e-Commerce Risk Analysis

Overview

E-Commerce companies have become increasingly important in this era of global pandemics and resulting restrictions on businesses and individuals. Consumers are ordering products online in larger numbers than ever before due to business closures or restricted operating hours. Companies positioned in the e-Commerce industry are experiencing growth beyond previous predictions. But, at the same time, some E-commerce companies are seeing their business decline drastically due to travel restrictions and the reluctance of businesses and individuals to travel for any but the most critical of reasons. Added into the risk picture are risks from the actions of cybercriminals, hackers, and nation-state actors are taking advantage of these unsettled times resulting in increased risks for companies whose business models depend upon the Internet for financial transactions, orders, and communications both internal and external. For a company considering an expansion into e-Commerce there can be an increased number of risks overall especially in the areas of information technology and online ordering.

For this project, you will prepare a Risk Analysis to be presented to the governance board (executives and senior managers) at Bay & Shore General Store. After their approval, the Risk Analysis will be sent to the company’s bankers as part of a loan application package for the planned e-Commerce expansion.

Note: before proceeding, you should review NIST SP 800-30 R1: Guide for Conducting Risk Assessments. https://doi.org/10.6028/NIST.SP.800-30r1  Pay special attention to Appendix D: “Threat Sources: Taxonomy of Threats Sources Capable of Initiating Threat Events” and Appendix H: “Impact: Effects of Threat Events on Organizations, Individuals, and the Nation.”

1. Review the Case Study for Information about Bay & Shore General Store

For this project, you will begin by reviewing the Case Study description of Bay and Shore General Store (found in the course case study Identifying & Managing Cybersecurity Risk > The Clients > Bay & Shore General Store). Pay particular attention to the list of Use Cases which the company has provided. These are repeated below. Using your previous learning, brainstorm the types of security risks or threats could apply to each use case.

Table 1. Bay & Shore General Store Use Cases for e-Commerce Activities

Actor	Actions
Customer	Customer browses an online catalog of products
Customer	Customer makes a product purchase (email or phone now, using shopping cart in future)
Employee	Employee fills order and ships to customer
Company (Automated Process)	Company bills customer for items and shipping costs
Customer	Customer initiates return of a delivered product
Customer	Customer cancels purchase that has not been shipped
Employee	Employee enters a price change for an item in inventory
Employee	Employee initiates reorder for low-stock
Manager	Manager checks sales report
Manager	Manager authorizes refund
Manager	Manager authorizes payment to vendors for stock

2. Review the Security Requirements for Accepting Payments via Payment Cards

1. Read the Payment Card Industry Data Security Standards Council’s document Maintaining payment security. https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
2. Brainstorm the types of cybersecurity risks which could affect Bay and Shore General Store’s payment transactions (review the Use Cases to identify which ones involve financial transactions).

3. Review the Risk Statements from Three Comparable e-Commerce Companies

Review the Risk statements prepared by three companies who operate similar e-Commerce infrastructures. These companies are shown in the table below along with links to public documents which contain their Risk statements.

Table 2. e-Commerce Companies Similar to Bay & Shore General Store

Company	Website	Annual Report to Investors (Form 10K)
1800Flowers	https://www.1800flowersinc.com/investors	https://otp.tools.investis.com/clients/us/1-800-flowers1/SEC/sec-show.aspx?Type=html&FilingId=15219013&Cik=0001084869
Amazon	https://ir.aboutamazon.com/overview/default.aspx	https://s2.q4cdn.com/299287126/files/doc_financials/2021/ar/Amazon-2020-Annual-Report.pdf
Etsy	https://investors.etsy.com/home/default.aspx	https://d18rn0p25nwr6d.cloudfront.net/CIK-0001370637/4e43d306-4e72-462c-8f1a-bcb19b770718.pdf

4. Research the Three Comparison Companies

1. Using the URLs listed in Table 2 and your own research, review each company’s website to learn about the products and services which it sells via e-Commerce.
2. After you have reviewed each company’s websites, identify 3 or more additional sources of information about each company and how it operates in cyberspace. These can be news articles, data breach reports, etc. Focus on finding information that addresses how the company is responding in the current cyberthreat and economic environment (2019 or later).
3. Using the information obtained from your sources, identify the types of information, information systems, and business operations which drive each company’s need to purchase (or build its own) cybersecurity products and services.  Make certain that you clearly identify by company what assets, information, and operations need to be protected.

