2 Know the Nature of Internal Information Theft

2.1. Introduction

This chapter provides a behind-the-scenes analysis of cases of internal information theft, most of them within a retail environment, revealing what went wrong and illustrating how the theft was perpetrated, even in the most unsuspecting operation. It provides an in-depth understanding of the characteristics of the perpetrators in the targeted retail companies. This analysis is essential for readers to gain comprehensive knowledge, drawn from real cases, of where and how perpetrators operate. Haley (2013) suggests that if information security experts or crime prevention practitioners do not know how perpetrators exploit retail companies’ risks and vulnerabilities, they may not have adequate knowledge to develop and implement a security strategy. Following this suggestion, this chapter introduces a number of examples of individuals who were caught attempting or engaging in internal information theft.

The majority of the cases analysed in this chapter were extracted from the public archives of the UK Association of Business Crime Partnerships and the UK National Fraud Authority. The case analysis of each perpetrator covers their age (at the time of the fraud), gender, job title, a description of the nature of the fraud (or attempt), motivation, how they were caught and the lessons learnt. Some of the cases of corporate information theft analysed were collected from the public domain; in those cases, the names of the fraudsters have been retained. In the cases that were not in the public domain, no identifying information is given and all names have been changed to protect the individuals’ privacy. The internal information thefts analysed here have been categorised under corporate information theft.

Although these categories were discussed in full in section 1.1.4.3 of Chapter 1, it is important to revisit those explanations in this chapter to provide a comprehensive understanding of the perpetrators’ characteristics.

Case Study 2.1 Record Rise in the Cases of Information Theft in the UK (UK’s ONS, 2014)

The number of internal information theft cases recorded by fraud prevention bodies and law enforcement agencies rose by nearly 60 per cent in five years in England and Wales. According to the Office for National Statistics (ONS) (2014), more than 230,000 cases of internal information theft-related crimes/frauds were recorded in England and Wales from January to June 2014. This figure represents a 59 per cent rise over five years and a rise of more than a fifth on the previous 12 months. The online retail and banking sectors recorded a further 316,000 cases of related employee fraud. In total, over 12 million cases of information theft and related employee fraud were recorded in the 12-month period.

However, the ONS (2014) noted that these figures, recorded across business sectors, may overlap. These reports indicate how prevalent information theft is in UK e-business sectors. The rise in these crimes in both the retail and banking sectors may be due to the nature of online business operation in these sectors, which carries less risk of being caught. Norman Baker, the UK’s minister of state in the coalition government of 2013–2014, and Jack Dromey, the UK shadow policing minister, noted that information theft-related fraud has increased by 21 per cent, and that many of these online crimes go unreported.

2.2. Internal Information Theft Perpetration Methods

The common methods include unauthorised alteration of company data and modification of company payment instructions. In some cases, fraudsters who have stolen financial information use it for money laundering or for obtaining services by deception, often with the help of counterfeit or forged company documents. The common schemes include Application Fraud/Account Takeover, Present (Current) Address Fraud and Account Withdrawal. They also involve the compromise of information systems, networks and data that identify the victim as the statutory owner under the UK Data Protection Act 1998. The victims in this case are the retail companies, in relation to their customers. The theft involves acts in which the suspect/perpetrator has used their legitimate access to the IS and network to perpetrate internal information theft. The suspects/perpetrators include current and former employees of the victim retail companies and current and former consultants, contractors and partners.

The cases of the individuals analysed are not limited to the UK online retail sector. Some cases from other sectors (e.g., banking) are included because of the multifaceted nature of retail business operations conducted through credit/debit cards. These cases were directly or indirectly involved with the online retail and banking sectors because of the relationships the two sectors share in their business operations.

Companies allow consumers to buy goods or services from a seller using various web browsers and portals, including business-to-business (B2B) online shopping and processing of services. During a retail transaction, retail companies subcontract to or collaborate with banks in processing the consumer’s card information and authorising the payment to complete the online shopping operation.

Table 2.1  Case of Internal Information Theft: Account Takeover

Name: ‘Jane’
Age: 32
Gender: Female
Job title: Cashier

Nature: ‘Jane’ stole numerous credit and debit cards that customers had left behind in a rush after shopping. She used the cards to make purchases from her own company’s online portal. After several weeks, when the crime had not been discovered, she went on using the cards to make more purchases from other online retail portals.

Motivation: Opportunity: she had an opportunity and she took it, and she believed that everyone in the shop could have done the same. Self-justification: ‘Jane’s’ main justification was that she did not think she was doing anything wrong; she had the opportunity and made use of it, and she thought that everyone would have done the same, which justified her fraud as the norm. Absence of a monitoring system such as CCTV cameras: because there was no monitoring or surveillance in place to check employees’ activities inside the shop, ‘Jane’ was convinced that she would never be caught.

How caught: One customer whose credit card ‘Jane’ had stolen came in the next day, having realised that she had left her card behind, checked with her bank and found that it had already been used. ‘Jane’s’ company called the police and she was arrested.

Case Study 2.2  Lessons Learnt from Case of an Account Takeover

Perpetrators’ perception of a lack of effective security: because ‘Jane’s’ company had no verification procedures, she found it easy to bypass its website defences. It was easy for her to defraud e-commerce sites that have no identity verification or shared fraud-alert data, which could have been used to trace her dubious purchases and alert other merchants to them. Had there been identity checks, such as matching the name and address on the order against the cardholder’s details, a more complete identification of the individual would have emerged and raised fraud alerts in the customer databases.

Failure of the card issuers to report the fraud: it was easy for ‘Jane’ to continue her fraudulent scheme because the credit card companies failed to report the suspicious transactions to the card owner.

Customer Negligence: In addition, there was negligence on the part of most online retail customers to check their spending regularly with their banks.
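The checks the lessons above call for (matching the billing name and postcode against the cardholder on file, consulting shared fraud-alert data, and noticing a card being reused in quick succession to different addresses) can be expressed as a pre-authorisation screen that runs before the order is sent to the bank. The following Python is an added illustration written for this chapter, not code from the case or from any retailer; the card token, the alert list, the customer records and the four orders are all constructed, and the velocity threshold and 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All customer, card and order data below are constructed for illustration.
# card_fingerprint stands for the token a payment processor returns for a card;
# the retailer never needs to store the full card number to run these checks.


@dataclass
class CardholderRecord:
    name: str
    postcode: str


@dataclass
class Order:
    order_id: str
    card_fingerprint: str
    billing_name: str
    billing_postcode: str
    delivery_postcode: str
    placed_at: datetime


def _norm(value: str) -> str:
    """Case- and whitespace-insensitive comparison key for names and postcodes."""
    return "".join(value.split()).upper()


class OrderScreener:
    """Screens an order before it is sent to the bank for authorisation.

    Three checks, in increasing cost order:
      1. card on the shared lost/stolen alert list                -> REJECT
      2. billing name/postcode differ from the cardholder on file  -> REVIEW
      3. velocity: the same card used for several orders in a short
         window to different delivery postcodes                    -> REVIEW
    """

    def __init__(self, cardholders, shared_alerts, velocity_limit=3,
                 window=timedelta(hours=24)):
        self.cardholders = cardholders            # fingerprint -> CardholderRecord
        self.shared_alerts = set(shared_alerts)   # fingerprints reported by issuers/other merchants
        self.velocity_limit = velocity_limit      # assumed threshold
        self.window = window                      # assumed window
        self.history = {}                         # fingerprint -> [Order, ...]

    def screen(self, order: Order):
        if order.card_fingerprint in self.shared_alerts:
            # A rejected attempt is not recorded, so it cannot pollute the history.
            return "REJECT", ["card is on the shared lost/stolen alert list"]

        reasons = []
        known = self.cardholders.get(order.card_fingerprint)
        if known is not None:
            if _norm(known.name) != _norm(order.billing_name):
                reasons.append("billing name does not match cardholder on file")
            if _norm(known.postcode) != _norm(order.billing_postcode):
                reasons.append("billing postcode does not match cardholder on file")

        recent = [o for o in self.history.get(order.card_fingerprint, [])
                  if order.placed_at - o.placed_at <= self.window]
        postcodes = {_norm(o.delivery_postcode) for o in recent}
        postcodes.add(_norm(order.delivery_postcode))
        if len(recent) + 1 >= self.velocity_limit and len(postcodes) > 1:
            reasons.append(f"{len(recent) + 1} orders on one card within "
                           f"{self.window} to {len(postcodes)} delivery postcodes")

        self.history.setdefault(order.card_fingerprint, []).append(order)
        return ("REVIEW", reasons) if reasons else ("ACCEPT", [])


def run_demo():
    """Replays a constructed sequence resembling the 'Jane' case; returns the decisions."""
    t0 = datetime(2014, 3, 3, 18, 0)
    screener = OrderScreener(
        cardholders={"fp-1111": CardholderRecord("A. Customer", "SW1A 1AA")},
        shared_alerts={"fp-2222"},   # a card another customer has already reported lost
    )
    orders = [
        # the genuine cardholder ordering to their own address
        Order("o1", "fp-1111", "A. Customer", "SW1A 1AA", "SW1A 1AA", t0),
        # the same card used with the insider's own billing details
        Order("o2", "fp-1111", "J. Employee", "M1 1AE", "M1 1AE", t0 + timedelta(hours=1)),
        # cardholder details copied correctly, but a third delivery address within two hours
        Order("o3", "fp-1111", "A. Customer", "SW1A 1AA", "LS1 1UR", t0 + timedelta(hours=2)),
        # a card already on the shared alert list
        Order("o4", "fp-2222", "A. Customer", "SW1A 1AA", "SW1A 1AA", t0 + timedelta(hours=3)),
    ]
    return [screener.screen(o) for o in orders]


if __name__ == "__main__":
    for decision, reasons in run_demo():
        print(decision, reasons)
```

The third order is the instructive one: the insider copied the cardholder’s name and postcode correctly, so only the velocity rule catches it. The screen only works if the alert list is actually shared between merchants and issuers; a retailer screening in isolation would have rejected nothing in the ‘Jane’ case until the customer herself complained.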

Table 2.2  Case of Internal Information Theft from Database

Name: ‘Smith’
Age: 24
Gender: Male
Job title: Software Engineer

Nature: ‘Smith’ gathered customers’ personally identifiable information from his company’s information systems and sold it on the ‘black market’.

Motivation: Expertise: ‘Smith’ used his technical skills to exploit his employer’s information systems and stole information for his personal gain. Demand for personal information by fraudsters: the huge demand for online credit/debit card details created a ‘hot product’ perception for both ‘Smith’ and his customers.

How caught: ‘Smith’s’ hacking activity on the information systems was revealed by the biannual information audit. The trail of how he logged into the company’s database was analysed and he was arrested. During the fraud investigation, numerous customers’ card details were found on his personal laptop, together with hidden websites that he had been using to sell the stolen card details.

Case Study 2.3  Lessons Learnt from Case of Information Theft from Database

The absence of a regular information security audit in ‘Smith’s’ company allowed him plenty of time to perpetrate internal information theft without getting caught. There was no effective security system in place to prevent ‘Smith’ from hacking his employer’s information systems, and even if one had existed he would have used his IT skills to manoeuvre around it. Closer security scrutiny should have been applied to ‘Smith’, because his software engineering skills made him a potentially serious security threat to the company. It is important for information security managers to identify the job roles that pose the greatest internal information theft risks. Retail companies should put in place regular evaluation strategies to assess the transaction trails of those in roles that carry a high risk of internal information theft.

Table 2.3  Case of Credit Card Disclosure

Name: ‘Ceri’
Age: 29
Gender: Female
Job title: Credit Card Issuance Officer

Nature of theft: ‘Ceri’ manipulated a payroll and credit card scheme that led to her embezzling £310,698 from her small business employer over a period of five years.

Motivation: Boosting her annual salary: she was using the stolen money to boost her annual salary. Family pressure: ‘Ceri’ used her employer’s account to pay her daughter’s three credit card bills, totalling more than £15,000.

How caught: Numerous calls from customers complaining about non-payment sparked an investigation, which was reported to the local police. During the investigation, the investigation team discovered that ‘Ceri’ had a previous record of improper use of a credit card.

Case Study 2.4  Lessons Learnt from Case of Credit Card Disclosure

Past behaviour is an excellent predictor of future behaviour. A thorough background check can provide valuable information, especially when a candidate is applying for a position of trust, and such a check would probably have prevented ‘Ceri’s’ hiring. The discovery of ‘Ceri’s’ fraudulent activities began when customers complained about not receiving their payments for services/goods rendered. This employer made a most positive move in not allowing such complaints to be investigated by the employee charged with processing those transactions.

Table 2.4  Case of Account Withdrawal

Name: ‘Kathy’
Age: 47
Gender: Female
Job title: Accountant

Nature: An accounting clerk wrote 137 cheques for retail companies’ contract payments, valued at £1.4 million, and deposited them into her personal account. This trusted employee had been given the authority to prepare cheques without proper internal safeguards or reasonable management oversight.

Motivation: No segregation of duties/working alone: this individual could prepare and issue cheques without being scrutinised before the cheques were authorised for payment. Opportunity: she had the opportunity and used it because she was ‘trusted’ by her government employer.

How caught: This fraud scheme was uncovered by accident, as a result of a credit union employee calling the Head of Finance to ask a question about cheques being deposited into a personal checking account. Shortly afterwards it was confirmed that the account in question belonged to one of the county agency’s employees. At this point, government auditors were called in and an investigative audit was launched.

Case Study 2.5  Lessons Learnt from Case of Account Withdrawal

There should be clearly defined roles and segregation of duties. This would discourage the ‘work-alone’ mindset among employees that allows internal information theft to take place. No employee should be in a position to write company cheques or make payments without second-party confirmation that such payments are valid. ‘Undue’ or ‘unqualified’ trust causes an overwhelming number of owners and managers to fail in their jobs, because they naively assume that their operation is immune from internal fraud. After all, the managers might argue, they have loyal, long-term and highly trusted employees or volunteers handling their highest-risk financial activities. Only a few managers understand that whenever trust is incorrectly bestowed, problems are likely to follow.

2.3. Factors that Encourage Internal Information Theft

The above case studies have shown the characteristics of internal information theft perpetrators. The analysis shows that theft of credit and debit card details, manipulation of corporate and personal accounts, and account withdrawal are the common cases. Other research reports (e.g., CIFAS, 2012; Kroll, 2013) have shown that customers’ payment card numbers and card details are the major targets. These reports suggest that corporate account details are as much at risk as customers’ personally identifiable information (PII). Based on the lessons learnt from the above cases, the major factors behind the increase in internal information theft in retail companies include:

  • Lack of empirical data of internal information theft in the public domain;
  • Retail business operations;
  • Overdependence of security management on software security;
  • Perception that internal information theft perpetrators are shop-floor employees;
  • Lack of internal information theft incident analysis;
  • Absence of human-centred security in online retail.

2.3.1. Lack of Empirical Data of Internal Information Theft

Readers will appreciate that the impacts of internal information theft are inestimable, as the examples of the individuals who were caught suggest. Indicators of the impact of information theft cases are rarely released to the public, possibly because of privacy-related issues, and only some of the cases are in the public domain (Shah et al., 2013). Most retail companies are not inclined to reveal the impacts of internal information theft, as such publicity might do irreparable damage to their brand. This concern with protecting the victimised companies’ brand and reputation is one of the major factors that have led to increasing cases of internal information theft in businesses (Laudise, 2008). However, without reliable data on cases of internal information theft, it would be difficult, if not impossible, to provide contextual preventive measures for information theft.

The case analyses above were based on the few data available in the public domain. This unavailability of data arises from three causes:

  • Retail companies rarely share data on information theft incidents;
  • Companies gather data on information theft incidents for narrow purposes and;
  • Perpetrators always act to conceal their trails.

Data on internal information theft incidents are withheld because of concern over copycat activity and publicity, and perhaps also because of privacy-related issues. The few data that are available were shared under guarantees of confidentiality and under restricted-use agreements.

First, information theft data are released only when there is no other option. Given these access restrictions, information theft data such as those discussed here are rarely available to researchers. Second, retail companies have no motivation to share data related to information theft incidents; they are provided only for selected cases of forensic investigation or legal proceedings. Sometimes the available data were not organised, and in some cases the databases were not accessible. These issues made empirical data collection, collation and analysis a labour-intensive research task.

Third, most perpetrators are skilled enough to cover their trails before detection. In some cases, a successful attack takes only a short time to carry out, and perpetrators often devise ways to conceal their trails. These issues contribute to incomplete data capture on the methods by which information theft is perpetrated. This was noted by researchers (Newman and McNally, 2005) as one of the setbacks of information theft prevention research. Nevertheless, despite the deficiencies in the data, the case analyses in this chapter provide valuable insights.

2.3.2. Retail Business Operations

The case analysis shows that retail business operations are one of the major factors accounting for the increasing cases of internal information theft. The analysis of the case examples suggests that the use of credit and debit cards, including through mobile phones, has encouraged successful perpetration, as most of the cases analysed directly or indirectly involve the compromise of cards.

In line with the discussion in Chapter 1, the case analyses suggest that desk-based employees who carry out most of the end-user online trading through credit or debit cards are more vulnerable than employees in other departments, followed by employees in finance/accounting operations. These findings suggest that most employees in retail operations are a potential threat to proprietary information because of the situational or opportunistic nature of their job roles. More attention should therefore be given to operational departments, IT departments and accounting positions than to age and gender. Thus, these findings suggest that the characteristics of perpetrators are better classified by their operational departments than by gender.

2.3.3. Overdependence of Management on Software Security

The case analyses confirmed that management relies too much on software security for the prevention of information theft: the management of the companies leaves employees’ activities to be monitored by security systems. This is a major issue, because the information systems are designed by some of the employees, and the perpetrators may be as skilled as those who designed the security software, as in the case of ‘Smith’, a software engineer who stole customers’ card details for his financial gain. The detection capability of software security cannot match the effectiveness of monitoring and security audit, as the example of ‘Smith’ shows, because he had the skills to cover his trail. Overreliance on software security can create the perception that adequate security is in place, and this perception is misleading in that IS security management may neglect other security measures. Allen et al. (1999) and Hofmeyr et al. (1998) suggest that although software security has a place in the prevention of internal information theft, it cannot equal human security, that is, effective monitoring and security audit.
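What the security audit in Case Study 2.3 actually did was read the trail of ‘Smith’s’ logins against his job role, and the point of this section is that such a review has to be scheduled and carried out by people rather than assumed to happen. The Python below is an added example written for this chapter, not code from the company in the case; it shows the kind of rule set an auditor can run over database audit logs between formal audits. The log format, the account names, the role-to-table policy, the working-hours window and the bulk-read thresholds are all constructed assumptions.

```python
import re
import statistics
from datetime import datetime

# Constructed database audit-log sample in a hypothetical key=value format.
# Not taken from the original case; the 'smith' account stands in for the
# software engineer of Table 2.2, 'ops_batch' for a legitimate nightly job.
SAMPLE_LOG = """\
2014-03-03T10:02:11Z user=smith role=software_engineer db=retail table=orders action=SELECT rows=120 src=10.0.5.23
2014-03-03T10:40:53Z user=smith role=software_engineer db=retail table=orders action=SELECT rows=85 src=10.0.5.23
2014-03-03T11:15:00Z user=ops_batch role=service db=retail table=cards action=SELECT rows=52000 src=10.0.9.1
2014-03-04T09:30:27Z user=smith role=software_engineer db=retail table=catalogue action=SELECT rows=300 src=10.0.5.23
2014-03-04T23:47:19Z user=smith role=software_engineer db=retail table=cards action=SELECT rows=48000 src=10.0.5.23
2014-03-05T09:12:44Z user=smith role=software_engineer db=retail table=orders action=SELECT rows=95 src=10.0.5.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) db=(?P<db>\S+) "
    r"table=(?P<table>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)

# Which tables each job role has a business need to read (assumed policy).
ROLE_TABLES = {
    "software_engineer": {"orders", "catalogue"},
    "service": {"orders", "catalogue", "cards"},
}
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as in-hours (assumption)
BULK_FACTOR = 10            # a read this many times the user's median is 'bulk'
BULK_MIN_ROWS = 5_000       # ... but never below this absolute size


def parse(log_text):
    """Turns audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event["rows"] = int(event["rows"])
        events.append(event)
    return events


def median_rows_per_user(events):
    """Per-user median row count. The median is robust to a single huge read,
    so one exfiltration does not raise its own baseline; in production the
    baseline should come from an earlier window known to be clean."""
    rows = {}
    for e in events:
        rows.setdefault(e["user"], []).append(e["rows"])
    return {user: statistics.median(r) for user, r in rows.items()}


def detect(events):
    """Returns (timestamp, user, [reasons]) for every event that trips a rule."""
    medians = median_rows_per_user(events)
    alerts = []
    for e in events:
        reasons = []
        if e["table"] not in ROLE_TABLES.get(e["role"], set()):
            reasons.append(f"table '{e['table']}' outside role '{e['role']}'")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("access outside working hours")
        median = medians[e["user"]]
        if e["rows"] >= BULK_MIN_ROWS and e["rows"] > BULK_FACTOR * median:
            reasons.append(f"bulk read of {e['rows']} rows against median {median:g}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(parse(SAMPLE_LOG)):
        print(ts, user, "; ".join(reasons))
```

Only the late-night read of the cards table by the engineer trips the rules, and it trips all three; the service account’s equally large read of the same table is within its role and its own baseline, so it is not flagged. The role-to-table policy is the rule that does most of the work, and it is also the one a company cannot write without first deciding which job roles need which data, which is exactly the human exercise this section argues for.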

2.3.4. Perception that Perpetrators Are Shop-Floor Employees

Retail management teams often see shop-floor and call centre employees as the potential internal information thieves because of their operational roles in handling card transactions. Management often perceive themselves as the ‘clean employees’ who rarely indulge in information theft. This perception among security and crime prevention practitioners, as argued by Raab (2008), can lead to gross neglect of the top management, who may use their position to perpetrate internal information theft-related crimes. The knowledge drawn from the case analyses shows that, since deviance, as argued by Durkheim (1966), is ‘an integral part of all healthy societies’, any employee can be tempted to indulge in internal information theft if no effective prevention guidelines and measures are in place.

2.3.5. Lack of Internal Information Theft Incident Analysis

Another notable lesson from the case analyses is that some companies apparently have no culture of analysing or assessing information theft incidents. The detection and prosecution of perpetrators brings the incident to a close. Case reports are, in most cases, documented for management meetings but not for analysis and assessment. Security and crime prevention management often believe that recurring incidents of information theft give them the opportunity to gain experience of the intricacies of such crimes. This practice is not helpful, as effective crime incident analysis and assessment can reduce the risks and costs of similar crimes in the future, and can also serve as a model or a clue for crime prevention management.

McLaren et al. (2011) noted that for organisations to compete in a highly dynamic security marketplace, they must frequently adapt and align their security strategies and information systems by continuous incident analysis and evaluation.

Other researchers (e.g., Lu and Ramamurthy, 2011; Ransbotham et al., 2012) have also pointed out that security capability and the empirical examination of vulnerability disclosure mechanisms enable firms’ agility against security threats. Such strategies strengthen a business organisation’s proactive security stance and decrease the volume of exploitation attempts. By contrast, the case analyses suggest that management regarded experience as the preferred method of improving their data security and crime prevention strategies, because of the cost of hiring experts or professionals to manage either their internal data security strategies or their crime incident analyses. As also noted by KPMG (1997), prevention of internal information theft requires effective data security risk management that can tackle the full extent of the risks involved.

However, although studies suggest that it is the responsibility of management to educate employees on data security policy, and that analyses of crimes are more likely to lead to effective prevention of information theft, it is important to point out that in some incidents case analyses are not carried out because of constraints such as finance, inadequacy of management, lack of strategy performance measures and employees’ attitudes. Ekblom (2002) and Clarke and Eck (2003) noted that the availability of resources, finance and staffing is among the greatest challenges of crime prevention in any socio-economic setting, even where clear strategic crime prevention plans exist. Unless clear plans are in place, management will struggle to determine priorities and areas of assistance in terms of immediate prevention action (low-cost action and high risk/impact) and long-term interventions (deterrence, law and penal reform, major policy changes and planning).

2.3.6. Absence of Human-Centred Security in Retail Companies

Human roles can still play a huge part in preventing internal information theft. A comprehensive discussion of human roles, particularly that of management, is presented in Chapter 3. The case analyses in this chapter have shown that reports from customers, law enforcement agencies and security audits were the means by which the perpetrators were caught. This agrees with the suggestions of Moore (2005) and Cappelli et al. (2006a) that the responsibility for information theft prevention lies with human-centred security. Attention should also be directed to employees’ operational policies, to monitoring of the IS security infrastructure and to the need for retail companies to invest in employee training. Researchers (e.g., Haagman and Wilkinson, 2011) suggest that employee training is one of the vital instruments of information theft prevention practice. Policy is very salient at every stage of IS security implementation; without a clear IS security policy, the IT governance of retail companies would not hold water (Leon, 2008). Sommer (2012) suggests that an effective policy implementation is the root on which other prevention.

2.4. Characteristics of Information Theft Perpetrators

The case analysis based on the profiles of the individuals caught perpetrating information theft provides a more general characterisation of, and additional insights into, the nature of thefts in online retail. The internal information theft cases describe variables such as age, sex and job roles that were used to characterise perpetrators, but do not presume that these variables are the same for all business organisations. Retail companies should use these identified characteristics as a reference guide for analysing internal information theft cases in their own organisation.

Based on the case examples analysed in Subchapter 2.2 above, the following major characteristics of the perpetrators can be drawn:

  • Perpetrators are not necessarily technically oriented to carry out information theft;
  • The nature of internal information theft perpetrated by managers is comparatively different from the cases by shop-floor employees;
  • Most internal information theft cases were detected through customer complaints, information system audits and colleagues.

Perpetrators are not necessarily technically oriented to carry out internal information theft: this characteristic suggests that the seemingly least-threatening employees, such as call centre or shop-floor employees without technical knowledge or privileged access to retail information systems, can still cause significant damage, as in Case Study 2.2 of ‘Jane’, who stole numerous credit cards that customers had left behind in a rush after shopping. She may not have had the technical capabilities of a software engineer, but she used her operational knowledge to make purchases with the stolen cards from her own company’s online portal.

This finding reinforces the need for retail companies to adhere to good security principles across all levels of employees, irrespective of their job roles. Hence, this study recommends that companies guide their policies and practices by restricting access for employees at all levels. In addition, retail companies should assume that potential perpetrators will leverage exploitable IS security vulnerabilities within the reach of most non-technical employees (Fichtman, 2001), and no theft prevention system alone will defend against such perpetrators. Therefore, online retail companies can begin to minimise cases of perpetration only if they continually strengthen their policies on the principle of trusted information systems security and access control mechanisms.

The nature of information theft perpetrated by managers is comparatively different from cases perpetrated by shop-floor employees: although the business activities and information system access of managers and shop-floor employees may differ, managers caused more damage than shop-floor employees in terms of the impact of information theft, and internal information theft perpetrated by managers took longer to detect than theft perpetrated by shop-floor employees. This finding is suggested by the case of Jessica Harper, Head of Online Security at Lloyds Banking Group. In addition, this characteristic suggests that employees in certain job roles, such as accountants and software engineers, pose different threats from employees in call centre positions. It behoves companies to audit the activities of employees in relation to the features of their job roles. It is essential for e-businesses, including financial organisations, to develop policies and enforce them clearly for all employees with respect to their job roles and business operations, but with equal disciplinary action. Therefore, a corollary of the varying nature of information theft perpetrators is that practices should be put in place to disallow exceptional handling, or ‘different rules for different employees’.

In addition, companies should greatly limit the amount of trust they give to employees at management level. Access control should be effective enough to provide employees in management positions with only the access they need. The case analyses suggest that employees in management positions were not closely examined or monitored by the victimised companies until it was too late. There should be no ‘sacred cows’: no employee should be exempted from monitoring because of their management position or because they make more money for the company than other employees.

Most internal information theft cases were detected through customer complaints, information system audits and colleagues’ suspicions: the case examples indicate that technology played a very small role in enabling the victimised companies to detect perpetrators. By itself, however, this conclusion could be explained by other factors. Technological approaches could be largely successful at detecting information security flaws before more damage is done, thereby reducing the impact of information theft, but they may not match the capability of human roles; and where technology-based security software had been in place, in some cases it may have been outdated or not properly installed. In the case examples discussed above, the victim companies were successful in detecting information theft by conducting audits, monitoring employees’ suspicious behaviour and questioning employees’ abnormal activities. Retail companies should establish anonymous and open communication channels to encourage employees to report suspicious colleagues. There should be frequent impromptu and routine information security audits to review the operational activities of all employees, with a ‘no exception’ rule in implementing the checks and audit processes, whatever the position of the employee.

2.5. Summary of Chapter 2

The case analyses in this chapter have reinforced the definition in the UK Fraud Act 2006 and by the UK Home Office, according to which information theft occurs “when sufficient information about an identity is obtained to facilitate identity crimes or fraud, irrespective of whether in the case of a person, company, organisation or an entity…. And this could lead to frauds of using a false identity or someone else’s details for unlawful activity…it could be also when someone avoids falsely claiming that the criminal was the victim of identity fraud…; these frauds come in variety of ways and for various motives”.

This could involve using a false identity or someone’s personal identifiable information (PII) (e.g., name, address, date of birth) for financial/commercial gain. The perpetrators use the PII to buy goods or secure services (e.g., bank account opening for money withdrawals) or for credit cards, loan applications, and contract services.

In addition, this chapter has answered the question of what schemes or methods are used by perpetrators. From the analyses, the main techniques for stealing customer data were: copying customers’ details from the systems; diverting ordered products; selling data on the black market; organised crime (collusion, collaboration and infiltration); computer means and hacking; researching customers’ identities; and buying customer data from employees with unrestricted access. In some cases, employees pay an estate management agent to lease them a house for the purpose of collecting goods redirected from the retail companies. In similar instances, employees reveal customer details to an external criminal who pretends to be the real customer. And in other cases, external criminals call the call centre departments pretending to be from the retail company’s IT department, and then ask for customer data or password retrieval.

The insights provided by the case analyses point to the question of the impact of internal information theft in retail companies. In particular, some retail companies’ Loss Prevention teams handled hundreds of cases every year. The majority of such case reports come from call centres and from employees handling customers’ financial details. In some cases, Regional Loss Prevention team employees may not be comfortable reporting that their work colleagues engaged in internal information theft. Consequently, the impact of internal information theft cases might not be recorded or documented accurately.

However, the common impacts of internal information theft include, among others: business loss, loss of customer trust, job loss, data security challenges, large budget allocations for recruitment, training, data security, software security, investigation costs, litigation costs and information security auditing; a significant challenge to directors and management; damage to the business name; and the absence of records of approximate company loss.

Based on the lessons from the case analyses, retail companies should direct their prevention efforts to the following measures:

  • Employee training on data protection,
  • Secure customer data identification,
  • Effective application and implementation of a computer use policy,
  • Effective implementation of IT security tools: anti-virus and firewalls, intrusion detection and penetration testing,
  • Restriction on the use of pen and paper and mobile phones.

In particular, employee training should be emphasised as a key internal information theft prevention strategy. Every new employee should be mandated to do online training on the Data Protection Act. The employees should also be mandated to pass the assessment that follows the training. In addition, there should be internal information theft prevention awareness and follow-up on how the training was perceived by the employees to enable the companies to evaluate the impact of employee training on the prevention of information theft.

Moreover, a computer use policy should be on the priority list of effective internal information theft prevention strategies. Companies should implement a system of unique employee logins, change access passwords regularly, forbid the downloading of applications from the Internet onto the company’s systems, block access to the Internet and social networking sites, forbid the use of pen and paper or mobile phones while working (except for top managers), and require employees to comply with the password policy. There should be no exception for some managers, as such an exception might lead to leakages involving top management.

Finally, there should be a system for secure customer data identification. A few retail companies already implement secure customer data identification as one of their strategies for preventing internal information theft. Companies should implement an intelligence system in call centre departments to confirm customers’ identity. This should be built on a knowledge-based system that uses identifiers such as name, address, account number or date of birth, or a combination of any of these personal information attributes. These systems should be designed so that the identification process and questions involve some element of complexity, to deter criminals inside or outside the company from accessing customers’ sensitive data. However, a consequence of a knowledge-based system is that if the system fails and the company has relied upon it for the security of customers’ data, there is a high risk of information theft on such occasions. It is the responsibility of security management to design security tools that are well integrated with the retail operation, so as to avoid the risks associated with a knowledge-based system. The next discussion in this guide, in Chapter 3, looks into how the key components (people, process and technology) can be integrated to provide an effective information theft prevention strategy.
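The knowledge-based identification system described above, as an added example that is not part of the chapter or of any retail company’s own system. It asks for a randomised combination of attributes rather than a single one, compares answers against salted hashes so the agent’s screen never shows the stored PII (limiting what an insider can copy), locks the account after repeated failed answer sets, records every check for audit, and fails closed when the verification store is unavailable, which is the failure mode the text warns against. The attribute set, the 2-of-3 policy and the lockout limit are assumptions.

```python
"""Knowledge-based caller verification for a retail call centre (added
example; the attributes, 2-of-3 policy and lockout limit are assumptions)."""
import hashlib
import hmac
import secrets

ATTRIBUTES = ("address", "account_number", "date_of_birth")

def _digest(attr, value, salt):
    # Store and compare salted hashes, so the agent's screen never shows raw PII.
    norm = " ".join(value.lower().split())
    return hashlib.sha256(f"{salt}:{attr}:{norm}".encode()).hexdigest()

def enrol(customer_id, details, salt):
    return {"id": customer_id, "salt": salt, "failed_attempts": 0,
            "checks": {a: _digest(a, details[a], salt) for a in ATTRIBUTES}}

class Verifier:
    """Agent-facing check: the agent learns only verified / fail / escalate."""
    MAX_FAILED = 3          # lockout after this many failed answer sets
    QUESTIONS_PER_CALL = 2  # a combination of attributes, never a single one

    def __init__(self, records, audit):
        self._records = records  # {customer_id: record}, or None if unavailable
        self._audit = audit      # list of (agent, customer, outcome) for review

    def choose_questions(self):
        # Randomise which attributes are asked, so a fixed answer set copied
        # by an insider or rehearsed by a caller does not always suffice.
        return secrets.SystemRandom().sample(ATTRIBUTES, self.QUESTIONS_PER_CALL)

    def verify(self, agent_id, customer_id, answers):
        if self._records is None:
            # Fail closed: an unavailable store is never treated as "verified".
            self._audit.append((agent_id, customer_id, "store_unavailable"))
            return "escalate"
        rec = self._records.get(customer_id)
        if rec is None or rec["failed_attempts"] >= self.MAX_FAILED:
            self._audit.append((agent_id, customer_id, "locked_or_unknown"))
            return "escalate"
        ok = len(answers) >= self.QUESTIONS_PER_CALL and all(
            a in rec["checks"]
            and hmac.compare_digest(rec["checks"][a], _digest(a, v, rec["salt"]))
            for a, v in answers.items())
        rec["failed_attempts"] = 0 if ok else rec["failed_attempts"] + 1
        self._audit.append((agent_id, customer_id, "pass" if ok else "fail"))
        return "verified" if ok else "fail"
```

An "escalate" outcome is meant to route the call to a supervisor or an out-of-band check, not to be overridden by the agent, so that the verification system failing does not silently become the default of trusting the caller.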

References

Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J. and Stoner, E. (1999). ‘State of the practice of intrusion detection technologies’. Tech. Rep. CMU/SEI-99-TR-028, Carnegie Mellon University/Software Engineering Institute, pp. 1–111.

Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A. and Willke, B.J. (2006a). ‘Management and Education of the Risk of Insider Threat (MERIT): Mitigating the risk of sabotage to employers’ information, systems, or networks.’ Proceedings of the 24th International System Dynamics Conference, Nijmegen, Netherlands, July.

Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A. and Willke, B.J. (2006b). ‘System dynamics modeling of computer system sabotage’. Joint CERT Coordination Center/SEI and CyLab at Carnegie Mellon University Report, Pittsburgh, PA, pp. 1–34.

CIFAS: The UK’s Fraud Prevention Service. (2012). ‘Staff fraudscape: Depicting the UK’s staff fraud Landscape’. Available: https://www.cifas.org.uk/secure/contentPORT/uploads/documents/External-0-StaffFraudscape_2012.pdf.

Clarke, R.V. and Eck, J.E. (2003). Become a Problem-Solving Crime Analyst: In 55 Small Steps. London: Jill Dando Institute of Crime Science.

Durkheim, E. (1966). Suicide. New York: Free Press.

Ekblom, P. (2002). ‘From the Source to the Mainstream is Uphill: The Challenge of Transferring Knowledge of Crime Prevention Through Replication, Innovation and Anticipation’. In: N. Tilley (ed.), Analysis for Crime Prevention, Crime Prevention Studies 13: 131–203. Monsey, NY: Criminal Justice Press / Devon, UK: Willan Publishing. Available: www.popcenter.org/Library/CrimePrevention/Volume%2013/07-Ekblom.pdf.

Fichtman, P. (2001). ‘Preventing credit card fraud and identity theft: A primer for online merchants’. Information Systems Security, 10 (5), pp. 1–8.

Haagman, D. and Wilkinson, S. (2011). ‘Good Practice Guide for Computer-Based Electronic Evidence’. Association of Chief Police Officer (ACPO): 7Safe Information Security, Official Release, pp. 6–72.

Haley, C. (2013). ‘A theory of cyber deterrence’. Georgetown Journal of International Affairs. Available: http://Journal.Georgetown.Edu/A-Theory-Of-Cyber-Deterrence-Christopher-Haley, Accessed 23 April 2014.

Hofmeyr, S.A., Forrest, S. and Somayaji, A. (1998). ‘Intrusion detection using sequences of systems calls’. Journal of Computer Security, 6 (3), pp. 151–180.

KPMG. (1997). ‘Business organisations’ fraud survey’. KPMG Report, Sydney, Australia.

Kroll Global Fraud Report. (2013). Who’s got something to hide? Searching for Insider Fraud. Available: http://fraud.kroll.com/wp-content/uploads/2013/10/FraudReport_2011–2012.pdf, Accessed 08 February 2013.

Laudise, T.M. (2008). ‘Ten practical things to know about ‘sensitive’ data collection and protection’. The Computer and Internet Lawyer, 25 (7), pp. 26–33.

Leon, J.F. (2008). ‘Top ten tips to combat cybercrime’. The CPA Journal, 78 (5), pp. 6–19.

Lu, Y. and Ramamurthy, K. (2011). ‘Understanding the link between information technology capability and organizational agility: An empirical examination’. Management Information System Quarterly, 35 (4), pp. 931–954.

McLaren, T.S., Head, M.M., Yuan, Y. and Chan, Y.E. (2011). ‘A multilevel model for measuring fit between a firm’s competitive strategies and information systems capabilities’. Management Information System Quarterly, 35 (4), pp. 909–929.

Moore, R. (2005). Cybercrime: Investigating High-Technology Computer Crime. Cleveland, MS: Anderson Publishing.

Newman, G.R. and McNally, M.M. (2005). Identity Theft Literature Review. Washington, DC: U.S. Department of Justice.

Office for National Statistics (ONS). (2014). Report for Crime in England and Wales. Available: http://www.ons.gov.uk/ons/rel/crime-stats/crime-statistics/period-ending-march-2014/index.html, Accessed 22 August 2014.

Raab, C.D. (2008). ‘Social and political dimensions of identity’. In: S. Fischer-Hübner, P. Duquenoy, A. Zuccato and L. Martucci (Eds.), The Future of Identity in the Information Society. New York: Springer, pp. 3–19.

Ransbotham, S., Mitra, S. and Ramsey, J. (2012). ‘Are markets for vulnerabilities effective?’ Management Information Systems Quarterly, 36 (1), pp. 43–64.

Shah, M.H., Okeke, R.I. and Ahmed, R. (2013). ‘Issues of privacy and trust in E-Commerce: Exploring customers’ perspectives’. Journal of Basic and Applied Scientific Research, 3 (3), pp. 571–577.

Sommer, P. (2012). Digital Evidence, Digital Investigations and E-Disclosure: A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers (3rd edn.). London: Information Assurance Advisory Council.
