Impact of spam and related threats on business productivity and security

¶ … Business Productivity

The Affects of Span and Junk eMail on Business Productivity and Security

SPAM and junk email is a growing problem on the worldwide web. SPAM is a cheap alternative to direct mailings for the marketer. They can send out hundreds of thousands of emails with the expectation that a certain percentage will turn into sales. However, spam also presents a security risk, as it can allow the entrance of viruses and worms into the system. It can also serve as a means to steal personal information from the unsuspecting user. This study will examine the amount and types of email received by employees and managers at a major hotel. It will use numerical data, questionnaires and face-to-face interviews to accomplish its task. The results will be presented in the form of a report that outlines steps that can be taken to avoid the influx of spam on company computers.

The Affects of Span and Junk eMail on Business Productivity and Security

Introduction and Problem Outline

Everyday million of businesspersons across the world open up their email and find it filled with unsolicited, and mainly unwanted emails offering everything from shammy cloths to the latest in weight loss pills. Sorting through this junk to find the real emails from clients and business-related mail takes time and reduces productivity. In addition, since the Melissa virus caused devastating damage to systems around the world, email security is on everyone's mind. Everyone is wondering if that piece of email is legit, or if it will be the one to wreak havoc on their business system. Span and junk email pose a significant threat to business productivity and security. The proposed research study will address the topic of spam and junk email and its affect on productivity and security.

Background/Context

According to Winslow (2005), American Online claims to cull 75% of the incoming spam through filters. However, many small businesses do not have the capabilities to employ such large-scale filtration devices. For these companies, there is little that can be done, and spam can have a dramatic impact on their business (Winslow 2005). According to MX Logic, SPAM is down 9% (Winslow 2005), but they did not disclose exactly how they derived that number. With the average small business receiving close to 300 junk emails per day, this means a very small decrease in the number of emails actually received. This is hardly enough of a reduction to notice (Winslow 2005).

In a recent study, email was found to contribute to constitute a major portion of employee workload. On average, the typical user received 59 business related emails and send out around 27 (D'Antoni 2003). It is estimated that 28% of all incoming messages are junk mail (D'Antoni 2003). According to the study, the average worker spends 37 minutes every day dealing with junk email (D'Antoni 2003). This amount of time every day adds up to a whopping 12 hours or more of lost productivity every month. When one considers the hourly rate paid for those 12 hours, times the number of employees, this can add up to a major operating expense. This is one expense that does not result in increased revenues, but represents an unnecessary waster of time.

Worker reactions to spam were overwhelmingly negative. They found if annoying and offensive in some cases. However, when the subject line is interesting, the employee may read as many as two every day (D'Antoni 2003). The volume of spam is expected to increase. Companies will be forced to invest more in spam blocking technology or face increased operational costs due to the amount of time employees must spend dealing with spam.

The advent of spam and junk email led to technological advances that include blacklists, IP blockers, and mail filters. However, even with these tools, junk email continues to invade the email of employees (D'Antoni 2003). Junk email take a toll on businesses by stressing network bandwidth to the limits, reducing productivity, and leading to endless employee frustration (D'Antoni 2003). It was found that almost 66% of all companies use some type of email filtering to attempt to block spam (D'Antoni 2003). Those that do not will continue to face an increasing amount of spam and will have to suffer the consequences of lost productivity due to their choices

Spam creates a lose-lose situation for the business. Small businesses are less equipped to offset these costs than larger companies. Small businesses take a greater hit from the expenses involved in blocking it or in terms of lost productivity. They must either face increased lost productivity and the negative affects of the junk email assault, to they must spend increasing amounts of money to try to block at least some of it. For the recipient, there is little benefit to the spam itself. Much of it is not targeted marketing, or at least marketing that is well-thought out and planned. It is a numbers game in which companies increase their targets in hopes of capturing a small percentage of the sales.

We have already discussed the incredible number of spam emails that employees receive on a daily basis and the impact that this will have on the company. It is estimated that spam cost U.S. companies over $10 billion a year in 2003 (D'Antoni 2003). There is no guarantee that this technology will even help the problem. For every new piece of technology invented to reduce spam, companies that send spam invent new ways to get around it and "fool" the system into thinking that they are legitimate email.

