Since its first use in 2008, blockchain technology has come a long way. It has developed into distributed virtual machines that execute smart contracts and much more. Blockchains have a potential application in many industries and offer great innovation potential for organizations. With all the opportunities and value new technologies can deliver, the risks are often neglected. This is why, in this book, Florian Mair identifies risks to data integrity on blockchains. Further, he assesses the differences regarding data integrity between private and public blockchains. Mair has found 11 risks overall that are applicable to public blockchains. But even though some of them were rated as a high risk, there is currently no evidence that a blockchain should be considered insecure. The author discusses some actions that can be taken to mitigate the identified risks. In this book: - data security; - risk management; - bitcoin; - risk assessment; - Distributed Ledger Technology
Number of pages: 114
Year of publication: 2019
Bibliographic information of the German National Library (Deutsche Nationalbibliothek):
The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available on the Internet at http://dnb.d-nb.de.
Imprint:
Copyright © Studylab 2019
An imprint of GRIN Publishing GmbH, Munich
Printing and binding: Books on Demand GmbH, Norderstedt, Germany
Cover image: GRIN Publishing GmbH | Freepik.com | Flaticon.com | ei8htz
Since its first use in 2008, blockchain technology has come a long way and developed its functions from a simple distributed ledger to distributed virtual machines that execute smart contracts and much more. Blockchains have a potential application in many industries and offer great innovation potential for organizations. With all the opportunities and value new technologies can deliver, the risks are often neglected. In this paper, risks to data integrity on blockchains are identified. Further, the differences regarding data integrity between private and public blockchains are assessed. For the risk identification and the comparison between public and private systems, a qualitative method with focus interviews is used, while the risk assessment is done with a quantitative online survey. The identified risks are evaluated according to their likelihood of occurrence and their possible consequences for the integrity of the data. Overall, 11 risks have been identified which are applicable to public blockchains. Even though some of them were rated as a “High Risk”, there is currently no evidence that a blockchain should be considered insecure. The identified risks should be taken into consideration before a public blockchain is implemented. The differences between public and private blockchains regarding data integrity are not rated; hence, based on the collected data, it cannot be generalized which design is more secure. The research results facilitate the decision between public and private systems. Based on the collected data and the literature review, the author discusses some actions that can be taken to mitigate the identified risks.
At this point I would like to thank all the people who accompanied and supported me during my master thesis. Special thanks to my family, without whose support my thesis would not have been possible. I would like to thank all interview partners and survey participants for their trust and support throughout the research process. A special thank you goes to the advisors at the Management Center Innsbruck and the University of Nebraska at Omaha who supported me the entire time.
Further, I want to thank my fellow master students and the special people I met and made friends with throughout the study program.
Table of Content
Assessment of Data Integrity Risks in Public Blockchain Systems
Acknowledgements
List of Figures
List of Tables
List of Abbreviations
UTXO Unspent Transaction Output
1 Introduction
1.1 Research Gap and Research Question
1.2 Motivation
1.3 Value Proposition
1.4 Outline
2 Background
2.1 Centralized, Decentralized & Distributed Systems
2.2 Blockchain Technology
2.2.1 Genesis
2.2.2 Components in a Blockchain System
2.2.3 Bitcoin Blockchain Design
2.2.4 Categories of Blockchains
2.2.5 Properties of Blockchains
2.2.6 Smart Contracts & Decentralized Applications
2.3 Data Security
2.4 IT Risk Management
2.5 Previous research
3 Qualitative Research Methodology
3.1 Data Collection Method
3.2 Focus Interview
3.2.1 Guiding Questions
3.2.2 Selection of respondents
3.3 Ontology & Epistemology
3.4 Content Analysis
3.5 Data Presentation
3.6 Scientific Quality Criteria
4 Results for Risk Identification
4.1 Interview Participants
4.2 Identified Risks
4.3 Differences in Public and Private Blockchains
5 Discussion / Explanation of identified Risks and Differences
5.1 Identified Risks
5.1.1 Consensus Attack (51% Attack)
5.1.2 Poor Contract Code
5.1.3 Alternative Chain
5.1.4 Misuse of Private Key
5.1.5 Incorrect Data Input
5.1.6 A blockchain contains historical data
5.1.7 Malicious node
5.1.8 Data on the blockchain cannot be deleted
5.1.9 No Central Authority
5.1.10 Trust in Protocol Developers
5.1.11 Trust in other Third Parties
