Opportunities for computer abuse: Considering systems risk from the offender's perspective

Systems risk refers to the likelihood that an Information System (IS) is inadequately protected against certain types of damage or loss. While risks are posed by acts of God, hackers and viruses, consideration should also be given to the ‘insider’ threat of dishonest employees, intent on undertaking some form of computer abuse. Against this backdrop, a number of researchers have addressed the extent to which security managers are cognisant of the very nature of systems risk. In particular, they note how security practitioners’ knowledge of local threats, which form part of the risk, is often fragmented. This shortcoming contributes to situations where risk reducing efforts are often less than effective. Security efforts are further complicated given that the task of managing systems risk requires input from a number of departments including, for example, HR, compliance, IS/IT and physical security. In a bid to complement existing research, but also offer a fresh perspective, this paper addresses systems risk from the offender’s perspective. If systems risk entails the likelihood that an IS is inadequately protected, this text considers those conditions, within the organisational context, which offer a criminal opportunity for the potential offender, and a model known as the ‘Crime Specific Opportunity Structure’ is advanced. Focussing on the opportunities for computer crime, the model addresses the nature of such opportunities with regards to the organisational context and the threats posed by rogue employees. Drawing on a number of criminological theories, it is believed the model may help inform managers about local threats and, by so doing, enhance safeguard implementation.