In an attempt to rid inboxes of spam, some legitimate email gets misclassified and ends up unread in the junk email folder. This may be the one confirming the sale, or an important time-related message, but it does not get read and this can have devastating results. Nearly 46% of all users know that they have lost important email. Almost 21% are not sure and 33% indicated that they have not lost any email that they know of (D'Antoni 2003). However, it might be noted that those who answered "no" may not know how many important emails were lost.

A majority of email users indicated that they did not consider their spam filtering technology to be significant in reducing the number of junk emails in their inbox. Currently, there are measures being considered that will give the government some means to control spam, but many feel that these measures will be only minimally affective in reducing the number of junk emails that they receive (D'Antoni 2003).

Problem Presentation

This research will explore the real costs of spam for companies. Several studies have been conducted that explore the issue from the standpoint of time spent reading unsolicited junk email. However, spam has several costs that are not part of the costs considered in other studies. Aside from lost production in terms of time, this research will also explore the costs of spam in terms of the following:

Drain on network resources and unproductive bandwidth use

The potential to infect the system with viruses and worms

Attempts to use computer security for fraud, such as phishing

Analysis

The issue being addressed in this study is the impact of spam and junk email on business productivity and security. This is a problem that affects everyone, particularly small businesses that are not equipped to absorb the costs associated with spam. This target group for this evaluation will consist of small business managers, who will provide information regarding the affect of spam on their productivity and security issues.

The overall goal of the project is to provide a different perspective on the affects of spam on business performance. This research will take a different measurement approach than previous studies regarding the issue of spam. It is hoped that this research study will achieve the task of presenting a perspective of the problem of spam in relation to bandwidth usage and security issues. These two areas are a necessary element in understanding the impact of spam on business productivity. Data will be collected using face-to-face interviews and questionnaires.

Results of face-to-face interviews and questionnaires will help the researcher better to understand the issues related to spam and business productivity, and security issues. The end product will be a published set of security protocol in order to enhance productivity and reduce security threats to the company.

Planning

Spam represents a triple risk factor to business productivity. It reduces productivity by utilizing time bandwidth and other company resources. It introduces a security threat to the company as a whole through the introduction of viruses and worms. Spam also represents and individual threat in terms of personal information. Individual employees are in danger of having their personal information stolen via spam tactics such as spoof emails and such. Of these issues, personal and business level security will be the easiest of these risks to mitigate. If is difficult to control the amount of spam coming into the company and taking up bandwidth, but policies can be developed to make users more aware of these risks and the procedure that can be used to reduce the threat.

The objectives of this project will result in a reduced security risk due to incoming spam and junk email messages. Achievement of the objective will be difficult to measure because it represent something that will not happen if the project is successful. A reduction in threats due to the actions or inactions of employees will result in achievement of these objectives. An employee questionnaire or survey would be useful in determining if the policies result in a greater awareness and adherence to prescribed policies regarding how to treat spam in the company. Increased awareness and willingness to take actions to increase security, as measured by a survey conducted some time after the policies are in place will provide insight into the success or failure of the prescribed measures.

Evaluation

There are several contributing factors that will affect the outcome of the project and the ability to achieve the intended objectives of the study. The first factor will be the willingness of managers to disclose the real risks associated with spam. They may have differing perceptions of the real risks. They may tend to minimize or overstate the real risks involved in the amount of spam or junk email that they receive. They may not be aware of the real risks involved with spam and the affect that it is having on their company, which may have an impact on their interview and questionnaire answers.

The impact of spam on companies will have to be considered in terms of the quality and level of spam security that the company has installed. It would be expected that companies with no spam or junk email protection would be inundated with unwanted email to a higher degree than companies that have installed sophisticated spam protection packages.

The key strategy that will be used to achieve the objectives will be careful analysis and identification of the root cause of the problems with security. For instance, if the interviews and questionnaires indicate that the problem is more software related, these issues will be at the forefront of the solution and more efficient software, or perhaps layers of software will be used to target the problems. However, if people are found to be the problem, then training and policies will be used to address the issues. For instance, if it is found that employees are engaging in activities during lunch that involve accepting solicitations from sponsors to play a game or take a quiz, then these issues will have to be addressed in order to reduce the amount of spam coming into the computers.

Interviews and questionnaires will be the key tools to evaluate the risks and root causes of problems found during the study. Ecommunication within the company will be used to evaluate the number and threats associated with spam and junk mail within the company. It might be noted that employee perceptions regarding email risks and threats may be different than the information revealed through the actual examination of the email itself. This analysis will serve as a comparison to the perceived threats and risks associated with spam and junk email within the company.

