ABSTRACT
This paper discusses theoretical and practical issues related to the use of a biometric-enabled security layer in accounting systems aimed at enhancing user authentication and reducing control risk. Originating in criminology, biometric technology has matured over the years with applications in diverse disciplines. However, its use in business and accounting is still in its infancy, and many issues about its role in information systems security are unresolved. The paper proposes an access decision framework that draws from the strategy and risk assessment literature to model processes where biometrics might be used to reduce control risk. Despite its potential strengths, biometric technology is not a panacea and represents one element in a portfolio of security mechanisms needed to protect information resources. The paper discusses challenges in implementing biometric technology and identifies avenues for future research.
I. INTRODUCTION
The unfortunate events of September 11, 2001 in New York City, Pennsylvania, and Washington, D.C. have forced all concerned to revisit security issues broadly, including those related to information systems. The losses resulting from these attacks will have a lasting impact. Surreptitious cyber-attacks on information resources can also have devastating consequences. The vulnerability of critical information resources to catastrophic and cascading failure makes them attractive targets for intruders and unauthorized persons with malicious intent.
Cyber-related security threats have the potential for highly debilitating consequences for business and other organizations. Yet many entities do not have effective security mechanisms in place to mitigate such threats (Scharpenberg, as quoted in Hart 2001). Cyber-fraud and lost productivity from cyber-attacks are also significant threats to economic activity (Nichols et al. 2000; Pipkin 2000). A fundamental cause of such losses is the absence or breakdown of identification and authentication (1) systems (Stallings 2000).
Sound identification and authorization mechanisms are often a necessary prerequisite for mitigating threats to other key security services such as confidentiality, non-repudiation, data integrity, and data availability. In view of recent widespread security concerns, there has been a surge of interest in biometric mechanisms as a means of strengthening identification and authentication services. A biometric is a distinguishable physiological or behavioral attribute that can be used to automatically verify and authenticate an individual's identity (Matyas and Stapleton 2000). Some of the popular biometrics include fingerprints, voice patterns, iris and retinal patterns, hand geometry, signature verification, and keystroke analysis. (2) Since a biometric is tied to an individual, its misuse (from loss or theft) is more difficult, although not impossible.
The accounting profession has developed various control frameworks that identify risks and security measures related to business information resources and other assets. Specifically, these control frameworks (e.g., Committee of Sponsoring Organizations [COSO] 1992; U.S. Department of Justice 1977; Canadian Institute of Chartered Accountants [CICA] 1998; SysTrust [AICPA 2002; McPhie 2000; Boritz and Mackler 1999]; COBIT 2002) challenge the accounting profession to design and maintain control systems in a manner that safeguards an enterprise's information resources. A strong security mechanism that reduces control risk and generates enhanced confidence among information systems users would be an ideal tool for accountants in the discharge of their responsibility. Biometric technology appears to be a powerful candidate. This technology can potentially reduce control risk in accounting applications and business processes, particularly when used in conjunction with traditional control measures.
In this paper, we examine the potential use of a biometric-enabled security layer in accounting systems to mitigate threats to identification and authentication services. We propose an "access decision framework" that considers both exposure and business information intensity (BII) as fundamental factors in classifying applications and business processes that might be candidates for the type of security services that biometrics can offer. The proposed framework draws from the strategy and risk assessment literature. It utilizes concepts of risk and exposure, as well as Porter and Millar's (1985) work on the interaction of information systems and strategy, to model potential accounting applications and business processes that can benefit from an application of biometrics to reduce control risk. BII refers to the level of IT content in an entity's product and value chain. BII is high when the IT content of both the product and the value chain is high. Similarly, BII is low in situations where the reverse occurs. Exposure refers to potential losses that an organization can suffer in the absence of sufficient information systems security and control (Romney and Steinbart 2003; CICA 1998).
The remainder of the paper is organized into five sections. In Section II, we provide an overview of the biometric authentication process and discuss risk and assurance issues associated with the technology. In Section III, we analyze specific areas in accounting information systems (AIS) where biometric technologies may add value. In Section IV, we present and illustrate, with examples, an access decision framework for evaluating biometric-enabled security mechanisms in AIS and provide a decision aid for implementing the framework. In Section V, we discuss challenges and constraints in the implementation of a biometric security layer for the AIS, and identify opportunities for future research. Finally, our conclusions are presented in Section VI.
II. AUTHENTICATION AND BIOMETRICS
This section provides an overview of biometrics and discusses the biometric-enabled authentication process. It includes a discussion of the distinction between identification and authentication, an examination of factors used to authenticate information systems users, a description of the biometric authentication process, and an overview of selected issues and challenges that impact the effectiveness of biometrics as an authentication tool.
Identification versus Authentication
Identification is a one-to-many matching process that ascertains the existence of an individual in a database. This process merely determines that the person exists. If access control is predicated only on the existence of an individual, then the individual is given access to the system when the required identifier is found to exist in the access database. There is no confirmation or proof that the person who is given access is indeed the person who initiated the access procedure. Authentication, on the other hand, ascertains that the individual who is identified in the database is in fact the person whom he or she claims to be. Authentication is a one-to-one matching process of a claimed identity. In other words, a user who wishes to log on to a service claims a specific identity. The automated identification system searches through the entire database of users until a match is found (i.e., a one-to-many matching process). The authentication process, on the other hand, verifies that the claimed identity belongs to the user. The match is performed against a specific reference or authentication factor associated with the claimed identity.
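The one-to-many search and the one-to-one check described above, as an added illustration that is not part of the original paper. The enrolled templates, the 16-bit template size and the Hamming-distance threshold are constructed stand-ins for a real biometric matcher; the control logic is what the passage describes.

```python
from typing import Optional

# Constructed enrolment database: user id -> 16-bit feature template.
# Real templates are far larger; the matching logic is the same.
ENROLLED = {
    "alice": 0b1011_0010_1110_0001,
    "bob":   0b0110_1101_0010_1010,
    "carol": 0b1100_0111_1001_0110,
}
TEMPLATE_BITS = 16
# A fresh sample never reproduces the enrolled template exactly, so a
# bounded number of differing bits is still accepted (assumed threshold).
MATCH_THRESHOLD = 3


def distance(a: int, b: int) -> int:
    """Hamming distance: number of bits in which two templates differ."""
    return bin(a ^ b).count("1")


def identify(sample: int) -> Optional[str]:
    """One-to-many: search the whole database for whoever the sample
    belongs to. The caller asserts no identity; the system proposes one."""
    best_id, best_d = None, TEMPLATE_BITS + 1
    for user_id, template in ENROLLED.items():
        d = distance(sample, template)
        if d < best_d:
            best_id, best_d = user_id, d
    # Nearest neighbour only counts if it is close enough to be the same person.
    return best_id if best_d <= MATCH_THRESHOLD else None


def authenticate(claimed_id: str, sample: int) -> bool:
    """One-to-one: the user claims an identity and the sample is compared
    only against that identity's reference template."""
    template = ENROLLED.get(claimed_id)
    if template is None:
        return False          # unknown claim: nothing to verify against
    return distance(sample, template) <= MATCH_THRESHOLD
```

A sample two bits away from Alice's template identifies as Alice and verifies the claim "alice", but fails the claim "bob" even though Bob exists in the database; a sample five bits away from every template identifies as nobody and verifies no claim.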
Authentication Pyramid
The pyramid in Figure 1 shows three broad categories of factors that organizations use for automated authentication--possession, knowledge, and biometrics. Authentication can be predicated on a single factor (e.g., a password, a PIN, or a picture ID) or on multiple factors (e.g., password and picture ID, or PIN and picture ID). Vertical movements within the pyramid are associated with increases in the strength and focused nature of the authentication process. The likelihood that the verified identity is not that of the true owner also decreases with vertical movements in the pyramid.
[FIGURE 1 OMITTED]
In the first category, the user must present a physical possession (such as a token or a key) to be authenticated. Though visible and usually portable, possessions can be lost, stolen, shared, duplicated, forgotten, or destroyed. Possession-based authentication factors provide assurance that a user presents a valid token or card. Within the context of an automated authentication process, these factors do not provide direct assurance that a user who is allowed access into an information system is indeed the person he or she claims to be.
In the second category, the user provides information about his/her knowledge (such as a PIN, password, or passphrase). Passwords and other knowledge authentication factors are highly portable, invisible (unless written down), can be changed often, and can be designed to be relatively secure. However, they can be forgotten, reused, stolen, guessed, or shared. Passwords offer assurance that the person at the keyboard knows the password. They do not offer assurance that the person at the keyboard is indeed the person he/she purports to be.
In the third category, the system employs distinguishable physiological characteristics and behavioral traits (biometrics) to authenticate the user and allow access to information resources. Biometric technology falls into this category. Biometrics are difficult to steal and directly tied to one and only one user. Furthermore, they cannot be forgotten or misplaced and,...