Strategic HRM Plan Grading Guide
HRM/498 Version 4
Strategic Human Resource Management and Emerging Issues
Individual Assignment: Strategic HRM Plan
Purpose of Assignment
The purpose of this assignment is to aid the student in
determining the importance of developing a communication plan
to support the company's strategy and assess how the HR
planning process is integrated into the firm's strategic plan.
Grading Guide
| Content | Met | Partially Met | Not Met | Comments |
| --- | --- | --- | --- | --- |
| The student creates a communication plan to support the strategy of American Plastics. | | | | |
| The student justifies why American Plastics was important for the strategic HRM planning process. | | | | |
| The student recommends how to address these considerations. | | | | |
| The paper does not exceed 1,050 words in length. | | | | |

Total Available: 10.5
Total Earned: #/10.5
| Writing Guidelines | Met | Partially Met | Not Met | Comments |
| --- | --- | --- | --- | --- |
| The paper—including tables and graphs, headings, title page, and reference page—is consistent with APA formatting guidelines and meets course-level requirements. | | | | |
| Intellectual property is recognized with in-text citations and a reference page. | | | | |
| Paragraph and sentence transitions are present, logical, and maintain the flow throughout the paper. | | | | |
| Sentences are complete, clear, and concise. | | | | |
| Rules of grammar and usage are followed including spelling and punctuation. | | | | |

Total Available: 4.5
Total Earned: #/4.5
Assignment Total
#
15
#/15
Additional comments:
A Framework for Enhancing Systems Security
Srinarayan Sharma, Indian Institute of Management, Ranchi, India
sriOsharma@gmail.com
Vijayan Sugumaran, Oakland University, Rochester, USA, and
Service Systems Management and Engineering, Sogang University,
Seoul, South Korea
sugumara@oakland.edu
ABSTRACT
Security concerns have grown in sync with the growth of
ecommerce. This paper
presents a framework for analyzing systems security in terms of
three dimensions,
namely, technology, process, and people. The paper also
advocates a systems
development life cycle view of security. It describes different
activities that need to be
carried out throughout the development cycle in order to
improve overall systems
security. It also discusses the theoretical and practical
implications of the study, and
identifies future research directions.
KEY WORDS
Systems Security, Systems Development Life Cycle, Security,
Ecommerce,
Security Framework
INTRODUCTION
Like all sectors of the economy, e-commerce has also been
negatively impacted by the
worldwide economic downturn. While other sectors have seen
their growth suddenly
move down in the reverse gear, e-commerce has held its ground
well. According to
the latest published e-commerce statistics (US Department of
Commerce, 2011),
online spending in 2010 in the United States increased 8.1
percent from that of 2009,
while in 2011, retail ecommerce was expected to grow 13.7% on
sales of $188 billion
from that of 2010 (eMarketer, 2011).
The long term U.S. retail e-commerce sale is still forecast to
grow in high single digits
to low double digits from an estimated $165.4 billion in 2010 to
$269.8 in 2015
(eMarketer, 2011). Security concerns have grown in sync with
the growth of
ecommerce (Richardson, 2010). According to the 2010
Computer Security Institute
Computer Crime and Security Survey (Richardson, 2010),
though the security
breaches at the respondent companies have decreased, they
remain high. Episodes of
hacking at the headquarters of the software giant Microsoft and
other companies have
only heightened the need for systems security (Gross, 2011).
Online privacy and
security are the most important issues for Internet users and will
remain so in the
foreseeable future (Bennett, 2006). Identity theft, credit card
fraud, and virus attacks
affect virtually all areas of Internet use. Security breaches can
lead to lower
confidence and heightened fear for consumers resulting in fewer
customers buying
online (Cybersource, 2009). Consumer fears resulted in
estimated online sales losses
of $4.0 billion in 2008, an increase of 11 percent from the
previous year (Cybersource,
2009).
In this paper, we argue that only a systematic approach to
security can protect
companies from Internet and other security breaches. Towards
that end, we describe
generic systems security concerns, and generic security
technologies available to
address these concerns. We provide a framework for analyzing
systems security in
terms of three dimensions, namely technology, process, and
people. We also advocate
a systems development life cycle approach to security and
identify some of the key
activities that need to be carried out throughout the
development cycle in order to
improve overall systems security.
The paper is organized as follows. In the next section, we
briefly provide a review of
the security concerns and technologies. Following this we
review the information
security literature to survey existing security frameworks. Then
we provide our own
framework to integrate different security issues along with key
activities needed to be
performed in a systems development life cycle. In the next
section, we provide a
discussion of how our framework could be applied to a generic
company. Finally, we
conclude with implications for theory and practice.
SYSTEMS SECURITY ISSUES AND SECURITY
TECHNOLOGIES
Systems Security Issues
Security is a multidimensional concept and needs to be
examined on several
dimensions such as privacy, physical access restrictions,
application availability,
network confidentiality, content integrity, and access policy
(Olson & Olson, 2000).
Security generally refers to authentication, access control, audit
trail, confidentiality,
integrity, availability, and nonrepudiation (Internet Society,
2000).
Most common security problems in electronic commerce can be
classified into four
categories: operating system weaknesses, application
vulnerabilities, improper
configuration, and lack of training and resources (Connolly,
2001). Ironically, the last
category, lack of training and resources, contributes to the first
three problems. The
following are some of the e-commerce security issues discussed
in the literature.
(a) Misallocation of resources: In the majority of organizations,
security spending has
been lagging compared to migration of corporate information
from legacy systems
to new client/server and web-based systems (Myers, 2011;
Richardson, 2010).
While the critical corporate data has been moved to Unix and
NT systems,
companies are still spending resources to secure mainframes
(Hines, 2007;
Messmer, 2008; Paris, 2009).
(b) Broadband Remote Access Applications: Keeping mission
control applications up
and running 24-hours a day 7 days a week has become a
business necessity. If
they are not secure, hackers will find them and possibly gain
control with
malicious intent. Some hackers use empty hard drives on these
systems for storing
illicit files, while others may use remote access as a backdoor
into enterprise
systems. Cable systems use Ethernet "party-line" architecture
and put a
neighborhood on a single subnet. Each packet is broadcast to
everyone, and only
the addressee is supposed to process it. However, neighborhood
hackers can use
Sniffer technologies to tap into this subnet (Panko, 2010). Once
they have access
to the subnet, they also have easy access to the other systems on
it.
(c) Lack of Incident Response Plan: Organizations often lack an
Incident Response
Plan to cope with security breaches (May, 2011; Richardson,
2010). A good
Incident Response Plan usually includes policies on when to
shut down an
affected server and when to quarantine it. It also outlines how
to contact vendors,
company executives, and response team members, as well as
ISP and law
enforcement officials. The plan explicates logs to be kept and
steps to be
performed to track the hacker's activities and location. It also
describes how the
affected parties will be contacted. In the absence of such a plan,
organizations try
to address any security breaches in an impromptu manner,
which leads to chaos
and delay.
(d) Lack of customizable automated tools to fix security holes:
Plugging every
security hole is extremely resource-consuming. Scripting tools
available to
automate the process are not customizable. Thus skilled security
professionals are
needed to do the job by hand (Schwartz, 2011).
(e) Lack of security awareness: Organizations lack a strong
security culture to ward
off unexpected hacker attack (Grimes, 2009; Richardson, 2010).
Complexity and
variety of security attacks have made the management of
employee attitude
toward security a paramount concern. Increasing numbers of
companies are
becoming dependent on Internet access from their desktop for
personal and daily
business and as a result, bring exposure to company data and
information to new,
intensely dangerous levels. While some employees may be
acutely aware of
security dangers, others may need constant reminders. Building
a security-conscious culture may be a daunting task, but companies need
to instill it to
minimize security breaches.
(f) Heavy emphasis on just IT: There is a general perception
that system security is
the responsibility of the information systems department and is
independent of the
business processes. Factors that control the information flow
between sub-systems
shouldn't just come from a technical view if it is to be effective
companywide
(Grimes, 2009). Business risk control mechanisms are needed to
meet the overall
security objectives.
(g) Lack of security education and Training: Employees need to
be educated to
understand the need for information security and what it means
to the organization
(Richardson, 2010). They have to be encouraged and motivated
to follow
standard security procedures (Myers, 2011).
(h) Lack of Ownership: Employees must also be assigned
responsibility and
ownership of the information they manage (Panko, 2010). Early
involvement of
employees in the process is necessary for their taking ownership
of the process.
Security Technologies
Having briefly described different systems security concerns in
companies, in this
section we provide a brief overview of the technologies
available for addressing these
security concerns.
(a) Digital Certificates: Digital certificates, which are a key part
of Internet
security, received federal legal authority in June 2000. These
certificates can
serve as a trusted and verified means of identification that
cannot be
repudiated (Gerdes Jr., Kalvenes & Huang, 2009).
(b) Public Key Infrastructure (PKI): It has been difficult to
establish proper trust
and verify credentials with electronic trading partners in the
realm of B2B
electronic commerce. Vendors have developed PKI management
services and
products that are designed to eliminate this problem (Millan et
al., 2010).
However, vendors' ultimate goal of having a system to handle
the entire end-to-end authentication and payment process is still to be
achieved (Millan et
al., 2010).
(c) Intrusion Detection: Examination of a number of high profile
security
breaches such as those at Microsoft, TJ Max, and Bank of
America has
revealed that most successful intruders escape casual
surveillance. This has
made intrusion detection technology one of the most used
security
technologies. Intrusion-detection systems monitor an
organization's network
and hosts (Xenakis, Panos & Stavrakakis, 2011). They detect
intrusions by
watching for certain actions that resemble characteristics of
known attacks. A
downside of this technology is that it cannot detect attacks
which are not
resident in its knowledge base.
(d) Security in Web Applications: Progress has been made in
preventing attacks
that exploit security weaknesses in Web applications. Perfecto
Technologies'
AppShield, for example, sits between the network firewall and
web server,
allowing Web surfers to access the Web site only from
authorized entry points
and verifying that all incoming client requests are legitimate. If
a request
violates the defined security policy, browsers are denied access
to the
application (Caceres & Teshigawara, 2010).
(e) Personal Firewall: The explosion of broadband networking options has made
option has made
desktops vulnerable. Hackers can gain access to these desktops
with assigned
IP addresses and launch attacks on other systems. Personal
firewalls can mask
these desktops from casual probing. Well-known anti-virus
players such as
Symantec and McAfee along with specialty vendors such as
Network ICE and
Syborgen are providing personal firewall solutions (Schultz,
2005).
(f) Disposable IDs: Complex encryption algorithms used by web
browsers have
made the theft of credit card numbers in transit almost
impossible (Buccafurri
& Lax, 2011). However, vendor databases containing these
numbers remain
vulnerable. The disposable ID mechanism makes it possible to issue
one-use
credit card numbers to render stealing of credit card numbers
from vendor
databases useless (Experiencefreak, 2010).
(g) Biometric Security: Biometric security technologies have
become easier to
implement. These technologies make use of an individual's unique
fingerprints,
face, and voice to ensure authorized entry (Uzoka & Ndzinge,
2009).
(h) Single Sign-On Technologies: Many security systems in the past
have required
multiple sign-ons from users to ensure security. Single sign-on
technology
allows users to browse through network resources without
entering several
passwords (Orr, 2005). When combined with biometrics, it can
be a powerful
security tool. Novell's NDS directory device uses this
technology.
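Item (c) above says an intrusion-detection system flags actions that resemble known attacks and cannot detect what is not in its knowledge base. The following added example (not code from the paper) runs a small signature set over a constructed log to show both halves of that statement; the log format, the two signatures and the denial-count threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed knowledge base: each signature is a pattern that resembles a
# known attack, which is how item (c) describes detection. (Assumed values.)
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "windows-shell-probe": re.compile(r"cmd\.exe", re.IGNORECASE),
}

# Constructed web-server log: timestamp, source, method, path, status.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2011-03-01T10:00:01Z 192.0.2.10 GET /index.html 200
2011-03-01T10:00:05Z 192.0.2.44 GET /docs/../../etc/passwd 403
2011-03-01T10:00:09Z 192.0.2.44 GET /scripts/cmd.exe 404
2011-03-01T10:01:00Z 198.51.100.7 POST /login 401
2011-03-01T10:01:02Z 198.51.100.7 POST /login 401
2011-03-01T10:01:04Z 198.51.100.7 POST /login 401
2011-03-01T10:01:06Z 198.51.100.7 POST /login 401
2011-03-01T10:01:08Z 198.51.100.7 POST /login 401
2011-03-01T10:01:10Z 198.51.100.7 POST /login 401
2011-03-01T10:02:00Z 192.0.2.10 POST /login 200
"""


def parse_line(line):
    """Split one log line into its five whitespace-separated fields."""
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method,
            "path": path, "status": int(status)}


def events(log_text):
    """Parse every non-empty line of the log."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def matching_signatures(event):
    """Names of all knowledge-base signatures the request path matches."""
    return [name for name, pattern in SIGNATURES.items()
            if pattern.search(event["path"])]


def signature_alerts(log_text):
    """Alerts the signature engine raises: (source, signature name)."""
    alerts = []
    for ev in events(log_text):
        for name in matching_signatures(ev):
            alerts.append((ev["src"], name))
    return alerts


def unsignatured_denials(log_text, threshold=5):
    """Sources with many denied requests (401/403) that matched no signature.

    This is the blind spot the paper describes: the activity is visible in
    the log but absent from the knowledge base, so the signature engine is
    silent. Counting denials per source is an added complement, not part of
    the paper.
    """
    denied = Counter(
        ev["src"] for ev in events(log_text)
        if ev["status"] in (401, 403) and not matching_signatures(ev)
    )
    return {src: n for src, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_LOG))
    print("missed by signatures:", unsignatured_denials(SAMPLE_LOG))
```

The repeated failed logins never raise a signature alert, so a team relying on the knowledge base alone would need a second control such as the per-source count to see them.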
SECURITY FRAMEWORK FOR ENHANCING SYSTEMS
SECURITY
In the previous two sections we have discussed the common
security issues that are
being faced by the IT departments in companies engaged in
e-commerce and the
technologies that are currently available for securing mission
critical applications. A
closer examination of the issues and the available technologies
reveals that, while
technical solutions exist to provide adequate security,
organizations still experience
considerable difficulty in securing their applications from
intruders. Most of the
security measures implemented by organizations rely heavily on
technology alone
without considering other factors that have a greater impact on
the overall security of
their systems. According to PwC (2011), companies have been
increasing their
security spending since 2007. But despite the multibillion-dollar
spending, they fall
short of achieving business-process security (Nosworthy, 2000;
PwC, 2011). To
address these shortcomings many researchers have provided
various frameworks. A
brief review of these frameworks is given below.
Chang et al. (2011) provide a technology driven framework that
uses (external)
environment information to enhance computer security. The
advantage of this
framework is that the environment information is collected by
sensors that are outside
the control of a host and communicate to an external monitor via
an out-of-band
channel (with respect to the host), thus it cannot be
compromised by malware on a
host system. The information gathered still remains intact even
if malware uses rootkit
techniques to hide its activities. This framework is applicable to
a number of security
applications: (1) intrusion detection, (2) rate monitoring/control
of external resources,
and (3) access control. Chang et al. (2011) show that this
framework is useful even
with coarse-grained and simple information. They present some
experimental
prototypes that employ the framework to detect/control email
spam, detect/control
DDoS zombie attacks and detect misuse of compute resources.
Experimental
evaluation shows that the framework is effective in detecting or
limiting the activities
of such malware. The shortcoming of this framework is that it
does not address
process and people aspects of security that may have a greater
impact on overall
security.
Abbas et al. (2011) propose a framework based on options theory
borrowed from
corporate finance and adapt it to evaluation of security
architecture and decision
making for handling issues at organizational level. This
framework addresses three
main problems resulting from uncertainty in information
security management:
dynamically changing security requirements of an organization,
externalities caused
by non-secure system, and obsolete evaluation of security
concerns. The framework is
relevant to information security management in organizations,
particularly issues on
changing requirements and evaluation in uncertain
circumstances created by progress
in technology. This is a process driven framework and does not
address technology
and people aspects of security.
Tsohou et al. (2010) provide a classification framework for
categorizing available
information security standards. Recent information security
surveys indicate that both
the acceptance of international standards and the relative
certifications increase
continuously. However, the majority of organizations still does
not know the
dominant security standards or fully implement them. The aim
of this framework is to
facilitate the awareness of information security practitioners
regarding globally known
and accepted security standards. Clearly the focus of this
framework is on a narrow
aspect of technology, that is, technology standards. This does
not address broader
technological issues, process issues and people issues.
There is a need to provide secure and safe information security
systems through the
use of firewalls, intrusion detection and prevention systems,
encryption,
authentication, and other hardware and software solutions.
Patel, Qi, and Wills (2010)
propose a framework which includes safe, secure, trusted, and
auditable services, as
well as forensic mechanisms to provide audit trails for digital
evidence of transactions
and protection against malicious and illegal activities. This
framework focuses on
technology and process aspects of security.
Gurung, Luo, and Liao (2009) develop a research framework
and empirically analyze
the factors that motivate the consumers to adopt and use
anti-spyware tools when they
are faced with security threats. The research model was tested
with data obtained
through online survey questionnaires. The results do not find
statistically significant
relationships for hypotheses related to perceived vulnerability
and response cost with
the dependent variable. Perceived severity, self-efficacy, and
response efficacy were
found to be significantly related to use of anti-spyware tools.
This framework focuses
on the people aspect of security.
Using a two-stage framework, Mouratidis, Jahankhani, and
Nkhoma (2008) empirically
found that personnel from general management have different
perspectives towards
network security than personnel from the network security
management. In particular,
the study indicates that such differences are demonstrated on a
number of areas such
as the effectiveness and the efficiency of the networked system,
control of network
security, security-related decision-making processes, and users
of the network. The
latter being the most controversial issue with one side
indicating that users should be
allowed to use the network in an efficient manner, and the other
side emphasizing that
users pose one of the greatest security risks to the system. This
framework also
focuses on the people aspect.
Hong, et al. (2003) propose a framework to integrate security
policy theory, risk
management theory, control and auditing theory, management
system theory and
contingency theory in order to build a comprehensive theory of
information security
management (ISM). This framework suggests that an integrated
system theory is
useful for understanding information security management,
explaining information
security management strategies, and predicting management
outcomes. This
framework is focused on the process aspect.
Siponen (2002) provides a framework synthesized from the
information systems (IS)
and software engineering literatures for articulating security
maturity criteria and
examining existing information security maturity criteria. This
framework is focused
on the process aspect.
Debar and Viinikka (2006) provide an architecture for the
outsourcing of security
information management (SIM). They posit that the day-to-day
operation of a SIM is
beyond the financial capabilities of all but the largest
organizations, as the SIM must
be monitored constantly to ensure timely reaction to alerts.
Many managed security
services providers (MSSP), therefore, have merged for
outsourcing the alert
management activities. Sensors are deployed within the
customer's infrastructure, and
the alerts are sent to the outsourced SIM along with additional
log information. This
framework focuses on process and technology aspects.
Eloff and von Solms (Eloff, 2000) provide a hierarchical
framework for information
systems management from the security standpoint. Their
multilevel model includes
two major aspects of security management, namely, technology
and process. Despite
the fact that considerable emphasis has traditionally been placed
on the technical
aspect, they have introduced the process aspect of security and
discuss the importance
of developing guidelines, code of practice, standards,
legislation, and benchmarking.
While these processes are essential, equally important is the
consideration of the
changing nature of the overall business processes and their
security requirements. For
example, in the dynamic B2B environment, partnerships
between participating entities
are forged and terminated frequently. These partners collaborate
and cooperate on
certain projects, while maintaining individual trade secrets and
competitive edge. In
such a scenario, the security requirements for the systems and
interfaces are driven by
the specific business processes and the data that are exchanged
between them. Thus,
we argue that identifying and articulating the security
requirements for important
business processes is critical in coming up with a
comprehensive security solution.
Most of the security frameworks reviewed above focus on
technical and/or process
aspects of security. However, an important piece of the security
puzzle is the human
aspect. Recent literature indicates that maximum threat of
security breach comes from
within the organization (Panko, 2010; Richardson, 2010). A
joint study by the
Computer Security Institute (CSI) and the FBI indicates that the
most serious losses in
companies are caused by unauthorized insider access (Richardson,
2010). As aptly
pointed out by Dhillon and Backhouse (2000), information
system security is a social
and organizational problem because information systems are used by people.
Thus, it is the human
beings that interact with, and are responsible for systems that
have the biggest impact
on security of individual systems and the organization as a
whole (Andress, 2000). In
this context, personal traits such as responsibility, integrity,
trust, and ethicality are
deemed critical in securing information assets (Dhillon &
Backhouse, 2000).
In light of the above discussion, we contend that for any
systems security solution to
be effective, it should take into account the following three
dimensions, as depicted in
Figure 1: a) technology, b) process, and c) people. In fact, these
three equally
important dimensions are tightly coupled, and should serve as
the cornerstone of
every systems security solution architecture. A weakness in one
dimension not only
affects the system security but also has a severe detrimental
impact on the other
dimensions and thus has a compounding effect. Hence we argue
that a balance and
congruence between these three dimensions is critical for
providing a secure systems
environment. We identify important factors within each of these
dimensions in Table
1 below. These factors are derived from the frameworks
reviewed above.
Table 1: Important Technical, Process, and People Factors for Enhancing Systems Security

| Technical | Process | People |
| --- | --- | --- |
| Standards | Guidelines | Responsibility |
| Security models | Code of practice | Integrity |
| Specific security technologies | Controls | Trust |
| Privacy | Certification | Ethicality |
| Physical access restrictions | Accreditation | |
| Application availability | Benchmarking | |
| Network confidentiality | Self-assessment | |
| Content integrity | Legislation | |
| | Evaluation | |
Another drawback discussed in the literature regarding current
security solutions is
that most of the security measures are "after thoughts" (Panko,
2010). In other words,
the security layer is just an add-on to systems without taking
into consideration the
assets to be secured and the business processes that they
support. During the
development life cycle of the system, security requirements and
the design of
appropriate solutions are not an integral part of the development
process.
Figure 1. Framework for Enhancing Systems Security (diagram labels: Technology, Process, People, Secure Environment)
For the most part, system security is limited to user
authentication and limiting access
to certain resources through rudimentary techniques. We
contend that a thorough
analysis of the security requirements based on the assets and the
business processes to
be secured, ensuring that there is a good fit between the chosen
security mechanisms
and the processes, is crucial for the effectiveness of system
security. In order to
achieve a high level of success, we advocate that security
related issues be considered
at every phase of the system development life cycle and not just
at the post-implementation phase. In other words, organizations have to
develop and commit to a
systems development life cycle view of security. Furthermore,
during each phase of
the systems development, the issues related to the three
dimensions of security have to
be delineated and addressed. Table 2 presents some of the
security related activities
that have to be carried out during each phase of the systems life
cycle. Without
claiming comprehensiveness, we suggest that these activities
provide a systematic
way to incorporate security aspects into the overall systems
development process.
Table 2. Security Related Activities in Systems Development Life Cycle Phases

| SDLC Phase | Technology | Process | People |
| --- | --- | --- | --- |
| Planning | Survey existing security technologies (internal and external), standards, and models. | Study codes of practice. Review existing security policy. Identify assets to secure. Identify their high level security needs. | Identify security champion. Seek participation of high level managers. Identify manager(s) for security operations. |
| Analysis | Identify technologies and their requirements to secure business processes. | Perform SWOT analysis for security. Determine process level security requirements and controls. | Involve security analysts, and process users (end users). |
| Design | Design security architecture including privacy and physical access restrictions. | Design organizational security policies. Ensure that policies are consistent with legislation. Establish security interfaces between sub-systems. | Identify and involve technical people who will design security solutions. |
| Implementation and Testing | Procure security technologies (hardware and software to meet security requirements identified in analysis phase). Ensure application availability, network confidentiality, and content integrity. | Identify domain specific test scenarios. Perform unit testing, system testing. | Involve technology vendors, consultants, designers, and system integrators. |
| Post Implementation | Fix bugs. Enhance security features. | Train end users. Promote security. Actively monitor security breaches. Identify new security risks. Evaluate, perform self-assessment and benchmark. Get accreditation and certification. | Get end users' trust. Inculcate end user responsibility. Security personnel integrity and ethicality. |
DISCUSSION
In this section, we provide detailed actions that organizations
can take in order to
mitigate the woes of "security blues" based on our framework
and systems
development life cycle view of security. The actions presented
below are grouped
based on the SDLC phases related to technology, process and
people dimensions of
systems security.
Planning
Sound planning paves the way for effectiveness and efficiency
for security and compliance. In the planning phase of the SDLC,
a company needs to survey existing security policies, codes of
practice, standards, procedures, technologies, and models which
are available both internally and externally. Information
security policies are high-level statements about securing
systems. A standard is a detailed rule or statement to enforce
the given policy. As an example, "a company will use passwords
to secure its systems" might be a policy statement, while
"passwords must be eight characters in length, should include
both capital and small letters and a number" might be a
standard. A procedure can describe a step-by-step method for
implementing various standards. As an example, "the company
will enable password length controls on all production
systems". The company also needs to review external security
standards such as ISO/IEC 27002, which is an information
security standard published by the International Organization
for Standardization (ISO) and by the International
Electrotechnical Commission (IEC), to find out codes of practice
for information security management. If necessary, it needs to
make changes to its existing policy.
Effective security begins with a solid understanding of the
protected asset and its value. The company needs to identify
assets to secure. Since it will be prohibitive to secure all the
assets a company possesses, it should prioritize assets based on
the existing security guidelines, codes of practice, and risk
analysis. As an example, risk analysis will allow the company to
weigh the cost of securing the asset versus the loss if the
asset's security is breached. If the cost of securing the asset
is more than the value of the compromised asset, it may not be
beneficial to secure the asset. As an example, assume that the
value of an asset is $10,000, and the probability of the
security breach for this asset is 10%. The loss associated with
this security breach will be $10,000 × 10% = $1000.00. If
securing this asset costs more than $1000.00, then it should not
be secured. High level security needs of the identified assets
also need to be identified in this stage. Such needs could be
categorized as access control, physical security, endpoint
security, infrastructure security, application security, and
data security.
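The risk-analysis rule in the paragraph above, applied to a whole asset register, as an added example (not code from the paper). It goes beyond the single-asset case in the text by ranking the assets that pass the rule and funding them under a fixed budget; the register entries, the budget, the ranking by benefit per dollar and all function names are assumptions made for illustration, and like the paper it treats the control as removing the expected loss entirely.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float               # value of the asset, in dollars
    breach_probability: float  # probability of a breach in the planning period
    cost_to_secure: float      # cost of the control over the same period

    def __post_init__(self):
        if self.value < 0 or self.cost_to_secure < 0:
            raise ValueError("value and cost must be non-negative")
        if not 0.0 <= self.breach_probability <= 1.0:
            raise ValueError("breach probability must be between 0 and 1")

    @property
    def expected_loss(self):
        # The paper's calculation: asset value x breach probability.
        return self.value * self.breach_probability

    @property
    def net_benefit(self):
        return self.expected_loss - self.cost_to_secure


def worth_securing(asset):
    """The paper's rule: do not secure if the control costs more than the loss."""
    return asset.cost_to_secure <= asset.expected_loss


def benefit_per_dollar(asset):
    """Ranking key (an assumption): net benefit per dollar of control cost."""
    if asset.cost_to_secure == 0:
        return float("inf")
    return asset.net_benefit / asset.cost_to_secure


def plan(assets, budget):
    """Split the register into funded, deferred and rejected assets."""
    rejected = [a.name for a in assets if not worth_securing(a)]
    candidates = sorted((a for a in assets if worth_securing(a)),
                        key=benefit_per_dollar, reverse=True)
    funded, deferred, remaining = [], [], budget
    for asset in candidates:
        if asset.cost_to_secure <= remaining:
            funded.append(asset.name)
            remaining -= asset.cost_to_secure
        else:
            deferred.append(asset.name)  # passes the rule, but no budget left
    return {"funded": funded, "deferred": deferred,
            "rejected": rejected, "unspent": remaining}


# Constructed register. "file server" uses the paper's figures ($10,000 at
# 10%) with an assumed control cost above the $1,000 expected loss.
REGISTER = [
    Asset("file server", 10_000, 0.10, 1_200),
    Asset("customer database", 250_000, 0.05, 4_000),
    Asset("payment gateway", 500_000, 0.02, 6_000),
    Asset("intranet wiki", 5_000, 0.20, 300),
    Asset("marketing site", 20_000, 0.15, 2_500),
]

if __name__ == "__main__":
    for key, value in plan(REGISTER, budget=11_000).items():
        print(f"{key}: {value}")
```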
Security needs to be recognized by IT managers as an important
issue. The best
technologies and wisest policies will take security only so far
without extensive
management buy-in (Tipton & Krause, 2004). It is heartening to
know that in the CSI
survey, a majority of managers regard security as a top priority
(Richardson, 2010).
The remaining IT managers must also recognize security as a
top priority, if they want
to see their web-systems secure (Tipton & Krause, 2004). In the
planning phase, the
company also needs to identify a security champion who will
provide resources and support the security effort even in case
of resistance from other stakeholders. Participation of the high
level managers within whose purview the security function falls
should be sought in the planning phase. Lower level managers who
will oversee the operations of the security should also be
identified.
Analysis
The company needs to perform a
strength-weakness-opportunity-threat (SWOT)
analysis for security. Such a SWOT analysis should identify the
strengths of the
existing security mechanisms (technologies, processes, and
personnel) and their
weaknesses. It should also identify any opportunities that may
exist to strengthen
the existing security and institute new security. It should also
identify any current and
possible new threats, such as the company allowing its employees to
use wirelessly
connected hand-held devices for enterprise communication.
Other possible threats can
come from policy breach, data theft, equipment theft/damage,
social engineering,
DoS, unauthorized access, etc.
In the analysis phase, the company would identify appropriate
technology
requirements (such as hardware and software) to secure assets
and business processes
that need securing. Use of such technologies should be based on
the high level
security requirements identified in the planning phase. An
outcome of the analysis
phase could be the decision to outsource security because of the
lack of skilled
security personnel (Richardson, 2010). Of course, personnel
could be acquired and
trained in-house, but it may be cost prohibitive. Any security
outsourcing decision
should be made with utmost caution, as companies must entrust
the handling of their most
critical data to an outsider, namely, a Managed Security
Provider (MSP). Before
choosing an MSP, a company must thoroughly analyze its
security needs and
determine if the MSP meets those needs. The company should
also be mindful of the
adverse reactions of their customers (Messmer, 2008).
To secure business processes, the company would need to
identify process level
security requirements. The company would also need to
identify relevant security
standards such as ISO 27002 (previously known as ISO 17799)
or COBIT and
benchmarks for business processes. Such standards and
benchmarks could be obtained
from standards certifying bodies such as the International
Organization for
Standardization (ISO) and the International Electrotechnical
Commission (IEC), and
industry best practices from sources such as the Information
Systems Audit and Control
Association (ISACA), the SANS Institute, the CSI survey, etc. As
an example, in B2B
environments, where business partners may collaborate on
different business
processes, there is a need for very detailed access and content
control. A new security
challenge is the complexity and granularity of protection needed
for business
processes in these environments. The process level requirements
will necessitate
confidentiality, integrity, and authenticity in data flows.
Different business processes
or transactions may require different data. These data may
require different levels of
security for different business processes. While SSL may be
sufficient for some data,
digital certificates must be used for others. When these
data flow across
different systems, though, they are in the same bit and byte format.
Thus, the same security
technologies potentially could be applied to the same stream of
data; however,
different security technologies would be required for different
streams of data. A joint
collaboration between RSA and Netegrity is aimed at providing
multilevel access-control
expertise to produce a security system that can
accommodate many types of
users and scopes of access rights (Parris, 2009).
The company must involve security analysts and process users
(end users) early on in
this phase. Early involvement of these stakeholders leads them
to take ownership of
the security requirements of the business processes they are
involved with.
Design
In the design phase the company needs to design its security
architecture. Security
Architecture can be defined as the design artifacts that describe
how the security
controls (security countermeasures) are positioned, and how
they relate to the overall
information technology architecture
(OpenSecurityArchitecture.org, 2006). These
controls serve to maintain the system's quality
attributes, among them
confidentiality, integrity, availability, accountability, and
assurance. The security
architecture should be holistic and encompassing, make
suggestions on how different
controls can be synchronized and integrated to achieve
maximum effect, include a
comprehensive approach to security risk management, and be
measurable to
demonstrate adherence to the requirements (Eloff & Eloff,
2005) and federal and state
laws, such as the Federal Information Security Act of 2002
(P.L. 107-347, Title III),
National Security Directive 42 (NSD-42), etc.
The company also needs to design its security policies,
particularly the Incident Response
Plan. An information security policy statement expresses
management's commitment
to the implementation, maintenance, and improvement of its
information security
management system (ISO 27000). Though there is a need for
reviewing security
policy in the planning phase as discussed above, the approach
needs to be repetitive
given that any security program will never be 100% complete.
The rapidly changing
technologies require continuous adaptation. If the organization
has a security policy, it
should be evaluated to determine whether it is valid and
appropriate. This phase
should include all updates and changes to the policy as well as
identification of all
controls and procedures that are needed to implement the
policy.
In this phase the company also needs to identify technical
people who will design
security solutions. Such people should be carefully chosen to
ensure that they bring a
holistic perspective and are not wedded to some particular
security policy approach.
They should also exhibit integrity and ethicality.
Implementation and Testing
The company would need to procure security technologies
(hardware and software to
meet the security requirements identified in the analysis phase) if it
does not have the
technologies already. Appropriate security technologies could
be obtained by
contacting technology vendors and consultants. If in-house
security systems are to be
deployed, appropriate systems security designers and systems
integrators should be
identified and assigned. Special care should be taken to ensure
security of interfaces
between systems. The individual systems may themselves be
secure; however, security could be breached when they
interact with other systems.
To ensure security of individual systems, the company would
need to identify domain-specific
test scenarios, and then test their security. Unit testing
will be appropriate for
such scenarios. However, system testing should be performed to
ensure the security of
interfaces between subsystems.
After testing, the security architecture needs to be implemented.
Implementation could
be carried out following any of the direct cut-off, parallel, or pilot
approaches. An
analysis should be done to determine the suitability of these
approaches before following
them, as each of them has unique strengths and weaknesses.
As an example,
the direct cut-off approach allows one to move the entire system to
the new architecture.
However, if there are security glitches, then the entire system is
affected. In contrast,
the parallel approach allows both the old and new architectures to be in
place for some period
of time, but creates confusion among users. The pilot approach
allows implementation in
only a small segment. This approach helps in ironing out any
kinks the security
architecture may have before going for full-fledged
implementation.
Post-Implementation
It is inevitable that there would be some security bugs in the
implemented system. In
this phase, such bugs need to be identified and fixed. It is also
inevitable that security
will be breached at some point in time. If a security breach
takes place, the company
should follow its Incident Response Plan developed as a part of
overall security policy
in prior phases.
All end users of all the systems need to be educated and trained
about using proper
security protocols to promote security. Complexity and variety
of security attacks
have made the management of employee attitudes toward
security a paramount
concern. While some employees may be acutely aware of
security dangers, others
may need constant reminders. Building a security-conscious
culture may be a
daunting task, but companies need to instill it to minimize
security breaches. As a part
of security culture, users have to see the benefits to themselves
if they are to buy into
these security technologies and policies (Tipton & Krause,
2004). Therefore, it is
important to make user education a top priority. Getting end-
users to understand the
importance of security and making them conscious of areas in
which they can help
increases the security of the company as a whole. Employee
education buttresses
security solutions installed to protect a company from attack.
Unfortunately, people
working inside the company are considered higher security risks
than those outside
the company (Panko, 2010). The need to address employee
breaches is often obscured
by all the solutions for physical and network security. While
web-browsers and
servers do a good job of encrypting data they exchange, traffic
on intranet and LAN is
often unencrypted. Managers need to pay special attention to
insider security
breaches. Employees need to be educated to understand the need
for information
security and what it means to the organization (Richardson,
2010). They have to be
encouraged and motivated to follow standard security
procedures (Myers, 2011).
Employees must also be assigned responsibility and ownership
of the information they
manage (Panko, 2010). Early involvement of employees in the
process is necessary
for their taking ownership of the process. Future security risks
should also be
identified.
In this stage, companies will do well by self-assessing their
overall security. They
should also benchmark themselves against ISO 27000 or a similar
standard. If their security is found
wanting, they should take action to rectify it. A good way to
meet common
benchmarking standards is to get certified and accredited by
certifying and
accreditation agencies such as Verisign.
CONCLUSIONS
Though organizations are spending vast sums of money towards
securing their
mission critical applications, they are unable to completely
protect their applications
and systems from malicious attacks and intrusions. More
importantly, they are not
able to improve the perception of lack of privacy and security in
their applications
from the consumers' point of view. This has resulted in very
high opportunity cost,
estimated to be in billions of dollars. To a large extent, the
lackluster performance of
security mechanisms is attributed to heavy reliance on
technology while ignoring
other factors. Consequently, there is a big push towards taking a
holistic approach to
designing security solutions.
This study contributes to the theory by providing a holistic
security framework which
addresses the shortcomings of the existing frameworks. In
particular, existing
frameworks address only one or two of the three dimensions of
people, process, and
technology, while this framework incorporates all three
dimensions for analyzing and
subsequently implementing systems security. Existing
frameworks also do not provide
a holistic way of incorporating security in business processes.
This paper advocates a
systems development life cycle view of security and provides
some of the key
activities that have to be carried out throughout the
development life cycle in order to
improve overall security of business processes and
corresponding applications and
systems. A systematic approach to system security will greatly
enhance customer
confidence and thus provide competitive advantage. The paper
also contributes to
practice by providing a detailed discussion of how this
framework could be
implemented in a given company. Future research could
investigate whether and how
organizations are using the systems development life cycle
approach to secure their
business processes. It could also examine whether all three
dimensions are equally
involved in such an endeavor, or whether companies give priority to
one dimension over
others.
ACKNOWLEDGEMENT
The work of the second author has been partly supported by
Sogang Business
School's World Class University Program (R31-20002) funded
by Korea Research
Foundation and the Sogang University Research Grant of 2011.
REFERENCES
Aberdeen Group. (2008) Aberdeen Group Research Benchmark
Report. Passwords,
Privileged Passwords and Password Lifecycle Management.
Andress, M. and Fonseca, B. (2000) Manage people to protect
data. InfoWorld, Nov.
10.
Bennett, M. (2006) Community poll forum: Biggest concern
about switching to online
applications. CNet Forums, May 2.
Buccafurri, F. and Lax, G. (2011). Implementing disposable
credit card numbers by
mobile phones. Electronic Commerce Research, 11(3), 271-296.
Caceres, G.H.R. & Teshigawara, Y. (2010). Security guideline
tool for home users
based on international standards. Information Management &
Computer Security,
18(2), 101-123.
Chang, E.-C., Lu, L., Wu, Y., Yap, R.H.C., and Yu, J.
(2011). Enhancing host
security using external environment sensors. International
Journal of Information
Security, 10(5), 285-299.
Connolly, P.J. (2001) Security steps into the spotlight.
InfoWorld.com, Jan. 21.
CyberSource. (2009) 10th Annual, 2009 Edition, "Online Fraud
Report."
http://forms.cybersource.com/forms/FraudReport2009NACYBSwww020309
Debar, H. and Viinikka, J. (2006). Security information
management as an
outsourced service. Information Management & Computer
Security, 14(5), 416.
Dhillon, G., Backhouse, J. (2000) Information System Security
Management in the
New Millennium, Communications of the ACM, Vol. 43, No. 7,
July, pp. 125-128.
Eloff, J.H.P. and Eloff, M.M. Information Security
Architecture. Computer Fraud &
Security, November 2005, pp. 10-16.
Eloff, M. M., and von Solms, S. H. (2000) Information Security
Management: A
Hierarchical Framework for Various Approaches, Computers
and Security, Vol. 19,
No. 3, pp. 243-256.
eMarketer. (2011) US Retail Ecommerce Forecast: Growth
Opportunities in a
Maturing Channel. March.
Experiencefreak. (2010) Disposable Identity?
http://experiencefreak.posterous.com/disposable-identity. April
23.
Gerdes Jr., J.H., Kalvenes, J., Huang, C.-T. (2009) Multi-
dimensional credentialing
using veiled certificates: Protecting privacy in the face of
regulatory reporting
requirements. Computers & Security, July, Vol. 28, Iss. 5; pp.
248-259.
Grimes, R. (2009) How to manage IT security - without a tech
background.
InfoWorld, Sept. 25.
Gross, G. (2011) U.S. needs cyber-emergency response,
lawmaker says.
Computerworld, April 11.
Gurung, A., Luo, X., and Liao, Q. (2009). Consumer
motivations in taking action
against spyware: an empirical investigation. Information
Management & Computer
Security, 17(3), 276-289.
Haider, A., Magnusson, C., Yngstrom, L., and Hemani, A.
(2011) Addressing
dynamic issues in information security management.
Information Management &
Computer Security, 19(1), 5-24.
Hines, M. (2007) Security outsourcing on the rise. InfoWorld,
Sept. 20.
Hong, K.-S., Yen-Ping, C., Chao, L.R., and Tang, J.-H. (2003).
An integrated system
theory of information security management. Information
Management & Computer
Security, 11(5), 243-248.
Internet Society, RFC 2828. (2000) Internet Security Glossary,
2000.
http://www.ietf.org/rfc/rfc2828.txt.
Kirk, J. (2005) Oracle password protection is weak, experts
say. InfoWorld, October.
Krebs, B. (2009) Payment Processor Breach May Be Largest
Ever. Washington Post.
Retrieved Jan. 20, 2009, from
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews.
May, T.A. (2011) IT needs to plan for what comes between now
and later.
Computerworld, March 31.
Messmer, E. (2008) Outsourcing security tasks brings
controversy. NetworkWorld,
March 20.
Millán, G., Pérez, M., Pérez, G., and Skarmeta, A. (2010).
PKI-based trust
management in inter-domain scenarios. Computers & Security,
29(2), pp. 278-290.
Mouratidis, H., Jahankhani, H., and Nkhoma, M.Z. (2008).
Management versus
security specialists: an empirical study on security related
perceptions. Information
Management & Computer Security, 16(2), 187-205.
Myers, L. (2011) Security Education: We are doing it Wrong.
SC Magazine, April 11.
Nosworthy, J. (2000) Implementing Information Security in the
21st Century - Do you
have the Balancing Factors? Computers and Security, Vol. 19,
No. 4, pp. 337-347.
Olson, J.S. and Olson, G.M. (2000) I2i trust in e-commerce.
Communications of the
ACM, Vol. 32, No. 12, Dec. p. 41.
Orr, B. (2005). A single sign-on for all supply chain members?
American Bankers
Association. ABA Banking Journal, 97(9), p. 82.
Panko, R. (2010) Corporate Computer and Network Security,
2/e. Prentice Hall.
Parris, K. (2009) 3 Tips for Brushing Up B2B Security.
TechNewsWorld, 7/2/09.
Patel, A., Qi, W., and Wills, C. (2010). Information
Management & Computer
Security, 18(3), 144-161.
PwC. Global state of information security survey. (2011) A
worldwide survey by CIO
magazine, CSO magazine, and PwC.
Richardson, R. (2010) CSI Computer Crime and Security
Survey.
Schultz, E. (2005). Study shows home computer users are
ignorant about security.
Computers & Security, 24(1), 5-6.
Schwartz, M.J. (2011) Secure coding or bust. InformationWeek,
April 7.
SecurityArchitecture.org. Definitions: IT Security
Architecture. Jan. 2006.
http://www.opensecurityarchitecture.org/cms/index.php.
Siponen, M. (2002). Towards maturity of information security
maturity criteria: Six
lessons learned from software maturity criteria. Information
Management &
Computer Security, 10(5), 210-224.
Tipton, H.F. and Krause, M. (2004) Information security
management handbook.
Fifth Edition, CRC Press.
Tsohou, A., Kokolakis, S., Lambrinoudakis, C., and Gritzalis, S.
(2010). A security
standards' framework to facilitate best practices' awareness and
conformity.
Information Management & Computer Security, 18(5), 350-365.
US Department of Commerce. (2011) US Census Bureau News.
Feb. 17.
http://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf
Uzoka, F., & Ndzinge, T. (2009). Empirical analysis of
biometric technology
adoption and acceptance in Botswana. The Journal of Systems
and Software, 82(9),
1550-1564.
Xenakis, C., Panos, C., & Stavrakakis, I. (2011). A
comparative evaluation of
intrusion detection architectures for mobile ad hoc networks.
Computers & Security,
30(1), 63-80.
AUTHOR BIOGRAPHY
Dr. Srinarayan Sharma is a Professor of Information Systems in
the Indian
Institute of Management, Ranchi, India. His past work has
involved studies of
various IT innovations such as open source software, computer-
aided software
engineering, data warehousing, mobile commerce, etc. His
current interest lies in
the application of IT to solve contemporary problems such as
global warming,
water scarcity, and world poverty. His past work has been
published in various IT
journals and conferences such as Communications of the ACM,
Information Systems
Journal, Information & Management, Annual Conferences of
the Association of
Information Systems, Annual Conferences of the Decision
Sciences Institutes,
etc.
Dr. Vijayan Sugumaran (Corresponding Author) is a Professor
of Management
Information Systems in the Department of Decision and
Information Sciences at
Oakland University, Rochester, Michigan, USA. He is also
WCU Professor in the
Department of Service Systems Management and Engineering at
Sogang
University, Seoul, South Korea. His research interests are in the
areas of Service
Systems, Ontologies and Semantic Web, Intelligent Agent and
Multi-Agent
Systems, and Component Based Software Development. He has
published over
150 peer-reviewed articles in Journals, Conferences, and Books.
He has edited ten
books and serves on the Editorial Boards of eight journals. His
recent
publications have appeared in Information Systems Research,
ACM Transactions on
Database Systems, IEEE Transactions on Education, IEEE
Transactions on Engineering
Management, Communications of the ACM, and Healthcare
Management Science. D r .
Sugumaran is the E d i t o r - i n - C h i e f of the International
Journal of Intelligent Information
Technologies. He is the Chair of the Intelligent Agent and
Multi-Agent Systems
mini-track for Americas Conference on Information Systems
(AMCIS 1999 -
2012). He served as the Program Co-Chair for the 13th
International Conference
on Applications of Natural Language to Information Systems
(NLDB 2008). He
also regularly serves as a program committee member for
numerous national and
international conferences.
Copyright of Journal of Information Privacy & Security is the
property of Ivy League Publishing and its content
may not be copied or emailed to multiple sites or posted to a
listserv without the copyright holder's express
written permission. However, users may print, download, or
email articles for individual use.
Reproduced with permission of the copyright owner. Further
reproduction prohibited without permission.
Perceptions and attitudes about eCommerce development in
China: An exploratory study
Stylianou, Antonis C;Robbins, Stephanie S;Jackson, Pamela
Journal of Global Information Management; Apr-Jun 2003; 11,
2; ProQuest Central
pg. 31
Managing the dynamics of e/mCommerce
with a hierarchical overlapping
Business-Value-Framework
Andreas Rusnjak
Business Information Technology
Christian-Albrechts-Universität zu Kiel
Kiel, Germany
Hristomir Hristov
Business Economics
Christian-Albrechts-Universität zu Kiel
Kiel, Germany
Marwane El Kharbili
Model Driven Engineering
Université du Luxembourg
Luxembourg, Luxemburg
Andreas Speck
Business Information Technology
Christian-Albrechts-Universität zu Kiel
Kiel, Germany
Abstract: Many e/mCommerce-Projects fail because of
insufficient planning, poor management, and conflicting ideals
and objectives among the involved stakeholders. In order to deal
with these conflicts, we need to manage these projects using
easily understandable business values over all hierarchical
levels of enterprises, in an agile fashion. In our framework,
business values provide support for goal- and value-based
eCommerce software development. Because there is little to no
empirical research on eCommerce Business Value, this work
presents an approach to a Business Value Framework which enables
better prioritization over multiple business domains, an
enhanced focus on strategic goals and a better understanding of
market needs.
Keywords: Business Value, Project Management, eCommerce,
Website-Engineering
I. INTRODUCTION
A majority of innovative business models are technology-driven.
Customers in digital markets predominantly access companies
via software interfaces, e.g. a website. Because of this, and
due to changing consumer behavior, a technology and innovation
orientation as well as efficient Project Management (PM) are
becoming more and more important as critical success factors
(CSFs) for e/mCommerce companies. Rusnjak & El Kharbili [1]
state that CSFs "are elements, determinants or conditions which
are having a decisive influence to success of entrepreneurial
actions" and creating competitive advantages. [1; 2]
Usually, eCommerce-Websites represent a framework for the
realization of all electronic commerce activities of a company
in the WWW. They are an automated part of the whole information
system "company" to create and sell goods and services. Nearly
the whole turnover of eCommerce-based business models is
realized over information systems.
Beyond this, a website is an instrument for marketing, for
(e.g. legal) information, communication and processes.
Therefore it is a complex system and requires Website-Engineering
in the form of situation analysis, strategic goal setting,
modeling and implementation [5]. Besides hardware and software
requirements, Website-Engineering also needs to focus on
findings in marketing, communication design, graphic design,
desktop publishing, typography and multimedia science, with
specific significance given to external influences, high (speed
of) adaptability to changing markets, up-to-date information and
integration of different disciplines [8]. The application of
Business Values, e.g. as used in agile software development, is
an attempt to deal with these different focuses. Business Value
refers to any measures of worth of a business entity [12].
This paper introduces the development of a new framework for
Business Value and shows a first approach for discussion.
Based on a literature review and interviews with (project)
managers, it explains the usage of a capacious Business Value
which includes the findings mentioned before.
II. SITUATING THE PROBLEM
Project Management (PM) has become very important in every
part of the modern corporate landscape, but it is not a perfect
process by itself. McLaughlin (2009) shows in his case study [7]
typical problems causing the failure of eBusiness-Projects. The
problems were ambiguous objectives, unrealistic goals, unclear
references to strategy, poor communication and insufficient
leadership. In addition, concerned stakeholders were not
involved in the formulation of requirements and not involved
during the realization. The project was mostly driven by
technical employees without any exact knowledge of the real
requirements of the stakeholders/market.
2010 IEEE 24th International Conference on Advanced
Information Networking and Applications Workshops
978-0-7695-4019-1/10 $26.00 © 2010 IEEE
DOI 10.1109/WAINA.2010.23
After three years with significant investments the project was
stopped without any result, with neither delivered components
nor clear dates for deployment. Remarkably, selling complex
technology-based business solutions was the core business of the
researched company. [7]
The reasons for the failure of eCommerce-Projects are various.
Both empirical experience and scientific work show that most of
the reasons are insufficient planning (time, costs, and
resources), poor management and different ideals and goals of
the involved stakeholders. In order to successfully manage
eCommerce-Projects, all stakeholders need to understand the
vision of the project, the strategic goals, the ideals and the
objectives of all concerned parties. Top-Management-Support is a
key factor for a successful realization of eCommerce-Projects or
implementation of eCommerce-Systems. It helps to emphasize the
need for technology or innovation and obtain strong commitment
from all involved parties in the project. If top management
doesn't provide a clear direction or vision, involved
stakeholders may get confused and projects will fail [8; 9].
An important application for prioritization, project
transparency and performance measurement is necessary to manage
the dynamics of e/mCommerce with regard to all involved
stakeholders.
III. BUSINESS VALUE
Mahmood et al. [4] state that there's "little or no empirical
research in ecommerce business value, but some related concepts
already identified include business value; e-commerce impact;
and e-commerce businesses success and failure. We drew useful
insights from IT business value and other related literature.
There are studies on factors contributing to IT systems success
or failure". We agree on this point and want to roughly describe
it as a basis for later discussion. Defining Business Value
seems to be a difficult task. In order to do it adequately, it
is imperative that one appreciates the variety and complexity of
factors that determine Business Value and those that influence
it at every hierarchical level within an organization.
Williams & Williams (2003) define Business Value (of an
investment) in economic terms as "the net present value of the
after-tax cash flows associated with the investment" [10]. Matts
& Pols (2004) identify a possible creation of Business Value
from a certain project when "it increases or protects profit,
cash flow or return on investment in alignment with the
company’s strategy" [11]. Tosic et al. (2007) recognise the
Business Value as "a broad concept that refers to any measures
of worth of business entity. It includes not only financial
aspects (e.g., income, costs, profit) but also many other
aspects (e.g., market share, customer satisfaction) important
for business operations" [12].
The meaning of Business Value, depending on one’s perspective,
spreads out into different dimensions of both tangible and
intangible values with structural significance to the different
stakeholders. Its implementation requires both financial assets
and human resources that can guarantee its achievement and steer
it in the right direction.
Business Value should be described as a model, rather than a
single statement or (just) a number. Considering the fact that
the Business Value of an organisation depends on numerous
influences, e.g. the level of information or environmental
issues that are dynamic in their nature, it would be easier for
management to deal with a model that has assumptions, input and
output, instead of using some prognosticated statements.
Possible determinants for the success of eCommerce and part of
Business Value are performance, productivity and perception
(e.g. company image and customer satisfaction).
Performance is measured by financial indicators (hard factors)
like return on investment, return on equity, return on sales,
growth in revenue, etc., and productivity by sales to total
assets, total sales and sales by employee, etc. Perception can
be expressed by soft factors like company image as well as
customer satisfaction, product-service innovation and number of
returning customers. Finally, Business Value can be understood
as an integrative parameter, expressing the relationship between
strategy, organizational performance and ICT via hard factors
(e.g. financial power, turnover, etc.) and soft factors (e.g.
market position, image, etc.). [4]
IV. BUSINESS-VALUE-FRAMEWORK (CET-MODEL)
"When designing an e-business, practitioners must pay attention
to creating a Web site that is visually attractive and easily
navigable. Practitioners must also focus on online system quality
and effectiveness. Attention must be paid beyond online system
components, toward establishing relationships and networks that
endure and thus provide real and sustainable competitive
advantage" [4].
This section describes a model to deal with the dynamics of
e/mCommerce and a short case about the proposition of a new
eCommerce project in a small and medium-sized enterprise (SME).
To keep it anonymous we call it "Blue Travel" (BT). The approach
of the model (CET = Company – Environment – Technology) presented
in this paper is based on the work on "Website Engineering" by
Schwickert [5] and Winter et al. [6]. In relation to this model we
classify the drivers of Business Value over three domains into
three basic dimensions: Company, Environment and Technology. The
hierarchical levels "Strategy", "Tactics" and "Operation" are
used as domains.
Figure 1. CET-Model
Every domain has its own focus, called a "Dimension", with its
own ideals, goals (general intentions) and precise objectives.
Dimensions are the primary fields of decision and responsibility
for a domain. Each domain therefore has its own understanding of
value and priority, comparable to a Business Value but here called
a Domain Value (DV).
According to [13] it is advisable to link every Domain Value, like
CSFs, to a responsible domain manager. A hierarchically
overlapping Business-Value-Framework covering the three
hierarchical levels (Strategy, Tactics and Operation) enables
management as well as stakeholders to identify where, how and how
much value is provided or destroyed, and to see the strategic
resources and the grid of projects and processes. Furthermore, it
provides a clear view of the actual value situation of a company
and supports better communication and cooperation. It supports
better satisfaction of all stakeholders and explains the
correlations of Business Value, so that complex strategies become
transparent and explainable. [3]
It is an interesting fact that technology, which is a significant
factor for an eCommerce organisation, can be classified with an
internal as well as an external focus. An eCommerce company
depends strongly on technology, its innovations and trends. The
final decision as to whether an organisation wants to implement a
new technology or not is made by the company itself, depending on
market trends, user adoption and consumer behaviour. As a result,
a hierarchically overlapping Business Value is an expression of
the Domain Values.
A. Case of failed "Blue Travel"-Project
BT runs its core business in the tourism sector and owns many
travel agencies in different cities. Due to the increasing
popularity of eCommerce and increasing competition, the owner
decided to start an eCommerce-Initiative focused on current trends
in eCommerce.
Management Situation:
The Top-Manager of BT is the founder. The company has no vision or
mission statement, and all strategic decisions are made by the
Top-Manager himself. The headquarters owns five travel offices and
is responsible for the allocation of financial and human resources
as well as for strategic and organizational guidelines. The
managers of the travel offices represent the lower management and
are basically responsible for operative tasks, e.g. customer care,
local marketing activities and the realization of input from
headquarters. BT has no middle management, and all
customer-facing activities are managed by the travel offices.
Failed eCommerce-Project:
BT started its first eCommerce-Initiative in April 2008. The
Top-Manager commissioned an external eCommerce-Agency to realize
an eCommerce-Service that enables the online selling of travel
and related services (e.g. insurance). The objectives were (1)
winning 10.000 new customers and (2) increasing turnover and
profit by up to 30% within three years. Only the Top-Manager and
the managing director of the eCommerce-Agency were involved in
project planning and realization.
In May 2008 the agency presented the concept of a travel portal
(i) for placement of travel services (ii) with special community
features. After a development time of seven months the
eCommerce-service (website) was implemented in December 2008. The
features were (a) enabling customers to create a simple profile,
reviews and recommendations, (b) enabling customers to send travel
inquiries directly to the headquarters of BT and (c) enabling the
headquarters of BT to publish travel offers via a content
management system on the website.
Result:
After six months of operation the preliminary conclusion was
disappointing: (1) the number of visits was approx. 7.000, (2) the
number of new customers was less than 50, (3) the turnover was
approx. 20.000 EUR, (4) the organizational effort to forward the
travel inquiries to the right travel offices was huge, with
unclear processes and responsibilities, and (5) there was no
coherent marketing concept. The project failed on a broad front.
A problem analysis shows that (i) the Top-Manager wasn't present
enough, (ii) the priority, concrete goals and ideals were not
communicated adequately, (iii) the employees with their special
know-how about the market and internal processes were not
involved, (iv) the project manager of the eCommerce-Agency had
underestimated the goals and ideals, (v) the project gained a
momentum of its own and (vi) it was predominantly developed by
technical employees without any knowledge of market mechanisms,
customer needs, etc. By the end of July 2009 the
eCommerce-Website was taken offline. By this time the costs were
more than 50.000 EUR and a lot of employees were confused,
frustrated and demotivated.
Possible Solution:
The objectives and ideals formulated by the Top-Manager, as well
as the strategic meaning of the project for BT, justify the
installation of a new business unit named "eServices". With this
business unit a new "middle" management level will be created as
well. The manager of eServices, named "eCommerce-Manager", is
responsible for the tactical tasks of eCommerce regarding all
involved stakeholders, resources, etc.
Figure 2. Organizational Structure of "Blue Travel"
His job is to coordinate the development of the
eCommerce-Initiative with the Top-Manager and the managers of the
travel offices (lower management) with the responsibility to
achieve the strategic goals, objectives and ideals. Some important
points of his coordination activities are the alignment of
existing processes to new eCommerce-processes, identifying CSFs
and customer needs, as well as achieving eCommerce-readiness
within the BT-organization.
For the as-is analysis, the reference concept and the concrete
implementation, the manager of the travel office with the highest
turnover becomes the manager for operational responsibilities
regarding the eCommerce-Initiative.
Using the CET-Model, based on Business Value and some selected
examples, we want to show an approach for efficient communication
as well as prioritization of objectives and ideals across each
management level of BT in an easily understandable and transparent
way. The illustration of the objective, ideal and value
dependencies is based on Eric Yu's i*-framework [14; 15] with our
own notation for ideals (rounded rectangle with four triangles)
and values (small circles). Goals/objectives are modeled as usual
via rounded rectangles.
B. Strategic Domain
(Dimension: Company)
The task and responsibility of top management is to realize the
vision/mission of a company through the formulation of strategic
programs and goals. Every strategic program or goal represents a
value for this domain and a goal for the other domains. Because
management has an overall view of the company, this Domain Value
mainly has an internal focus, expressing values about
vision/mission, corporate culture, strategy, leadership system,
shareholders, stakeholders, organization, etc. A direct alignment
between strategy and information system has a significant positive
influence on workflows and eCommerce-Programs and on the
achievement of online efficiency, e.g. an online presence of
higher quality. A strategic commitment lends substantial
importance to the development of a website; this leads to better
performance and marks a critical success factor for software
development [4].
In the case of the SME, the strategic objectives for a new
eCommerce-Initiative, (1) increasing the SME's profit/turnover by
up to 30% and (2) raising the number of new customers up to 10.000
during the next three years, were formulated by the top
management. The ideals and goals of the top management are (1)
improving the market position and the return on investment of the
SME, (2) satisfying its shareholders, (3) an efficient
organization and (4) motivated and qualified employees who carry
the new eCommerce culture in the best way.
Figure 3. 2 Goals & 4 Ideals of Strategic Domain
$DV_{S}(eComm) = OBJECTIVES_{S1,2} \mid IDEALS_{S1,2,3,4}$
C. Tactical Domain
(Dimensions: Environment, Company and Technology)
The tactical domain, with a focus on all dimensions, is the
central body of our framework. As a rule it is represented by the
middle and lower management and links the top management level to
the operative level. Besides its tasks, e.g. implementing
strategic programs and goals, coordination, information and
controlling, the primary focus of this domain is to set its Domain
Value of eCommerce-Projects and processes with a view to
stakeholders outside the company, e.g. customers, suppliers,
co-operation partners and market-based innovations. This domain is
also responsible for clear, simple and transparent communication
and measurement of Business Value across all hierarchical levels
of a company. Tactical decisions serve to make strategic goals
concrete and refer to every involved sub-domain of a company (e.g.
areas of operation, business processes, branches, etc.). At this
level, web-based objectives of tactical fields are selected to
develop goal-focused plans for the design and structure of a
website. [5]
In our case the eCommerce-Manager of the SME, who received the
ideals, goals and objectives from the strategic domain, analyzed
the market situation and CSFs. He decides to launch an
eCommerce-Service for consumers and travel offices with special
services and features. This service shall enable customers to
create a (semantic) profile with personal data and special travel
data in an easy way. It shall also enable travel agencies to match
consumer travels with their portfolio and allow offerings in a
transparent form. Some tactical objectives are (1) eCommerce
instruction for 10% of the employees during the first year, (2)
establishing the eCommerce-service within one year and with an
investment of 300.000 EUR, (3) reducing marketing costs by up to
20% via special community features during the next two years and
(4) offering a full-service application programming interface for
the processing of travel bookings to reduce transaction costs by
up to 15% by the start of the eCommerce-service.
The ideals and goals of the eCommerce-Manager are (1) winning more
customers, (2) establishing an eCommerce-service with the best
usability and transparency, (3) cooperating with service partners
for content and more products and (4) reducing process and
transaction costs.
Figure 4. 4 Goals & 4 Ideals of Tactical Domain
$DV_{T}(eComm) = OBJECTIVES_{T1,2,3,4} \mid IDEALS_{T1,2,3,4}$
D. Operative Domain
(Dimension: Technology)
For technology-based companies this domain is understood as a very
critical "Enabler" for entrepreneurial activities with an
important impact on the value chain. Products, services and
processes of eCommerce companies are created, established and
improved via projects. Besides the concrete design, structure,
development and implementation of an eBusiness-Project, the focus
and Business Value expression of the operative domain is mainly
aimed at technological innovations and software requirements like
scalability, performance, security, impact on existing processes,
etc. Based on the goals of the strategic and tactical domains and
a vision briefing, in our case the manager for technical
development creates a requirements sheet.
Among other things, his operative objectives are (1) an as-is
analysis and reference concept of all involved processes and
features within 2 months, (2) developing a technical eCommerce
infrastructure with new servers for web, database, communication,
development, replication, backup and security within three months
and at a maximum cost of 30.000 EUR, (3) recruitment of a project
team with core competences in JavaScript, Ruby on Rails and
(user-centered) design within three months, and (4) development of
widgets for social networks to generate traffic from other
websites (1.000.000 visits during the first two years) and an
application programming interface (API) for easy processing and
automated transactions with travel agencies to reduce transaction
time and costs by up to 10%.
The ideals and goals of this manager are (1) delivering a scalable
and secure system (2) that is easy to use and understand, (3) that
allows high loads of traffic and performance, and (4) efficient
support of the organization's processes and information by
technology.
Figure 5. 4 Goals & 4 Ideals of Operative Domain
$DV_{O}(eComm) = OBJECTIVES_{O1,2,3,4} \mid IDEALS_{O1,2,3,4}$
V. LINKING DOMAIN-VALUES TO BUSINESS-VALUE
To speak of and measure a hierarchically overlapping Business
Value, it is necessary to link each Domain Value to one Business
Value, which can be related to a strategic program, a special
product development, a software project, etc. In our case the
Business Value of the eCommerce-Project is the inclusion of all
related Domain Values:
$BV(eComm) = DV_{S}(eComm) + DV_{T}(eComm) + DV_{O}(eComm)$
In the form of a well-structured Business Value-Sheet, every
involved stakeholder is able to see his own Domain Value, the
Domain Values of other domains and the overall Business Value
relating to its focus, e.g. a software project, a product, a
strategy, etc. This helps stakeholders to understand the ideals
and goals of the other stakeholders and enables them to set
priorities among their objectives with regard to other domains. In
the case of the SME, the top management and the managers of the
tactical and operative domains can identify how value is created
across the three hierarchies, and what the preferences, main tasks
and ideals of every domain and their contribution to value are.
Figure 6. Linking Domain Values to Business Value
VI. CONCLUSION & FUTURE WORK
Our first approach seeks to allow better prioritization regarding
other domains, e.g. in agile software development projects, an
enhanced focus on strategic goals and developments, a better
understanding of market needs (especially for technical
employees), and a strategic/value-control and
strategic/value-feedback system over all hierarchical levels.
With a wide view over all important business fields, the CET-Model
leads to a better business/strategy orientation in agile
software/process development in eCommerce as well as in other
sectors. The introduced framework aims to bridge the existing gap
between business strategy and e/mCommerce development. Tasks in
the development process are planned (i) in a timeline and (ii)
following priorities according to the interests of the different
business domains (hierarchical levels), market views and technical
views, and (iii) results/increments are better traceable and
checkable (e.g. for controlling, improvement, business planning)
by every domain.
In future iterations of this work, we will discuss the interaction
of Business Values and Domain Values and further study value
drivers and influence factors. Our next steps will be a more
precise evaluation of the measurement possibilities of Ideals as
well as of Domain Value and Business Value as a priority-setting
and performance-measurement tool, in order to build a common meta
model of Business Value and Domain Value, followed by an analytic
and empirical validation of the CET-Model.
REFERENCES
[1] Rusnjak, Andreas; El Kharbili, Marwane (2009): On Leveraging Business Processes to deal with Critical Success Factors; Workshop on Business Process Modeling and Realization, Informatik 2009, Luebeck, Germany, 2009; to be published
[2] Böing, Christian (2001): Erfolgsfaktoren im Business-to-Consumer-E-Commerce; Wiesbaden: Gabler (Schriftenreihe Unternehmensführung und Marketing, 38)
[3] Sussland, Willy A.: Business Value & Corporate Governance: a new approach; Journal of business strategies, Emerald Group Publishing Limited, 2004; Retrieved 07.09.2009 online from: http://www.emeraldinsight.com/10.1108/02756660410516029
[4] Mahmood et al.: Measuring E-Commerce Technology Enabled Business Value: An Exploratory Research; International Journal of E-Business Research, Vol. 4, Issue 2, IGI Global, 2008; Retrieved 07.09.2009 from http://www.infosci-journals.com/downloadPDF/pdf/ITJ4209_ICYdW2bbcf.pdf
[5] Schwickert, Axel C.: Web Site Engineering – Ein Komponentenmodell; Arbeitspapiere WI Nr. 12/ 1998, Universität Mainz, 1998; Retrieved 07.09.2009 online from: http://geb.uni-giessen.de/geb/volltexte/2004/1685/pdf/Apap_WI_1998_12.pdf
[6] Winter et al.: Business Engineering – Der St. Galler Ansatz zum Veränderungsmanagement; in OrganisationsEntwicklung 27 (2008), Universität St. Gallen; Retrieved 07.09.2009 online from http://www.alexandria.unisg.ch/EXPORT/PDF/Publikation/44583.pdf
[7] McLaughlin, Stephen: The imperatives of e-business: case study of a failed project; Journal Of Business Strategy Vol. 30 No. 1 (2009), Emerald Group Publishing Limited, 2009; Retrieved 07.09.2009 online from: www.emeraldinsight.com/10.1108/02756660910926966
[8] Lee, Sungjae; Kim Kyoung-jae: Factors affecting the implementation success of Internet-based information systems; Elsevier Ltd., 2007; Retrieved online on 18.10.2009 from: http://dx.doi.org/10.1016/j.chb.2005.12.001
[9] Sung, Tae Kyung; Gibson, David V.: Critical Success Factors for Business Reengineering and Corporate Performance: The Case of Korean Corporations; Elsevier Science Inc., 1998; Retrieved online on 18.10.2009 from: http://dx.doi.org/10.1016/S0040-1625(98)00027-4
[10] Williams, Steve; Williams, Nancy: The Business Value of Business Intelligence, 2003; Retrieved on 17.09.2009 online from: http://www.decisionpath.com/docs_downloads/BIJarticle.pdf
[11] Matts, Chris; Pols, Andy: Business Value Driven Software Development, 2004; Retrieved on 17.09.2009 online from: http://cdn.pols.co.uk/papers/businessvaluedrivendevelopment.pdf
[12] Tosic, Vladimir; Suleiman, Basem; Babar, Abdul: Specification of Business Value with and in Software Patterns, 2007; Retrieved on 18.09.2009 online from: http://patterns-wg.fuka.info.waseda.ac.jp/SPAQU/proceedings/20-TosicSuleimanBabar-SPAQu07-Final.pdf
[13] Fishman, Allen: Critical Success Factors key to attaining goals; Inside Tucson Business; 07/20/98, Vol. 8 Issue 17, p10, 1/2p, 1998; Retrieved online on 18.10.2009 from: http://search.ebscohost.com/login.aspx?direct=true&db=bwh&AN=898334&site=ehost-live
[14] Yu, Eric: Presentation: Strategic Actor Relationships Modelling with i*; December 13-14, 2001, IRST, Trento, Italy; Retrieved on 08.04.2009 from: http://www.cs.utoronto.ca/pub/eric/tut1.2-v2.ppt
[15] Yu, Eric: i* an agent oriented modelling framework; Toronto; Retrieved on 16.04.2009 from: http://www.cs.toronto.edu/km/istar/
The Impacts of Service Quality and Customer
Satisfaction in the e-Commerce Context
Yong Lin, Jing Luo, Li Zhou, Petros Ieromonachou,
Lin Huang
The Business School
University of Greenwich
London, UK
Shuqin Cai, Shihua Ma
School of Management
Huazhong University of Science & Technology
Wuhan, China
Abstract—This paper aims to investigate the impacts of service
quality on customer satisfaction and loyalty in the e-commerce
context, in particular from a triad view of customer-e-retailer-3PL
(third party logistics) provider. A literature review is primarily
used to determine the conceptual model and to develop the
measurement scales. Data were collected through an online
questionnaire survey conducted in China. Structural equation
modeling was used to analyze the collected data and test the
proposed research hypotheses. The results indicate that both
e-service quality and logistics service quality are strongly linked
with customer satisfaction. The research results show that
practitioners (e-retailers) should focus not only on e-service
quality, but also on logistics service quality. First, this
research validates the proposed service quality framework with two
dimensions (e-service quality and logistics service quality) in the
e-commerce context. Second, it highlights the impact path of
service quality on customer satisfaction and loyalty.
Index Terms—Supply chain management, e-service quality, logistics
service quality, customer satisfaction, loyalty, e-commerce.
I. INTRODUCTION
Along with the fast growth of the Internet and its wide application
in business, online shopping has grown rapidly in many countries
[1]. Electronic commerce (e-commerce) brings huge business
opportunities (such as selling products and providing services
online) and revenue growth [2] to companies like e-retailers,
mainly due to its convenience, interactivity, lower costs and high
degree of customization and personalization for their customers
[3]. However, even with the growing number of online shopping
customers, e-commerce has proved to be more complicated and
difficult than the traditional way of doing business. Improving the
service quality of electronic commerce is regarded as one of the
key factors leading to success or failure [4].
During the past two decades, service quality in the e-commerce
context has been increasingly recognized as an effective way of
gaining and sustaining competitive advantages [5, 6], and a key to
customer satisfaction and loyalty [7, 8]. One branch of past
research has focused on e-service quality [9, 10] due to the
acceptance and usage of internet technologies in commerce, which
makes interaction and exchange differ from traditional business.
E-service quality is defined as “the extent to which a Web site
facilitates the efficient and effective shopping, purchasing and
delivery” [5].
However, this does not fully reflect the e-commerce experience and
the service quality perceived by customers. From a process view,
e-service is only the first part that customers perceive during
online shopping, covering searching and browsing product
information and placing orders online. The other important part is
the logistics service [4], where companies either deliver products
to customers by themselves or outsource this service to a third
party logistics (3PL) provider to accomplish the delivery.
Logistics service quality is regarded as an important key to
creating customer satisfaction [11]. In a recent study, the data
show that the two issues of most concern in online shopping are
actually logistics-related problems, including long delivery time
and the mismatch between the received product and the product
specification online [12].
As discussed above, in the context of logistics outsourcing, online
shopping happens within a service triad consisting of e-retailer,
customer, and 3PL provider (see Fig. 1), not a dyad with only
e-retailer and customer.
Fig. 1. Service triad of customer-e-retailer-3PL provider in e-commerce context
The perceived service quality of online shopping is much more
complicated because several roles interact with each other in the
service triad [13, 14]. The service quality perceived by the
customer is decided not only by the e-service provided by the
e-retailer, but also by the logistics service offered by the 3PL
provider.
[Fig. 1 labels: e-retailer, customer, 3PL provider; e-service; logistics service]
978-1-4799-3134-7/14/$31.00 ©2014 IEEE
In order to better address the triad nature of the online shopping
(e-commerce) experience, this research aims to propose a framework
of service quality combining e-service quality and logistics
service quality, in particular with a triadic view in order to
capture the complex dynamics in the context of e-commerce [13, 15],
and to investigate the relationships between service quality and
customer satisfaction and customer loyalty.
This research makes two contributions. First, it validates
the proposed service quality framework with two dimensions
(e-service quality and logistics service quality) in e-commerce
context. Second, it highlights the impact path of service quality
on customer satisfaction and customer loyalty.
In the following sections, hypotheses related to service quality
and customer satisfaction/loyalty are developed through a
literature review. Then, results from the study that was conducted
to test the research hypotheses are presented. Finally, the
theoretical contribution and management implications are
discussed, and future research directions are proposed.
II. THEORETICAL FRAMEWORK AND HYPOTHESES
A. Service quality and customer satisfaction and loyalty
Service quality (SQ) has been an important research topic
in the marketing literature for some time beginning with the
conceptual model developed by [16]. The delivery of high SQ
strengthens corporate brands and excellence in the service
encounters [17], and contributes to consumer satisfaction.
In the e-commerce context, customer satisfaction is normally
defined as “the customers' comparing applause of an e-commerce
enterprise, which causes the customers' re-purchase” [18], and it
is proven to be positively related to customer loyalty.
B. E-service quality
The quality of the online business service is considered to be an
important driver for the success of B2C e-commerce and companies’
differentiation strategy [19]. It is normally referred to as
electronic service quality (e-SQ) and defined as “the extent to
which a web site facilitates efficient and effective shopping,
purchasing, and delivery of products and services” [6].
A considerable amount of research has been done on the criteria
that consumers use to evaluate e-SQ delivered through the web
site. These criteria range from web site design, effectiveness and
efficiency of online browsing (information availability and
search), security issues and online purchase (order transaction) to
delivery of goods and services [20], mainly focusing on customers'
online experience and behaviors [21].
It is expected that e-service quality has positive impacts on
customer satisfaction and loyalty; hence the two hypotheses below
are defined.
H1: e-service quality directly and positively affects
customer satisfaction on e-services.
H2: Customer satisfaction on e-services directly and
positively affects customer loyalty on e-services.
C. Logistics service quality
Research on logistics service quality can be traced back to the
1970s, but it has been found difficult to measure, particularly in
an online shopping context.
In a B2C (business-to-customer) context, three dimensions
including availability of products, timeliness of delivery and
quality of delivery can be used to measure the physical
distribution service quality (PDSQ, [22]). Communication was
added as the fourth dimension emphasizing the importance of
order status information in improving SQ [23]. While in a
business-to-business (B2B) context, PDSQ can be evaluated
with three outcome dimensions: availability, timeliness and
condition [24]. The PDSQ framework was extended with
several other constructs, covering the ordering process and
receiving process [11].
This research will test whether logistics service quality has
positive effects on customer satisfaction and customer loyalty.
H3: Logistics service quality directly and positively affects
customer satisfaction on logistics services.
H4: Customer satisfaction on logistics services directly and
positively affects customer loyalty on logistics services.
D. Conceptual framework
From the view of the triad in the e-commerce context, the perceived
service quality of online shopping is defined with two dimensions:
e-service quality and logistics quality. This research investigates
how these two factors influence customer satisfaction and loyalty.
Figure 2 presents the conceptual framework with the proposed
hypotheses in this research.
In order to fully understand the inter-relationship within the
service triad as described in Figure 1, the following hypotheses
are developed to test their interactions.
H1a: e-service quality directly and positively affects
customer satisfaction on logistics services.
H1b: e-service quality directly and positively affects
customer loyalty on e-services.
H1c: e-service quality directly and positively affects
customer loyalty on logistics services.
H2a: Customer satisfaction on e-services directly and
positively affects customer loyalty on logistics services.
H3a: Logistics service quality directly and positively
affects customer satisfaction on e-services.
H3b: Logistics service quality directly and positively
affects customer loyalty on e-services.
H3c: Logistics service quality directly and positively
affects customer loyalty on logistics services.
H4a: Customer satisfaction on logistics services directly
and positively affects customer satisfaction on e-services.
H4b: Customer satisfaction on logistics services directly
and positively affects customer loyalty on e-services.
H5: Customer loyalty on logistics services directly and
positively affects customer loyalty on e-services.
III. RESEARCH METHODOLOGY
A literature review was primarily used to determine the conceptual
model and to develop the measurement scales. Data were collected
using an online questionnaire that was first developed in English
and then translated into Chinese. Structural equation modeling was
used for data analysis.
A. Measurement Scales
E-service quality (ESQ) was measured by 5 constructs
mainly derived from [8]. Logistics service quality construct
was based on [11]. Customer satisfaction was measured by
items developed from [8, 11, 25]. Customer loyalty was
measured by items generated from [8]. Table I shows the list of
measurement constructs and items, and their detailed sources.
All construct items were measured on a seven-point Likert-like
scale, ranging from 1 (=strongly disagree) to 7 (=strongly agree).
B. Data collection
A questionnaire was designed to measure service quality and to
evaluate customer satisfaction and loyalty. The online
questionnaire link was sent out to contacts through QQ, which is
the most popular social networking tool in China. These contacts
were also kindly asked to pass the questionnaire link on to their
own contacts. As a result, the total number of requests and the
response rate were not calculated. In total, 699 samples were
collected. Table I shows the respondents' characteristics. Of the
699 respondents, 495 are valid and the others are invalid due to
uncompleted questions.
China was selected for this research because, as the second largest
economy in the world, it has seen online shopping grow very fast in
the last few years. The number of Internet users in China reached
618 million by the end of December 2014, of which online shoppers
amount to 302 million, and this means a continuous growth rate of
24.7% compared with 2012 [26]. Moreover, the total market
transaction amount of online shopping hit 1.26 trillion Yuan (RMB)
in 2012, with a growth rate of 66.5% [12].
C. Reliability and validity
After data collection, a series of analyses were performed to
test the reliability and validity of the constructs based on the
sample of 495 respondents.
Reliability of the measurement scales is measured by
Cronbach’s α [27]. The Cronbach’s α values for all four
measurement scales are above 0.75, which shows good
reliability of the measurement scales.
Convergent validity is tested by evaluating whether each
individual scale item’s standardized coefficient is significant,
which means greater than twice its standard error [28]. As
presented in Table III, the coefficients for all items
greatly exceed twice their standard error. Such significance
provides evidence of convergent validity for the tested items.
In addition to convergent validity, to ensure adequacy of
the measurement model, discriminant validity should also be
evaluated to address the extent to which individual items
intended to measure one latent construct do not at the same
time measure a different latent construct [29].
D. Structural equation modelling method
In this research, structural equation modeling [28] with
AMOS 20.0 is used to estimate the conceptual model as
described in Fig. 2, and the analysis is based on the sample of
495 respondents.
TABLE I. RESPONDENTS' CHARACTERISTICS (BASED ON 699 SAMPLES)
(*Notes: RMB Yuan; during the data collection period, the
exchange rate was USD/CNY: 6.117 (low) - 6.196 (high))
IV. EMPIRICAL ANALYSIS AND RESULTS
A. Hypotheses testing with structural model
Table II provides a summary of the goodness of fit statistics.
TABLE II. FIT STATISTICS OF STRUCTURAL MODEL
Fit statistics | Overall fit measure: Notation | Overall fit measure: Model value
Chi-square to degrees of freedom | χ²/d.f. | 2.607 (χ²=3937.175; d.f.=1510)
Root mean square error of approximation | RMSEA | 0.053
Root mean square residual | RMR | 0.090
Goodness of fit index | GFI | 0.757
Normed fit index | NFI | 0.868
Comparative fit index | CFI | 0.914
Incremental fit index | IFI | 0.914
As shown in Table II, all the indices are within the
recommended range. In particular, with χ²/d.f. less than 3.0
Jean Carlos Nunes Paixão
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
สมใจ จันสุกสี
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 

Recently uploaded (20)

The Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collectionThe Diamonds of 2023-2024 in the IGRA collection
The Diamonds of 2023-2024 in the IGRA collection
 
Hindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdfHindi varnamala | hindi alphabet PPT.pdf
Hindi varnamala | hindi alphabet PPT.pdf
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
 
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skillsspot a liar (Haiqa 146).pptx Technical writhing and presentation skills
spot a liar (Haiqa 146).pptx Technical writhing and presentation skills
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
Chapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptxChapter wise All Notes of First year Basic Civil Engineering.pptx
Chapter wise All Notes of First year Basic Civil Engineering.pptx
 
Cognitive Development Adolescence Psychology
Cognitive Development Adolescence PsychologyCognitive Development Adolescence Psychology
Cognitive Development Adolescence Psychology
 
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching AptitudeUGC NET Exam Paper 1- Unit 1:Teaching Aptitude
UGC NET Exam Paper 1- Unit 1:Teaching Aptitude
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
คำศัพท์ คำพื้นฐานการอ่าน ภาษาอังกฤษ ระดับชั้น ม.1
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 

Strategic HRM Plan Grading GuideHRM498 Version 42.docx

  • 1. Strategic HRM Plan Grading Guide HRM/498 Version 4 2 Strategic HRM Plan Grading Guide HRM/498 Version 4 Strategic Human Resource Management and Emerging Issues
  • 2. . Individual Assignment: Strategic HRM Plan Purpose of Assignment The purpose of this assignment is to aid the student in determining the importance of developing a communication plan to support the company's strategy and assess how the HR planning process is integrated into the firm's strategic plan. Grading Guide Content Met Partially Met Not Met Comments: The student creates a communication plan to support the strategy of American Plastics.
  • 3. The student justifies why American Plastics was important for the strategic HRM planning process. The student recommends how to address these considerations. The paper does not exceed 1,050 words in length. Total Available Total Earned 10.5 #/10.5 Writing Guidelines Met Partially Met Not Met
  • 4. Comments: The paper—including tables and graphs, headings, title page, and reference page—is consistent with APA formatting guidelines and meets course-level requirements. Intellectual property is recognized with in-text citations and a reference page. Paragraph and sentence transitions are present, logical, and maintain the flow throughout the paper. Sentences are complete, clear, and concise. Rules of grammar and usage are followed including spelling and punctuation. Total Available Total Earned
  • 5. 4.5 #/4.5 Assignment Total # 15 #/15 Additional comments: A Framework for Enhancing Systems Security Srinarayan Sharma, Indian Institute of Management, Ranchi, India sriOsharma@gmail.com Vijayan Sugumaran, Oakland University, Rochester, USA, and Service Systems Management and Engineering, Sogang University, Seoul, South Korea sugumara@oakland.edu
  • 6. ABSTRACT Security concerns have grown in sync with the growth of ecommerce. This paper presents a framework for analyzing systems security in terms of three dimensions, namely, technology, process, and people. The paper also advocates a systems development life cycle view of security. It describes different activities that need to be carried out throughout the development cycle in order to improve overall systems security. It also discusses the theoretical and practical implications of the study, and identifies future research directions. KEY WORDS Systems Security, Systems Development Life Cycle, Security, Ecommerce, Security Framework INTRODUCTION Like all sectors of the economy, e-commerce has also been negatively impacted by the worldwide economic downturn. While other sectors have seen their growth suddenly move down in the reverse gear, e-commerce has held its ground well. According to the latest published e-commerce statistics (US Department of Commerce, 2011), online spending in 2010 in the United States increased 8.1 percent from that of 2009, while in 2011, retail ecommerce was expected to grow 13.7% on
  • 7. sales of $188 billion from that of 2010 (eMarketer, 2011). The long term U.S. retail e-commerce sale is still forecast to grow in high single digits to low double digits from an estimated $165.4 billion in 2010 to $269.8 in 2015 (eMarketer, 2011). Security concerns have grown in sync with the growth of ecommerce (Richardson, 2010). According to the 2010 Computer Security Institute Computer Crime and Security Survey (Richardson, 2010), though the security breaches at the respondent companies have decreased, they remain high. Episodes of hacking at the headquarters of the software giant Microsoft and other companies have only heightened the need for systems security (Gross, 2011). Online privacy and security are the most important issues for Internet users and will remain so in the foreseeable future (Bennett, 2006). Identity theft, credit card fraud, and virus attacks affect virtually all areas of Internet use. Security breaches can lead to lower confidence and heightened fear for consumers resulting in fewer customers buying online (Cybersource, 2009). Consumer fears resulted in estimated online sales losses of $4.0 billion in 2008, an increase of 11 percent from the previous year (Cybersource,
  • 8. 2009). In this paper, we argue that only a systematic approach to security can protect companies from Internet and other security breaches. Towards that end, we describe generic systems security concerns, and generic security technologies available to address these concerns. We provide a framework for analyzing systems security in terms of three dimensions, namely technology, process, and people. We also advocate a systems development life cycle approach to security and identify some of the key activities that need to be carried out throughout the development cycle in order to improve overall systems security. The paper is organized as follows. In the next section, we briefly provide a review of the security concerns and technologies. Following this we review the information security literature to survey existing security frameworks. Then we provide our own framework to integrate different security issues along with key activities needed to be performed in a systems development life cycle. In the next section, we provide a discussion of how our framework could be applied to a generic company. Finally, we conclude with implications for theory and practice. SYSTEMS SECURITY ISSUES AND SECURITY TECHNOLOGIES Systems Security Issues
  • 9. Security is a multidimensional concept and needs to be examined on several dimensions such as privacy, physical access restrictions, application availability, network confidentiality, content integrity, and access policy (Olson & Olson, 2000). Security generally refers to authentication, access control, audit trail, confidentiality, integrity, availability, and nonrepudiation (Internet Society, 2000). Most common security problems in electronic commerce can be classified into four categories: operating system weaknesses, application vulnerabilities, improper configuration, and lack of training and resources (Connolly, 2001). Ironically, the last category, lack of training and resources, contributes to the first three problems. The following are some of the e-commerce security issues discussed in the literature. (a) Misallocation of resources: In the majority of organizations, security spending has been lagging compared to migration of corporate information from legacy systems to new client/server and web-based systems (Myers, 2011; Richardson, 2010). While the critical corporate data has been moved to Unix and NT systems, companies are still spending resources to secure mainframes (Hines, 2007; Messmer, 2008; Paris, 2009).
  • 10. (b) Broadband Remote Access Applications: Keeping mission control applications up and running 24-hours a day 7 days a week has become a business necessity. If they are not secure, hackers will find them and possibly gain control with malicious intent. Some hackers use empty hard drives on these systems for storing illicit files, while others may use remote access as a backdoor into enterprise systems. Cable systems use Ethernet "party-line" architecture and put a neighborhood on a single subnet. Each packet is broadcast to everyone, and only the addressee is supposed to process it. However, neighborhood hackers can use Sniffer technologies to tap into this subnet (Panko, 2010). Once they have access to the subnet, they also have easy access to the other systems on it. (c) Lack of Incident Response Plan: Organizations often lack an Incident Response Plan to cope with security breaches (May, 2011; Richardson, 2010). A good Incident Response Plan usually includes policies on when to shut down an affected server and when to quarantine it. It also outlines how to contact vendors, company executives, and response team members, as well as ISP and law enforcement officials. The plan explicates logs to be kept and steps to be
  • 11. performed to track the hacker's activities and location. It also describes how the affected parties will be contacted. In the absence of such a plan, organizations try to address any security breaches in an impromptu manner, which leads to chaos and delay. (d) Lack of customizable automated tools to fix security holes: Plugging every security hole is extremely resource-consuming. Scripting tools available to automate the process are not customizable. Thus skilled security professionals are needed to do the job by hand (Schwartz, 2011). (e) Lack of security awareness: Organizations lack a strong security culture to ward off unexpected hacker attack (Grimes, 2009; Richardson, 2010). Complexity and variety of security attacks have made the management of employee attitude toward security a paramount concern. Increasing numbers of companies are becoming dependent on Internet access from their desktop for personal and daily business and as a result, bring exposure to company data and information to new, intensely dangerous levels. While some employees may be acutely aware of security dangers, others may need constant reminders. Building a security-conscious culture may be a daunting task, but companies need to instill it to minimize security breaches.
  • 12. (f) Heavy emphasis on just IT: There is a general perception that system security is the responsibility of the information systems department and is independent of the business processes. Factors that control the information flow between sub-systems shouldn't just come from a technical view if it is to be effective companywide (Grimes, 2009). Business risk control mechanisms are needed to meet the overall security objectives. (g) Lack of security education and Training: Employees need to be educated to understand the need for information security and what it means to the organization (Richardson, 2010). They have to be encouraged and motivated to follow standard security procedures (Myers, 2011). (h) Lack of Ownership: Employees must also be assigned responsibility and ownership of the information they manage (Panko, 2010). Early involvement of employees in the process is necessary for their taking ownership of the process. Security Technologies Having briefly described different systems security concerns in companies, in this section we provide a brief overview of the technologies
  • 13. available for addressing these security concerns. (a) Digital Certificates: Digital certificates, which are a key part of Internet security, received federal legal authority in June 2000. These certificates can serve as a trusted and verified means of identification that cannot be repudiated (Gerdes Jr., Kalvenes & Huang, 2009). (b) Public Key Infrastructure (PKI): It has been difficult to establish proper trust and verify credentials with electronic trading partners in the realm of B2B electronic commerce. Vendors have developed PKI management services and products that are designed to eliminate this problem (Millan et al., 2010). However, vendors' ultimate goal of having a system to handle the entire end-to-end authentication and payment process is still to be achieved (Millan et al., 2010). (c) Intrusion Detection: Examination of a number of high profile security breaches such as those at Microsoft, TJ Max, and Bank of America has revealed that most successful intruders escape casual surveillance. This has made intrusion detection technology one of the most used security technologies. Intrusion-detection systems monitor an organization's network and hosts (Xenakis, Panos & Stavrakakis, 2011). They detect
  • 14. intrusions by watching for certain actions that resemble characteristics of known attacks. A downside of this technology is that it cannot detect attacks which are not resident in its knowledge base. (d) Security in Web Applications: Progress has been made in preventing attacks that exploit security weaknesses in Web applications. Perfecto Technologies' AppShield, for example, sits between the network firewall and web server, allowing Web surfers to access the Web site only from authorized entry points and verifying that all incoming client requests are legitimate. If a request violates the defined security policy, browsers are denied access to the application (Caceres & Teshigawara, 2010). (e) Personal Firewall: The explosion of broadband networking options has made desktops vulnerable. Hackers can gain access to these desktops with assigned IP addresses and launch attacks on other systems. Personal firewalls can mask these desktops from casual probing. Well-known anti-virus players such as Symantec and McAfee along with specialty vendors such as Network ICE and Syborgen are providing personal firewall solutions (Schultz,
  • 15. 2005). (f) Disposable IDs: Complex encryption algorithms used by web browsers have made the theft of credit card numbers in transit almost impossible (Buccafurri & Lax, 2011). However, vendor databases containing these numbers remain vulnerable. The disposable ID mechanism makes it possible to issue one-use credit card numbers, which renders stealing credit card numbers from vendor databases useless (Experiencefreak, 2010). (g) Biometric Security: Biometric security technologies have become easier to implement. These technologies make use of an individual's unique fingerprints, face, and voice to ensure authorized entry (Uzoka & Ndzinge, 2009). (h) Single Sign-On Technologies: Many security systems in the past have required multiple sign-ons from users to ensure security. Single sign-on technology allows users to browse through network resources without entering several passwords (Orr, 2005). When combined with biometrics, it can be a powerful security tool. Novell's NDS directory device uses this technology. SECURITY FRAMEWORK FOR ENHANCING SYSTEMS SECURITY In the previous two sections we have discussed the common
  • 16. security issues that are being faced by the IT departments in companies engaged in e-commerce and the technologies that are currently available for securing mission critical applications. A closer examination of the issues and the available technologies reveals that, while technical solutions exist to provide adequate security, organizations still experience considerable difficulty in securing their applications from intruders. Most of the security measures implemented by organizations rely heavily on technology alone without considering other factors that have a greater impact on the overall security of their systems. According to PwC (2011), companies have been increasing their security spending since 2007. But despite the multibillion-dollar spending, they fall short of achieving business-process security (Nosworthy, 2000; PwC, 2011). To address these shortcomings many researchers have provided various frameworks. A brief review of these frameworks is given below. Chang et al (2011) provide a technology driven framework that uses (external) environment information to enhance computer security. The advantage of this framework is that the environment information is collected by sensors that are outside the control of a host and communicate to an external monitor via an out-of-band channel (with respect to the host), thus it cannot be compromised by malware on a
  • 17. host system. The information gathered still remains intact even if malware uses rootkit techniques to hide its activities. This framework is applicable to a number of security applications: (1) intrusion detection, (2) rate monitoring/control of external resources, and (3) access control. Chang et al (2011) show that this framework is useful even with coarse-grained and simple information. They present some experimental prototypes that employ the framework to detect/control email spam, detect/control DDoS zombie attacks and detect misuse of compute resources. Experimental evaluation shows that the framework is effective in detecting or limiting the activities of such malware. The shortcoming of this framework is that it does not address process and people aspect of security that may have a greater impact on overall security. Abbas et al (2011) propose a framework based on options theory borrowed from corporate finance and adapt it to evaluation of security architecture and decision making for handling issues at organizational level. This framework addresses three main problems resulting from uncertainty in information security management: dynamically changing security requirements of an organization, externalities caused
  • 18. by non-secure system, and obsolete evaluation of security concerns. The framework is relevant to information security management in organizations, particularly issues on changing requirements and evaluation in uncertain circumstances created by progress in technology. This is a process driven framework and does not address technology and people aspect of security. Tsohou et al (2010) provide a classification framework for categorizing available information security standards. Recent information security surveys indicate that both the acceptance of international standards and the relative certifications increase continuously. However, the majority of organizations still does not know the dominant security standards or fully implement them. The aim of this framework is to facilitate the awareness of information security practitioners regarding globally known and accepted security standards. Clearly the focus of this framework is on a narrow aspect of technology, that is, technology standards. This does not address broader technological issues, process issues and people issues. There is a need to provide secure and safe information security systems through the use of firewalls, intrusion detection and prevention systems, encryption, authentication, and other hardware and software solutions. Patel, Qi, and Wills (2010) propose a framework which includes safe, secure, trusted, and auditable services, as
  • 19. well as forensic mechanisms to provide audit trails for digital evidence of transactions and protection against malicious and illegal activities. This framework focuses on technology and process aspects of security. Gurung, Luo, and Liao (2009) develop a research framework and empirically analyze the factors that motivate the consumers to adopt and use anti-spyware tools when they are faced with security threats. The research model was tested with data obtained through online survey questionnaires. The results do not find statistically significant relationships for hypotheses related to perceived vulnerability and response cost with the dependent variable. Perceived severity, self-efficacy, and response efficacy were found to be significantly related to use of anti-spyware tools. This framework focuses on people aspect of security. Using a two-stage framework, Mouratidis, Jahankhani, and Nkhoma (2008) empirically found that personnel from general management have different perspectives towards network security than personnel from the network security management. In particular, the study indicates that such differences are demonstrated on a number of areas such as the effectiveness and the efficiency of the networked system, control of network
  • 20. security, security-related decision-making processes, and users of the network. The latter being the most controversial issue with one side indicating that users should be allowed to use the network in an efficient manner, and the other side emphasizing that users pose one of the greatest security risks to the system. This framework also focuses on people aspect. Hong, et al. (2003) propose a framework to integrate security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory in order to build a comprehensive theory of information security management (ISM). This framework suggests that an integrated system theory is useful for understanding information security management, explaining information security management strategies, and predicting management outcomes. This framework is focused on process aspect. Siponen (2002) provides a framework synthesized from the information systems (IS) and software engineering literatures for articulating security maturity criteria and examining existing information security maturity criteria. This framework is focused on process aspect. Debar and Viinikka (2006) provide an architecture for the outsourcing of security information management (SIM). They posit that the day-to-day operation of a SIM is
  • 21. beyond the financial capabilities of all but the largest organizations, as the SIM must be monitored constantly to ensure timely reaction to alerts. Many managed security services providers (MSSP), therefore, have merged for outsourcing the alert management activities. Sensors are deployed within the customer's infrastructure, and the alerts are sent to the outsourced SIM along with additional log information. This framework focuses on process and technology aspects. Eloff and von Solms (Eloff, 2000) provide a hierarchical framework for information systems management from the security standpoint. Their multilevel model includes two major aspects of security management, namely, technology and process. Despite the fact that considerable emphasis has traditionally been placed on the technical aspect, they have introduced the process aspect of security and discuss the importance of developing guidelines, code of practice, standards, legislation, and benchmarking. While these processes are essential, equally important is the consideration of the changing nature of the overall business processes and their security requirements. For example, in the dynamic B2B environment, partnerships between participating entities are forged and terminated frequently. These partners collaborate
  • 22. and cooperate on certain projects, while maintaining individual trade secrets and competitive edge. In such a scenario, the security requirements for the systems and interfaces are driven by the specific business processes and the data that are exchanged between them. Thus, we argue that identifying and articulating the security requirements for important business processes is critical in coming up with a comprehensive security solution. Most of the security frameworks reviewed above focus on technical and/or process aspects of security. However, an important piece of the security puzzle is the human aspect. Recent literature indicates that maximum threat of security breach comes from within the organization (Panko, 2010; Richardson, 2010). A joint study by the Computer Security Institute (CSI) and the FBI indicates that the most serious losses in companies are done by unauthorized insider access (Richardson, 2010). As aptly pointed out by Dhillon and Backhouse (2000), information system security is a social and organizational problem because they are used by people. Thus, it is the human beings that interact with, and are responsible for systems that have the biggest impact on security of individual systems and the organization as a whole (Andress, 2000). In this context, personal traits such as responsibility, integrity, trust, and ethicality are deemed critical in securing information assets (Dhillon & Backhouse, 2000).
  • 23. In light of the above discussion, we contend that for any systems security solution to be effective, it should take into account the following three dimensions, as depicted in Figure 1: a) technology, b) process, and c) people. In fact, these three equally important dimensions are tightly coupled, and should serve as the cornerstone of every systems security solution architecture. A weakness in one dimension not only affects the system security but also has a severe detrimental impact on the other dimensions and thus has a compounding effect. Hence we argue that a balance and congruence between these three dimensions is critical for providing a secure systems environment. We identify important factors within each of these dimensions in Table 1 below. These factors are derived from the frameworks reviewed above. Table 1: Important Technical, Process, and People Factors for Enhancing Systems Security Technical • Standards • Security models • Specific security technologies • Privacy • Physical access
  • 24. restrictions Process • Guidelines • Code of practice • Controls • Certification • Accreditation • Benchmarking • Self-assessment People • Responsibility • Integrity • Trust • Ethicality • Application availability • Network confidentiality • Content integrity • Legislation • Evaluation Another drawback discussed in the literature regarding current security solutions is that most of the security measures are "afterthoughts" (Panko, 2010). In other words,
  • 25. the security layer is just an add-on to systems without taking into consideration the assets to be secured and the business processes that they support. During the development life cycle of the system, security requirements and the design of appropriate solutions are not an integral part of the development process. [Figure 1. Framework for Enhancing Systems Security. Figure labels: Technology, Process, People, Secure Environment.] For the most part, system security is limited to user authentication and limiting access to certain resources through rudimentary techniques. We contend that a thorough analysis of the security requirements based on the assets and the business processes to be secured, ensuring that there is a good fit between the chosen security mechanisms and the processes, is crucial for the effectiveness of system security. In order to achieve a high level of success, we advocate that security related issues be considered at every phase of the system development life cycle and not just at the post-implementation phase. In other words, organizations have to develop and commit to a
  • 26. systems development life cycle view of security. Furthermore, during each phase of the systems development, the issues related to the three dimensions of security have to be delineated and addressed. Table 2 presents some of the security related activities that have to be carried out during each phase of the systems life cycle. Without claiming comprehensiveness, we suggest that these activities provide a systematic way to incorporate security aspects into the overall systems development process. Table 2. Security Related Activities in Systems Development Life Cycle Phases Dimensions / SDLC Phases Planning Analysis Design Implementation and Testing Technology
  • 27. Survey existing security technologies (internal and external), standards, and models. Identify technologies and their requirements to secure business processes. Design security architecture including privacy and physical access restrictions. Procure security technologies (hardware and software to meet security requirements identified in analysis phase). Ensure application availability, network Process Study codes of practice.
  • 28. Review existing security policy. Identify assets to secure. Identify their high level security needs. Perform SWOT analysis for security. Determine process level security requirements and controls. Design organizational security policies. Ensure that policies are consistent with legislation. Establish security interfaces between sub-systems. Identify domain specific test scenarios. Perform unit testing, system testing. People
  • 29. Identify security champion. Seek participation of high level managers. Identify manager(s) for security operations. Involve security analysts, and process users (end users). Identify and involve technical people who will design security solutions. Involve technology vendors, consultants, designers, and system integrators. Post Implementation
  • 30. confidentiality, and content integrity. Fix bugs. Enhance security features. Train end users. Promote security. Actively monitor security breaches. Identify new security risks. Evaluate, perform self-assessment and benchmark. Get accreditation and certification. Get end users' trust. Inculcate end user responsibility. Security personnel integrity and ethicality. DISCUSSION In this section, we provide detailed actions that organizations can take in order to mitigate the woes of "security blues" based on our framework and systems development life cycle view of security. The actions presented below are grouped based on the SDLC phases related to technology, process and
  • 31. people dimensions of systems security. Planning Sound planning paves the way for effectiveness and efficiency in security and compliance. In the planning phase of the SDLC, a company needs to survey existing security policies, codes of practice, standards, procedures, technologies, and models which are available both internally and externally. Information security policies are high-level statements about securing systems. A standard is a detailed rule or statement to enforce the given policy. As an example, "a company will use passwords to secure its systems" might be a policy statement, while "passwords must be eight characters in length, should include both capital and small letters and a number" might be a standard. A procedure can describe a step-by-step method for implementing various standards. As an example, "the company will enable password length controls on all production systems." The company also needs to review external security standards such as ISO/IEC 27002, which is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), to find out codes of practice for information security management. If necessary, it needs to make changes to its existing policy. Effective security begins with a solid understanding of the
  • 32. protected asset and its value. The company needs to identify assets to secure. Since it will be prohibitive to secure all the assets a company possesses, it should prioritize assets based on the existing security guidelines, codes of practice, and risk analysis. As an example, risk analysis will allow the company to weigh the cost of securing the asset versus the loss if the asset's security is breached. If the cost of securing the asset is more than the value of the compromised asset, it may not be beneficial to secure the asset. As an example, assume that the value of an asset is $10,000, and the probability of the security breach for this asset is 10%. The loss associated with this security breach will be $10,000 × 10% = $1000.00. If securing this asset costs more than $1000.00, then it should not be secured. High level security needs of the identified assets also need to be identified in this stage. Such needs could be categorized as access control, physical security, endpoint security, infrastructure security, application security, and data security. Security needs to be recognized by IT managers as an important issue. The best
  • 33. technologies and wisest policies will take security only so far without extensive management buy-in (Tipton & Krause, 2004). It is heartening to know that in the CSI survey, a majority of managers regard security as a top priority (Richardson, 2010). The remaining IT managers must also recognize security as a top priority, if they want to see their web-systems secure (Tipton & Krause, 2004). In the planning phase, the company also needs to identify a security champion who will provide resources and support the security effort even in case of resistance from other stakeholders. Participation of the high level managers within whose purview the security function falls should be sought in the planning phase. Lower level managers who will oversee the operations of the security should also be identified. Analysis The company needs to perform strength-weakness-opportunity-threat (SWOT) analysis for security. Such a SWOT analysis should identify the strength of the existing security mechanisms (technologies, processes, and personnel) and their weaknesses. It should also identify any opportunities that may be there to strengthen the existing security and institute new security. It should also identify any current and possible new threats, such as the company allowing its employees to use wirelessly connected hand-held devices for enterprise communication. Other possible threats can
  • 34. come from policy breach, data theft, equipment theft/damage, social engineering, DoS, unauthorized access, etc. In the analysis phase, the company would identify appropriate technology requirements (such as hardware and software) to secure assets and business processes that need securing. Use of such technologies should be based on the high level security requirements identified in the planning phase. An outcome of the analysis phase could be the decision to outsource security because of the lack of skilled security personnel (Richardson, 2010). Of course, personnel could be acquired and trained in-house, but it may be cost prohibitive. Any security outsourcing decision should be made with utmost caution, as companies must trust handling of their most critical data to an outsider, namely, a Managed Security Provider (MSP). Before choosing an MSP, a company must thoroughly analyze its security needs and determine if the MSP meets those needs. The company should also be mindful of the adverse reactions of its customers (Messmer, 2008). To secure business processes, the company would need to identify process level security requirements. The company would also need to
  • 35. identify relevant security standards such as ISO 27002 (previously known as ISO 17799) or COBIT and benchmarks for business processes. Such standards and benchmarks could be obtained from standards certifying bodies such as the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and industry best practices from sources such as Information Systems Audit and Control Association (ISACA), the SANS institute, CSI survey, etc. As an example, in B2B environments, where business partners may collaborate on different business processes, there is a need for very detailed access and content control. A new security challenge is the complexity and granularity of protection needed for business processes in these environments. The process level requirements will necessitate confidentiality, integrity, and authenticity in data flows. Different business processes or transactions may require different data. These data may require different levels of security for different business processes. While SSL may be sufficient for some data, digital certificates must be used for others. Though when these data flow across different systems, they are in the same bit and byte format. Thus, the same security technologies potentially could be applied to the same stream of data; however, different security technologies would be required for different streams of data. A joint collaboration between RSA and Netegrity is aimed at providing
  • 36. a multilevel access-control expertise to produce a security system that can accommodate many types of users and scopes of access rights (Parris, 2009). The company must involve security analysts and process users (end users) early on in this phase. Early involvement of these stakeholders makes them take ownership of the security requirements of the business processes they are involved with. Design In the design phase the company needs to design its security architecture. Security architecture can be defined as the design artifacts that describe how the security controls (security countermeasures) are positioned, and how they relate to the overall information technology architecture (OpenSecurityArchitecture.org, 2006). These controls serve to maintain the system's quality attributes, among them confidentiality, integrity, availability, accountability, and assurance. The security architecture should be holistic and encompassing, make suggestions on how different controls can be synchronized and integrated to achieve maximum effect, include a comprehensive approach to security risk management, and be measurable to demonstrate adherence to the requirements (Eloff & Eloff, 2005) and federal and state laws, such as the Federal Information Security Act of 2002 (P.L. 107-347, Title III),
  • 37. National Security Directive 42 (NSD-42), etc. The company also needs to design its security policies, particularly the Incident Response Plan. An information security policy statement expresses management's commitment to the implementation, maintenance, and improvement of its information security management system (ISO 27000). Though there is a need for reviewing security policy in the planning phase as discussed above, the approach needs to be repetitive given that any security program will never be 100% complete. The rapidly changing technologies require continuous adaptation. If the organization has a security policy, it should be evaluated to determine whether it is valid and appropriate. This phase should include all updates and changes to the policy as well as identification of all controls and procedures that are needed to implement the policy. In this phase the company also needs to identify technical people who will design security solutions. Such people should be carefully chosen to ensure that they bring a holistic perspective and are not wedded to some particular security policy approach.
  • 38. They should also exhibit integrity and ethicality. Implementation and Testing The company would need to procure security technologies (hardware and software to meet security requirements identified in analysis phase) if it does not have the technologies already. Appropriate security technologies could be obtained by contacting technology vendors and consultants. If in-house security systems are to be deployed, appropriate systems security designers and systems integrators should be identified and assigned. Special care should be taken to ensure security of interfaces between systems. The individual systems may themselves be secure; however, when they interact with other systems, security could be breached. To ensure security of individual systems, the company would need to identify domain specific test scenarios, and then test its security. Unit testing will be appropriate for such scenarios. However, system testing should be performed to ensure the security of interfaces between subsystems. After testing, the security architecture needs to be implemented. Implementation could be carried out following any of the direct cut-off, parallel, or pilot approaches. An analysis should be done to determine the suitability of these approaches before following them, as every one of them has unique strengths and weaknesses. As an example,
  • 39. the direct cut-off approach allows one to move the entire system to the new architecture. However, if there are security glitches, then the entire system is affected. In contrast, the parallel approach allows both the old and new architecture to be in place for some period of time, but creates confusion among users. The pilot approach allows implementation in only a small segment. This approach helps in ironing out any kinks the security architecture may have before going for full-fledged implementation. Post-Implementation It is inevitable that there would be some security bugs in the implemented system. In this phase, such bugs need to be identified and fixed. It is also inevitable that security will be breached at some point in time. If a security breach takes place, the company should follow its Incident Response Plan developed as a part of overall security policy in prior phases. All end users of all the systems need to be educated and trained about using proper security protocols to promote security. Complexity and variety of security attacks have made the management of employee attitude toward
  • 40. security a paramount concern. While some employees may be acutely aware of security dangers, others may need constant reminders. Building a security-conscious culture may be a daunting task, but companies need to instill it to minimize security breaches. As a part of security culture, users have to see the benefits to themselves if they are to buy into these security technologies and policies (Tipton & Krause, 2004). Therefore, it is important to make user education a top priority. Getting end-users to understand the importance of security and making them conscious of areas in which they can help increases the security of the company as a whole. Employee education buttresses security solutions installed to protect a company from attack. Unfortunately, people working inside the company are considered higher security risks than those outside the company (Panko, 2010). The need to address employee breaches is often obscured by all the solutions for physical and network security. While web-browsers and servers do a good job of encrypting data they exchange, traffic on intranet and LAN is often unencrypted. Managers need to pay special attention to insider security breaches. Employees need to be educated to understand the need for information security and what it means to the organization (Richardson, 2010). They have to be encouraged and motivated to follow standard security procedures (Myers, 2011). Employees must also be assigned responsibility and ownership
  • 41. of the information they manage (Panko, 2010). Early involvement of employees in the process is necessary for their taking ownership of the process. Future security risks should also be identified. In this stage, companies will do well by self-assessing their overall security. They should also benchmark themselves against ISO 27000 or a similar standard. If their security is found wanting, they should take action to rectify it. A good way to meet common benchmarking standards is to get certified and accredited by certifying and accreditation agencies such as Verisign. CONCLUSIONS Though organizations are spending vast sums of money towards securing their mission critical applications, they are unable to completely protect their applications and systems from malicious attacks and intrusions. More importantly, they are not able to improve the perception of lack of privacy and security in their applications from the consumers' point of view. This has resulted in very high opportunity cost, estimated to be in billions of dollars. To a large extent, the lackluster performance of security mechanisms is attributed to heavy reliance on technology while ignoring other factors. Consequently, there is a big push towards taking a holistic approach to designing security solutions.
  • 42. This study contributes to the theory by providing a holistic security framework which addresses the shortcomings of the existing frameworks. In particular, existing frameworks address only one or two of the three dimensions of people, process, and technology, while this framework incorporates all three dimensions for analyzing and subsequently implementing systems security. Existing frameworks also do not provide a holistic way of incorporating security in business processes. This paper advocates a systems development life cycle view of security and provides some of the key activities that have to be carried out throughout the development life cycle in order to improve overall security of business processes and corresponding applications and systems. A systematic approach to system security will greatly enhance customer confidence and thus provide competitive advantage. The paper also contributes to practice by providing a detailed discussion of how this framework could be implemented in a given company. Future research could investigate how and if organizations are using systems development life cycle approach to secure their business processes. They could also examine if all three
  • 43. dimensions are equally involved in such an endeavor, or companies give priorities to one dimension over others. ACKNOWLEDGEMENT The work of the second author has been partly supported by Sogang Business School's World Class University Program (R31-20002) funded by Korea Research Foundation and the Sogang University Research Grant of 2011. REFERENCES Aberdeen Group. (2008) Aberdeen Group Research Benchmark Report. Passwords, Privileged Passwords and Password Lifecycle Management. Andress, M. and Fonseca, B. (2000) Manage people to protect data. InfoWorld, Nov. 10. Bennett, M. (2006) Community poll forum: Biggest concern about switching to online applications. CNet Forums, May 2. Buccafurri, F. and Lax, G. (2011). Implementing disposable credit card numbers by mobile phones. Electronic Commerce Research, 11(3), 271-296. Caceres, G.H.R. & Teshigawara, Y. (2010). Security guideline tool for home users based on international standards. Information Management & Computer Security, 18(2), 101-123. Chang, E.-C., Lu, L., Wu, Y., Yap, R.H.C., and Yu, J.
  • 44. (2011). Enhancing host security using external environment sensors. International Journal of Information Security, 10(5), 285-299. Connolly, P.J. (2001) Security steps into the spotlight. InfoWorld.com, Jan. 21. CyberSource. (2009) 10th Annual, 2009 Edition, "Online Fraud Report." http://forms.cvbersource.com/forms/FraudReport2009NACYBS www020309 Debar, H. and Viinikka, J. (2006). Security information management as an outsourced service. Information Management & Computer Security, 14(5), 416. Dhillon, G., Backhouse, J. (2000) Information System Security Management in the New Millennium, Communications of the ACM, Vol. 43, No. 7, July, pp. 125-128. Eloff, J.H.P. and Eloff, M.M. Information Security Architecture. Computer Fraud & Security, November 2005, pp. 10-16. Eloff, M. M., and von Solms, S. H. (2000) Information Security Management: A Hierarchical Framework for Various Approaches, Computers and Security, Vol. 19,
  • 45. No. 3, pp. 243-256. eMarketer. (2011) US Retail Ecommerce Forecast: Growth Opportunities in a Maturing Channel. March. Experiencefreak. (2010) Disposable Identity? http://experiencefreak.posterous.com/disposable-identity. April 23. Gerdes Jr., J.H., Kalvenes, J., Huang, C.-T. (2009) Multi-dimensional credentialing using veiled certificates: Protecting privacy in the face of regulatory reporting requirements. Computers & Security, July, Vol. 28, Iss. 5; pp. 248-259. Grimes, R. (2009) How to manage IT security - without a tech background. InfoWorld, Sept. 25. Gross, G. (2011) U.S. needs cyber-emergency response, lawmaker says. Computerworld, April 11. Gurung, A., Luo, X., and Liao, Q. (2009). Consumer motivations in taking action against spyware: an empirical investigation. Information Management & Computer Security, 17(3), 276-289. Haider, A., Magnusson, C., Yngstrom, L., and Hemani, A. (2011) Addressing dynamic issues in information security management. Information Management & Computer Security, 19 (1), 5-24.
  • 46. Hines, M. (2007) Security outsourcing on the rise. InfoWorld, Sept. 20. Hong, K.-S., Yen-Ping, C., Chao, L.R., and Tang, J.-H. (2003). An integrated system theory of information security management. Information Management & Computer Security, 11(5), 243-248. Internet Society, RFC 2828. (2000) Internet Security Glossary, 2000. http://wvw.ietforg/rfc/rfc2828.txt. Kirk, J. (2005) Oracle password protection is weak, experts say. InfoWorld, October. Krebs, B. (2009) Payment Processor Breach May Be Largest Ever. Washington Post. Retrieved Jan. 20, 2009, from http://voices.washingtonpost.eom/securitvfix/2009/01 /pavment processor breach ma V b.html?hpid=topnews. May, T.A. (2011) IT needs to plan for what comes between now and later. Computerworld, March 31. Messmer, E. (2008) Outsourcing security tasks brings controversy. NetworkWorld,
  • 47. March 20. Millán, G., Pérez, M., Pérez, G., and Skarmeta, A. (2010). PKI-based trust management in inter-domain scenarios. Computers & Security, 29(2), pp. 278-290. Mouratidis, H., Jahankhani, H., and Nkhoma, M.Z. (2008). Management versus security specialists: an empirical study on security related perceptions. Information Management & Computer Security, 16(2), 187-205. Myers, L. (2011) Security Education: We are doing it Wrong. SC Magazine, April 11. Nosworthy, J. (2000) Implementing Information Security in the 21st Century - Do you have the Balancing Factors? Computers and Security, Vol. 19, No. 4, pp. 337-347. Olson, J.S. and Olson, G.M. (2000) I2i trust in e-commerce. Communications of the ACM, Vol. 32, No. 12, Dec. p. 41. Orr, B. (2005). A single sign-on for all supply chain members? American Bankers Association. ABA Banking Journal, 97(9), p. 82. Panko, R. (2010) Corporate Computer and Network Security, 2/e. Prentice Hall. Parris, K. (2009) 3 Tips for Brushing Up B2B Security. TechNewsWorld, 7/2/09. Patel, A., Qi, W., and Wills, C. (2010). Information
  • 48. Management & Computer Security, 18(3), 144-161. PwC. Global state of information security survey. (2011) A worldwide survey by CIO magazine, CSO magazine, and PwC. Richardson, R. (2010) CSI Computer Crime and Security Survey. Schultz, E. (2005). Study shows home computer users are ignorant about security. Computers & Security, 24(1), 5-6. Schwartz, M.J. (2011) Secure coding or bust. InformationWeek, April 7. SecurityArchitecture.org. Definitions: IT Security Architecture, Jan. 2006. http://wvvw.opensecuritvarchitecture.org/cms/index.php. Siponen, M. (2002). Towards maturity of information security maturity criteria: Six lessons learned from software maturity criteria. Information Management & Computer Security, 10(5), 210-224. Tipton, H.F. and Krause, M. (2004) Information security management handbook. Fifth Edition, CRC Press.
  • 49. Tsohou, A., Kokolakis, S., Lambrinoudakis, C., and Gritzalis, S. (2010). A security standards' framework to facilitate best practices' awareness and conformity. Information Management & Computer Security, 18(5), 350-365. US Department of Commerce. (2011) US Census Bureau News. Feb. 17. http://vvww.census.gov/retail/mrts/www/data/pdf/ec current.pdf Uzoka, F., & Ndzinge, T. (2009). Empirical analysis of biometric technology adoption and acceptance in Botswana. The Journal of Systems and Software, 82(9), 1550-1564. Xenakis, C., Panos, C., & Stavrakakis, I. (2011). A comparative evaluation of intrusion detection architectures for mobile ad hoc networks. Computers & Security, 30(1), 63-80. AUTHOR BIOGRAPHY Dr. Srinarayan Sharma is a Professor of Information Systems in the Indian Institute of Management, Ranchi, India. His past work has involved studies of various IT innovations such as open source software, computer-aided software
  • 50. engineering, data warehousing, mobile commerce, etc. His current interest lies in the application of IT to solve contemporary problems such as global warming, water scarcity, and world poverty. His past work has been published in various IT journals and conferences such as Communications of the ACM, Information Systems Journal, Information & Management, Annual Conferences of the Association of Information Systems, Annual Conferences of the Decision Sciences Institutes, etc. Dr. Vijayan Sugumaran (Corresponding Author) is a Professor of Management Information Systems in the Department of Decision and Information Sciences at Oakland University, Rochester, Michigan, USA. He is also WCU Professor in the Department of Service Systems Management and Engineering at Sogang University, Seoul, South Korea. His research interests are in the areas of Service Systems, Ontologies and Semantic Web, Intelligent Agent and Multi-Agent Systems, and Component Based Software Development. He has published over 150 peer-reviewed articles in Journals, Conferences, and Books. He has edited ten books and serves on the Editorial Boards of eight journals. His recent publications have appeared in Information Systems Research, ACM Transactions on Database Systems, IEEE Transactions on Education, IEEE Transactions on Engineering
  • 51. Management, Communications of the ACM, and Healthcare Management Science. Dr. Sugumaran is the Editor-in-Chief of the International Journal of Intelligent Information Technologies. He is the Chair of the Intelligent Agent and Multi-Agent Systems mini-track for Americas Conference on Information Systems (AMCIS 1999 - 2012). He served as the Program Co-Chair for the 13th International Conference on Applications of Natural Language to Information Systems (NLDB 2008). He also regularly serves as a program committee member for numerous national and international conferences. Copyright of Journal of Information Privacy & Security is the property of Ivy League Publishing and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. Perceptions and attitudes about eCommerce development in
  • 52. China: An exploratory study Stylianou, Antonis C; Robbins, Stephanie S; Jackson, Pamela Journal of Global Information Management; Apr-Jun 2003; 11, 2; ProQuest Central pg. 31
  • 54. Managing the dynamics of e/mCommerce with a hierarchical overlapping Business-Value-Framework Andreas Rusnjak Business Information Technology Christian-Albrechts-Universität zu Kiel Kiel, Germany [email protected] Hristomir Hristov Business Economics Christian-Albrechts-Universität zu Kiel Kiel, Germany
  • 55. [email protected] Marwane El Kharbili Model Driven Engineering Université du Luxembourg Luxembourg, Luxemburg [email protected] Andreas Speck Business Information Technology Christian-Albrechts-Universität zu Kiel Kiel, Germany [email protected] Abstract: Many e/mCommerce-Projects are failing because of insufficient planning, poor management, conflicting ideals and objectives between all involved stakeholders. In order to deal with these conflicts, we need to manage these projects using easily understandable business values over all hierarchical levels of enterprises, in agile fashion. In our framework, business values provide support for goal- and value-based eCommerce software development. Due to the fact that there's little to no empirical research in eCommerce Business Value, this work is showing an approach to a Business Value Framework which enables better prioritization over multiple business domains, an enhanced focus on strategic goals and a better understanding of market needs. Keywords: Business Value, Project Management, eCommerce, Website-Engineering I. INTRODUCTION A majority of innovative business models are technology-
  • 56. driven. The customers in digital markets are predominantly accessing companies via software-interfaces, e.g. a website. Because of this and due to changing consumer behavior, a technology- and innovation-orientation as well as an efficient Project-Management (PM) are becoming more and more important as a critical success factor (CSF) for e/mCommerce companies. Rusnjak & El Kharbili [1] state that CSFs "are elements, determinants or conditions which are having a decisive influence to success of entrepreneurial actions" and creating competitive advantages. [1; 2] Usually eCommerce-Websites are representing a framework for the realization of all electronic commerce activities of a company in the WWW. They are an automated part of the whole information system "company" to create and sell goods and services. Nearly the whole turnover of eCommerce-based business models is realized over information systems. Beyond this, a website is an instrument for marketing, for (e.g. legal) information, communication and processes. Therefore it is a complex system and requires a Website-Engineering in form of situation analysis, strategic goal setting, modeling and implementation [5]. Besides hard- and software requirements Website-Engineering needs to focus also on findings in marketing, communication design, graphic design, desktop publishing, typography and multimedia science with a specific significance given to external influences, high (speed of) adaptability to changing markets, actual information and integration of different disciplines [8]. The application of Business Values, e.g. used in agile software development, is an attempt to deal with these different focuses. Business Value refers to any measures of worth of a business entity [12]. This paper introduces the development of a new framework for Business Value and shows a first approach for discussion. Based on a literature review and interviews with (project) managers
  • 57. it explains the usage of a capacious Business Value which includes the findings mentioned before. II. SITUATING THE PROBLEM Project Management (PM) has become very important for every possible way of modern corporate landscape but it's not a perfect process by itself. McLaughlin (2009) is showing in his case study [7] typical problems causing the failure of eBusiness-Projects. The problems were ambiguous objectives, unrealistic goals, unclear references to strategy, poor communication and an insufficient leadership. In addition, concerned stakeholders were not involved in the formulation of requirements and not involved during the realization. The project was mostly driven by technical employees without any exact knowledge of the real requirements of the stakeholders/market. 2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops 978-0-7695-4019-1/10 $26.00 © 2010 IEEE DOI 10.1109/WAINA.2010.23 461 After three years with significant investments the project was stopped without any result, and neither delivered components nor clear dates for deployment. Remarkably, selling complex technology-based business solutions was the core business of the researched company. [7] The reasons for the failure of eCommerce-Projects are various. Both empirical experiences as well as scientific work are
  • 58. showing that most of the reasons are insufficient planning (time, costs, and resources), poor management and different ideals and goals of the involved stakeholders. In order to successfully manage eCommerce projects, all stakeholders need to understand the vision of the project, the strategic goals, and the ideals and objectives of all concerned parties. Top-Management-Support is a key factor for a successful realization of eCommerce projects or implementation of eCommerce systems. It helps to emphasize the need for technology or innovation and to obtain strong commitment from all parties involved in the project. If top management doesn't provide a clear direction or vision, involved stakeholders may get confused and projects will fail [8; 9]. An important application for prioritization, project transparency and performance measurement is necessary to manage the dynamics of e/mCommerce with regard to all involved stakeholders. III. BUSINESS VALUE Mahmood et al. [4] state that there's "little or no empirical research in ecommerce business value, but some related concepts already identified include business value; e-commerce impact; and e-commerce businesses success and failure. We drew useful insights from IT business value and other related literature. There are studies on factors contributing to IT systems success or failure". We agree on this point and want to roughly describe it as a base for later discussion. Defining Business Value seems to be a difficult task. In order to do it adequately, it is imperative that one appreciates the variety and complexity of factors that determine Business Value and those that influence it at every hierarchical level within an organization. Williams & Williams (2003) define Business Value (of an
  • 59. investment) in economic terms as "the net present value of the after-tax cash flows associated with the investment" [10]. Matts & Pols (2004) identify a possible creation of Business Value from a certain project when "it increases or protects profit, cash flow or return on investment in alignment with the company’s strategy" [11]. Tosic et al. (2007) recognise the Business Value as "a broad concept that refers to any measures of worth of business entity. It includes not only financial aspects (e.g., income, costs, profit) but also many other aspects (e.g., market share, customer satisfaction) important for business operations" [12]. The meaning of Business Value, depending on one’s perspective, spreads out into different dimensions of both tangible and intangible values with structural significance to the different stakeholders. Its implementation requires both financial assets and human resources that can guarantee its achievement and steer it in the right direction. Business Value should be described as a model, rather than a single statement or (just) a number. Considering that the Business Value of an organisation depends on numerous influences, e.g. the level of information or environmental issues that are dynamic in their nature, it would be easier for management to deal with a model that has assumptions, input and output, instead of using some prognosticated statements. Possible determinants for the success of eCommerce, and part of Business Value, are performance, productivity and perception (e.g. company image and customer satisfaction). Performance is measured by financial indicators (hard factors) like return on investment, return on equity, return on sales, growth in revenue, etc., and productivity by sales to total assets, total sales and sales by employee, etc. Perception can be expressed by soft factors like company image as well as customer satisfaction, product-service-innovation and number
  • 60. of returned customers. Finally, Business Value can be understood as an integrative parameter, expressing the relationship between strategy, organizational performance and ICT via hard factors (e.g. financial power, turnover, etc.) and soft factors (e.g. market position, image, etc.). [4] IV. BUSINESS-VALUE-FRAMEWORK (CET-MODEL) "When designing an e-business, practitioners must pay attention to creating a Web site that is visually attractive and easily navigable. Practitioners must also focus on online system quality and effectiveness. Attention must be paid beyond online system components, toward establishing relationships and networks that endure and thus provide real and sustainable competitive advantage" [4]. This section describes a model to deal with the dynamics of e/mCommerce and a short case about the proposition of a new eCommerce project in a small and medium-sized enterprise (SME). To keep it anonymous we call it "Blue Travel" (BT). The approach of the model (CET = Company – Environment – Technology) presented in this paper is based on the work on "Website Engineering" by Schwickert [5] and Winter et al. [6]. In relation to this model we classify the drivers of Business Value over three domains into three basic dimensions: Company, Environment and Technology. The hierarchical levels "Strategy", "Tactics" and "Operation" are used as domains. Figure 1. CET-Model
  • 61. Every Domain has its special focus, named "Dimension", with its own ideals, goals (general intentions) and precise objectives. Dimensions are the primary fields for decisions and responsibility of domains. Therefore every domain has its own understanding of value and priority, like a Business Value but in this case named Domain Value (DV). According to [13] it is advisable to link every Domain Value, like CSFs, to a responsible domain manager. A hierarchically overlapping Business-Value-Framework covering the three hierarchical levels (Strategy, Tactic and Operation) enables the management as well as the stakeholders to identify where, how and how much value is provided or destroyed, strategic resources and the grid of projects and processes. Furthermore it provides a clear view of the current value situation of a company, and better communication and cooperation. It supports a better satisfaction of all stakeholders, explains the correlations of Business Value, and makes complex strategies transparent and explainable. [3] It is an interesting fact that technology, which is a significant factor for an eCommerce organisation, can be classified with an internal as well as an external focus. An eCommerce company depends strongly on technology, its innovations and trends. The final decision as to whether an organisation wants to implement a new technology or not is made by the company itself, depending on market trends, user adoption and consumer behaviour. As a result, a hierarchically overlapping Business Value is an expression of the Domain Values. A. Case of failed "Blue Travel"-Project BT runs its core business in the tourism branch and owns many travel agencies in different cities. Due to the increasing popularity of eCommerce and increasing competition, the owner decided to start an eCommerce-Initiative with
  • 62. a focus on current trends in eCommerce. Management Situation: The Top-Manager of BT is the Founder. A vision or mission statement doesn't exist in his company and all strategic decisions are made by the Top-Manager himself. The Headquarter owns five travel offices and is responsible for the allocation of financial and human resources as well as for strategic and organizational guidelines. The managers of the travel offices represent the lower management and are basically responsible for operative tasks, e.g. customer care, local marketing activities and the realization of the input from headquarter. BT has no middle management and all customer-facing activities are managed by the travel offices. Failed eCommerce-Project: BT started a first eCommerce-Initiative in April 2008. The Top-Manager commissioned an external eCommerce-Agency with the realization of an eCommerce-Service which enables the selling of travel and related services (e.g. insurance) online. The objectives were (1) winning 10.000 new customers and (2) increasing the turnover and profit up to 30% within three years. Only the Top-Manager and the managing director of the eCommerce-Agency were involved in the project planning and realization. In May 2008 the agency presented the concept of a travel portal (i) for placement of travel services (ii) with special community features. After a development time of seven months the eCommerce-service (website) was implemented in December 2008. The features were (a) enabling customers to create a simple profile, reviews and recommendations, (b) enabling customers to send travel inquiries directly to the headquarter of BT and (c) enabling the headquarter of BT to publish
  • 63. travel offers via a content management system on the website. Result: After six months of operation the preliminary conclusion was disappointing. (1) The number of visits was approx. 7.000, (2) the number of new customers was less than 50, (3) the turnover was approx. 20.000 EUR, (4) the organizational effort to forward the travel inquiries to the right travel offices was huge, with unclear processes and responsibilities, and (5) there was no coherent marketing concept. The project failed on a broad front. A problem analysis shows that (i) the Top-Manager wasn't present enough, (ii) the priority, concrete goals and ideals were not communicated adequately, (iii) the employees with their special know-how about the market and internal processes were not involved, (iv) the project manager of the eCommerce-Agency had underestimated the goals and ideals, (v) the project gained a momentum of its own and (vi) it was predominantly developed by technical employees without any knowledge of market mechanisms, customer needs, etc. By the end of July 2009 the eCommerce-Website was taken offline. At this time the costs were more than 50.000 EUR and a lot of employees were confused, frustrated and demotivated. Possible Solution: The objectives and ideals formulated by the Top-Manager, as well as the strategic meaning of the project for BT, legitimate
  • 64. the installation of a new business unit named "eServices". With this business unit a new "middle" management level will be created as well. The manager of eServices, named "eCommerce-Manager", is responsible for the tactical tasks of eCommerce regarding all involved stakeholders, resources, etc. Figure 2. Organizational Structure of "Blue Travel" His job is to coordinate the development of the eCommerce-Initiative with the Top-Manager and the managers of the travel offices (lower management), with the responsibility to achieve the strategic goals, objectives and ideals. Some important points of his coordination activities are the alignment of existing processes to new eCommerce processes, identifying CSFs and customer needs, as well as achieving eCommerce-readiness within the BT organization. For the as-is analysis and a reference concept, as well as the concrete implementation, the manager of the travel
  • 65. office with the highest turnover becomes the manager for operational responsibilities regarding the eCommerce-Initiative. Via the CET-Model, based on Business Value and some selected examples, we want to show an approach for efficient communication as well as prioritization of objectives and ideals across each management level of BT in an easily understandable and transparent way. The illustration of the objective, ideal and value dependencies is based on Eric Yu's i* framework [14; 15] with our own notation for ideals (rounded rectangle with four triangles) and values (small circles). Goals/objectives are modeled regularly via rounded rectangles. B. Strategic Domain (Dimension: Company) The task and responsibility of top management is to realize the vision/mission of a company via the formulation of strategic programs and goals. Every strategic program or goal represents a value for this domain and a goal for other domains. Because the management has an overall view of a company, this Domain Value mainly has an internal focus, expressing values about vision/mission, corporate culture, strategy, leadership system, shareholders, stakeholders,
  • 66. organization, etc. A direct alignment between strategy and information system has a significant positive influence on workflows and eCommerce programs and on the achievement of online efficiency, e.g. online presence in a higher quality. A strategic commitment brings a substantial and significant importance to the development of a website; this leads to better performance and marks a critical success factor for software development [4]. In the case of the SME, the strategic objectives for a new eCommerce-Initiative, (1) increasing the SME's profit/turnover up to 30% and (2) number of new customers up to 10.000 during the next three years, were formulated by the top management. The ideals and goals of the top management are (1) improving the market position and the return on investment of the SME, (2) satisfying its shareholders, (3) an efficient organization and (4) motivated and qualified employees who carry the new eCommerce culture in the best way. Figure 3. 2 Goals & 4 Ideals of Strategic Domain $\mathrm{DV}_S(\mathrm{eComm}) = \mathrm{OBJECTIVES}_{S_{1,2}} \mid \mathrm{IDEALS}_{S_{1,2,3,4}}$ C. Tactical Domain
  • 67. (Dimensions: Environment, Company and Technology) The tactical domain, with a focus on all dimensions, is the central body of our framework. As a rule it is represented by the middle and lower management and links the top management level to the operative level. Besides its tasks, e.g. implementing strategic programs and goals, coordination, information and controlling, the primary focus of this domain is to set its Domain Value of eCommerce projects and processes with a view to stakeholders involved outside the company, e.g. customers, suppliers, co-operation partners and market-based innovations. This domain is also responsible for a clear, simple, transparent communication and measurement of Business Value across all hierarchical levels of a company. Tactical decisions serve to concretize strategic goals and to relate them to every involved sub-domain of a company (e.g. areas of operation, business processes, branches, etc.). At this level web-based objectives of tactical fields are selected to develop goal-focused plans for the design and structure of a website. [5] In our case the eCommerce-Manager of the SME, who received the ideals, goals and objectives from the strategic domain, analyzed the market situation and CSFs. He decides to launch an eCommerce-Service for consumers and travel offices with special services and features. This service
  • 68. shall enable customers to create a (semantic) profile with personal data and special travel data in an easy way. It shall also enable travel agencies to match consumer travels with their portfolio and allow offerings in a transparent form. Some tactical objectives are (1) eCommerce instruction for 10% of the employees during the first year, (2) establishing the eCommerce-service within one year and an investment of 300.000 EUR, (3) reducing marketing costs up to 20% via special community features during the next two years and (4) offering a full-service application programming interface for the processing of travel bookings to reduce transaction costs up to 15% by the start of the eCommerce-service. The ideals and goals of the eCommerce-Manager are (1) winning more customers, (2) establishing an eCommerce-service with the best usability and transparency, (3) cooperating with service partners for content and more products and (4) reducing process and transaction costs. Figure 4. 4 Goals & 4 Ideals of Tactical Domain $\mathrm{DV}_T(\mathrm{eComm}) = \mathrm{OBJECTIVES}_{T_{1,2,3,4}} \mid \mathrm{IDEALS}_{T_{1,2,3,4}}$
  • 69. D. Operative Domain (Dimension: Technology) For technology-based companies this domain is understood as a very critical "Enabler" for entrepreneurial activities with an important impact on the value chain. Products, services and processes of eCommerce companies are created, established and improved via projects. Besides the concrete design, structure, development and implementation of an eBusiness project, the focus and Business Value expression of the operative domain is mainly aimed at technological innovations and software requirements like scalability, performance, security, impact on existing processes, etc. Based on the goals of the strategic and tactical domains and a vision briefing, in our case the manager for technical development creates a requirements sheet. Among other things, his operative objectives are (1) an as-is analysis and reference concept of all involved processes and features within 2 months, (2) developing a technical eCommerce infrastructure with new servers for web, database, communication, development, replication, backup and security
  • 70. within three months and at a maximum cost of 30.000 EUR, (3) recruitment of a project team with core competences in JavaScript, Ruby on Rails and (user-centered) design within three months, (4) development of widgets for social networks to generate traffic from other websites (1.000.000 visits during the first two years) and an application programming interface (API) for easy processing and automated transactions with travel agencies to reduce transaction time and costs up to 10%. The ideals and goals of this manager are (1) delivering a scalable and secure system that is (2) easy to use and understand and (3) allows high loads on traffic and performance, as well as (4) efficient support of the processes and information of the organization by technology. Figure 5. 4 Goals & 4 Ideals of Operative Domain $\mathrm{DV}_O(\mathrm{eComm}) = \mathrm{OBJECTIVES}_{O_{1,2,3,4}} \mid \mathrm{IDEALS}_{O_{1,2,3,4}}$ V. LINKING DOMAIN-VALUES TO BUSINESS-VALUE To speak and measure with a hierarchically overlapping Business Value it is necessary to link each Domain Value to
  • 71. one Business Value which can be related to a strategic program, a special product development, a software project, etc. In our case the Business Value of the eCommerce-Project is the inclusion of all related Domain Values: $\mathrm{BV}(\mathrm{eComm}) = \mathrm{DV}_S(\mathrm{eComm}) + \mathrm{DV}_T(\mathrm{eComm}) + \mathrm{DV}_O(\mathrm{eComm})$ In the form of a well-structured Business Value-Sheet every involved stakeholder is able to see his Domain Value, the Domain Value of other domains and the overall Business Value referring to its focus, e.g. a software project, a product, a strategy, etc. This helps stakeholders to understand the ideals and goals of the other stakeholders and enables them to set priorities in their objectives with regard to other domains. In the case of the SME, the top management and the managers of the tactical and operative domains can identify how value is created over the three hierarchies, and what the preferences, main tasks and ideals of every domain and their contribution to value are. Figure 6. Linking Domain Values to Business Value VI. CONCLUSION & FUTURE WORK Our first approach seeks to allow better prioritization regarding
  • 72. other domains, e.g. in agile software development projects, an enhanced focus on strategic goals and developments, a better understanding of market needs (especially for technical employees), and a strategic/value-control and a strategic/value-feedback system across all hierarchical levels. With a widespread view over all important business fields, the CET-Model leads to a better business/strategy orientation in agile software/process development in eCommerce as well as other branches. The introduced framework aims to bridge the existing gap between business strategy and e/mCommerce development. Tasks in the development process are planned (i) in a timeline, (ii) following priorities according to the interests of the different business domains (hierarchical levels)/market views/technical views, and (iii) results/increments are better traceable/checkable (e.g. for controlling, improvement, business planning) by every domain. In future iterations of this work, we will discuss the interaction
  • 73. of Business Values and Domain Values as well as further study value drivers and influence factors. Our next steps will be a more precise evaluation of the measurement possibilities of Ideals as well as Domain Value and Business Value as a priority-setting and performance-measurement tool, to build a common meta model of Business Value and Domain Value, followed by an analytic and empirical validation of the CET-Model. REFERENCES [1] Rusnjak, Andreas; El Kharbili, Marwane (2009): On Leveraging Business Processes to deal with Critical Success Factors; Workshop on Business Process Modeling and Realization, Informatik 2009, Luebeck, Germany, 2009; to be published [2] Böing, Christian (2001): Erfolgsfaktoren im Business-to-Consumer-E-Commerce; Wiesbaden: Gabler (Schriftenreihe Unternehmensführung und Marketing, 38)
  • 74. [3] Sussland, Willy A.: Business Value & Corporate Governance: a new approach; Journal of business strategies, Emerald Group Publishing Limited, 2004; Retrieved 07.09.2009 online from: http://www.emeraldinsight.com/10.1108/02756660410516029 [4] Mahmood et al.: Measuring E-Commerce Technology Enabled Business Value: An Exploratory Research; International Journal of E-Business Research, Vol. 4, Issue 2, IGI Global, 2008; Retrieved 07.09.2009 from http://www.infosci-journals.com/downloadPDF/pdf/ITJ4209_ICYdW2bbcf.pdf [5] Schwickert, Axel C.: Web Site Engineering – Ein Komponentenmodell; Arbeitspapiere WI Nr. 12/1998, Universität Mainz, 1998; Retrieved 07.09.2009 online from: http://geb.uni-giessen.de/geb/volltexte/2004/1685/pdf/Apap_WI_1998_12.pdf [6] Winter et al.: Business Engineering – Der St. Galler Ansatz zum
  • 75. Veränderungsmanagement; in OrganisationsEntwicklung 27 (2008), Universität St. Gallen; Retrieved 07.09.2009 online from http://www.alexandria.unisg.ch/EXPORT/PDF/Publikation/44583.pdf [7] McLaughlin, Stephen: The imperatives of e-business: case study of a failed project; Journal Of Business Strategy Vol. 30 No. 1 (2009), Emerald Group Publishing Limited, 2009; Retrieved 07.09.2009 online from: www.emeraldinsight.com/10.1108/02756660910926966 [8] Lee, Sungjae; Kim, Kyoung-jae: Factors affecting the implementation success of Internet-based information systems; Elsevier Ltd., 2007; Retrieved online on 18.10.2009 from: http://dx.doi.org/10.1016/j.chb.2005.12.001 [9] Sung, Tae Kyung; Gibson, David V.: Critical Success Factors for Business Reengineering and Corporate Performance: The Case of
  • 76. Korean Corporations; Elsevier Science Inc., 1998; Retrieved online on 18.10.2009 from: http://dx.doi.org/10.1016/S0040-1625(98)00027-4 [10] Williams, Steve; Williams, Nancy: The Business Value of Business Intelligence, 2003; Retrieved on 17.09.2009 online from: http://www.decisionpath.com/docs_downloads/BIJarticle.pdf [11] Matts, Chris; Pols, Andy: Business Value Driven Software Development, 2004; Retrieved on 17.09.2009 online from: http://cdn.pols.co.uk/papers/businessvaluedrivendevelopment.pdf [12] Tosic, Vladimir; Suleiman, Basem; Babar, Abdul: Specification of Business Value with and in Software Patterns, 2007; Retrieved on 18.09.2009 online from: http://patterns-wg.fuka.info.waseda.ac.jp/SPAQU/proceedings/20-TosicSuleimanBabar-SPAQu07-Final.pdf [13] Fishman, Allen: Critical Success Factors key to attaining goals; Inside
  • 77. Tucson Business; 07/20/98, Vol. 8 Issue 17, p10, 1/2p, 1998; Retrieved online on 18.10.2009 from: http://search.ebscohost.com/login.aspx?direct=true&db=bwh&AN=898334&site=ehost-live [14] Yu, Eric: Presentation: Strategic Actor Relationships Modelling with i*; December 13-14, 2001, IRST, Trento, Italy; Retrieved on 08.04.2009 from: http://www.cs.utoronto.ca/pub/eric/tut1.2-v2.ppt [15] Yu, Eric: i* an agent oriented modelling framework; Toronto; Retrieved on 16.04.2009 from: http://www.cs.toronto.edu/km/istar/ The Impacts of Service Quality and Customer Satisfaction in the e-Commerce Context
  • 78. Yong Lin, Jing Luo, Li Zhou, Petros Ieromonachou, Lin Huang, The Business School, University of Greenwich, London, UK. Shuqin Cai, Shihua Ma, School of Management, Huazhong University of Science & Technology, Wuhan, China. Abstract—This paper aims to investigate the impacts of service quality on customer satisfaction and loyalty in the e-commerce context, in particular from a triad view of customer-e-retailer-3PL (third party logistics) provider. A literature review is primarily used to determine the conceptual model and to develop
  • 79. the measurement scales. Data were collected through an online questionnaire survey conducted in China. Structural equation modeling was used to analyze the collected data and test the proposed research hypotheses. The results indicate that both e-service quality and logistics service quality are strongly linked with customer satisfaction. The research results show that practitioners (e-retailers) should focus not only on e-service quality, but also on logistics service quality. This research validates the proposed service quality framework with two dimensions (e-service quality and logistics service quality) in the e-commerce context. Second, it highlights the impact path of service quality on customer satisfaction and loyalty. Index Terms—Supply chain management, e-service quality, logistics service quality, customer satisfaction, loyalty, e-commerce. I. INTRODUCTION Along with the fast growth of the Internet and its wide application in business, online shopping has grown rapidly in many countries [1]. Electronic commerce (e-commerce) brings huge business opportunities (such as selling products and providing services online) and revenue growth [2] to companies like e-retailers, mainly due to its convenience, interactivity, lower costs
  • 80. and high degree of customization and personalization for their customers [3]. However, even with the growing number of customers for online shopping, e-commerce has proved to be more complicated and difficult than the traditional way of doing business. Improving the service quality of electronic commerce is regarded as one of the key factors leading to success or failure [4]. During the past two decades, service quality in the e-commerce context has been increasingly recognized as an effective way of gaining and sustaining competitive advantages [5, 6], and a key to customer satisfaction and loyalty [7, 8]. One branch of past research has focused on e-service quality [9, 10] due to the acceptance and usage of internet technologies in commerce, which differentiate the interaction and exchange from traditional business. e-service quality is defined as “the extent to which a Web site facilitates the efficient and effective shopping, purchasing and delivery” [5]. However, this does not fully reflect the e-commerce experience and the service quality perceived by customers. From a process view, e-service is only the first part that the customer perceives during online shopping, covering searching and browsing product information and placing orders online. The
  • 81. other important part is the logistics service [4], where companies either deliver products to customers by themselves, or outsource such service to a third party logistics (3PL) provider to accomplish the delivery. Logistics service quality is regarded as an important key to creating customer satisfaction [11]. In a recent study, the data show that the two issues of most concern in online shopping are actually logistics-related problems, including long delivery time and the mismatch between the received product and the product specification online [12]. As discussed above, in the context of logistics outsourcing, online shopping happens within a service triad consisting of e-retailer, customer, and 3PL provider (see Fig. 1), not a dyad with only e-retailer and customer. Fig. 1. Service triad of customer-e-retailer-3PL provider in e-commerce context The perceived service quality of online shopping is much more complicated due to several roles interacting with each
  • 82. other in the service triad [13, 14]. The service quality perceived by the customer is decided not only by the e-service provided by the e-retailer, but also by the logistics service offered by the 3PL provider. [Fig. 1 labels: e-retailer, Customer, 3PL provider; e-service, Logistics service] [978-1-4799-3134-7/14/$31.00 ©2014 IEEE] In order to better address the triad nature of the online shopping (e-commerce) experience, this research aims to propose a framework of service quality combining e-service quality and logistics service quality, in particular with a triadic view in order to capture the complex dynamics in the context of e-commerce [13, 15], and to investigate the relationships between service quality and customer satisfaction and customer loyalty.
  • 83. This research makes two contributions. First, it validates the proposed service quality framework with two dimensions (e-service quality and logistics service quality) in the e-commerce context. Second, it highlights the impact path of service quality on customer satisfaction and customer loyalty. In the following sections, hypotheses related to service quality and customer satisfaction/loyalty are developed through a literature review. Then, results from the study conducted to test the research hypotheses are presented. Finally, theoretical contribution and management implications are discussed, and future research directions are proposed. II. THEORETICAL FRAMEWORK AND HYPOTHESES A. Service quality and customer satisfaction and loyalty Service quality (SQ) has been an important research topic in the marketing literature for some time, beginning with the conceptual model developed by [16]. The delivery of high SQ strengthens corporate brands and excellence in the service encounters [17], and contributes to consumer satisfaction. In the e-commerce context, customer satisfaction is
  • 84. normally defined as “the customers' comparing applause of an e-commerce enterprise, which causes the customers' re-purchase” [18], and it is proven to be positively related to customer loyalty. B. E-service quality The quality of the online business service is considered to be an important driver for the success of B2C e-commerce and companies’ differentiation strategy [19], and it is normally referred to as electronic service quality (e-SQ) and defined as “the extent to which a web site facilitates efficient and effective shopping, purchasing, and delivery of products and services” [6]. A considerable amount of research has been done on the criteria that consumers use to evaluate e-SQ delivered through the web site. These criteria range from web site design, effectiveness and efficiency of online browsing (information availability and search), security issues, online purchase (order transaction), and delivery of goods and services [20], and mainly focus on customers' online experience and behaviors [21]. It is expected that e-service quality has positive impacts on customer satisfaction and loyalty, hence the following two hypotheses
  • 85. are defined below. H1: e-service quality directly and positively affects customer satisfaction on e-services. H2: Customer satisfaction on e-services directly and positively affects customer loyalty on e-services. C. Logistics service quality Research on logistics service quality can be traced back to the 1970s, but it has been found difficult to measure, particularly in an online shopping context. In a B2C (business-to-customer) context, three dimensions (availability of products, timeliness of delivery and quality of delivery) can be used to measure the physical distribution service quality (PDSQ, [22]). Communication was added as the fourth dimension, emphasizing the importance of order status information in improving SQ [23]. In a business-to-business (B2B) context, by contrast, PDSQ can be evaluated with three outcome dimensions: availability, timeliness and condition [24]. The PDSQ framework was extended with several other constructs, covering the ordering process and receiving process [11].
  • 86. This study tests whether logistics service quality has positive effects on customer satisfaction and customer loyalty. H3: Logistics service quality directly and positively affects customer satisfaction on logistics services. H4: Customer satisfaction on logistics services directly and positively affects customer loyalty on logistics services. D. Conceptual framework From the view of the triad in the e-commerce context, the perceived service quality of online shopping is defined with two dimensions: e-service quality and logistics quality. This research investigates how these two factors influence customer satisfaction and loyalty. Figure 2 presents the conceptual framework with the proposed hypotheses in this research. In order to fully understand the inter-relationship within the service triad as described in Figure 1, the following hypotheses are developed to test their interactions. H1a: e-service quality directly and positively affects
  • 87. customer satisfaction on logistics services. H1b: e-service quality directly and positively affects customer loyalty on e-services. H1c: e-service quality directly and positively affects customer loyalty on logistics services. H2a: Customer satisfaction on e-services directly and positively affects customer loyalty on logistics services. H3a: Logistics service quality directly and positively affects customer satisfaction on e-services. H3b: Logistics service quality directly and positively affects customer loyalty on e-services. H3c: Logistics service quality directly and positively affects customer loyalty on logistics services. H4a: Customer satisfaction on logistics services directly and positively affects customer satisfaction on e-services. H4b: Customer satisfaction on logistics services directly and positively affects customer loyalty on e-services.
  • 88. H5: Customer loyalty on logistics services directly and positively affects customer loyalty on e-services. III. RESEARCH METHODOLOGY A literature review was primarily used to determine the conceptual model and to develop the measurement scales. Data was collected using an online questionnaire that was first developed in English and then translated into Chinese. Structural equation modeling was used for data analysis. A. Measurement Scales E-service quality (ESQ) was measured by 5 constructs mainly derived from [8]. The logistics service quality construct was based on [11]. Customer satisfaction was measured by items developed from [8, 11, 25]. Customer loyalty was measured by items generated from [8]. Table I shows the list of measurement constructs and items, and their detailed sources.
  • 89. All construct items were measured on a seven-point Likert-like scale, ranging from 1 (=strongly disagree) to 7 (=strongly agree). B. Data collection A questionnaire was designed to measure service quality and to evaluate customer satisfaction and loyalty. The online questionnaire link was sent out to contacts through QQ, which is the most popular social networking tool in China. These contacts were also kindly asked to pass the questionnaire link to their own contacts. As a result, the total number of requests and the response rate were not calculated. In total, 699 samples were collected. Table I shows the respondents' characteristics. Of the 699 responses, 495 are valid and the others are invalid due to uncompleted questions. China was selected for this research because, as the second largest economy in the world, its online shopping has grown very fast in the last few years. The number of Internet users in China had reached 618 million by the end of December 2014, of which the online shoppers amount to 302 million, and this means a continuous growth rate of 24.7% compared with 2012 [26]. Moreover, the total market transaction amount of
  • 90. online shopping hit 1.26 trillion Yuan (RMB) in 2012, with a growth rate of 66.5% [12]. C. Reliability and validity After data collection, a series of analyses were performed to test the reliability and validity of the constructs based on the sample of 495 respondents. Reliability of the measurement scales is measured by Cronbach’s α [27]. The Cronbach’s α values for all four measurement scales are above 0.75, which shows good reliability of the measurement scales. Convergent validity is tested by evaluating whether each individual scale item’s standardized coefficient is significant, which means greater than twice its standard error [28]. As presented in Table III, the coefficients for all items greatly exceed twice their standard error. Such significance provides evidence of convergent validity for the tested items. In addition to convergent validity, to ensure adequacy of the measurement model, discriminant validity should also be
  • 91. evaluated to address the extent to which individual items intended to measure one latent construct do not at the same time measure a different latent construct [29]. D. Structural equation modelling method In this research, structural equation modeling [28] with AMOS 20.0 is used to estimate the conceptual model as described in Fig. 2, and the analysis is based on the sample of 495 respondents. TABLE I. RESPONDENTS' CHARACTERISTICS (BASED ON 699 SAMPLES) (*Notes: RMB Yuan; during the data collection period, the exchange rate was USD/CNY: 6.117 (low) to 6.196 (high)) IV. EMPIRICAL ANALYSIS AND RESULTS A. Hypotheses testing with structural model Table II provides a summary of the goodness of fit statistics. TABLE II. FIT STATISTICS OF STRUCTURAL MODEL
  • 92. Fit statistics
    Overall fit measure | Notation | Model value
    Chi-square to degrees of freedom | χ²/d.f. | 2.607 (χ² = 3937.175; d.f. = 1510)
    Root mean square error of approximation | RMSEA | 0.053
    Root mean square residual | RMR | 0.090
    Goodness of fit index | GFI | 0.757
    Normed fit index | NFI | 0.868
    Comparative fit index | CFI | 0.914
    Incremental fit index | IFI | 0.914
    As shown in Table II, all the indices are within the recommended range. In particular, with χ²/d.f. less than 3.0