The strategy to be implemented in an attempt to reduce bandwidth usage and improve security protocols will entail a comparison of the perceived vs. The actual risks associated with spam and junk email will be to identify the causes of these problems. The solution to the problem will be to devise a published set of protocols to help reduce the amount of email coming into the company and to help improve security. Increased security will be achieved through a combination of action and awareness of the potential problems associated with spam. Employees will have a set of actions that they can take to help increase security and decrease spam and junk email within the company.

Target

This study will be directed towards department managers and those within the company that are responsible for helping to reduce operating costs and increase profits within the company. The primary audience will be managers who wish to take positive steps to help reduce the security risk and operational problems associated with spam and junk emails. It is intended to provide them with a strategy for helping to reduce their associated risks within the department. The target audience of the study will also be part of the sample population as well, but not all of them.

Chapter 2: Literature Review

The problem of spam began as a minor annoyance, mush on the same level as junk mail through the post office. It was easy enough to just delete it or ignore it. However, spam and junk email have grown in proportion to the increase of ebusiness and now represents a major loss of productivity. Recently, this topic has caught the attention of the academic community and studies indicate that this problem is more than an annoyance. It represents a major cost and security risk for companies. The following will examine relevant literature regarding spam and issues of bandwidth and security issues due to spam and junk email.

The Affects of Spam and Junk Email on Business

Several studies examined the costs and other losses associated with the high number of spam that companies typically receive. The costs of spam can be divided into tangible and intangible costs. Tangible costs include the costs to purchase anti-spam software and hardware to combat the problem (Edwards 2007). Lost productivity due to the time it takes to read each email could be viewed as either a tangible or an intangible cost (Edwards 2007). Waster storage is another tangible cost, particularly if it results in the purchase of extra storage space or devices (Edwards 2007). One of the more difficult intangible costs is the amount of cost that is passed onto the customer from ISPs (Edwards 2007). Spam harms business and can lead to damage to their reputation, especially if it was their computer that acted as the zombie and sent out a virus to everyone in their customer base.

How does Spam Work?

Spam and junk emails are a form of direct marketing. This marketing technique relies on the statistical assumption that if one sends out enough ads, most people will reject it, but a certain number will respond (McCusker 2005). Unlike bulk mailing, which entails printing costs, stuffing envelopes, labels, and the costs of mailing, spam is a low cost alternative. Cost estimations indicate that the cost of sending an email is between U.S.$0.000082 and U.S.$0.000030 (McCusker 2005). This amounts to upwards of U.S.$0.50 to over a dollar for conventional bulk mail through the Post Office. As one can see, spam is the cheap alternative to the old fashioned version of direct mail. Companies can send out millions of emails and they can do it repeatedly every day. One case reported that a response rate of 0.0023 led to a sales of $1,500.00 (McCusker 2005). This venture only cost the spammer $350.00 (McCusker 2005). Almost 1/3 of all email respondents will click on the email and at least read it (McCusker 2005). This is a very lucrative marketing technique.

Spam can only be sent to valid email addresses. Spammers obtain these lists from internet sites, such as chat rooms, blogs, or other means. They may use corporate email addresses, as these sites are often designed to build customer relations (McCusker 2005). Spammers use software that tracks back to them to confirm that a recipient has read the email.

The most noxious of the techniques used to obtain valid email addresses is called a "directory harvest attack" (McCusker 2005). In this strategy, the spammer will attempt to deliver emails to corporate addresses using any number of possible name combinations. They send them out and see how many come back rejected. Those that do not bounce will be considered valid email addresses and can be used to target the marketing campaign (McCusker 2005). As one can see, spammers use a number of strategies to obtain valid email addresses. One might note that this approach does not represent a targeted audience.

One source of spam that is often not considered in spam threat analysis is the "friendly fire" spam where employees and their families send jokes and other such links through the company email for mass distribution. Internally generated email spam can be devastating for a large company (McCusker 2005). Companies that allow this type of behavior and do nothing to stop it risk liability, should damages arise from actions within their company.

