Overcoming the insider: reducing employee computer crime through Situational Crime Prevention

Published: 01 September 2009

Abstract

Information security has become increasingly important for organizations, given their dependence on ICT. Not surprisingly, therefore, the external threats posed by hackers and viruses have received extensive coverage in the mass media. Yet numerous security surveys also point to the 'insider' threat of employee computer crime. In 2006, for example, the Global Security Survey by Deloitte reports that 28% of respondent organizations encountered considerable internal computer fraud. This figure may not appear high, but the impact of crime perpetrated by insiders can be profound. Donn Parker argues that 'cyber-criminals' should be considered in terms of their criminal attributes, which include skills, knowledge, resources, access and motives (SKRAM). It is as a consequence of such attributes, acquired within the organization, that employees can pose a major threat. Hence, employees use skills gained through their legitimate work duties for illegitimate gain. Knowledge of security vulnerabilities can be exploited, utilising resources and access that are provided by companies. It may even be the case that the motive is created by the organization in the form of employee disgruntlement. These criminal attributes aid offenders in the pursuit of their criminal acts, which in the extreme can bring down an organization.

In the main, companies have addressed the insider threat through a workforce that is made aware of its information security responsibilities and acts accordingly. Thus, security policies and complementary education and awareness programmes are now commonplace for organizations. That said, little progress has been made in understanding the insider threat from an offender's perspective. As organizations attempt to grapple with the behavior of dishonest employees, criminology potentially offers a body of knowledge for addressing this problem. It is suggested that Situational Crime Prevention (SCP), a relative newcomer to criminology, can help enhance initiatives aimed at addressing the insider threat.

In this article, we discuss how recent criminological developments that focus on the criminal act represent a departure from traditional criminology, which examines the causes of criminality. As part of these recent developments, we discuss SCP. After defining this approach, we illustrate how it can inform and enhance information security practices.

In recent years, a number of criminologists have criticised their discipline for assuming that the task of explaining the causes of criminality is the same as explaining the criminal act. Simply to explain how people develop a criminal disposition is only half the equation. What is also required is an explanation of how crimes are perpetrated. Criminological approaches that focus on the criminal act would appear to offer more to information security practitioners than their dispositional counterparts. Accordingly, the SCP approach can offer additional tools for practitioners in their fight against insider computer crime.

References

  1. Clarke, R., Ed. Situational Crime Prevention: Successful Case Studies (2nd ed.) Harrow and Heston, NY, 1997.
  2. Cornish, D. The procedural analysis of offending and its relevance for situational prevention. In Crime Prevention Studies (Vol. 3), R. Clarke, Ed. Criminal Justice Press, NY, 1994, 151–196.
  3. Cornish, D. and Clarke, R. Crime Specialisation, Crime Displacement and Rational Choice Theory. In Criminal Behavior and the Justice System: Psychological Perspective, H. Wegener, F. Losel, and J. Haisch, Eds. Springer-Verlag, NY, 1989, 103–117.
  4. Cornish, D., and Clarke, R. Opportunities, precipitators and criminal decisions: A reply to Wortley's critique of situational crime prevention. In Theory for Practice in Situational Crime Prevention, Crime Prevention Studies, (Vol. 16) M. Smith, and D. Cornish, Eds, Criminal Justice Press, NY, 151–196.
  5. Deloitte 2006 Global Security Survey.
  6. Hunter, R., and Ray Jeffrey, C. Preventing convenience store robbery through environmental design. In R. Clarke, Ed. Situational Crime Prevention: Successful Case Studies (2nd ed.) Harrow and Heston, NY, 1997.
  7. Parker, D. Fighting Computer Crime: A New Framework for Protecting Information. Wiley Computer Publishing, NY, 1998.
  8. Willison, R. Understanding the perpetration of employee computer crime in the organizational context. Information and Organization 16, 4 (2006) 304–324.
  9. Willison, R., and Backhouse, J. Opportunities for computer crime: Considering systems risk from a criminological perspective. European Journal of Information Systems 15, 4 (2006) 403–414.

      Reviews

      Pieter Hartel

      Situational crime prevention (SCP) is a criminological theory, proposed by Ronald Clarke in the 1980s and developed over the last 30 years, that focuses on the crime event rather than the criminal. A number of highly effective crime prevention techniques in the physical world have been developed from this theory [1]. Willison is one of the few authors who have explored the potential of SCP in cyberspace. His and coauthor Siponen's most recent article is the culmination of a number of his earlier papers that analyze how insiders commit computer-assisted crime. The Barings Bank collapse is a typical example. Willison and Siponen show that by looking at crime from an SCP perspective, information security methods can be applied more systematically. The authors do not consider true cybercrime, but computer-assisted "old" crime. For example, Nick Leeson was able to commit his criminal activities for an extended period of time because of the lack of controls at Barings Bank. This is a classical problem at many institutions that existed before computers were invented. The connection with cybercrime lies in the fact that computerized information systems make it possible to commit crimes on an extended scale. The authors' focus on computer-assisted crime shows, on the one hand, that SCP can be applied to forms of cybercrime and, on the other hand, that much work is left to be done to extend the scope of SCP.

      Online Computing Reviews Service

      • Published in

        Communications of the ACM  Volume 52, Issue 9
        The Status of the P versus NP Problem
        September 2009
        139 pages
        ISSN:0001-0782
        EISSN:1557-7317
        DOI:10.1145/1562164
        Copyright © 2009 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Qualifiers

        • research-article
        • Popular
        • Refereed
