Read an Excerpt
In the last week, you almost certainly used your credit card in a restaurant, but you didn't follow the waiter through the door to double-check that he or she didn't imprint the card twice or photograph your signature. You trust the system. But you may be one of the 60% of people who report when surveyed that they are not yet comfortable giving their credit card number to make a purchase on the Internet. You probably made a cell phone call last week, too. Cell phone fraud is many times higher than credit card fraud. But again, you trust the cell phone system more than you trust the Internet.
Electronic commerce (EC) represents the future of commerce, with the Internet the most obvious driver. Just in the past five years we have seen companies like Dell, Schwab, and Cisco extend their customer relationships, their traditional commerce, into this new style of business and quite literally make billions of dollars in doing so. We have seen a far more cautious shift in consumer behavior, but just about every business person and most consumers accept that at some point, EC will be as much a part of their everyday life as are credit cards and cell phones. Ask them when that will occur and their answer will basically be, "When we can trust it?" Ask the customers of the Dells, Schwabs, and Ciscos why they use EC and the answer will be, "It is a better way of doing business for us and we trust it." Ask them why they will trust it, they will say, "Because it is reliable, we feel safe in providing information, any problems are quickly recognized and responsibly dealt with, and we don't worry." Then, we trust the relationship. It removes our fear of the unknown.
Raw technology was the enabler of EC: the complex of transmission links, computers, and "standards" that created first value-added networks (telecommunication-based transaction systems for groups of trading partners) and Internet Commerce (trading systems for anyone in the world). The technology is now all in place. And it can only get better and cheaper. It's no longer the differentiator for EC.
Trust is now the currency and differentiator. Whereas in the early days of EC, growth came from skills in building and managing networks and developing information systems, it now comes from building and maintaining trust and sustaining relationships. Just as a decade ago managers needed to be sure their firm had the skills and resources to design the technology base, today, EC is about designing the trust base. This is what our book is about. It is not about trust in itself: its importance, social impacts, or honesty, sincerity and the like. It's about designing trust: system frameworks and tools for ensuring that your organization's EC technology base becomes the platform for the comprehensive, continuing, and growing trust relationships that will determine its future business health.
What is EC? Just two years or so ago, the answer might have been a "fad Internet hype" or "online transactions" or "paperless business." There's still no real definition, but it's more and more equated with an essential element for ensuring business innovation and even industry survival. In other words, EC is now very much moving into the mainstream, not lurking on the periphery of business. It's already turned the rules of competition upside down in such industries as securities trading, travel reservations and sales, PCs, and book and music retailing, and has profoundly changed supply chain management in manufacturing, retailing, and distribution.
That means it must be in the mainstream thought and practice of those business professionals whose job it is to ensure effective design of EC services and, more relevant to our book, to ensure the reliability and safety needed to build customer trust. EC professionals must provide the same degree of organizational controls taken for granted in nonelectronic commerce: security, financial controls, audit trails, privacy, integrity, and confidentiality. EC is not going away; it is very much here to stay. In business-to-business commerce, there are more than a dozen firms, each selling more than a billion dollars of goods a year via the Web. Cisco, the telecommunications equipment manufacturer, gets 70% of its revenues that way. In 1998, one of its customers bought $100 million of its products without a single human contact. Dell Computer not only gets 70% of its revenues from a combination of Internet and phone call center sales, but has destroyed the business model of Compaq, the leader in the personal computer market. Charles Schwab similarly has put at risk the business model of Merrill Lynch, a superbly successful and well-managed company, within its traditional industry. More than half of Schwab's 1999 business came from online trading.
The picture is less clear in the consumer market. Amazon, Yahoo, Excite, eBay, and other Internet stock "plays" may or may not turn out to be viable businesses five years from now, but they have in effect invented entirely new industries, with customer and revenue growth rates in the 50-150% per year range. America Online has turned a company described by a journalist as America's "most dysfunctional" firm into an online equivalent of Wal-Mart. Perhaps the breakthrough point for consumer EC was the Christmas 1998 period. Online retail sales increased by a factor of four over the same season in 1997. But, customer satisfaction halved! The dissatisfaction related to trust and safety: outages, weak links between the online software interface and inventory management, order fulfillment, customer service, payment, and security processes.