5.2 Differences public and private blockchains
5.2.1 Different Consensus Models
5.2.2 Higher Quality Code on Private Chains
5.2.3 Public chains are more often a target of a 51% attack
5.2.4 Private chains can readjust itself easier
5.2.5 Public chains are more reliable
5.2.6 Only known parties on the network
5.2.7 Data is private
6 Quantitative Research Methodology
6.1 Online Survey Design
6.1.1 Defining Objectives
6.1.2 Population & Sampling Size
6.1.3 Data Collection Strategy
6.1.4 Designing the survey questions
6.2 Data Analysis & Visualization
6.3 Scientific Quality Criteria
7 Results for Risk Evaluation
7.1 Survey Participants
7.2 Research Results
8 Discussion & Implications of the Results from the Risk Evaluation
8.1 Discussion
8.2 Implications of Results
9 Limitations of the Research
10 Conclusion
11 References
Appendix
1 Category Definitions
2 Survey
3 Code for Visualizations
4 Consent Sheet
Figure 1: Architecture styles
Figure 2: Simplified bitcoin block design
Figure 3: Merkle Tree
Figure 4: Importance and Severity of core attributes and enablers
Figure 5: Scope of COBIT 5 for Risk
Figure 6: Risk Assessment Process
Figure 7: Inductive Category Development
Figure 8: Survey Logic
Figure 9: Age Distribution
Figure 10: Highest degree of Survey Participants
Figure 11: Occupations of Survey Participants
Figure 12: Likelihood of Risks
Figure 13: Consequences of Risks
Figure 14: Risk Matrix
Table 1: Examples of Decentralized Systems
Table 2: Types of nodes
Table 3: Used Consensus Mechanism and Hash Algorithms
Table 4: Interview Guiding Questions
Table 5: Exemplary illustration of categories
Table 6: Measures to enhance research quality
Table 7: Interview Participants
Table 8: Identified Threats to Data Integrity in Blockchain Systems
Table 9: Differences Public & Private Systems
Table 10: Considered LinkedIn Groups
Table 11: Risk Priority Categories
The term blockchain has become one of the main IT-related buzzwords in the industry. Random organizations have used the term blockchain in their company name to increase their share value. An article by Easton (2018) shows that an iced tea maker was able to boost its share price temporarily by 180% by changing the business name to “Long Blockchain Corp.”. Blockchain found its first real-world utilization with the cryptocurrency Bitcoin, which was developed under the pseudonym Satoshi Nakamoto in 2008 and launched in 2009. Since Bitcoin's launch, more than 1500 other cryptocurrencies have come onto the market, most of which also utilize blockchain technology (CoinMarketCap, 2018). Almost every industry tries to get in touch with blockchain to leverage their business. The “Gartner Hype Cycle for Emerging Technologies”, a depiction of the maturity and adoption of trending technologies, shows in its most recent available issue that blockchain technology is currently in the phase called “Peak of Inflated Expectations”.
With all this hype, the question arises whether it is justified or whether blockchain technology will disappear again soon. A general answer regarding the success of blockchain is almost impossible, but from a technical perspective, the advantages that blockchain could give are indisputable, especially when it comes to the basics of data security, which are also known as the CIA (Confidentiality, Integrity, Availability) triad.
When there is a big hype about a new technology, there is always a gold-rush mood in which a lot of new people join and expect the greatest things. In this case, disadvantages or risks are often forgotten or simply ignored.
When implementing a technology that is not very mature, organizations have to be aware of its disadvantages. There is some literature published about security problems within blockchain technology. Karame and Androulaki (2016) studied the security of blockchain, especially of Bitcoin. Bitcoin uses a public and permissionless blockchain, where every participant in the network can change the ledger stored on the blockchain (Nakamoto, 2008). Many researchers address the advantages that blockchain can bring to industries and organizations, but the literature review conducted by the author showed that there are currently no publications that address the threats that blockchain can bring to data integrity. As described by Boritz (2005), data integrity is an essential part of data quality and should therefore have a high priority in any information system. While there is already a lot of discussion about how blockchain can achieve data integrity, there is currently no publication that addresses the risks that the implementation of a blockchain can bring to data integrity. To narrow down the research, this thesis focuses only on public blockchains, although a short comparison of the risks is done to be able to deliver more complete research results. While the differences are often discussed, for example by Antonopoulos (2015) or Bashir (2018), they are not compared on a data integrity level. To enhance the contribution to the current state of research, the identified risks are rated according to their likelihood and their impact on data integrity.
