AUTHOR
Shalini Kesar
ABSTRACT
The problem of computer crime continues to increase across the world (CSI/FBI 2007). Audit Commission Report (2001) broadly categorized computer crime into Fraud; Theft; Use of illicit software; Invasions of privacy; Hacking; Sabotage and Virus. The Report defined computer fraud, as an unauthorized input, or alteration of input; destruction/suppressing/misappropriation of output from a computer process; alteration of computerized data; alteration or misuse of programs, but excluding virus infection. In other words, it is a deliberate misappropriation by which an offender tries to gain unauthorized access to the organization’s information systems. The misappropriation itself may be opportunistic, pressured, or a single-minded, calculated plan, which can vary from simple acts to serious crimes. Indeed, the above assumption of computer fraud is broad in its scope. Hence, for the purpose of this paper, fraud is further classified into three types: Input fraud; Throughput fraud and Output fraud (Backhouse and Dhillon 1995).
The extent of the damages caused by computer fraud acts can be gauged from various reports and surveys (Audit Commission 2005; DTI 2006). Recent Computer Security Institute Survey (CSI/FBI 2007) stated that the average annual loss reported in this year’s survey increased to $350,424 from $168,000 the previous year. Further, almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident. A most recent case of computer fraud, one of the biggest trading frauds in history was committed by a singles futures trader, 31-year-old Frenchman Kerviel within France’s second-largest bank Société Générale . Although the illicit trading claimed to be simple in nature but apparently it was concealed by “sophisticated and varied techniques”ii that involved circumventing bank’s multilayered security systems for over a yeariii . Consequences of the fraudulent activities resulted in losses mounting as high as $7.14 billions. Kerviel is been charged with: fraudulent falsification of banking records, use of such records and computer fraudiv . Although the monetary loss uncovered within Société Généralei is very large, illicit trading involving computer fraud is indeed not new. Almost thirteen years ago, a similar incidence happened within Baring Bank, where a single rouge trader, Leeson committed computer fraud to engage in illicit trading that resulted in a loss of £827 million. Initial media reports on Barings Bank seem to focus only on Leeson’s illicit trading and ‘blamed’ him for the collapse of the bank. Later, Bank of England Report (1995) revealed that Leeson’s computer fraud took place during the change of flux that involved a combination of ambitious internal reconstructing, integration of the bank and broking operations. Consequently, Leeson was able to commit computer fraud to engage in illicit trading that escaped the management for almost three years, till he was caught.
Against this backdrop, this paper argues failure to examine wider structural issues within the organizations and focusing only on the offenders can leave Information Systems (IS) vulnerable. Therefore, it is significant that organizations understand the very complex nature of computer fraud and the changing environment of organizations today that leads to disregard or inadequacies for basic IS security controls (Audit Commission 2005). With some exceptions, most traditional studies on managing computer fraud adopt a functionalistic viewpoint thus failing to recognize that ‘suitable opportunities’ within organizations arise in and as a consequence of daily activities within the working environment of an organization. This is because management mostly relies on technical solutions while trying to combat computer fraud. Given that Organizations today, do not follow a strict hierarchical structure, therefore, just relying on technical solutions organizations seems an inapt approach (Parker 1998; von Solms 2001).From this viewpoint, IS security researchers emphasis the importance of ‘human factors’ when dealing with management of computer fraud (for example, see Hitchings 1995, 1996; Dhillon 1997; Kesar and Rogerson 1998; Dhillon and Backhouse 2001; Siponen 2001; Stanton et al. 2005; Kesar 2005).
In criminology studies, researchers such as Clarke and Cornish (2000) assert that offenders are influenced by three main groups of variables: Background Factors; Current Life Circumstances; Situational Variables. This assertion provides a useful insight while understanding the underlying reasons for the occurrence of computer fraud. Keeping this in mind, this paper looks at two cases that involved a single ‘trusted’ trader circumventing security breaches to engage in computer fraud (input). Ironically, both the cases are similar yet occurred 13 years apart. The first case, Barings Bank occurred in 1995, whereas the second case occurred this year at the Société Général bank. It takes the support of the Crime Specific Opportunity Structure (CSOS) model by Willison (2000a, 2000b, 2002) to demonstrate how working environment within each bank may have provided ‘suitable opportunities’ to the offenders to engage in computer fraud. The CSOS model originates from a new school of thought, Situational Crime Prevention (SCP), which incorporates dispositional variables of traditional criminology (Clarke 1997). The conceptual model, CSOS, demonstrates interactions between the degree of guardianship, the targets, offender and facilitators, which warrant a viable opportunity in terms of perceived risks, effort and rewards. Using CSOS as a theoretical framework for specific crimes will enhance our understanding of a various factors that underpin the causes of such intentional illicit acts within organizations. Moreover, the increasing sophistication in both technology and IS users in today’s networked organization makes it vital that organizations understand the underlying reasons for the occurrence of the problem of computer fraud, particularly those committed by ‘trusted’ employees. This is because a flawed understanding about IS systems security will afford little scope for developing effective solutions for managing threats like computer fraud committed by employees. This paper significantly contributes to the limited existing research within IS security by diverting from the ‘narrow and technical perspective’ traditionally taken in this context. Hence, it takes into account wider organizations structure issues rather than just focus on the offender alone to understand computer fraud from a criminological perspective.