Better audit, control, and monitoring processes would have avoided many of these problems. Neat Web sites and great prices don't in themselves add up to reliable, safe, and trustable commerce. EC changes so many rules of the business game.
So, how do you yourself deal with it as a business opportunity for your company and client? What approaches to your work are most effective in applying forms of paperless commerce? Answering this question is what motivated us to write this book: to provide a practical guide for you to manage your business evolution into the electronic world of the future. Our goal is to help you make sound business decisions that will apply EC and its technologies for your benefit.
Our approach is simple: EC, whether via the Internet, electronic data interchange, value-added industry networks or even electronic mail, is basically about the systematic design of trusted relationships. Again, of course, that's what commerce has always been about: handshakes, keeping your word, writing contracts, ensuring informed consent, and the like. But, equally obvious, in the electronic ether, there is no face-to-face contact (look you in the eye and shake hands), very few regulations about commerce protection, and immense uncertainties, all of which add up to customer risk. Cut the risk, build the trust, and cement the relationship.
This book is designed to help you achieve these through:
- a no-nonsense approach to the key trust design issues surrounding EC, such as risk mitigation, control, audit, and security
- an interpretation of where EC technology is and where it is going, so you can anticipate the trust design agenda
Trust is the very foundation of commerce and EC doesn't change that. What EC does, though, is challenge many of the trust assumptions and processes that paper commerce now takes for granted; even those are often vulnerable, though built up over as much as centuries and supported by law, professional expertise, and experience. The mere fact that in the paper world, we have become accustomed to processes that consider paper to be irrefutable proof doesn't really respond to the fact that there are still bogus bonds and worthless contracts. If someone displays their broker's license on their office wall or gives you a business card that says J. J. Jones, CPA, you wouldn't automatically check this out.
Paper documents are powerful. We have become accustomed to them, because we either know the broker or CPA or assume the paper is valid; the business card opens up the relationship. Perhaps we should be more prudent; certainly, there are many con artists exploiting our trust in licenses, receipts, business cards, and the like. But we feel in general that we are in control, and that if something goes wrong, we know where to turn. If things look funny, we back off and don't give the party our business. In the EC world, we often have to decide to give our business and hence our trust before the fact rather than after. That's why so many of us decline the EC invitation to give our credit card number or fill out a form on our personal computer screen that asks for "private" information, yet we happily fill out almost the same form to apply for a department store credit card. EC removes paper and in doing so can remove a sense of confidence and familiarity. How do we find new ways of restoring that sense?
In Chapter 1, we begin our journey for controlling EC by exploring the very basics of trust concepts and issues. Trust is such a commonsense concept and so central to our lives, yet it's hard to even define except in vague terms. We start the journey by zeroing in on the pragmatics of trust.
In Chapter 2, we specifically approach the question of the risk issues in trust relationships and provide suggestions as to how to mitigate these risks on an ongoing basis. One of the most obvious effects of EC is that it accelerates the business process to a degree that there is literally no time to intervene if anything looks out of order. When companies aim at a "one-click" Web service, they mean that there can be no "Excuse me a minute" or "Do you mind if I get a little more information from you"; it's point, click, and go. Things that might have taken days or weeks in the paper commerce world now take minutes or seconds. What does this acceleration mean to the business process and for traditional controls? Chapter 2 provides answers. We also place these risks in the context of the roles and responsibilities of the business and IT manager: what needs to be looked for and what can be done about it.
How to control these risks is the central theme of Chapter 3. We see a direct relationship between the value of control processes and the success of a trust-based business relationship. That may seem a contradiction; "control" suggests bureaucracy, suspicion, and distrust. But consider the everyday use of notaries to "control" the validity of a signed document. Bureaucracy? No, it's a service in the interests of all parties that makes it easier to do business, not more difficult. In fact, creating and managing an effective control process can be seen as a marketing tool for the success of a firm planning to move its business over to EC-based technologies. For us, control on behalf of the customer creates a service advantage. Audit trails, security, backup, reliability, privacy, data integrity, confidentiality, and the other components of control build a trust bond, which is the theme of Chapter 4.