5. Analyze each Comparison Company’s Form 10-K Annual Report to Investors

1. Using the links from Table 2, download a copy of each company’s Annual Report to Investors from its Form 10-K filing with the United States Securities and Exchange Commission. (Note: the company is the author of its Form 10-K. Do not list the SEC as the author.)
2. Review each company’s description of itself including history, current operations, etc.
3. Read and analyze the Risk Factors section in each company’s report to investors (Item 1.A). This section is a professionally written risk analysis that has been written for a specific audience. Pay close attention to what the company includes as risk factors and how the writers chose to present this information.
4. Analyze the risk factors to determine which ones are related to e-Commerce / Internet operations or are otherwise affected by the use of information in digital form and Information Technology systems and infrastructures. Make a list that shows what information, digital assets, and/or business operations (processes) need to be protected from cyberattacks and/or cybercrime (including insiders and external threats) and the type of risk or threat that could affect those assets and processes.
5. Determine which of the identified risks are likely to also apply to Bay & Shore General Store as it expands into e-Commerce operations.

6. Construct Your Risk Analysis

After analyzing each company’s e-Commerce operations and risk statements about those activities, you will construct and document your own cybersecurity risk analysis which focuses upon identifying risks that other e-Commerce companies face that Bay & Shore General Store is also likely to encounter during its planned expansion into e-Commerce (including all supporting business processes). Use the provided Bay & Shore General Store Use Cases as a starting point to organize your analysis. Your risk analysis should address 8 or more of the Use Cases listed under Bay & Shore General Store.

Write

1. An introduction section which identifies the company being discussed (Bay & Shore General Store) and provides a brief introduction to the company including when it was founded and significant events in its history. You should extract this information from the course case study.
2. A section containing an introduction to the e-Commerce industry followed by a business profile (3 total) for each comparison company. Put your industry introduction (overview) at the top of this section. Include in your overview a discussion of the Payment Card Industry’s data security standards and how these apply to payment card transactions for e-commerce companies. Then, for each company, provide a separate sub-section in which you summarize their business activities and provide a brief business profile. The profile information should include: headquarters location, key personnel, primary types of business activities and locations, major products or services sold by the company, major competitors, recent financial performance, and additional relevant information from the annual report to investors. Describe this company’s needs or requirements for cybersecurity products and services. What information and/or business operations need to be protected? While your focus should be upon the company’s e-Commerce activities, you should also address the back-office or supporting information and business processes required to deliver those e-commerce activities.
3. A section in which you identify and then discuss common risks, i.e. those affecting all three companies, which could also affect Bay & Shore General Store. Make sure that you consider risks associated with payment card transactions. Organize these risks using eight or more Use Cases from Table 1. For each of your selected Use Cases, explain how the identified risk could also impact Bay & Shore General Store (for example, a denial of service attack could prevent customers from placing orders). A separate section which provides a detailed summary of the identified risks and potential impacts upon the company’s operations as a whole. What are the likely sources of threats or attacks for each type of information or business operation? (E.g. protect customer information from disclosure or theft during online purchase transactions.). What are the possible impacts should these risks occur?

You may present your summary in table format or using a list format (bullet points).

ID	Use Case	Description of Risk	Potential Impacts to BSGS  (Harm or Loss)
1
2
3
4
5
6
7
8

• A recommendations section in which you list recommended high level (overview) cybersecurity strategy for Bay & Shore General Store. Answer the question: what are their business needs for cybersecurity and how can these be met? This section should present an overall risk management strategy and include how the four major risk treatments (accept, avoid, mitigate, and transfer) can be applied to the identified risks. If there are risk treatments that you do not recommend using, state that and provide an explanation as to why such risk treatments should not be used in the store’s risk management strategy.

Submit for Grading

Submit your work in MS Word format (.docx or .doc file) using the Project #2 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Consult the rubric for additional information about the requirements for this project.
2. The recommended length for this project is 8-10 pages not including the required title page and list of references (also required).
3. Your e-Commerce Risk Analysis should be professional in appearance with consistent use of fonts, font sizes, margins, etc. You should use headings to organize your paper. The CSIA program recommends that you follow standard APA formatting since this will give you a document that meets the “professional appearance” requirements. APA formatting guidelines and examples are found under Course Resources.
4. You are allowed to exceed the page count listed under item #2 but you should focus upon providing a clear and concise written analysis.
5. Your paper should use standard terms and definitions for cybersecurity.  
6. You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s page count.
7. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs. 
8. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
9. Consult the grading rubric for specific content and formatting requirements for this assignment.