REFERENCES
Audit Commission (2001). Your business@ risk: an update of IT abuse 2001, London, Audit Commission Publications, HMSO.
Audit Commission (2005). London, Audit Commission Publications, HMSO.
Backhouse, J. and Dhillon, G. (1995) “Managing computer crime: a research outlook.” Computers & Security 14 (7): 645-651.
Bank of England Report (1995). Report of the Board of Banking Supervision: Inquiry into the circumstances of the collapse of Barings, London, HMSO.
Clarke, R., Ed. (1997). Situational crime prevention: successful case studies. Albany, NY, Harrow and Heston.
Clarke, R., and Cornish, D. (2000). Rational choice. Explaining crime and criminals: essay in contemporary criminological theory. R. Paternoster and R. Bachman. Los Angeles, CA, Roxbury Publishing Company: 23-42.
CSI/FBI (2007). Crime and Computer Survey. San Francisco, CSI.
Dhillon, G., and Backhouse, J. (2001). “Current directions in IS security research: toward socio-organisational perspectives.” Information Systems Journal 11 (2): 127-153.
D.T.I. (2006), Information Security Breaches Survey 2006, Information Security Breaches Survey, Cooper & Lybrand, Department of Trade and Industry, London. www.security-survey.gov.uk.
Hitchings, J. (1995). “Deficiencies of the traditional approach to information security and the requirement for a new methodology.” Computers & Security 14 (5): 377- 383.
Hitchings, J. (1996). A practical solution to the complex human issues of information security design. Information systems security: facing the information society of the 21st century. K. S. Katiskas and D. Gritzalllis. London, Chapman & Hall: 3-12.
Kesar, S., and Rogerson, S. (1998). Attitudinal and normative components in information misuse: the case of Barings Bank. Effective utilization and management of emerging information technologies. M. Khosrowpour, Idea Group Publishing: 60-67.
Kesar, S. (2005). Interpreting Computer Fraud Committed by Employees. Ph.D. Thesis (Information Systems). Informatics Research Institute (IRIS) University of Salford, Salford, UK: 311
Parker, D. (1998). Fighting computer crime: a new framework for protecting information. New York, Wiley.
Siponen, M. T. (2001). “On the role of human morality in information systems security.” Information resources Management Journal 14(4): 15-23.
Stanton, J. M., Stam, R.K., Mastrangelo, P., and Jolton, J. (2005). “Analysis of end user security behaviors.” Computers & Security 24 (2): 124-133.
von Solms, B. (2001). “Corporate governance and information security.” Computers and Security 20 (3): 215- 218.
Willison, R. (2000a). “Understanding and addressing criminal opportunity: the application of situational crime prevention to IS security.” Journal of Financial Crime 7 (3): 201-210.
Willison, R. (2000b). Reducing computer fraud through situational crime prevention. Information security for global information infrastructures. S. Qing and J. H. P. Eloff. Eds. Boston, Kluwer Academic Press: 99-109.
Willison, R. (2002). Opportunities for computer abuse: assessing a crime specific approach in the case of Barings Bank. PhD Thesis (Information Systems). London, London School of Economics.
ENDNOTES
i Source: http://www.businessweek.com/ap/financialnews/D8UCCE4O1.htm (date of access January 23, 2008).
ii Source: http://news.bbc.co.uk/1/hi/business/7206270.stm (date of access January 25, 2008).
iii Source: http://news.bbc.co.uk/1/hi/business/7206270.stm (fate of access January 22, 2008).
iv Source: http://www.guardian.co.uk/business/2008/jan/24/creditcrunch.banking/ (Date of access January 24, 2008). Also see http://www.forbes.com/feeds/ap/2008/02/06/ap4623008.html