Understanding computer misuse committed by internal employees

AUTHOR

Shalini Kesar & Simon Rogerson
Centre for Computing and Social Responsibility
De Montfort University
The Gateway,
Leicester,
England

ABSTRACT

Organisations widely apply information technology in order to conduct their businesses more efficiently and effectively. Indeed the logical malleability of computers assures enormous application of information technology in the future. It has been pointed out in the literature that as organisations become dependent on information technology the incidence of computer misuse increases. Based on the US Office of Technology Assessments report (1994), two broad types of computer related misuse could occur: non-intentional and intentional. Non-intentional acts arise due to environmental damages, human error, or because of analysis and design faults. Intentional acts on the other hand can be classified under three categories: violation of safeguards by trusted personnel, system intruders, malicious software, viruses and worms. Natural or physical disasters including fires, floods, earthquakes, power failure and bomb attacks can be categorised as environmental damages. Most of these result in the destruction of not only the main computer systems but also backup systems, causing damage of up to hundreds and thousands of dollars. Whereas human errors could result from confusing instructions or procedures, inadequate internal controls, incorrect data entry, lack of familiarity with the system or inappropriate system application. Inadequate involvement of users, lack of adequate time and resources or incorrect use of methodological tools could all lead to analysis and design faults. In contrast, intentional acts occur when employees within the organisation engage in acts that are unauthorised and prohibited. In such a situation, violations of safeguards by trusted personnel occur. This is reflected in a report from the US that showed that nearly 81 per cent of computer crime is committed by current employees (Brown 1991). The second type of intentional acts occurs when individuals engage in illegal or unauthorised and disruptive behaviour such as hacking (sometimes known as cracking-(Computing, 1997). Intentional acts could also occur when malicious software, viruses and worms are released into computer systems by either or both insiders or outsiders (Kluth 1990; Bicknell 2000; Computing 2000). Logic bombs and Trojan horses are examples of such intrusions. In this paper, the term ‘computer misuse’ is used broadly to embraces incidences such as computer fraud, computer crime, sabotage, emblezzement, software piracy and invasion of privacy. It refers to the occurrence of any adverse event as a consequence of use of IT. The cause of such events could range from sheer negligence, incompetence, and ignorance. Indeed evidence from various sources suggests that incidents of computer misuse are increasing in numbers and are causing significant concern among organisations. For example, the UK Audit Commission report indicated a 183 per cent increase in the total value of reported incidents of computer misuse. Moreover the reported cases of computer misuse only represent the ‘tip of the iceberg’. This is because many organisations often do not report cases of such illicit activities that result in computer misuse due to unnecessary media publicity. More often they do not want to be shown as vulnerable to crime, as it is difficult to detect could some of the reasons. Consequently researchers have argued that such activities are widespread, more serious, and hence require a deeper understanding of the underlying cause. In addition the explosion of the Internet also continues to pose concerns regarding the increasing occurrence of computer related misuse (for example, see Clarke 1999; Berghel 2000; Walsh 2000). For example, it was noted a survey conducted by Ernest and Young (Canada Global Information Security Survey where more than 300 Canadian businesses participated in the annual survey, which assesses current IT security systems around the system) indicated that Canadian businesses’ financial losses due to hacking exceed $1 million. More recently the ‘I love you’ virus caused an estimated of damage at £1.7 billion (Computing 2000; Bicknell 2000). Indeed the problem of computer misuse is not restricted to particular countries (for example, see Pawar and Goyal 1994; Computing 2000). Evidence from various sources suggests that incidents of computer misuse are increasing in numbers and are causing significant concern among organisations. This paper focuses on computer misuse committed by internal employees. It analyses the collapse of Barings Bank. In February 1995, Barings Brothers collapsed through the speculations of a 28 year old, Nicolas Leeson. Indeed many researchers and practitioners have expressed the reasons of the collapse of Barings that range from incompetence within the bank to conspiracy by Barings’ executive as alleged by Singapore investigators. Further the economic, political, social and technological factors that influenced Barings are explored. This will not only help in understanding the retrogression which contributed to Barings’ collapse but also explore the web of deception that Leeson spun to evade management and auditors. While trying to understand the underlying factors that permeated Barings before the collapse, this paper takes the support of the classification proposed by Backhouse and Dhillon (1995). They propounded a broad classification: personal factors, work situation, and opportunities.

REFERENCES

Backhouse J. and Dhillon. G (1995). “Managing computer crime: a research outlook.” Computers & Security 14: 645-651.

Berghel H. (2000). “Identity theft, social security numbers, and the web.” Communication of the ACM 43(2).

Bicknell D. (2000). Love bug prompts security shake-up. ComputerWeekly. London.

Brown R. K. (1991). Security overview and threat. National Computer Security Educators, Information Resource Management College, National Defence University, Tutorial Track, NCSC.

Clarke R. (1999). “Internet privacy concerns confirm the case for intervention.” Communication of the ACM 42(2).

Computing (1993). China executes hacker over £122,000 theft. London: 1.

Computing (1997). Hackers breach college systems. Computing. London: 10.

Computing (2000). Lovebug mayhem prompts industry to rethink security. The IT Newspaper. London.

Kluth D. J. (1990). “The computer virus threat: a survey of current criminal statues.” Hamline Law Review 13(Spring): 297-312.

Office of Technology Assessment (1994). Information security and privacy in network environments, US Government Publication.

Pawar M. S. and R. M. Goyal (1994). “computer crime in Bombay: efforts to alter this problem.” International Journal of Offenders Therapy and Comparative Criminology 38(3).

Walsh A. (2000). “Partner in crime.” The computer bulletin 2(5).

Comments are closed.