Integrated e-commerce security model for websites

E-commerce is the branch of digital life that covers all economic and trade business conducted via the internet, together with the commercial procedures connected to that business. It is considered the largest and fastest-growing area of trade in the world and the most convenient way of purchasing goods and services over the net. Traditional buying has been displaced by e-commerce, especially during the Covid pandemic. However, the enormous challenge for e-commerce is insider and outsider cyber-attacks, which threaten the confidentiality, integrity, and availability of e-commerce systems. Researchers have proposed several security models and frameworks for the e-commerce field; however, an integrated model to secure purchasing and selling on websites is lacking. Thus, this study presents a survey of cyberattacks that may damage e-commerce and proposes an integrated security model for e-commerce using a design science approach. The proposed model comprises three main parts: client, e-commerce, and security. The results show that the proposed model can secure purchasing and selling on a website, and that users can instantiate their own solution models from it using a modeling approach.


Introduction
The internet plays a vital role for both individuals and enterprises. Online transactions have to be secured, since cyber-crime is increasing significantly; as per the principles of e-commerce, the conditions mentioned below are necessary to ensure the security of e-commerce. In the network context, security and integrity are a way to preserve customers' confidence in the consistency and accuracy of the data. Integrity also covers protecting data against unauthorized change by users. One of the standard mechanisms used to provide message authentication is a message authentication code (MAC). There are also rising risks and problems with an internet business or e-commerce, including the effects of intellectual property law on commerce, customer disputes, reimbursement, product housing, and logistics. Security is a danger that no e-commerce company manager can afford to overlook.
E-commerce security may be described as implementing the collection of protocols or regulations that carry out all e-commerce transactions safely. These safety criteria should be put in place to protect the security of different e-commerce firms against a range of undeniable hazards. Online security during internet transactions is one of the critical jobs (Sengupta et al., 2005). Many programs that handle electronic payments depend on web-based e-commerce. In this article, we discuss the existing security models that deal with the various forms of assaults and e-commerce risks, and propose a new model that counters the security risk and increases the trustworthiness of e-commerce systems.
This paper aims to propose a security model for e-commerce websites using the design science method. The proposed model comprises three parts: a client part, an e-commerce part, and a security part. The client part is used to prepare the client information before sending it to the e-commerce part. It has five activities: sending an order, receiving it, deleting the order, payment, and revising it. The e-commerce part is used to handle and process the client's request. It is further made up of six activities: availability, quality, price of the order, time of order, seller, and shipping path. The security part is used to secure both parts (client and e-commerce) during sending, processing, and receiving. It consists of seven activities: authentication, authorization, encryption, firewall, IDS, hashing, and recording. This study adapted the design science method for this purpose.
The rest of this paper is structured as follows: Section 1 gives an introduction to e-commerce security. Section 2 offers the literature review. Section 3 covers the methodology, and Section 4 produces the results and discussion. Finally, Section 5 concludes the paper.

Literature review
This section evaluates the existing attacks statistically, based on works published between 2010 and 2021. We picked e-commerce businesses since cyber threats mainly affect them, second only to the financial industry. Though e-commerce uses strong marketing and engaging web design, cyberattacks can still damage the company. Fig. 1 shows that most work has been done on financial fraud attacks, followed by brute force attacks, bot attacks, spam attacks, etc. The fewest publications deal with the distributed denial of service (DDoS) attack and SQL injection. In the coming sections, we explain all these attacks. Fig. 1 also shows that during the past eleven years (2010-2021), publications were highest for financial fraud attacks on e-commerce sites. E-commerce fraud is increasing quickly, and payment methods attract cybercriminals in large numbers (Fletcher, 2007). Hackers have conducted illegal transactions that lead to considerable losses for the company. The standard financial frauds include triangulation fraud (Wang et al., 2006; Hayes, 2020; Paintal, 2021), identity theft (Aïmeur and Schőnfeld, 2011; Paintal, 2021), friendly fraud (Guo et al., 2015), affiliate fraud (Amarasekara and Mathrani, 2016; Dong et al., 2021), and clean fraud (Foley, 2016; Manohar et al., 2021). Fig. 2 shows that identity fraud has been investigated the most, followed by friendly fraud, clean fraud, and affiliate fraud. Although triangulation attacks are rising nowadays, researchers have done minimal research in this area.

Brute force attack
Hackers attempt to guess a password to breach a website's authentication mechanism and gain access to a web application's secret information. Although it is an old form of attack, its popularity is surging because of the exponential growth in IoT devices. A brute force attack was launched on the "eBay of China": over two months, hackers compromised the accounts of 21 million consumers. In 2019, the Sucuri Firewall successfully prevented 1.3 million brute-force attempts (Badotra and Sundas, 2021).

Trojan horses attack
It is a fairly common kind of malicious software. The program hides in the background of a computer and performs harmful activities. Unlike worms and viruses, it does not replicate itself. According to some experts, the Trojan horse introduces most viruses into a system. It may attach itself to a system's authentication mechanism, copy all authentication credentials, such as login and password, and communicate them to its owner (Salomon, 2010). IcedID, SpyEye, Gootkit2, Panda, Chthonic, Zeus, Gozi, TinyNuke, and Betabot are examples of banking Trojans.

DDoS attack
DDoS attacks are one of the most severe dangers to the e-commerce sector (Bhardwaj et al., 2020). According to Kaspersky's DDoS Protection data, DDoS intrusions are increasing quickly. The number of incidents had increased by 84 percent, and the number lasting more than 60 minutes had nearly doubled. China had risen to the top of the list of countries targeted by DDoS attacks, followed by the United States and Hong Kong (Kaspersky and Furnell, 2014).

Bot attack
Bots are used to perform e-commerce fraud such as scalping, false account creation, and gift and credit card account takeover. This is one of the most common problems that an e-commerce website may encounter (Aswal et al., 2020). Bots may steal and leak the product's pricing and information to other e-commerce competitors for their benefit. On the other side, they try to break into client accounts to steal money through gift or credit card fraud. According to the most recent cyber-crime data, 210 million fraudulent attacks occurred in the first quarter of 2018, up 62 percent over 2017 (Badotra and Sundas, 2021).

Malware attack
Malware is a common cyber danger to e-commerce sites (Kashinath et al., 2021). Its major goal is to steal credit card information. These sorts of cyberattacks are on the rise; in only six months, 7,339 e-commerce sites were compromised.

Cross-site scripting (XSS) attack
Users of vulnerable web applications are in grave danger. XSS is a relatively popular attack that involves injecting malicious code into a susceptible web application. It has the potential to harm a digital business's reputation and its consumer relationships. There are two forms of cross-site scripting attack: stored XSS and reflected XSS. Stored XSS is more harmful than reflected XSS (Rodríguez et al., 2020). All online applications are vulnerable and have at least one risk, according to the Cisco annual security report of 2018. Web risks are getting more complex, precise, and pervasive, according to that report. It further said that 40 percent of all attempted attacks use a technique known as cross-site scripting. As a result, it is the most commonly used method (Rodríguez et al., 2020).
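Both forms of XSS come down to the same rendering defect: untrusted text (a stored product review, or a reflected search string) is placed into the page without encoding for the HTML context it lands in. The following added example, which is not code from the paper, shows a vulnerable renderer for a product review beside its hardened counterpart; the function names, the review markup and the two sample inputs are constructed for the illustration.

```python
import html

# Constructed sample inputs (illustrative, not taken from the paper): a review
# carrying a script tag and an author name that tries to break out of an attribute.
SCRIPT_REVIEW = '<script>alert(1)</script>'
BREAKOUT_AUTHOR = 'eve" onmouseover="alert(1)'


def render_review_unsafe(review, author):
    """Vulnerable rendering: untrusted values are concatenated straight into HTML.

    Whether the review came from the database (stored XSS) or from the current
    request's query string (reflected XSS), the browser executes whatever tags
    or event-handler attributes it contains.
    """
    return f'<div class="review" data-author="{author}"><p>{review}</p></div>'


def render_review_safe(review, author):
    """Hardened rendering: HTML-encode each value for the context it lands in.

    quote=True is required for the attribute value, so that a double quote in
    the author name cannot terminate the attribute and add new ones.  Element
    content only needs the angle brackets and ampersand encoded.
    """
    return (f'<div class="review" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(review)}</p></div>')


def has_live_markup(fragment):
    """Crude check used here only to compare the two renderers: does an
    executable tag or a new attribute survive in the output?"""
    lowered = fragment.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_review_unsafe(SCRIPT_REVIEW, BREAKOUT_AUTHOR))
    print("safe:  ", render_review_safe(SCRIPT_REVIEW, BREAKOUT_AUTHOR))
```

Output encoding at render time is the control that covers both stored and reflected XSS, because it does not depend on where the string came from; input filtering alone is fragile since the same text may be safe in one context and dangerous in another. In a real application this encoding is delegated to a template engine with auto-escaping switched on, and a Content-Security-Policy header limits the damage of anything that slips through.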

Spam attack
A spam attack is defined as unsolicited mass communication transmitted by instant messaging, email, or other IoT devices (Pradeep and Kj, 2016). Advertisers typically use it to advertise their products without incurring any running fees. It may also be used to hack a website, allowing hackers to collect all of the information on the site, modify the website code, and upload harmful files. Furthermore, hacked websites are exploited by hackers to send spam emails to other websites (Shahapurkar, 2021).

Website attacks and digital forensic investigation
Several website attacks were described in the previous section. These attacks threaten the confidentiality, integrity, and availability of websites.
Therefore, the digital forensics investigation field is required to investigate these attacks and reveal who the attacker is, when the attack happened, and which part of the data was affected.

Relationship between website usability and security
The security of an e-commerce site or business is highly dependent on the usability factors of the website. Therefore, a large number of researchers have discussed the security and usability of e-commerce models. The site's usability increases customer trust on one side and minimizes attacks on the other. Thus, a highly usable e-commerce model increases the customer base by reducing risk factors (Mohd and Zaaba, 2019). Usable security may be described as improving the safety of a system while taking customers' interactions into account. Usability and security go together, and they are interdependent. Measuring usability also assesses security, because the two are not independent of each other. A highly secure system leads to a more useful system (Chandler and Hyatt, 2003). Both are multidimensional subjects, which makes usability and security highly challenging to measure (Zaaba et al., 2011). Website usability and safety may be determined using different related criteria at the human and organizational levels (Gray and Salzman, 1998). Combining them establishes a model that brings numerous factors, such as security, website quality, satisfaction, and training, into one framework. Several previous assessment studies tried to assess e-commerce usability and security using such models (Palmer, 2001).

Strength and weakness of the existing website usability and security models
This section evaluates whether the current e-commerce methods can highlight all usability and security features in a single paradigm. Mapping the qualities assessed by each method onto usability features and security dimensions summarizes each model's advantages and disadvantages. Table 1 presents a review of the models based on this mapping, to determine whether they capture usability features and include security factors in each model's evaluation.
Of all the models reviewed above, most mainly measured only the components learnability and satisfaction. None of the models were able to capture all the features of usability and security together. McCloskey (2004), Al-Dwairi and Kamala (2009), and Chong et al. (2012) assessed the most significant usability and security elements. McCloskey (2004) measured learnability, efficiency, satisfaction, and security. Chong et al. (2012) measured learnability, efficiency, satisfaction, and memorability. Al-Dwairi and Kamala (2009) measured learnability, satisfaction, privacy, and security. Only Szymanski and Hise (2000), McCloskey (2004), Pikkarainen et al. (2004), Lim et al. (2005), and Al-Dwairi and Kamala (2009) included the element security in their model.
Examining the advantages and disadvantages of each model makes it clear that no single complete model can assess both the usability and the security of an e-commerce website. Without a full model that comprises usability and security fundamentals, assessment of the e-commerce model is not practical, and it cannot deliver a whole vision for development. The aim of usability assessment is mostly to notice the parts that call for action and then remedy the difficulties in a working package. The current assessment models do not achieve this aim. Most of the existing models assess only specific usability features rather than addressing all 5 usability elements together with the security fundamentals in one model. None of the current models gathers all 5 usability elements together with the security fundamentals. While each of the models stated above has made notable contributions, there is still no one model that has combined all 5 usability features with the security fundamentals into one wide model.

Methodology
This paper adopted a Design Science Research (DSR) method to develop the proposed artifact, referred to as the E-Commerce Security Model for Websites (Al-Dhaqm et al., 2017b; Al-Dhaqm et al., 2020b; Al-Dhaqm et al., 2021c). DSR is an investigative method used to generate original and innovative artifacts for a particular problem area, allowing them to be studied analytically (March and Smith, 1995). This application of DSR focuses on information technology artifacts that meaningfully influence the target domain. According to March and Smith (1995), the output of DSR can be described in terms of 4 types of artifact: concepts (constructs), which establish the vocabulary used to describe problems and solutions; models, which use this vocabulary to define problems and solutions; approaches (methods), which describe procedures offering guidance on how to respond to challenges; and finally instantiations, which are defined as combinations of concepts, models, and methods. The DSR life-cycle involves the repeated assessment of the produced artifacts. Therefore, the authors identify, select, and group concepts, activities, and tasks of the e-commerce security domain and combine them in one abstract platform called the E-commerce security model for websites.

Results and discussion
The proposed e-commerce security model for websites, illustrated in Fig. 3, consists of three main parts: client, e-commerce, and security. Each part has several activities. The client part is used to prepare the client information before sending it to the e-commerce part. It comprises five activities: sending the order, receiving it, deleting the order, payment, and revising it. The e-commerce part is used to handle and process the client's request. It has six activities: availability, quality, price of the order, time of order, seller, and shipping path. The security part is used to secure both parts (client and e-commerce) during sending, processing, and receiving.
It contains seven activities: authentication, authorization, encryption, firewall, IDS, hashing, and recording. Therefore, this model allows users to derive or instantiate their own models easily. Assume this scenario: "Fahad wants to buy an iPhone from the Lazada website." In this scenario, Fahad and the iPhone belong to the first part (client part), whereas the Lazada website is the second part (e-commerce part).
Therefore, Fahad sends his order to the Lazada website. The security part is used before, during, and after sending the request. Before sending the request, the security part checks Fahad's authentication and authorization by requiring his user name and password and restricting Fahad's level of approval against the Lazada website. During sending, the security part uses the encryption activity to protect Fahad's request from any attacks. In the e-commerce part, if the requested order is available, Fahad will check the quality, price, and shipping time. Here, Fahad can agree to, delete, or change the request/order. If Fahad agrees to buy the iPhone, he needs to pay the device's price using the payment activity in the client part. The security part will protect the purchasing process using the hashing and encryption activities. The firewall and IDS activities are used to protect both parts from insider or outsider threats. Finally, Fahad will receive the order details, contact the seller, and ask about the shipping path and time of delivery. Fig. 4 displays how Fahad can instantiate a real scenario to purchase an iPhone, derived from the e-commerce security model.
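To make the instantiation concrete, the following added example (written for this page; it is not the paper's code, nor Lazada's) walks the scenario above through the three parts in a few dozen lines: the client part sends an order, the security part runs the authentication, authorization, hashing and recording activities, and the e-commerce part performs the availability, quality, price, time and seller checks. The hashing activity uses a message authentication code, the mechanism the introduction names for message authentication. Everything here is assumed for the illustration: the user store, the approval levels in REQUIRED_LEVEL, the demo MAC key, the catalogue entry and the function names; transport encryption, the firewall and the IDS are left out of the model.

```python
import hashlib
import hmac
import json
import os

# --- Security part -----------------------------------------------------------

# Hypothetical user store: PBKDF2 password hashes plus an authorization level.
# Level 1 may send, revise and delete orders; level 2 may also pay.
USERS = {}
REQUIRED_LEVEL = {"send_order": 1, "revise_order": 1, "delete_order": 1, "payment": 2}

# Constructed demo key for the hashing activity; a deployment keeps this in a secret store.
ORDER_MAC_KEY = b"constructed-demo-key-not-for-production"

AUDIT_LOG = []   # recording activity: every security decision is appended here


def _derive(password, salt, iterations=200_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def register(username, password, level):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "digest": _derive(password, salt), "level": level}


def authenticate(username, password):
    """Authentication activity: verify the password with a constant-time comparison."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["digest"])


def authorize(username, action):
    """Authorization activity: restrict the client's level of approval per action."""
    return USERS[username]["level"] >= REQUIRED_LEVEL[action]


def mac_order(order):
    """Hashing activity: a message authentication code over a canonical encoding of the order."""
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ORDER_MAC_KEY, canonical, hashlib.sha256).hexdigest()


def verify_order(order, tag):
    return hmac.compare_digest(mac_order(order), tag)


def record(event, **details):
    AUDIT_LOG.append({"event": event, **details})


# --- E-commerce part ---------------------------------------------------------

# Constructed catalogue standing in for the seller's inventory.
CATALOGUE = {
    "iPhone": {"available": True, "quality": "new", "price": 999.0,
               "shipping_days": 3, "seller": "seller-1"},
}


def process_order(order):
    """Availability, quality, price, time and seller checks on an already-verified order."""
    product = CATALOGUE.get(order["item"])
    if product is None or not product["available"]:
        return {"status": "unavailable"}
    return {"status": "accepted",
            "quality": product["quality"],
            "price": product["price"] * order["qty"],
            "shipping_days": product["shipping_days"],
            "seller": product["seller"]}


# --- Client part -------------------------------------------------------------

def send_order(username, password, item, qty):
    """Client sends an order; the security part wraps it before and after transit."""
    if not authenticate(username, password):
        record("auth_failed", user=username)
        return {"status": "rejected", "reason": "authentication"}
    if not authorize(username, "send_order"):
        record("authz_failed", user=username, action="send_order")
        return {"status": "rejected", "reason": "authorization"}

    order = {"user": username, "item": item, "qty": qty}
    tag = mac_order(order)              # sealed on the client side
    # Transport encryption of (order, tag) is out of scope here; only the integrity check is modelled.
    if not verify_order(order, tag):    # checked again on the e-commerce side
        record("tampered", user=username)
        return {"status": "rejected", "reason": "integrity"}

    result = process_order(order)
    record("order_" + result["status"], user=username, item=item, mac=tag)
    return result


if __name__ == "__main__":
    register("fahad", "correct horse battery", 2)
    print(send_order("fahad", "correct horse battery", "iPhone", 1))
    print(AUDIT_LOG)
```

Two design points carry over to a real deployment. The MAC is computed over a canonical JSON encoding with sorted keys, so the client and the e-commerce side agree on the bytes being authenticated regardless of dictionary ordering; and every decision, including the failures, goes to the audit log, which is what the recording activity exists for and what the forensic investigation described earlier would rely on.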

Conclusion
The security and usability of e-commerce models work together to improve overall performance, increase usability, and provide a secure environment for the end client. In this paper, the proposed model is simplified and improved. It serves two basic purposes. First, the three-level security model provides improved security and serves both the merchant and the client. Secondly, it simplifies the process to improve performance. It incorporates encryption for secure payment and checks the additional parameters required for successful completion of an order. The same model will improve clients' experience and trust, which will help in increasing the client base. Besides these improvements, the model is generalized so that it can be used in any e-commerce scenario to serve a larger community of users.