Abstract
Information security has become increasingly important for organizations, given their dependence on ICT. Not surprisingly, therefore, the external threats posed by hackers and viruses have received extensive coverage in the mass media. Yet numerous security surveys also point to the 'insider' threat of employee computer crime. In 2006, for example, the Global Security Survey by Deloitte reports that 28% of respondent organizations encountered considerable internal computer fraud. This figure may not appear high, but the impact of crime perpetrated by insiders can be profound. Donn Parker argues that 'cyber-criminals' should be considered in terms of their criminal attributes, which include skills, knowledge, resources, access and motives (SKRAM). It is as a consequence of such attributes, acquired within the organization, that employers can pose a major threat. Hence, employees use skills gained through their legitimate work duties for illegitimate gain. A knowledge of security vulnerabilities can be exploited, utilising resources and access are provided by companies. It may even be the case that the motive is created by the organization in the form of employee disgruntlement. These criminal attributes aid offenders in the pursuit of their criminal acts, which in the extreme can bring down an organization.
In the main, companies have addressed the insider threat through a workforce, which is made aware of its information security responsibilities and acts accordingly. Thus, security policies and complementary education and awareness programmes are now commonplace for organizations. That said, little progress has been made in understanding the insider threat from an offender's perspective. As organizations attempt to grapple with the behavior of dishonest employees, criminology potentially offers a body of knowledge for addressing this problem. It is suggested that Situational Crime Prevention (SCP), a relative newcomer to criminology, can help enhance initiatives aimed at addressing the insider threat.
In this article, we discuss how recent criminological developments that focus on the criminal act, represent a departure from traditional criminology, which examines the causes of criminality. As part of these recent developments we discuss SCP. After defining this approach, we illustrate how it can inform and enhance information security practices.
In recent years, a number of criminologists have criticised their discipline for assuming that the task of explaining the causes of criminality is the same as explaining the criminal act. Simply to explain how people develop a criminal disposition is only half the equation. What is also required is an explanation of how crimes are perpetrated. Criminological approaches, which focus on the criminal act, would appear to offer more to information security practitioners than their dispositional counterparts. Accordingly, the SCP approach can offer additional tools for practitioners in their fight against insider computer crime.
- Clarke, R., Ed. Situational Crime Prevention: Successful Case Studies (2nd ed.) Harrow and Heston, NY, 1997.Google Scholar
- Cornish, D. The procedural analysis of offending and its relevance for situational prevention. In Crime Prevention Studies (Vol. 3), R. Clarke, Ed. Criminal Justice Press, NY, 1994, 151--196.Google Scholar
- Cornish, D. and Clarke, R. Crime Specialisation, Crime Displacement and Rational Choice Theory. In Criminal Behavior and the Justice System: Psychological Perspective, H. Wegener, F. Losel, and J. Haisch, Eds. Springer-Verlag, NY, 1989, 103--117.Google Scholar
- Cornish, D., and Clarke, R. Opportunities, precipitators and criminal decisions: A reply to Wortley's critique of situational crime prevention. In Theory for Practice in Situational Crime Prevention, Crime Prevention Studies, (Vol. 16) M. Smith, and D. Cornish, Eds, Criminal Justice Press, NY, 151--196.Google Scholar
- Deloitte 2006 Global Security Survey.Google Scholar
- Hunter, R., and Ray Jeffrey, C. Preventing convenience store robbery through environmental design. In R. Clarke, Ed. Situational Crime Prevention: Successful Case Studies (2nd ed.) Harrow and Heston, NY, 1997.Google Scholar
- Parker, D. Fighting Computer Crime: A New Framework for Protecting Information. Wiley Computer Publishing, NY, 1998. Google ScholarDigital Library
- Willison, R. Understanding the perpetration of employee computer crime in the organizational context. Information and Organization 16, 4 (2006) 304--324. Google ScholarDigital Library
- Willison, R., and Backhouse, J. Opportunities for computer crime: Considering systems risk from a criminological perspective. European Journal of Information Systems 15, 4 (2006) 403--414.Google ScholarCross Ref
Index Terms
- Overcoming the insider: reducing employee computer crime through Situational Crime Prevention
Recommendations
Insider hacking: applying situational crime prevention to a new white-collar crime
RIIT '14: Proceedings of the 3rd annual conference on Research in information technologyInsider hacking consists of cybercrimes against entities initiated by individuals who hold a legitimate trust relationship with that entity. The responsibility of preventing insider hacking falls to information technology (IT) or information security ...
Comments