BARRIERS TO THE PUBLIC KEY INFRASTRUCTURE (PKI) DEPLOYMENT AND USAGE FOR AUTHENTIC DOCUMENT TRANSACTION IN SRI LANKAN BANKING SECTOR

MASTER OF BUSINESS ADMINISTRATION IN INFORMATION TECHNOLOGY

By H. S. Rajapakse

This dissertation was submitted to the Department of Computer Science & Engineering, University of Moratuwa, in partial fulfillment of the requirements for the Degree of Master of Business Administration.

Department of Computer Science & Engineering
University of Moratuwa
December 2007

DECLARATION

The work submitted in this dissertation is the result of my own investigation, except where otherwise stated. It has not already been accepted for any degree, and is not being concurrently submitted for any other degree.

Hirannya Rajapakse
11th February 2007

I endorse the declaration by the candidate.

Mr. Shantha Fernando

TABLE OF CONTENTS

Abstract
Chapter 1
  Introduction
    Background
    Problem Identified
    Research Objectives
    A Brief Method of Study Adopted
    A Brief Review of Literature on Previous Attempts
    Expected Results from the Study
Chapter 2
  Literature Review
    Overview of Public Key Infrastructure
    Authentic Documents
    Digital Signature
    Obstacles to PKI Deployment and Usage
    Public Key Infrastructure for Financial Institutions
    Electronic Transactions Act in Sri Lanka
    Adoption of Public Key Infrastructure in Sri Lanka
    Vendors for Public Key Infrastructure
    Global Implementation of PKI
Chapter 3
  Methodology of Study
    Conceptual Framework
    Generation of Hypotheses
    Operationalization of Variables
  Research Design
    Analysis of Other Factors
    Type and Nature of the Study
    Purpose of the Study
    Type of Investigation
    Unit of Analysis
    Data Collection Methods
    Primary Data Collection
    Sampling Design
    Data Collection
Chapter 4
  Observations
  Data and Results
Chapter 5
  Analysis and Discussion of Results
    Descriptive Analysis of IT Users
    Descriptive Analysis of Branch Managers
    Usage of Document Management Systems and Level of Information Security
    Public Key Infrastructure (PKI) Usage for Authentic Document Transactions
    Relationship on Barriers to PKI Deployment and Usage
Chapter 6
  Conclusion and Recommendations
  Limitations
References

ABSTRACT

Information systems are increasingly used for electronic document transactions in both internal and external business processes, and this use has been growing in recent years.
Consequently, most banks have implemented, or are planning to develop, document management systems to improve their business activities. These systems range from paper-based transactions to fully online systems. However, the information handled by these document management systems is exposed to risk, and this gives rise to the main barrier: a lack of trust in the transactions adopted among mature stakeholders. A better security mechanism is therefore needed in this changing environment. Public key infrastructure (PKI) can be considered an enabler for secure transactions, and a tool for trust assessment and decision making in document management systems. Digital signatures based on PKI are used for secure electronic document transactions in document management systems in order to streamline the business environment. However, digital certificates have not diffused into the document management systems of the Sri Lankan banking sector for secure transactions. The Electronic Transactions Act, No. 19 of 2006 was enacted to promote public confidence in the authenticity, integrity and reliability of data messages, electronic documents, electronic signatures and electronic records in Sri Lanka. Even though electronic signatures are legally accepted, their adoption in document management systems is low. Although little attention has been paid in Sri Lanka to introducing digital signatures for electronic transactions, globally there are significant trends towards PKI software in the banking sector. What could be the reason for not being able to deploy PKI-enabled document management systems in our banking sector for secure document transactions? This could be due to barriers to implementing a better security mechanism.
This research attempts to identify these barriers to PKI deployment and usage for authentic document transactions, to understand the precise relationships among these obstacles, and to propose solutions to overcome them for secure document management systems. Hence, the researcher believes that this research will serve as a guide for information security professionals, information system auditors and end users in thinking about better information systems for carrying out secure document transactions.