Spam is filled with chain letters, bogus business opportunities, advance fee fraud, and get-rich-quick schemes (McCusker 2005). Although, some legitimate offers do arrive through spam, many are too good to be true and filled with empty promises that the originator cannot deliver. The art of "phishing" is another offshoot of email fraud. In this scam, an official mock (spoof) email is sent to the person. The most typical are those that look like a bank (McCusker 2005). These emails try to tempt the user to click on a link. When they do so, they will be asked for their user ID, password, and other information such as account numbers and addresses (McCusker 2005). It is estimated that phishers are able to fool approximately 5% of a well-known companies' users with this technique (McCusker 2005).

These are the most common methods used to disseminate spam. Viruses can be disseminated using similar techniques. This process works like this. The virus is placed in an email attachment and sent. The recipient opens the attachment and releases the worm. The work sends copies of itself to email addresses that are stored in the recipient's computer (McCusker 2005). The worm will install itself on networks and all other computers within the network. Next, the worm allows a "Trojan horse" to be downloaded. It can allow open proxies, and get around gateways, disguised as the unsuspecting recipient's computer. The recipient's computer then becomes vehicle for the dissemination of the virus (McCusker 2005). The computer user is referred to as a "zombie" as they are unaware of what their computer is doing. If this happens to every recipient on just that one user's list the virus can spread at almost lightening speed.

Spam as Crime

Direct advertising is not against the law. However, spammers must following certain rules in order to avoid criminal activity. Laws differ from country to country. However, most have several common components. Some of the most common components of criminal actions resulting from spam are no opt-out or opt-in, using a false or misleading header, use of deceptive subject headings, not to state that the message is an advertisement, not to leave a functional return email address, not to provide an unsubscribe, not to provide a valid postal address, email after the addressee has rejected it or blocked the sender (McCusker 2005). In addition to these actions, a harvest or dictionary attack is not illegal, but if caught for another offense, can lead to stiffer sentencing (McCusker 2005). Failure to place warning labels on sexually oriented material is against the law (McCusker 2005). These actions are illegal, a large number of spam emails break one or more of these laws.

Breaking spam laws can lead to civil or criminal penalties. In the United States, these penalties can include up to 5 years of imprisonment, forfeiture of property used in crime, and up to a million dollar fine (McCusker 2005). As one can see, spam or junk email crime is serious business. However, in the UK and Australia, penalties are often limited to fines, although these can be quite steep (McCusker 2005). The U.S. has the stiffest internet crime laws, as compared to those of the UK and Australia. They differ on several points. For instance a dictionary attack is not illegal in the U.S. And UK, but is illegal in Australia (McCusker 2005). Failure to post a functioning return address is a crime in all three of the countries examined (McCusker 2005). These examples provide clues as to how internet crime is perceived in various countries.

Conclusion review of literature only revealed a handful of credible studies regarding the costs and effects of spam on a business. Statistics differed as to the actual costs of spam. It may be noted that a vast majority of the cites presenting such statistics are hosted by companies that intend to sell spam filtering hardware and software. These cites were considered to be highly biased and were not considered in the literature for this review. Many did not provide sources or back up for their claims. These were not considered of acceptable standard for this report and were not included in this report. No material from commercial cites was included in this literature review.

Only academic sources were included in this literature review. This left only the handful of material that is presented in this study. This research indicates that there is still much to be learned about the costs of spam and its impact on security. None of the studies found during the literature review addressed the topic of this research proposal. This research will fill the gap and provide valuable knowledge as to how to affectively reduce the threats inherent with spam.

Only one other study was found that was similar to this one. D'Antoni (2003) used a survey technique to examine the impact of spam on a business. However, this study addressed different aspects of the topic. Although there will be some crossover in the proposed research study, it will provide a fresh look at some issues that were not addressed in the named study. It will address security and other issues that were not included in the research found to any degree.

Chapter 3: Research Design

The research design for this study will use a questionnaire technique similar to that used by D'Antoni (2003). This portion of the study will address quantifiable data and will directly address the tangible costs of spam for the company. It is expected that the costs associated with spam will be high, as indicated by what little literature could be found in the literature review. This knowledge will help to determine how big the problem is, but it will not tell us anything about how to solve it.

To achieve the objective of this research and develop policies and procedures for decreasing span in the workplace, it is necessary to delve into the topic in more depth than quantitative techniques alone can provide. For this reason face-to-face interviews will be included to help discover the underlying reasons and patterns behind the costs and risks. Qualitative techniques will provide greater insight into the topic and will be more useful than the quantitative portion in providing the basis for the intended anti-spam policies and procedures that are the goal of this research.

