Elsevier

Computers & Security

Volume 20, Issue 8, 1 December 2001, Pages 715-723

Refereed papers
Computer crimes: theorizing about the enemy within

https://doi.org/10.1016/S0167-4048(01)00813-6

Abstract

A majority of computer crimes occur because a current employee of an organization has subverted existing controls. By considering two case studies, this paper analyzes computer crimes resulting because of violations of safeguards by employees. The paper suggests that various technical, procedural and normative controls should be put in place to prevent illegal and malicious acts from taking place. Ultimately a good balance between various kinds of controls would help in instituting a cost-effective means to make both accidental and intentional misconduct difficult. This would also ensure, wherever possible, individual accountability for all potentially sensitive negative actions.

Introduction

Computer crime resulting from violation of safeguards by current employees can be defined as a deliberate misappropriation by which individuals intend to gain dishonest advantages through the use of the computer systems. Such violations constitute a significant proportion of computer crimes — as high as 81% [10]. Misappropriation itself may be opportunist, pressured, or a single-minded calculated contrivance. Computer crime committed by current employees is essentially a rational act and could result from a combination of personal factors, work situations and available opportunities. These insiders may be dishonest or disgruntled employees who would copy, steal, or sabotage information, yet their actions may remain undetected. Such illegal and often malicious acts can have serious consequences for a business, yet many companies do not follow the proper procedures to prevent illegal activities from taking place. This includes having a system of controls in place to limit an employee’s ability to perform illegal actions. It also involves promoting the values that a business feels are positive, and monitoring employee behaviour.

This paper, by considering the cases of Kidder Peabody and Daiwa Bank, presents an analysis of computer crimes and theorizes about establishing adequate controls. The paper argues that more often than not, computer crimes occur when a current employee of an organization subverts existing controls to take undue advantage of the situation. The paper is organized into six sections. Following a brief introduction, sections two and three describe the computer crime situations at Kidder Peabody and Daiwa Bank. Section four presents a comparison of the two situations and section five draws lessons and principles for managing computer crimes. Finally, section six draws broad conclusions.

Section snippets

The Kidder Peabody case

Consider the case of Joseph Jett, whose illicit activities defrauded Kidder Peabody & Co out of millions of dollars over the course of more than two and a half years. Jett was able to exploit the Kidder trading and accounting systems to fabricate profits of approximately US$339 million. Jett was eventually removed from the services of Kidder in April 1994. The US Securities and Exchange Commission claimed that Jett engaged in more than 1000 violations in creating millions of dollars in phony

Daiwa Bank scandal case

In yet another case, the illicit activities of Toshihide Iguchi, a bond trader for the New York office of Japan’s Daiwa Bank, resulted in the bank losing at least $1.1 billion. It is estimated that over a period of eleven years Iguchi made 30,000 unauthorized trades and allegedly fabricated profits at Daiwa, while in reality he was making substantial losses. The fact that Iguchi was able to get away without being caught for so long is astonishing. Iguchi seemingly never sought any monetary gains

Jett vs. Iguchi

There are a few similarities between Jett’s and Iguchi’s actions. Both were able to subvert the controls at their respective businesses. And clearly their actions were illegal and unethical, which caused each of their companies to lose huge amounts of money. Jett’s apparent motives were to increase Kidder’s profits while making huge bonuses for himself. His attitude seemed to be that it didn’t matter whether what he was doing was illegal or unethical as long as he was making money. He has been quoted

Drawing lessons for managing computer crime situations

The cases of Kidder Peabody and Daiwa Bank suggest that there are certain basic safeguards that organizations can put in place, thereby minimizing the chances of a computer crime taking place. Safeguards or controls that could be put in place can be classified into three categories — technical, formal or informal interventions [3]. However, success in implementing controls is achieved by establishing the right balance between the various controls (cf. Dhillon [4]). Technical interventions essentially

Technical controls

Clearly, in the cases of both Kidder Peabody and Daiwa Bank, there were opportunities to establish appropriate technical controls that could have prevented the crimes from taking place in the first place. As described earlier, Kidder relied on advanced information technology systems to manage the various transactions. And Jett identified a means to postpone the actual time when a loss could appear on the Profit and Loss statement. Simply put, this is a systems analysis and design problem. When the

Formal controls

Formal controls deal with establishing adequate business structures and processes so as to maintain high-integrity data flow and the general conduct of the business. Establishing adequate processes also ensures compliance with regulatory bodies, organizational rules and policies. Therefore it goes without saying that good business processes and structures ensure the safe running of the business and prevent crime from taking place. Clearly mature organizations have well established and

Informal controls

Informal controls, perhaps the most cost-effective type of controls, essentially centre around increasing awareness of employees, ongoing education and training programs, and management development programs focusing on developing a sub-culture that enables everyone to understand the intentions of various stakeholders.

In particular, informal controls could take the form of communicating appropriate behaviour and attitudes, making the employees believe in the organization and assuring individual

Conclusion

Clearly there are a number of controls that could be established to prevent situations like those at Kidder and Daiwa from occurring. As has been stated in the previous sections, such controls are at three possible levels — technical, formal and informal. In particular, setting standards for proper business conduct, monitoring employees to detect deviations from standards, implementing risk management procedures to reduce the opportunities for things to go wrong, implementing rigorous employee

References (11)

  • Baskerville, R., Designing information systems security, John Wiley & Sons, New York,...
  • Dhillon, G., Managing information system security, Macmillan, London,...
  • Dhillon, G., Managing and controlling computer misuse, Information Management & Computer Security, 7, 5,...
  • Dhillon, G., “Principles for managing information security in the new millennium,” in Dhillon, G., ed., Information...
  • Dhillon, G., Violation of safeguards by trusted personnel and understanding related information security concerns,...