4 Internal Information Theft Prevention Frameworks and Their Implications

4.1. Introduction

This chapter reviews internal information theft prevention frameworks. The analysis presented here draws on the findings of the reviewed frameworks. Most existing internal information theft prevention frameworks aim to provide generic guidance across business organisations; the absence of a framework tailored to a particular sector, such as the retail industry, justifies the need for this guide. The existing frameworks are therefore reviewed to identify their limitations and to show how security and crime prevention managers in retail businesses can avoid those limitations. Cappelli et al. (2006b) argue that the effectiveness of internal information theft prevention depends on how management adapts available frameworks and applies them in the context of its own business operations.

The Cambridge Advanced Learner’s Dictionary defines a framework as a system of rules, ideas or beliefs, or a supporting structure around which something can be built, that is used to plan or decide something. Few, if any, of the existing frameworks focus on a specific structure of information theft and a specific business sector in order to design prevention for that sector’s requirements. The majority of available information theft frameworks are built on generic concepts (e.g., technology architecture and the generic nature of crimes), and in some the concepts are shaped by the research aims and objectives of the study that produced them. Nevertheless, as Burkhalter and Crittenden (2010) argue, an understanding of the generic frameworks enables security and crime prevention practitioners to identify the research gaps that recommended security guidelines need to address.

4.2. Generic Information Theft Prevention Frameworks

Several studies (e.g., Kardell, 2007; ACFE, 2014) agree that little attention has been given to internal information theft prevention in the context of a particular type of business organisation, such as online retail. Yang and Wang (2011) note that generic internal information theft prevention frameworks may be too complex to adapt in some business sectors because of differences in business operations, processes, organisational culture and technology. ACFE (2014) observed that security and crime prevention practitioners need to understand the internal information theft prevention needs of a particular business sector, with particular emphasis on managing the roles of security, people and processes. Adams (2008) also noted that although internal information theft is a common crime across business organisations, its study should be scoped to the policy makers of a particular business sector. Cappelli et al. (2006b) agree that aligning business requirements with the roles of management is indispensable for the prevention of internal information theft.

Cappelli et al. hold that a coordinated effort among IT executives, managers, technical employees, human resources and security officers can be a practicable tool in the prevention of internal information theft. The successful implementation of the US Department of Homeland Security and Cyber Security Project confirmed the need for effective management roles in preventing internal information theft across business sectors. Cappelli et al. (2006a) and Moore et al. (2008) agree that, since internal information theft primarily involves human elements manipulating information systems, countering the crime requires comprehensive and strategic human roles, namely those of management, within a defined business environment. Savirimuthu and Savirimuthu (2007) suggest that a deeper understanding of the implications of managing information security in retail business is an important prerequisite for applicable information theft prevention frameworks.

Savirimuthu and Savirimuthu further suggested that integrating complementary management with IT security management is a suitable mitigation strategy because these crimes are motivated not only technologically but, for the most part, socially. In agreement, Wang, Yuan and Archer (2006) acknowledge the need for a guide to the effective development and deployment of an information theft prevention framework from the perspective of management roles within a defined business sector.

In addition, Lacey and Cuganesan (2005) suggested that the collaborative effort of ‘human resource security’, that is, IT management, complementary data security and the crime prevention team, is often overlooked in the formulation of information theft prevention in existing frameworks. Shah and Okeke (2011) agreed with Lacey and Cuganesan, and pointed out that available frameworks fail to prevent these crimes because their strategies do not incorporate the roles of the complementary management teams (auditing, outsourcing firms, credit monitoring firms, law enforcement agencies, etc.). Table 4.1 summarises the frameworks for information theft prevention.

Table 4.1  Studies on Information Theft Prevention Frameworks

(Columns: Authors; Research focus; Key concepts; Research contribution)

Shah and Okeke (2012)
  Research focus: Examination of the roles of management in information theft prevention and internal data security.
  Key concepts: Role-based framework for analysing prevention of internal identity theft related crimes: case study in the UK retail industry.
  Research contribution: A systematic and integrated approach, in which the key components of management work in unison, is required to prevent information theft and maximise internal data security.

Steinbart et al. (2011)
  Research focus: Exploratory investigation of the relationship between internal audit and IS security.
  Key concepts: An exploratory model of the factors that influence the nature of the relationship between the ISA and IS security functions.
  Research contribution: The proficiency of IS security auditors affects the quality of ISA practices and could contribute to the prevention of internal information theft.

Shah and Okeke (2011)
  Research focus: Exploration of the existing literature on the propagation of information theft, and the conceptualisation of these crimes in the retail industry.
  Key concepts: Synthesis of a role-based framework for the prevention of information theft in the retail industry.
  Research contribution: An information theft prevention strategy should incorporate collaboration between external and internal crime prevention actors, and all levels of an organisation should be given clear and specific responsibilities for internal data security.

Sharariri and Lababidi (2011)
  Research focus: Examination of the factors affecting internal auditors in the protection of computerised accounting IS from electronic penetration in banking operations.
  Key concepts: Enhancement of the factors that contribute to the effective use of ISA in protecting computerised accounting IS.
  Research contribution: IS auditors should be fully aware of the operations of the business organisation and of the activities of the e-fraud prevention team in order to provide IS security against internal data breaches and attacks.

Moorthy et al. (2011)
  Research focus: Evaluation of the impact of the role of IT on ISA in business organisations.
  Key concepts: Impact of information technology on internal data security auditing.
  Research contribution: The information systems auditor has the responsibility of ensuring that management and the board of directors understand the liability arising from potential data security risks.

Schulze and Shah (2009)
  Research focus: Investigation of the communication strategies used by e-commerce organisations (via their websites) to battle identity theft related crimes.
  Key concepts: Development of the Support–Trust–Empowerment–Prevention (STEP) method for battling identity theft related crimes.
  Research contribution: Few e-commerce organisations proactively prevent identity theft, provide supporting actions, or inform consumers how to protect their data against such crimes.

Ji, Smith-Chao and Min (2008)
  Research focus: Examination of a theoretical view of identity theft crimes as the basis for business organisational information system design (from the system planner’s perspective).
  Key concepts: Systems plan for combating identity theft: a theoretical framework.
  Research contribution: The various roles and relationships in the identity chain should be coordinated when designing collaborative systems for combating identity theft crimes in business.

Jamieson, Winchester, Stephens and Smith (2008)
  Research focus: Formulation of a definition of identity fraud profiling, construction of a profiling classification, and identification of the barriers to the use of profiling by business organisations.
  Key concepts: Development of a conceptual framework for identity fraud profiling, and provision of the framework’s main elements and their relationships.
  Research contribution: Organisational identity fraud profiling methodologies have information processing techniques applicable to developing fraud profiling models in business IS, and the integration of these techniques reduces the incidence of identity crimes.

Vasiu (2004)
  Research focus: Examination of the risks of e-fraud in an integrated supply chain, and overview of the significant adverse effect of e-fraud as a hindrance to the achievement of business organisational IS strategic objectives.
  Key concepts: Development of a conceptual framework for e-fraud control in the integrated supply chain of business organisations.
  Research contribution: E-fraud prevention should be integrated into board-level organisational practices and business plans, and management should be responsible for implementing and coordinating the human, technological and financial resources necessary for controlling e-fraud in business organisations.

Wright (1998)
  Research focus: Exploration of the need for IS education among business organisations’ employees.
  Key concepts: Development of a framework for IS security training for employees.
  Research contribution: To improve IS security against information theft, IS education must be integrated into business organisations’ practices and their data protection policies.

4.3. Software-Based Information Theft Prevention Frameworks

The British Retail Consortium (BRC) (2011) suggests that most of the existing information theft prevention frameworks (e.g., McCormick, 2008; Jabbour and Menasce, 2009) have focused on the implementation of software security. Other researchers (e.g., Bishop and Gates, 2008; Niekerk and Solms, 2010) focus on the combination of technology and process, while a few (e.g., Collins, 2003; Moore et al., 2008) attempt to combine technology, process and people. The frameworks resulting from software-based studies are scientific approaches that are implementable only in computer systems (Jamieson et al., 2009).

For instance, Le Lievre and Jamieson’s (2005) model of identity fraud profiling was built on information processing, using the trails left in computer systems to analyse the behaviour of perpetrators. Applying this framework relies more on computer systems than on the contribution of IS management roles and end-users. Neglecting the contribution of these roles is one of the major challenges that security and crime prevention practitioners must tackle to achieve effective information theft prevention.

An analysis of the literature shows that many studies have neglected a crucial element of people: management roles. As Table 4.2 below shows, software-based frameworks built on the concept of technology dominate information theft prevention studies: 10 of the 16 identified information theft prevention models were designed and deployed on the basis of technology.

For instance, Nellikar (2010) and Park and Giordano (2006) applied role-based access control and role-based profiling techniques to analyse the behaviour and profiles of information theft perpetrators.

Jabbour and Menasce (2009) present the Insider Threat Security Architecture (ITSA) framework to analyse the case of IS security being compromised by a privileged user, while Ha et al. (2007) apply a capability acquisition graph to demonstrate insider threats. These techniques are implementable only on computer systems. The two process-based models, by Niekerk and Solms (2010) and Bishop and Gates (2008), are conceptual models that contribute to the argument for organisational culture in information security systems. Only the system dynamics model (Moore et al., 2008; Band et al., 2006) and the MERIT model (Greitzer et al., 2008; Cappelli et al., 2006b; Keeney et al., 2005) integrate all three key elements, people, process and technology, in the design and deployment of an information theft prevention framework.
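To make concrete what a technology-based, role-based profiling control of the kind attributed above to Nellikar (2010) and Park and Giordano (2006) actually does, the following Python example is added here; it is not code from any of the cited studies. It assumes a simple access-log format (timestamp, user, role, resource, action), a training window from which each role’s normal set of resource/action pairs is learned, and a later window in which any access outside the actor’s role profile is flagged. Both logs are constructed for the illustration.

```python
"""Role-based profile analysis over constructed access-log lines.

Added illustration of the role-based insider-anomaly idea the chapter
attributes to Park and Giordano (2006) and Nellikar (2010); not their code.
Assumptions (not from the chapter): each log line is
'timestamp user role resource action'; a role's profile is the set of
(resource, action) pairs its members produced during a training window;
a later event outside the actor's role profile is reported as an anomaly.
"""
from collections import Counter, defaultdict

# Constructed training log: what each role normally touches.
TRAINING_LOG = """\
2014-03-01T09:01 alice cashier pos_terminal read
2014-03-01T09:05 alice cashier pos_terminal write
2014-03-01T09:20 bob cashier pos_terminal read
2014-03-01T10:00 carol analyst sales_report read
2014-03-01T10:15 carol analyst customer_pii read
2014-03-01T10:30 dave analyst sales_report read
"""

# Constructed live log: a cashier reaching into customer PII after hours,
# and an analyst reading PII, which is inside the analyst profile.
LIVE_LOG = """\
2014-03-02T09:00 alice cashier pos_terminal read
2014-03-02T22:10 bob cashier customer_pii read
2014-03-02T22:12 bob cashier customer_pii export
2014-03-02T11:00 carol analyst customer_pii read
"""


def parse(log):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, action = line.split()
        events.append({"ts": ts, "user": user, "role": role,
                       "resource": resource, "action": action})
    return events


def build_role_profiles(events):
    """Map each role to the set of (resource, action) pairs seen in training."""
    profiles = defaultdict(set)
    for e in events:
        profiles[e["role"]].add((e["resource"], e["action"]))
    return dict(profiles)


def detect_anomalies(profiles, events):
    """Return the events whose (resource, action) lies outside the actor's role profile.

    An unknown role has an empty profile, so every event by it is flagged.
    """
    anomalies = []
    for e in events:
        allowed = profiles.get(e["role"], set())
        if (e["resource"], e["action"]) not in allowed:
            anomalies.append(e)
    return anomalies


def rank_users(anomalies):
    """Count anomalies per user so the noisiest actor is reviewed first."""
    return Counter(e["user"] for e in anomalies).most_common()


def analyse(training_log=TRAINING_LOG, live_log=LIVE_LOG):
    """Learn role profiles from the training window and score the live window."""
    profiles = build_role_profiles(parse(training_log))
    return detect_anomalies(profiles, parse(live_log))


if __name__ == "__main__":
    found = analyse()
    for a in found:
        print(f"{a['ts']} {a['user']} ({a['role']}) {a['action']} "
              f"{a['resource']}: outside role profile")
    print("review order:", rank_users(found))
```

Running the block flags bob’s two night-time accesses to customer_pii, because no cashier touched that resource during training. Note what it does not flag: carol, an analyst whose role profile already includes customer_pii, could read every record without tripping this control. That blind spot with respect to privileged users acting within their normal role is precisely the limitation the chapter attributes to overdependence on software security, and it is why the people and process elements have to carry that part of the prevention.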

While it is theoretically possible for these contributions to IS security practice to reduce internal data security vulnerabilities and bolster internal information theft prevention, researchers (e.g., Hofmeyr et al., 1998; Allen et al., 1999) suggest that this is practically infeasible unless human roles are central to information theft prevention strategies and practices.

Table 4.2  Information Theft Prevention Frameworks Based on Technology, Process and People

(Columns: Prevention concept; Researchers; Focus of the model; Number of studies)

Process (2 studies)
  Niekerk and Solms (2010): Conceptual model
  Bishop and Gates (2008): Analysis of information theft threats

Technology (10 studies)
  Nellikar (2010): Scalable simulation framework
  Jabbour and Menasce (2009): Insider Threat Security Architecture (ITSA)
  McCormick (2008): EDLP programme
  Ha et al. (2007): ICMAP
  Park and Giordano (2006): Role-based access control
  Butts (2006): SPM-IT / MAMIT approach
  Chinchani, Iyer, Ngo and Upadhyaya (2005): End-user security behaviours
  Symonenko et al. (2004): Natural Language Processing Systems (NLPS)
  Schultz (2002): Six-indicator framework
  Anderson et al. (2000): Eight general approaches

People, Process and Technology (4 studies)
  Moore et al. (2008); Band et al. (2006): System dynamics
  Greitzer et al. (2008); Cappelli et al. (2006b); Keeney et al. (2005): MERIT

4.4. Why Do the Frameworks Fail in Preventing Information Theft?

The information theft prevention frameworks discussed above offer some essential suggestions for the application and integration of process and software security. However, these suggestions have not yielded outcomes commensurate with the large IT security investment made by most retail companies. For instance, PricewaterhouseCoopers (PwC) (2014) reports that even though more than 50 per cent of companies in the UK have adopted most of the practices recommended in these frameworks and plan to spend more on IT security, 67 per cent of companies expect a rise in information theft incidents.

It is vital to ask why the prevention practices and frameworks discussed above arguably do not contribute to effective prevention of information theft incidents. Vacca (2003) argues that some online retail companies that appear to comply with the prevention practices do have the capacity to provide effective and efficient strategies that meet quality requirements and reduce costs. Other studies (e.g., Popa and Doinea, 2007; Dean et al., 2012; Forrester and Seeburger, 2013; PwC, 2014) agree that many online retail companies attribute their failure to a lack of resources, or to the company apparently not being large enough to support an IS security department and its routine maintenance costs. Beyond these reasons, the majority of businesses cannot answer fundamental IS security questions related to:

  • Performance measurement (how well is IS security supporting business requirements?)
  • Security control profiling (what IS security processes are important, and what are the critical success factors for control?)
  • IS security awareness (what are the risks of not achieving the internal data security objectives?)
  • Benchmarking (what do other businesses do, and how can their results be compared and measured?).

In addition to this inability to answer basic questions, the literature suggests that most frameworks and practices for the prevention of internal information theft have failed for the following reasons:

  • The perception that adequate and advanced IS security tools are already in place;
  • Fragmented roles within the IS security management team;
  • Security and crime prevention management negligence;
  • The huge demand on companies to maintain the increasing PID/I used by the consumers via e-tailing and e-commerce;
  • The cost of Information System/Technology (IS/T) security management;
  • The perception of low expectations from the IS security and compliance management by the business managers.

The perception that adequate and advanced IS security tools are already in place: Company managers sometimes believe that having security software and firewalls, and being compliant with Sarbanes-Oxley (SOX), PCI and ISO-related requirements, is enough. They fail to recognise that unless these controls and regulations are checked consistently, the effectiveness of their security cannot be assured. Dean et al. (2012) note that it took until 2008 for the International Association of Data Privacy, founded in 2000, to attract more than 5,000 member companies. PwC (2014) indicated that 80 per cent of companies fail to evaluate their spending on IS security resources or to review whether those resources are properly implemented and regulated, and that most companies only get round to evaluating their data security tools and regulations in the aftermath of an information theft incident. Bielski (2005) likewise observes that few companies make strategic investments in their IT security.

Fragmented roles within the IS security management team: Shah and Okeke (2011) noted that some businesses lack an integrated data security approach between external and internal security auditors. In some cases, the roles of in-house and outsourced security providers are segregated from those of the business and the law enforcement agencies. For proactive prevention of internal information theft, they suggested that business IS management and the security audit team have to work in unison and abandon the perception of role segregation across cross-functional management.

Management negligence: Evolving information theft risks and threats that may demand new tools and procedures are often treated with laxity by business owners and by security and crime prevention management. At times, some security tools and regulations are not applied effectively. In the PwC (2014) survey, 56 per cent of businesses did not carry out any security checks of their external providers; instead they relied solely on contracts and contingency plans. IS security resources can be effective only if they are well reviewed, regulated and properly applied; many companies have instead fallen into the pattern of reacting only after internal information theft has occurred. PwC’s (2014) tracking of the previous three years shows the degrading capabilities of IS security management across business organisations. In 2011, only 41 per cent of approximately 10,000 executives across business organisations in 138 countries acknowledged that they had a data security compliance and identity management strategy, compared with 48 per cent in 2009. Only 39 per cent of these executives acknowledged that they reviewed their data security policies and regulations annually in 2011, whereas more than 52 per cent did so in 2009. With companies relying increasingly on software security, the majority depend on contingency plans to rectify security flaws after criminals have already perpetrated information theft.

The huge demand on companies to maintain the increasing PID/I used by consumers via e-tailing and e-commerce: An average retail company today handles the PID/I of at least five million customers, which encourages decentralisation of data storage. This practice leads to vulnerabilities related to file transfer protocol (FTP), network shares and e-mail, which in turn pose many challenges, including large file management, the FTP software process, audit trails and version control (Forrester and Seeburger, 2013).

The cost of Information System/Technology (IS/T) security management: The ACFE (2014) survey suggests that some companies consider themselves too small to bear the cost of security auditing for information theft prevention. The failure of business executives to conduct a cost-benefit analysis of IS security investments often leads them to believe that security costs outweigh the benefits. The PwC (2014) survey indicated that 12 per cent of senior managers give low priority to data compliance management.

The perception of low expectations from IS security and compliance management by business managers: Popa and Doinea (2007) noted that many business managers do not trust the capabilities of their security audit and compliance management. In some cases, companies perceive data security audits as a complex practice and are intimidated by the daunting and demanding tasks of data security management; in others, business owners perceive vulnerability and penetration tests as a hindrance to the smooth running of business operations. Business owners tend to put business gains ahead of the security risks associated with information theft. In summary, the research review identifies several factors that can contribute to poor implementation of information theft prevention frameworks. They include:

  • Poor understanding of the nature of internal information theft by IS security and crime prevention management (Newman and McNally, 2005; Schreft, 2007);
  • Absence of comprehensive frameworks, strategy and data security tools (Abagnale, 2007; Jakobsson and Myers, 2007); where frameworks do exist, they were developed in the context of generic business organisations and may be inapplicable to particular businesses such as the retail industry (CIFAS, 2010; BRC, 2011);
  • Overdependence on software security, which may lead to inadequate monitoring of privileged users of information systems (Mills, 2007; Acoca, 2008);
  • Lack of understanding of the role of people in integrating people, process and technology (Keeney et al., 2005; Cappelli et al., 2006b; Moore et al., 2008).

4.5. Summary of Chapter 4

This chapter has explored the available information theft prevention frameworks and the practical issues in implementing them. The failure of most of the frameworks can be attributed to the lack of clear roles and responsibilities given to security managers and administrators, which in turn can lead to the other related issues summarised in Case Study 4.2. These issues provide background on comprehensive internal information theft prevention practices and knowledge that retail management could extend in designing effective security strategies. In addition, they point to the need for evaluative research to assess how far the requirements of the frameworks are met in practice, so that subsequent prevention practices can be implemented successfully in online retail companies. The difficulty of implementing the frameworks effectively has, in some cases, been cited as the reason that some internal information theft prevention practices have failed. That failure has left management with little option but to resort to the available coercive security strategies, namely software security. Yet another question then arises: does this choice leave us better off? If it does, the unavoidable question remains: why have the software-based frameworks, such as those identified in this chapter, failed? The next chapter answers this question by identifying the organisational challenges faced by information security management in preventing internal information theft in retail businesses.

References

Abagnale, F.W. (2007). Stealing Your Life: The Ultimate Identity Theft Prevention Plan. New York: BroadwayBooks, The Crown Publishing Group.

Acoca, B. (2008). ‘Online identity theft’. Organisation of Economic Cooperation and Development (OECD) Observer, 268, pp. 12–13.

Adams, C. (2008). ‘No certainty yet for identity assurance: The need for assuring identity is clear, but the path to achieving it is no’. Signal, 63 (1), pp. 83–86.

Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J. and Stoner, E. (1999). ‘State of the practice of intrusion detection technologies’. Tech. Rep. CMU/SEI-99-TR-028, Carnegie Mellon University/Software Engineering Institute, pp. 1–111.

Anderson, R.H., Bozek, T., Longstaff, T., Meitzler, W., Skroch, M. and Wyk, K.V. (2000). ‘Research on mitigating the insider threat to information systems’. Proceedings of a Workshop Held in RAND Corporation, Santa Monica, pp. 1–35.

Association of Certified Fraud Examiners (ACFE). (2014). ‘Report to the nations on occupational fraud and abuse: Global fraud study’. Available: http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf, Accessed 20 April 2014.

Band, S.R., Cappelli, D.M., Fischer, L.F., Moore, A.P., Shaw, E.D. and Trzeciak, R.F. (2006). ‘Comparing insider IT sabotage and espionage: A model based analysis’. CMU/SEI-2006-TR-026.

Bielski, L. (2005). ‘Will you spend to thwart ID theft?’ ABA Banking Journal, 97 (4), pp. 54–62.

Bishop, M. and Gates, C. (2008). ‘Defining the insider threat’, Proceedings of the 4th annual workshop on Cyber security and information intelligence research: Developing strategies to meet the cyber security and information intelligence challenges ahead.

British Retail Consortium (BRC). (2011). Retail Crime and Loss Prevention Report. Available: http://www.brc.org.uk/brc_news_detail.asp?id=2065, Accessed 12 February 2012.

Burkhalter, C. and Crittenden, J. (2010). ‘Professional identity theft: What is it? Are we contributing to it?’ What can we do to stop it?’ Contemporary Issues in Communication Science and Disorders, 35, pp. 89–94.

Butts, J.W. (2006). ‘Formal mitigation strategies for the insider threat: A security model and risk analysis framework’. Available: https://www.afresearch.org/skins/rims/q_mod_be0e99f3-fc56–4ccb-8dfe670c0822a153/q_act_downloadpaper/q_obj_9390d5ea-5e71–4abb-b3e6-c03c79975762/display.aspx, Accessed 9 October 2012.

Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A. and Willke, B.J. (2006a). ‘Management and education of the risk of insider threat (MERIT): Mitigating the risk of sabotage to employers’ information, systems, or networks.’ Proceedings of the 24th International System Dynamics Conference, Nijmegen, Netherlands, July.

Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A. and Willke, B.J. (2006b). ‘System dynamics modeling of computer system sabotage’. Joint CERT Coordination Center/SEI and CyLab at Carnegie Mellon University Report, Pittsburgh, PA, pp. 1–34.

Chinchani, R., Iyer, A., Ngo, H.Q. and Upadhyaya, S. (2005). ‘Towards a theory of insider threat, assessment’. Proceedings of the 2005 International Conference on Dependable Systems and Networks, Yokohama, Japan, pp. 108–117.

CIFAS: The UK’s Fraud Prevention Service, (2010). ‘Staff Fraudscape: Depicting the UK’s staff fraud landscape’, Available: http://www.cifas.org.uk/secure/contentPORT/uploads/documentsCIFAS%20Reports/CIFAS_Staff_Fraudscape_May_2010.pdf, Accessed 29 November 2011.

Collins, J.M. (2003). ‘National Institute of Justice Crime Report’. U.S. Department of Justice, Office of Justice Programs, Michigan State University, USA.

Dean, S., Pett, J., Holcomb, C., Roath, D. and Sharma, N. (2012). ‘Fortifying your defences: The role of internal audit in assuring data security and privacy’. PCW Publications. Available: http://www.PWC.com/us/en/risk-assurance-services/publications/internal-audit-assuring-data-security-privacy.jhtml, Accessed 9 October 2012.

Forrester and Seeburger. (2013). ‘The future of data security and privacy: Controlling big data’. In: The WebCast, The Silent Enemy: Preventing Data Breaches from Insiders, 13 March 2013 at 13:00–14:00 EDT.

Greitzer, F.L., Moore, A.P., Cappelli, D.M., Andrews, D.H., Carroll, L.A. and Hull, T.D. (2008). ‘Combating the insider cyber threat’. IEEE Security and Privacy, 6 (1), pp. 61–64.

Ha, D., Upadhayaya, S., Ngo, H., Pramanik, S., Chinchani, R. and Mathew, S. (2007). ‘Insider threat analysis using information-centric modelling’. International Federation for Information Processing, 242 (2007), pp. 55–73.

Hofmeyr, S.A., Forrest, S. and Somayaji, A. (1998). ‘Intrusion detection using sequences of systems calls’. Journal of Computer Security, 6 (3), pp. 151–180.

Jabbour, G. and Menasce, D.A. (2009). ‘The insider threat security architecture: A framework for an integrated, inseparable, and uninterrupted self-protection mechanism’. International Conference on Computational Science and Engineering, CSE ’09, pp. 1616–1620.

Jakobsson, M. and Myers, S. (2007). Phishing and Countermeasures: Understanding the Increasing Problems of Electronic Identity Theft. Hoboken, NJ: John Wiley and Sons.

Jamieson, R J., Winchester, D W., Stephens, G. and Smith, S. (2008). ‘Developing a conceptual framework for identity fraud profiling’. Proceedings of the 16th European Conference on Information Systems at the J.E. Cairnes Graduate School of Business and Public Policy, National University of Ireland, Galway, Ireland, 9–11 June.

Jamieson, R., Land, L.P.W., Smith, S., Stephens, G. and Winchester, D. (2009). ‘Information security in an identity management lifecycle: Mitigating identity crimes’. AMCIS 2009 Proceedings, pp. 1–9.

Ji, S., Smith-Chao, S. and Min, Q. (2008). ‘Systems plan for combating identity theft—A theoretical framework’. Journal of Service Science and Management, 2008 (1), pp. 143–152.

Kardell, R.L. (2007). ‘Three steps to fraud prevention in the workplace’. ACFE Report to the Nation of Occupational Fraud and Abuse, pp. 16–19.

Keeney, M.M., Conway, T., Kowalski, E., Williams, M., Cappelli, D., Moore, P.M., Rogers, S. and Shimeall, T.J. (2005). ‘Insider threat study: Computer system sabotage in critical infrastructure sectors’. Joint SEI and U.S. Secret Service Report, Pittsburgh, PA, pp. 1–45.

Lacey, D. and Cuganesan, S. (2005). ‘The role of organisations in identity theft response: The organization–individual victim dynamic’. Journal of Consumer Affairs, 38 (2), pp. 244–261.

Le Lievre, E., and Jamieson, R. (2005). ‘An Investigation of Identity Fraud in Australian Organisations’. Collaborative Electronic Commerce Technology and Research (CollECTeR), pp. 1–10.

McCormick, M. (2008). ‘Data theft: A prototypical insider threat’. Advances in Information Security, 39 (2008), pp. 53–68.

Mills, G. (2007). Identity Theft: Everything You Need to Know to Protect Yourself. Sussex, UK: Summersdale Publishers.

Moore, A.P., Cappelli, D.M., Greitzer, F.L., Carroll, L.A., Hull, T.D. and Andrews, D.H. (2008). ‘Combating the insider cyber threat’. IEEE Security and Privacy, 6 (1), pp. 61–64.

Moorthy, M. K., Seetharaman, A., Zulkifflee, M., Meyyappan, G., and Lee, H. S. (2011). ‘The impact of information technology on internal auditing’. African Journal of Business Management, 5(9), pp. 3523–3539.

Nellikar, S. (2010). ‘Insider threat simulation and performance analysis of insider detection algorithms with role based model’. Electronic Master of Science Thesis, Electrical and Computer Engineering, Graduate College of the University of Illinois at Urbana-Champaign, USA, pp. 1–6. Available: https://www.ideals.illinois.edu/bitstream/handle/2142/16177/Nellikar_Suraj.pdf?sequence=2, Accessed 23 May 2011.

Newman, G.R. and McNally, M.M. (2005). Identity Theft Literature Review. Washington, DC: US Department of Justice.

Niekerk, R. and Solms, R.V. (2010). ‘Information security culture: A management perspective’. Computers and Security, 29 (4), pp. 476–486.

Park, J.S. and Giordano, J. (2006). ‘Role-based profile analysis for scalable and accurate insider-anomaly detection’. Proceedings of the 25th IEEE International Performance Computing and Communications Conference, Workshop on Information Assurance, Phoenix, AZ, pp. 463–469.

Popa, M. and Doinea, M. (2007). ‘Audit characteristics for information systems’. Revista Informatica Economic, 4 (44), pp. 103–106.

PricewaterhouseCoopers (PwC). (2014). Information Security Breaches Survey (ISBS) Technical Report. Available: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/307296/bis-14–767-information-security-breaches-survey-2014-technical-report-revision1.pdf, Accessed 02 April 2014.

Savirimuthu, A. and Savirimuthu, J. (2007). ‘Identity theft and systems theory: The Fraud Act 2006 in perspective’. Unscripted, UK.

Schreft, S.L. (2007). ‘Risks of identity theft: Can the market protect the payment system?’. Economic Review—Federal Reserve Bank of Kansas City, 92 (4), pp. 5–40.

Schultz, E.E. (2002). ‘A framework for understanding and predicting insider attacks’. Computers and Security, 21, pp. 526–531.

Schulze, M. and Shah, M.H. (2009). ‘The step method battling identity theft using e-retailers’ website’. Paper accepted at 9th IFIP Conference on e-Business, e-Services, and e-Society, I 3 E, Nancy, France.

Shah, H.M. and Okeke, R.I. (2011). ‘A framework for internal identity theft prevention in retail industry’. Intelligence and Security Informatics Conference (EISIC), European, Athens, Greece.

Shah, M.H. and Okeke, R.I. (2012). ‘Role-based framework as a model for analysing prevention of internal identity theft related crimes’. Submitted to Information and Management for review.

Sharariri, J.A. and Lababidi, M.H. (2011). ‘Factors affecting the role of internal auditor in the protection of computerised accounting Information Systems from electronic penetration (A Field Study on Banks Operating in Jordan)’. International Research Journal of Finance and Economics, 68, pp. 140–160.

Steinbart, P.J, Raschke, R.L., Gal, G. and Dilla, W.N. (2011). ‘The relationship between internal audit and information security: An exploratory investigation’. University of Waterloo Centre for Information Integrity & Information Systems Assurance 7th Biennial Research Symposium, October 20–22, 2011, pp. 1–32.

Symonenko, S., Liddy, E.D., Yilmazel, O., Zoppo, R.D. and Brown, E. (2004). ‘Semantic analysis for monitoring insider threats’. IEEE International Conference on Intelligence and Security Information. Available: http://surface.syr.edu/cgi/viewcontent.cgi?article=1047&context=istpub.

Vacca, J. R. (2003). Identity Theft. USA: Prentice Hall PTR.

Vasiu, L. (2004). ‘A conceptual framework of eFraud control in an integrated supply chain’. Proceedings of European Conference on Information Systems (ECIS), Paper 161.

Walker, A., Flatley, J., Kershaw, C. and Moon, D. (2008/09). Crime in England and Wales: Findings from the British Crime Survey and Police Recorded Crime. Home Office Statistical Bulletin, Volume 1, pp. 85–87.

Wang, W., Yuan, Y. and Archer, N. (2006). A Contextual Framework for Combating Identity Theft, IEEE Security and Privacy. Published by IEEE Computer Society.

Wright, M.A. (1998). ‘The need for information security education’. Computer Fraud and Security, 1998 (8), pp. 14–17.

Yang, S. and Wang, Y. (2011). ‘System dynamics based insider threats modelling’. International Journal of Network Security and Its Applications, 3 (3), pp. 1–12.