Research Hypothesis

The following hypotheses will represent the central points that will be examined by the research study.

H1: Spam will prove to have a measurable tangible cost for the companies examined.

H2; Spam will result in significantly increased bandwidth, creating problems with speed and accessibility.

H3: Spam represents a significant security risk to the network due to the potential for intrusive viruses.

H4.: Spam represents a personal threat to the user due to phishing for private information.

Research Question

The formal hypotheses will serve as the central focal point of the research study. However, in order fully to understand the affect of the research topic, it will be necessary to examine the following research question. How can Spam emails, and their associated security threats, be alleviated to boost the company's productivity by listing and analyzing identifiable incidents from the company's email log in order to set up an accurate security protocol which will be implemented for full time computer users within the organization the final result being a much safer and effective electronic communication?

Expected Outcome

The expected outcome of this research study will be greater knowledge on the impact of spam on company productivity in terms of time and cost. It will also assess the threat of attacks against the company system. The study will address threats to individuals through phishing activities. The final outcome of the project will be the development of formal written security protocols and procedures.

Three data spotlights are identified for this study. The first will be the actual number of spam incidents and potential threats received by employees through the company system. The second data spotlight will be questionnaires that will be taken by the study participants. The third data spotlight will be on the face-to-face interviews to provide a more in-depth outlook on the other two types of data being gathered.

The data gathered will relate to the research question and hypotheses by providing a critical analysis of the issue of spam emails within the company. The data collected will allow the researcher to evaluate the affect of spam on the company. The questionnaires and interview data will help to clarify the problem so that the key issues can be clearly identified and addressed in the resulting policies and procedures.

Context of the Problem

The key highlight of the contextual basis for the study is the increased use of the Internet as a cheap alternative to more costly advertising alternatives. In the beginning, the problem was not that bad and people may receive an unwanted email from time to time. However, as use of the Internet grew for business purposes, the potential for use as a virtually free advertising medium grew exponentially. Now the problem of spam is one of the most pervasive problems in the business community and threatens to increase operating costs and reduce productivity. It presents a potential route for the invasion of systems by viruses and other threats. It also presents an individual threat to the individual through phishing.

Root Cause Analysis

The primary problem that will be addressed in this research study is how to eliminate spam and the results of it. The answer centers on an examination of which weapons are most likely to be the most effective in eliminating this threat. The key problem is finding the root cause of the problem so that proper means can be devised to eradicate it. The it department at the London Bridge Hotel has already invested considerable time and money into implementation of security measures designed to reduce spam and eliminate potential threats as a result. However, as the number of emails still getting through the filters demonstrates, there is still much to be learned and much to be done in this area.

Associations emails, phishing, file sharing, financial details, customs and habits, personal details sharing

Perspectives

It seems appropriate to focus on the business perspective, as the management would like to do what is judicious to reduce expenditure to the minimum in order to remain competitive as a business. Risk management is also an important part of the business landscape. Reducing risks can be as valuable as reducing costs, or increasing sales.

Effect

The key effects of spam are risks to security due to the storage of credit card details, and other information stored on the computer. In addition, spam costs a considerable loss of time and money. Bandwidth reduction is the third key effect of spam that will be studied in this report.

Aim

The aim of the study is to survey full time workers in the company and implement a security protocol on how to safely and efficiently use the email system as an aid to accessibility within a modern business environment.

Objectives

This study will focus on three key objectives using the appropriate measurement components to achieve analysis of the spotlight object. These three aims are stated as follows:

1. To identify and list (Activity) in a catalogue (Milestone) the components of the company's email system (Spotlight).

2. To describe (Activity) by means of annotated diagrams (Milestone) how a Spam mail functions by observing its effect on the bandwidth and sensitive details held by the business' computers (spotlight)

3. To prepare (Activity) a security protocol (Milestone) explaining how full time workers could be helped by the use of security measures implement in their daily e-communication routine; by examining pattern of accessibility for full time workers within the hotel.

Problem solving approach

The problem will be resolved from and it and revenue perspective by highlighting the fact that spam email can cause productivity loss and security issues within the company. The Research will be based on the company's incoming emails log, which will constitute the primary data collection method. The researcher intends to concentrate on the log to find the central cause of the inability to reduce the number of inbound spam emails.