and ultimately processed the transaction and updated the inventory table. The interface to interact with the Microsoft Access® database and perform cash register functions was developed years ago by an old friend of Chris’s. Additional staff information such as scheduled shifts and employee records were also a part of the same Microsoft Access® database.
Chris designed the business database in Microsoft Access® 2007. The database had multiple tables and multiple keys. The key for the tables associated with the customer was the customer number. The key associated with the timesheets and payroll information was the employee number. Chris used remote software to log in and fix problems from home or elsewhere.
Chris figured all customers knew their customer number so it made a perfect key for entering transactions. As a precaution, Chris printed a list of all customers and their associated numbers just in case a customer forgot their number. The video/DVD clerks found this a nuisance at peak times and often relied on guesses to put customer numbers in. Chris set up the same scenario for employee numbers. When the field naming system had been devised, Chris had told Richard that he jotted down the fields quickly and might be missing some information but “it wasn’t a concern” because anyone could get the idea of what the labels represented.
Richard noted that one of his employees always sat at the computer farthest away from everyone. He never seemed to share his Internet search results with anyone and was consciously monitoring anyone who sat at that same computer. Richard asked Chris if there was any chance that Brad could be using the computer inappropriately and if he would be legally obligated and possibly have his computer equipment confiscated. Chris did not know the answer to Richard’s question.
Some of the employees had received complaints from customers. Some customers said it took forever to access the DVD/Video Maze Web page, and when they did get into the system, it took a long time to process their selection. Chris told the clerks the system was like anything else: it has good days and bad days and there was nothing to be concerned about. He said the backup server was online and ready to go if the main server crashed.
As for business reporting, every couple of months Chris met with Richard to discuss improvements for the computer aspects of the operation. Each time, Chris spoke in technical language emphasizing the need for replacement or for upgrades to the existing systems. Richard, unfamiliar with the lingo, invested additional dollars trying to stay on top of the technology wave. Chris believed speed was what the customers wanted when searching the database and insisted that hardware was the way to go. Chris believed the computer bank should be upgraded constantly.
Chris reassured Richard that the business expansion discussed earlier was simple. He said the new operation required onsite hardware the same as the current site and another ISP connection. All transactions and business processing could be processed at the main site (current site).
With respect to working hours, Chris logged many hours of work and ultimately received a paycheck greater than anyone else working at Video Maze, including Richard. Richard felt this was fair considering his lack of knowledge when it came to IT.
Chris’s time was usually devoted to removing files from the system hard drives. Chris had asked Richard to approve specifications to upgrade all the hard drives. Chris felt the upgrade would pay for itself by reducing the number of hours he spent cleaning the hard drives.
Employees were permitted to check their email account during break time. Several months ago, during one of Chris’s breaks, he noted an email from a friend in the industry, which included an attachment about server disaster guidelines (see the Windows 2000 Server Disaster Recovery Guidelines in the section of Supplemental Information later in this case). Chris felt he didn’t have the time to read it now but put it in his “to do” pile. He figured it was outdated anyway. He never did seem to get the time to read emails like this and others.
The Situation and Alternatives
After his eye-opening experience while having coffee that January morning, Richard decided that he would contact Chris, his PC specialist, to discuss the current system. During their conversation, Chris firmly stated the system was secure and that there was no way business information could be compromised. Chris refused to even consider the possibility of risk and told Richard he did not have the time to “fool around” with unimportant tasks such as an assessment on a system he knew by heart. Chris did agree, however, to give Richard permission to pass on his notes on the system and setup to someone else, if Richard really felt it was necessary to have an assessment conducted.
After the discussion with Chris, Richard decided to contact his good friend Paul, who was an IT instructor at the local university. Paul suggested having a group of his competent students investigate and observe the business operation with the intent of producing a threat and risk assessment document. A time was set up for Richard to speak with the class, and once the meeting was over, Richard felt he had been well received by the Systems Security, Audit, and Control class. He also felt assured that the students would meet the challenge. Richard passed the business information on to the students. He was, however, unable to answer any additional questions other than the information provided by Chris by way of his notes and his own knowledge.
It was now several weeks since Richard had given the students the details, and in that time Richard was doing a lot of thinking. A threat and risk assessment might answer the security question, but not the business expansion question and vice versa. Is the business system secure? Is the business system scalable to accommodate a second business at a different location? Is Richard responsible for the security of his customers’ information? Is Richard responsible for the actions of his employees in the workplace? Are there any inefficiencies in the system or the business that could be corrected? He looked forward to receiving the students’ response, and he hoped their analysis would shed light on some of these important questions.
Case Study 4C: Business Risk
A threat and risk assessment for the owner of Video Maze takes into consideration that every customer’s security needs are unique. Video Maze’s regulatory requirements, its specific threats, budget, existing information technology, business environment, and risk tolerance all contribute to the kind of solutions that are unique to the business. In Richard’s Video Maze, determining and implementing an optimal protection solution that meets the business needs relies on a threat and risk assessment, which concentrates on defining whether or not the business system is secure, whether or not Richard is responsible for the security of his customers’ data, weighing Richard’s responsibility towards his employees in the workplace, and whether other inefficiencies that could be corrected exist in the business.
There is a need to know the strength of the security behind Video Maze. Apart from the creation of a strong username and password, there may be a need for professional guidance in dealing with security threats. The owner of Video Maze has ensured that his business has a technology expert, who provides his expertise on information technology matters. The technology expert has ensured that the hardware specifications as well as the software specifications are all working and secure.
However, there is suspicion about the behavior of some employees during business operations and occasionally during break time. An employee named Brad has been noted never to share his Internet search information with others. He is also noted to behave suspiciously when someone else uses his computer. Brad is, therefore, noted as a security threat to the Video Maze system. Coincidentally, some customers have complained about slow Internet access when reaching the Maze Web page. Chris is also reported to have ignored an email from a friend in the industry, which had included an attachment about server disaster guidelines, a factor that could compromise the entire system.
The negligence of the professional technology expert should prompt the hiring of another expert, whose actions would not put the entire system at risk. The suspicious behavior of an employee and the slow Maze Web page call for an audit of the system’s servers to check whether the security of the business has been compromised. Richard’s decision to call for a security audit will most likely yield the required threat and risk assessment document from the competent information technology students at the local university.
Information technology security risk has often been seen as a function of threat, vulnerability, and asset value. Countermeasures can be put in place to reduce the security risks. The countermeasures should be structured such that the probability of a threat materializing is reduced. The measures can also reduce vulnerability as well as reduce the impact caused when a threat does materialize (Last, 2001).
The countermeasures in Richard’s Video Maze include the backup server, which could be used in case the entire system was compromised, and the frequent upgrading of the system to modern technology. With a security audit in place and the countermeasures checked regularly, the company system is scalable to have room for another company at a separate location, which Richard had thought of. In case the system were compromised, the online backup would be essential in retrieving customer information and other useful data for the business.
In Richard’s case, risk can be termed as a function of asset value, threat, and vulnerability. The risks that would still exist even after applying countermeasures would have to be considered by the management and be accepted or rejected by the employees. The risk factor is illustrated in the figure below (ENISA, 2006, p. 10).
[Figure (ENISA, 2006, p. 10): Asset Value, Threat, and Vulnerability combine to form Risk; Countermeasures reduce that risk, and what remains is Residual Risk.]
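The three paragraphs above state the model in words: risk is a function of asset value, threat, and vulnerability; countermeasures lower the probability of a threat, the vulnerability, or the impact; what is left is residual risk for management to accept or reject. The Python below is an added example written for this page to make that arithmetic concrete for Video Maze. It is not the students’ assessment and not ENISA’s method: the 1 to 5 scales, the product formula, the scenarios, the countermeasure effects, and the risk appetite threshold are all constructed assumptions chosen to mirror the case narrative.

```python
from dataclasses import dataclass, replace
from typing import List

# Illustrative scoring model for risk = f(asset value, threat, vulnerability).
# The 1..5 scales, the scenarios and the countermeasure effects are constructed
# for this example; they are not figures from the case or from ENISA.

@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: int     # 1..5 impact if the asset is lost, altered or disclosed
    threat: int          # 1..5 likelihood that a threat acts against the asset
    vulnerability: int   # 1..5 ease with which the threat succeeds

@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat_reduction: int = 0         # lowers likelihood (e.g. removing stale accounts)
    vulnerability_reduction: int = 0  # lowers exposure (e.g. individual strong logins)
    impact_reduction: int = 0         # lowers damage if it happens (e.g. tested offsite backup)

def clamp(v: int) -> int:
    """Keep every factor on the 1..5 scale."""
    return max(1, min(5, v))

def risk(s: Scenario) -> int:
    """Raw risk before controls: the product of the three factors (max 125)."""
    return s.asset_value * s.threat * s.vulnerability

def apply_countermeasures(s: Scenario, cms: List[Countermeasure]) -> Scenario:
    """Return the scenario as it looks after the countermeasures. No factor
    drops below 1, which is why some residual risk always remains."""
    return replace(
        s,
        asset_value=clamp(s.asset_value - sum(c.impact_reduction for c in cms)),
        threat=clamp(s.threat - sum(c.threat_reduction for c in cms)),
        vulnerability=clamp(s.vulnerability - sum(c.vulnerability_reduction for c in cms)),
    )

def residual_risk(s: Scenario, cms: List[Countermeasure]) -> int:
    return risk(apply_countermeasures(s, cms))

def assess(plan, appetite: int):
    """plan: list of (scenario, countermeasures). Returns rows sorted by raw risk,
    with a flag telling management whether the residual risk is within appetite."""
    rows = []
    for s, cms in plan:
        res = residual_risk(s, cms)
        rows.append({"asset": s.asset, "risk": risk(s), "residual": res, "accepted": res <= appetite})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed scenarios echoing the case narrative.
PLAN = [
    (Scenario("customer database (shared login)", 5, 4, 5),
     [Countermeasure("individual accounts with strong passwords", vulnerability_reduction=3),
      Countermeasure("remove inactive test accounts", threat_reduction=1)]),
    (Scenario("mirrored backup server in damp basement", 4, 2, 4),
     [Countermeasure("second copy kept offsite and restore-tested", impact_reduction=2)]),
    (Scenario("workstation files (Everyone can write)", 3, 3, 4),
     [Countermeasure("least-privilege share permissions", vulnerability_reduction=2),
      Countermeasure("activate the installed anti-virus", threat_reduction=1)]),
]
RISK_APPETITE = 20  # constructed threshold for what management would accept

if __name__ == "__main__":
    for row in assess(PLAN, RISK_APPETITE):
        print(f"{row['asset']:<45} risk={row['risk']:>3} residual={row['residual']:>3} "
              f"{'accept' if row['accepted'] else 'TREAT FURTHER'}")
```

With these numbers the customer database scores 100 before controls and 30 after, which is still above the assumed appetite of 20, so it would go back to management for further treatment; the backup server (32 to 16) and the open workstation shares (36 to 12) fall within appetite. The point of the exercise is not the particular scores but that each countermeasure is tied to the factor it actually changes, and that the residual figure is what gets accepted or rejected, never the raw one.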
In spite of the fact that Richard’s customers have their own usernames and passwords, Richard is responsible for the security of their information. Research indicates that apart from having strong security details for online accounts, the security of such accounts is to be monitored by the real owners of the business. In the contemporary world, institutions such as banks maximize the security of their customers’ information by seeking expert guidance from the relevant technology experts and from the bodies in charge of financial organizations. It is also the responsibility of the customer to ensure the security of their online content. Even as institutions strive to guarantee the security of their online systems, it is important for the customers of the institutions to understand the threats revolving around computer systems. Moreover, customers have the responsibility to keep their devices secure by installing software such as anti-virus, which would prevent malicious activity on their online network.
Richard is held responsible for the actions of his employees at the workplace, as he should have identified the strange behavior of the employees as a threat to the security of his Video Maze. As the business owner, Richard is expected to limit the degree of confidentiality among his employees and to know the impact of disclosing data to his employees. The phases of risk assessment in information technology require that the enterprise can still identify information that has been disclosed to other parties, as such risks have major business impacts for the company (ENISA, 2006, p. 11).
RRI Risk Assessment
ENISA. (2006). Risk Assessment and Risk Management Methods: Information Packages for Small and Medium Sized Enterprises (SMEs) (1st ed.). Retrieved from https://www.enisa.europa.eu/publications/information-packages-for…/fullReport
Last, J. M., Abramson, J. H., & Friedman, G. D. (Eds.). (2001). A dictionary of epidemiology (Vol. 4). New York: Oxford University Press.