استفاده از تحلیل پوششی داده ها و درخت های تصمیم گیری برای تجزیه و تحلیل بهره وری و پیشنهاد کنترل های B2C

Appropriate guidelines for controls in B2C (business-to-consumer) applications (hereafter B2C controls) should be provided such that these guidelines accomplish efficiency of controls in the context of specific system environments, given that many resources and skills are required for the implementation of such controls. This study uses a two-step process for the assessment of B2C controls, i.e., efficiency analysis and recommendation of controls. First, using a data envelopment analysis (DEA) model, the study analyzes the efficiency of B2C controls installed by three groups of organizations: financial firms, retail firms, and information service providers. The B2C controls are composed of controls for system continuity, access controls, and communication controls. DEA model uses B2C controls as input and three variables of implementation of B2C applications, i.e., volume, sophistication, and information contents as output. Second, decision trees are used to determine efficient firms and generate rules for recommending levels of controls. The results of the investigation of the DEA model indicate that retail firms and information service providers implement B2C controls more efficiently than financial firms do. Controls for system continuity are implemented more efficiently than access controls. In financial firms, controls for system continuity, communication controls, and access controls, in a descending order, are efficiently adopted in B2C applications. Every company can determine its relative level of reduction in each component of controls in order to make the control system efficient. The firms that efficiently implement B2C controls are determined using a decision tree model. The decision tree model is further used to recommend the level of controls and suggest rules for controls recommendation. This suggests the possibility of using decision trees for controls assessment in B2C applications.

As organizations rely increasingly on IS (information Systems) for strategic advantage and operations, management needs to pay more attention to IS security issues due to a corresponding increase in the impact of IS security abuses. Controls of e-business applications should ensure the security, integrity, auditability, and controllability of the configured software, data, and support organization [16]. As controls are not only expensive to put in place and operate, but also increase audit efforts and slow down the execution of business processes, it is necessary to automate controls in an optimum manner from a cost and regulatory perspective [28]. How internal auditors or security administrators make decisions of controls assessment or adjustment is in large part a matter of judgment and experience. Thus, it is necessary to devise a systematic approach for controls assessment for security management that relies on a series of subjective judgments of internal auditors or security administrators. Gordon and Loeb [13] have shown an economic model to determine the optimal level of investment in information security. Cavusoglu et al. [7] suggested a model based on game theory for strategic investment decisions in security controls; in the IT security problem, the firm and hacker are players and the firm's payoff from security investment depends on the extent of hacking it is subjected to. Industry characteristics such as system vulnerability to security risks and availability of value added networks can affect the efficiency of EDI (Electronic Data Interchange) controls [21]. Pareek [27] used an optimization algorithm based on a linear programming model to identify controls that need to be tested to address the risks. The law of diminishing returns posits that, beyond a certain point, the effectiveness of protection provided by additional controls will diminish and no longer improve the quality of the information systems [9]. Guidance can be provided by analyzing the data collected from questionnaires used to measure controls. In view of the state of implementation, and given the high cost and resources needed to develop controls embedded in the system, it is necessary to analyze the efficiency of controls in B2C (business-to-consumer) applications (hereafter B2C controls). Depending on who performs the analysis, however, a wide range of security measures may be implemented, resulting in either too few or too many B2C controls. This study intends to investigate the assessment of B2C controls, i.e., efficiency analysis and recommendation of controls, using a data envelopment analysis (DEA) model and decision trees. Previous studies have combined the use of DEA and decision trees in analyzing organizational units [30], [31] and [34]. Using decision trees may support IS managers and convince them of the kinds of control measures that are necessary under given system circumstances. The firms that efficiently implement B2C controls are determined using a decision tree model. The decision tree model is further used to recommend the level of controls and to suggest rules for controls recommendations. This suggests the possibility of using decision trees for controls assessment in B2C applications.

Security breaches of web-based, B2C applications, which applications are often integrated with mission-critical financial reporting applications in enterprise resource planning (ERP), are increasing at an alarming rate. Assurance that the controls are in place and effective is important, and this assurance can be given through control assessment. Firms, however, cannot install every possible control, as such a strategy is not economically feasible. Considering the efficiency of controls, the extent of B2C controls can be adjusted in relation to the extent of the implementation of B2C applications. Then, system environments can be examined in order to recommend the appropriate level of controls. This study conducts a controls assessment in two parts: determination of efficiency of B2C controls using DEA and recommendation of level of controls using decision trees. The proposed methods can result in a greater return on the auditor's time and expense because the company need not request business management to supply unnecessary supporting documentation. After the analysis is completed for the first time, future assessments of controls will need much less effort as the completed questionnaire establishes a baseline. DEA can validate the efficiency of controls for the implementation of B2C applications. The scientifically and rationally applied approach may lessen the burden of retrofitting security measures, saving resources in areas of auditing and security management. DEA can help identify firms adopting controls efficiently and can signal inefficient controls that need to be reduced to be efficient. The study further investigated the efficiency differences among industries and control classes, performing multi-industry and multi-class controls investigation to determine the efficiency of B2C controls. The results of the investigation of the DEA model indicate that retail firms and information service providers implement B2C controls more efficiently than financial firms do. Controls for system continuity are implemented more efficiently than access controls. In financial firms, controls for system continuity, communication controls, and access controls, in a descending order, are efficiently established in B2C applications. Decision trees support auditors by creating two kinds of rules, i.e., rules for determining firms that efficiently implemented B2C controls and rules for recommending the level of B2C controls. This study of the efficiency of B2C controls has significant implications for researchers and practitioners. As studies that examine efficiency in controls and security have been lacking, this study provides insight to researchers by suggesting an overall normative approach to the evaluation and design of controls in terms of efficiency analysis of controls and decision analysis framework to evaluate the fit between system environments and controls. This study does not evaluate the impact of controls on risk reduction, and the relation between risks and controls of B2C applications should be further examined in order to enhance our understanding of B2C control strategy and to mitigate security risks. Further, the study results may help practitioners such as auditors and security administrators by providing a systematic approach for the determination of the mode and level of controls in the process of implementation of B2C applications. Every company can determine the relative amount of reduction in each component of controls in order to make the control system efficient. Auditors can align controls with system environments and implementation of B2C applications. This enables the control strategy to achieve a balance with organization, system, infrastructure related factors, and utilization of B2C applications. Considering the security incidences, limited internal audit resources, and legal requirements such as the Sarbanes-Oxley Act, the proposed methods will help establish action plans to define what controls must be introduced, enhanced or removed. The action plan is demanded for controls that are rated as limited, deficient or excess. Actual and objective measures of information security performance such as data loss and number of fraudulent transactions are good output variables. At this time, the study sample does not include those variables. It will be better to include them in the sample in a future study.