ACKNOWLEDGEMENT

Thanks are due first to my supervisor, Mr. Shantha Fernando, Senior Lecturer of the Computer Science & Engineering Department of the University of Moratuwa, for his great insights, perspectives, guidance and sense of humor. His continuous guidance helped me throughout my research project and made it a success. I am grateful to Mrs. Vishaka Nanayakkara, Head of the Computer Science & Engineering Department of the University of Moratuwa and our course coordinator, who introduced me to the subject of research skills. Her constant encouragement and guidance were a great motivation and helped me to complete this research on time. My sincere thanks go to the people who serve in the Computer Science & Engineering Department office of the University of Moratuwa, for helping in various ways to clarify matters related to my academic work in time, with excellent cooperation and guidance. I pay my gratitude to everyone who contributed their time to being interviewed and to sharing their perceptions, attitudes, ideas and sometimes even their private information. As well, I thank my wife and my colleagues for the support they have given me over this time.
LIST OF FIGURES

Figure 1. PKI Usage by Industry Type
Figure 2. PKI Application Weight
Figure 3. Obstacles Encountered when Implementing PKI
Figure 4. Major Reasons for not Implementing PKI in Organizations
Figure 5. PKI Obstacles Weight
Figure 6. Conceptual Framework
Figure 7. Research Design
Figure 8. Barriers to PKI Deployment and Usage in Sri Lankan Banking Sector
Figure 9. Distribution of Barriers to PKI Implementation
Figure 10. Distribution of Information Security Experience
Figure 11. Distribution of PKI Knowledge
Figure 12. Education Level of IT Users
Figure 13. E-Business Experience of IT Users
Figure 14. Education Level of Branch Managers
Figure 15. E-Business Experience of Branch Managers
Figure 16. Information System Usage
Figure 17. Mode of Authentic Document
Figure 18. PKI Implementation
Figure 19. Plans on PKI Implementation
Figure 20. Belief in Manual Signature
Figure 21. Facing Barriers to PKI Implementation
Figure 22. Distribution of "PKI Poorly Understood"
Figure 23. Distribution of "High Cost"
Figure 24. Distribution of "Poor Interpretability"
Figure 25. Distribution of "Too Complex"
Figure 26. Distribution of "Hard to Maintain"
Figure 27. Distribution of "Hard to Use"
Figure 28. Distribution of "Lack of Management Support"
Figure 29. Distribution of "Software Applications do not Support PKI"
Figure 30. Distribution of "Lack of Demand for PKI"
Figure 31. Scatter of Barriers to PKI and Information Security Experience
Figure 32. Scatter of Barriers to PKI and Information Security Experience in Years
Figure 33. Scatter of Barriers to PKI and PKI Knowledge

LIST OF TABLES

Table 1. Comparison of Paper and Digital Signature Properties
Table 2. List of Banks Belonging to the Target Population
Table 3. Reliability Statistics - Barriers to PKI Implementation
Table 4. Reliability Statistics - Information Security Experience
Table 5. Reliability Statistics - PKI Knowledge
Table 6. Data Set for Barriers to PKI Deployment and Usage
Table 7. Calculated Values for Barriers to PKI Deployment and Usage
Table 8. Only the Intended Party Can Open the Document
Table 9. Integrity of Documents
Table 10. Identifying the Communicating Party
Table 11. Non-Repudiation of Document Management Systems
Table 12. Security Level of Document Management Systems
Table 13. Improvement of Current Security Features on Document Management Systems
Table 14. Statistics on Barriers to PKI
Table 15. Correlation of Barriers and Information Security Experience
Table 16. Correlation of Barriers and PKI Knowledge
Table 17. Testing Hypothesis for Experience
Table 18. Testing Hypothesis for PKI Knowledge
Table 19. Model Summary for Variables
Table 20. Model for Variables