Email security policy implementation in multinational organisations with special reference to privacy laws

Dixon, Henry George

January 2003

In 1971, scientist Ray Tomlinson sent what is now considered the first email message. It was considered as “nothing short of revolutionary … deserv[ing] a spot in the list of great communication inventions such as the printing press, telegraph and telephone” (Festa, 2001). Whereas email was first used exclusively in the military (Arpanet) and in academic circles, it has now become almost ubiquitous, used widely for private, as well as for business correspondence. According to a Berkeley study (Berkeley, 2000), there were approximately 440 million corporate and personal [e-] mailboxes worldwide in 2001, of which more than a third was corporate mailboxes. As a result of the extensive use of email in the corporate environment, Information Officers have to ensure that the use of email adds business value. In an “always on” market place, the efficiency, immediacy and cost effectiveness of email communication are immediately evident. A study by Ferris Research, quoted by Nchor (2001), shows that there is “an overall productivity gain of US$9000 per employee as they send and receive emails to get projects done.” However, the use of email in the corporate envi-ronment also poses business risks that need to be uniquely addressed. Among these “key business risks” (Surfcontrol, 2001) are security risks, viruses, legal liability, pro-ductivity loss and bandwidth abuse. To address the risks mentioned above and to protect the business value of email, spe-cific policies have to be implemented that address email usage. Information Security Policies are defined in most corporate environments. In a study done by Elron Soft-ware (2001), 83% of respondents who have abused email have company policies regu-lating email usage. There appears to be a gap between policy conception and policy implementation. Various factors inhibit effective policy implementation – ethical, legal and cultural. The implementation of corporate policy becomes especially complex in multinational environments where differing information law Email usage is ubiquitous in the modern business environment, but few companies adequately manage the risks associated with email.

Privacy, Right of

Electronic mail systems -- Management

A Multi-Variate Analysis of SMTP Paths and Relays to Restrict Spam and Phishing Attacks in Emails

Palla, Srikanth

12 1900

The classifier discussed in this thesis considers the path traversed by an email (instead of its content) and reputation of the relays, features inaccessible to spammers. Groups of spammers and individual behaviors of a spammer in a given domain were analyzed to yield association patterns, which were then used to identify similar spammers. Unsolicited and phishing emails were successfully isolated from legitimate emails, using analysis results. Spammers and phishers are also categorized into serial spammers/phishers, recent spammers/phishers, prospective spammers/phishers, and suspects. Legitimate emails and trusted domains are classified into socially close (family members, friends), socially distinct (strangers etc), and opt-outs (resolved false positives and false negatives). Overall this classifier resulted in far less false positives when compared to current filters like SpamAssassin, achieving a 98.65% precision, which is well comparable to the precisions achieved by SPF, DNSRBL blacklists.

Electronic mail systems -- Management.

Spam (Electronic mail)

Phishing.

spam

phishing

Eigen-behavior