This results in the following research questions:
RQ1: WHAT ARE RISKS WITHIN PUBLIC BLOCKCHAIN SYSTEMS REGARDING DATA INTEGRITY?
RQ2: WHAT ARE THE DIFFERENCES FOR DATA INTEGRITY WITHIN PUBLIC AND PRIVATE BLOCKCHAINS?
RQ3: WHAT ARE THE LIKELIHOOD AND CONSEQUENCES FOR EACH IDENTIFIED RISK?
Blockchain is one of the hot trending topics in the IT industry now. Such innovative technologies always offer a great opportunity for research. The author is also interested in blockchain technology and has already come into contact with it by using cryptocurrencies. Blockchain and cryptocurrencies (especially Bitcoin) have proven their right of existence, as can be observed in the constantly increasing adoption and awareness by consumers and organizations (Thompson, 2018). Big tech companies like IBM or Microsoft offer blockchain services in their cloud environments or even contribute to the development of open-source blockchains. Also, as a future employee within the IT and consulting industry, it is necessary to have knowledge about new and innovative technologies all the time, especially when the technology has the potential to disrupt whole industries. Furthermore, the author is convinced that the conducted research will deliver a significant value to organizations that consider implementing blockchain technologies in any way.
The aim of this research is to contribute to the current state of research on blockchain technology and to support organizations when considering the implementation of a blockchain in their IT infrastructure.
Value is delivered to organizations by identifying risks that the organization may not have been aware of. Organizations can use the evaluation of the identified risks as a basis to which they can add or from which they can remove risks, depending on the system and design the organization intends to use.
From an academic perspective, research about blockchain technology can be done in various fields of study. According to Risius and Spohrer (2017), most of the publications are in the fields of computer science and information systems, but there are also publications involving blockchain in finance, political science or law. Risius and Spohrer (2017) proposed a research framework which works as a guideline on which topics regarding blockchain research should be conducted. In this framework, various levels of analysis are defined, which are “Users & Society”, “Intermediaries”, “Platforms” and “Firms and Industries”. These various levels can overlap in a research project, but their primary focus is to inspire future research. Besides the level of analysis, the framework defines different activities, which are “Design & Features”, “Measurement and Value” and “Management and Organization”. The research of this thesis is conducted on the level “Platforms” and assesses “Design & Features”. By following the blockchain research framework provided by Risius and Spohrer (2017), the academic relevance is ensured.
The background section of this master thesis will introduce the reader to the basic literature on blockchain technology and data security, especially data integrity and IT risk management. At the end of this section, the reader should be able to understand what a blockchain is and how it works, and what data integrity is and why it is an essential part of data / information security. Chapter 3 explains the research methodology for the risk identification, while the following Chapter presents the first empirical results. Next, the results of the risk identification are briefly discussed and explained. In Chapter 6, the research methodology for the risk evaluation is described, while the subsequent Chapters discuss the results and their implications. Chapter 9 delineates the limitations and assumptions that apply to the conducted research. In the last Chapter, a conclusion of the thesis is stated. The raw data of the research is not included in the appendix, but instructions on how to reproduce the conducted research are.
This Chapter provides background information on the topics decentralized systems, blockchain technology & design, data security and IT risk management. The goal of this Chapter is to provide the knowledge needed for the conducted research.
Blockchains are distributed and decentralized systems; hence, it is important to understand the properties and parameters of these system designs.
At the beginning of the computer era, systems were big in size and expensive in acquisition and maintenance. These systems processed 1 instruction per second, whereas nowadays systems can execute millions of instructions per second. All processing was done in a single unit, which is called a centralized system (Tanenbaum & van Steen, 2016). The centralized architecture is still used by mainframes, even though mainframes are also able to operate in a cluster and can therefore be a distributed computing system (Weller, 2007).
In the literature, there is no single definition of the term distributed system. According to Tanenbaum and van Steen (2016), a distributed system is defined as:
“[…] a collection of independent computers that appear to the user of the system as a single computer.”
Andrews (2000) states that a distributed system consists of numerous computing systems that have their own random access memory (RAM). As there is no general definition of a distributed system, the author will stick to the definition by Tanenbaum and van Steen (2016) for this thesis.
According to Grosch(1953)
