Privacy and security in Internet-based information systems

Sammanfattning: In an increasingly networked world, where new technologies and applications are rapidly introduced into homes and offices of users, complexity is rising. As a consequence, threats and dangers related to Internet usage are more eminent than ever before. A central assumption is that if human activity is to evolve and grow in the environment constituted by the Internet, a sound control of personal information, and a reasonable level of protection from malicious and deceitful behaviors is necessary. The research presented in this thesis is organized around two concepts, privacy and security. Privacy can loosely be described as “the right to be let alone” and security as “the protection from harm”. The setting in which these concepts are studied is Internet-based information systems, which are the global information systems that use the Internet as the communication infrastructure, and which involve information, hardware, software, and human actors. Since Internet-based information systems are characterized by, e.g., openness, dynamicity, anonymity, connectivity, and hostility, managing privacy and security is a cumbersome and challenging task. In the study of privacy, a number of empirical studies are conducted, in which we explore the nature and extent of software-based privacy invasions in Internet-based information systems. Three examples of privacy-invasive activities that are specifically examined are spam (unsolicited bulk e-mail), adware (software that displays commercial content), and spyware (software that spies on users). The main contributions are the analyses of such privacy-invasions and their consequences, and the specification of a new category of software, which is referred to as privacy-invasive software (software that ignores users’ right to be let alone). In the study of security, it has been investigated how interorganizational and interoperable business collaboration using Internet-based information systems can be achieved in the context of virtual enterprises. Virtual enterprises are a major trend in enterprise interoperability, making it possible to configure cooperative settings in which different companies temporarily share their resources toward a common goal. To realize this vision, we introduce Plug and Play Business, which is an integrated framework of information and communication technologies intended to support secure formation and operation of virtual enterprises. A formal analysis of Plug and Play Business, and the crucial tasks involved in the management of virtual enterprises is carried out together with a discussion of how to improve security and promote trust. A community of virtual enterprises, a gatekeeper facility, and a set of security measures including norms and norm-enhancing mechanisms are identified for this purpose. To support the users of Plug and Play Business, intelligent software agents are suggested as means to automate some of the tasks necessary for operating a virtual enterprise. The study of security is concluded by an assessment of the available technologies in support of realizing of Plug and Play Business software.