Overcoming the insider: reducing employee crime through Situational Crime Prevention

Information security has become increasingly important for organizations, given their dependence on ICT. Not surprisingly, therefore, the external threats posed by hackers and viruses have received extensive coverage in the mass media. Yet numerous security surveys also point to the 'insider' threat of employee computer crime. In 2006, for example, the Global Security Survey by Deloitte reports that 28% of respondent organizations encountered considerable internal computer fraud. This figure may not appear high, but the impact of crime perpetrated by insiders can be profound. Donn Parker argues that 'cyber-criminals' should be considered in terms of their criminal attributes, which include skills, knowledge, resources, access and motives (SKRAM). It is as a consequence of such attributes, acquired within the organization, that employers can pose a major threat. Hence, employees use skills gained through their legitimate work duties for illegitimate gain. A knowledge of security vulnerabilities can be exploited, utilising resources and access are provided by companies. It may even be the case that the motive is created by the organization in the form of employee disgruntlement. These criminal attributes aid offenders in the pursuit of their criminal acts, which in the extreme can bring down an organization. In the main, companies have addressed the insider threat through a workforce, which is made aware of its information security responsibilities and acts accordingly. Thus, security policies and complementary education and awareness programmes are now commonplace for organizations. That said, little progress has been made in understanding the insider threat from an offender's perspective. As organizations attempt to grapple with the behavior of dishonest employees, criminology potentially offers a body of knowledge for addressing this problem. It is suggested that Situational Crime Prevention (SCP), a relative newcomer to criminology, can help enhance initiatives aimed at addressing the insider threat. In this article, we discuss how recent criminological developments that focus on the criminal act, represent a departure from traditional criminology, which examines the causes of criminality. As part of these recent developments we discuss SCP. After defining this approach, we illustrate how it can inform and enhance information security practices. In recent years, a number of criminologists have criticised their discipline for assuming that the task of explaining the causes of criminality is the same as explaining the criminal act. Simply to explain how people develop a criminal disposition is only half the equation. What is also required is an explanation of how crimes are perpetrated. Criminological approaches, which focus on the criminal act, would appear to offer more to information security practitioners than their dispositional counterparts. Accordingly, the SCP approach can offer additional tools for practitioners in their fight against insider computer crime

Crime scripting: A systematic review

The file attached to this record is the author's final peer reviewed version.More than two decades after the publication of Cornish’s seminal work about the script-theoretic approach to crime analysis, this article examines how the concept has been applied in our community. The study provides evidence confirming that the approach is increasingly popular; and takes stock of crime scripting practices through a systematic review of over one hundred scripts published between 1994 and 2018. The results offer the first comprehensive picture of this approach, and highlights new directions for those interested in using data from cyber-systems and the Internet of Things to develop effective situational crime prevention measures

Cyber-crime Science = Crime Science + Information Security

Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world, and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions

Adversarial behaviours knowledge area

The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio

Organised crime and public sector corruption

Foreword: In 2006, the Australian Government introduced the Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) which increased regulatory controls over businesses potentially able to facilitate organised criminal activities such as money laundering. The implementation of tougher legislation and associated law enforcement interventions may result in criminal organisations adjusting their tactics in order to continue their activities without detection. In this paper, the risk and potential impact of tactical displacement by organised criminals is discussed with regard to the potential for increased attempts by organised crime groups to corrupt public servants. There is a paucity of research exploring the nature and extent of public sector corruption committed by organised crime groups. This discussion is informed by literature on ‘crime scripts’ originally developed by Cornish (1994) and the 5I’s crime prevention framework developed by Ekblom (2011). Making use of public-source information about the commission of such crimes, as exemplified in two recent corruption cases, some intervention strategies are proposed that may be effective in reducing the risks of corruption of public sector officials by organised crime groups in Australia

Cyber-Situational Crime Prevention and the Breadth of Cybercrimes among Higher Education Institutions

Academic institutions house enormous amounts of critical information from social security numbers of students to proprietary research data. Thus, maintaining up to date cybersecurity practices to protect academic institutions’ information and facilities against cyber-perpetrators has become a top priority. The purpose of this study is to assess common cybersecurity measures through a situational crime prevention (SCP) theoretical framework. Using a national data set of academic institutions in the United States, this study investigates the link between common cybersecurity measures, crime prevention activities, and cybercrimes. By focusing on the conceptualization of cybersecurity measures as SCP techniques, this study also offers the SCP approach as a framework by which universities can seek to reduce incidents of cybercrime through the design, maintenance, and use of the built environment in the digital realm. Implications for theory, research and practice are discussed

Cyber Safety: A theoretical Insight

This paper is written by the EUCPN Secretariat following the topic of the Estonian Presidency of the Network, which is Cyber Safety. It gives a theoretical insight in what Cyber Safety is. Furthermore, we take interest in what the exact object is of cybercrime and have a deeper look into two European policy priorities, namely cyber-attacks and payment fraud. Moreover, these priorities are the subject of the European Crime Prevention award. The goal of this paper is to add to the digital awareness of local policy-makers and practitioners on a theoretical level. A toolbox will follow with legislative measures, existing policies and best practices on this topic

Improving Organizational Information Security Strategy via Meso-Level Application of Situational Crime Prevention to the Risk Management Process

Existing approaches to formulating IS security strategy rely primarily on the risk management process and the application of baseline security standards (e.g., ISO 27002, previously ISO 17799). The use of existing approaches generally leads to measures that emphasize target hardening and incident detection. While such measures are appropriate and necessary, they do not capitalize on other measures, including those that surface when situational crime prevention (SCP) is applied to specific crimes. In particular, existing approaches do not typically surface measures designed to reduce criminal perceptions of the net benefits of the crime, or justification and provocation to commit the crime. However, the methods prescribed to-date for implementing SCP are cumbersome, requiring micro-level, individual analysis of crimes. In the current article, we propose that concepts derived from SCP can be strategically applied at an intermediate (meso) level of aggregation. We show that such meso-level application of SCP, when combined with the traditional risk management process, can reduce residual information security risk by identifying new strategies for combating computer crime. Using three illustrative cases, we demonstrate that the application of the proposed strategic approach does surface meaningful countermeasures not identified by the traditional risk management process alone

The online stolen data market: disruption and intervention approaches

This article brings a new taxonomy and collation of intervention and disruption methods that can be applied to the online stolen data market. These online market-places are used to buy and sell identity and financial information, as well as the products and services that enable this economy. This article combines research findings from computer science with criminology to provide a multidisciplinary approach to crimes committed with the use of technology.This work was supported by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHSS&T/CSD) Broad Agency Announcement 11.02, the Government of Australia and SPAWAR Systems Center Pacific under contract number N66001-13-C-0131, to A.H.; and the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice under grant number 2010-IJ-CX-1676, 2010, to T. H.This is the author accepted manuscript. The final version is available from Taylor & Francis via http://dx.doi.org/10.1080/17440572.2016.119712