Chapter 5 is about security, which is the most cited concern about not using EC, yet many companies are using EC tools like the Internet with few worries about it. Does this mean these firms don't care? Have they resolved these concerns through technical tools? Or is there something else? What do we mean by security, and more important, what tools should be applied under what circumstances? For us, security is more than just procedures and software/hardware protections. These are only a part of the story, which is about business planning. Our study on the Secure Electronic Transaction (SET) standard, which has been adopted by all the major credit card issuers (but has yet to be widely embraced and proactively implemented), clearly focuses on the need to look at the total picture and the key issues for EC before implementing a technological solution.
Chapter 6 is an exploration of EC itself: its roots and its components.
Because we see EC as being as much about relationships as about technology, the purpose of security, audit, and control is to make those relationships safe for all parties. (For this reason, we use the broad term "safety" to cover the full range of security, audit, and control procedures, software, standards, firewalls, audit trails, and the like in the rest of this chapter.) That shifts them from being specialized responsibilities of a technical or accounting function in the organization to their becoming an integral part of business planning and business management.
That they rarely are reflects what we will call in Chapter 7 the systems defense approach to business safety in computer systems and networks. We define a business enhancement strategy that augments systems defense and builds safety into the design of EC relationships.
EC puts more and more of a firm's cash flow online. There has always been a conflict in telecommunications between access and control. The relationship elements (communication, speed, convenience, variety of transactions, provision of information, and opening up the system for more and more users and uses) pushed toward open access; that's long been the ethos of the Internet and a major factor in its success and diffusion. Anything that gets in the way of these elements limits the relationship. The control elements are required for reasons of safety, regulation, protection of proprietary information, privacy, and ensuring an accurate record and audit trail. The challenge is to ensure that these augment, not intrude on, the relationship.
All this leads to a rethinking of where internal control, audit, and security should be targeted. EC is creating a new age for business and management. Approaching controls and audit processes in traditional ways no longer provides the level of assurance needed for the successful management of an organization. This is why in Chapter 8 we have developed an EC-specific approach to audit and control that looks at adding business value to a role that has been largely handled as administrative.
EC changes external processes and demands. Regulatory and tax agencies are profoundly affected by electronic processes, and governments are responding with new laws and expectations. What are the key issues and where are they going? EC is still bereft of a great deal of formality in law, which creates uncertainty and risk for business managers in trying out a new process or EC technology. We review a number of key regulations and their impacts on the business community in Chapter 9.
Finally, in Chapter 10 we describe where future trends lead, what the likely scenarios and solutions are: how you plan for what you can't predict. Our final chapter is about the future; that means it's about uncertainty. Our goal is to help you make change an ally, not a threat, by focusing on what we see as the most likely developments in EC over the coming years. "Likely" does not mean "definite"; it is close to impossible to predict anything in the field of EC, though, of course, there's a growing industry of expert opinions and forecasts, especially concerning the growth of Internet commerce.
We make no direct predictions, though we give our own best estimates of trends. We do this so that we can highlight opportunities for you to look out for and to assess their implications for risk reduction, security, audit, and control. We classify these trends into categories of likelihood: inevitabilities, strong probabilities, possibilities, and unknowns.
EC is a dynamic interaction of electronics: technology; commerce: relationships, markets, services, industries, and competition; context: social and political forces; economics: capital, investment, revenues, and margins. We can only guess at what these will lead to. Throughout this book, we present our personal views. Whether or not they turn out to be prescient or misguided and whether or not you agree with them, several points seem incontestable:
- The future will see a rapid loss of traditional control points and security mechanisms.
- Many of the most likely developments in the technology and its applications will transform the nature of commercial relationships.
- The pace of change is such that it inherently means an increase in uncertainty.
- All this adds up to a challenge, a threat, and an opportunity.
We hope that as you finish our book, you see EC as your opportunity.