8 Application of Criminological Theories to Internal Information Theft Prevention
8.1. Introduction
Many criminology theorists (e.g., Quinney, 1970; Clarke, 1980; Ekblom, 1992; Cornish, 1994; Aker, 2000; Walker, 2006; Kramer, 2009; Wright, 2010) have studied crime prevention in various research disciplines. As information theft is one of the most prevalent crime issues in business organisations, many theories (e.g., situational prevention, deterrence) have focused on seeking prevention strategies by understanding why people commit these crimes.
This chapter discusses situational crime prevention and deterrence theories that can be applied to the prevention of internal information theft. The theories that have been identified and applied in this chapter are selected because of the attention they have attracted in recent years in academic and security studies.
8.2. Clarke’s 25 Techniques of Situational Crime Prevention
Clarke (1980) argues that there is a need to address the factors that create crime ‘hotspots’ (locations that create crime) and the characteristics that make people more vulnerable to victimisation. In other words, Clarke (1980) suggests that crime prevention measures need to concentrate on preventing crime from occurring and victimisation. These arguments form the basis for Clarke’s 25 situational crime prevention techniques. The 25 techniques are built upon the following five main situational crime measures:
- Increase the effort
- Increase the risks
- Reduce the rewards
- Reduce provocations
- Remove the excuse
The five key measures that form the basis for Clarke’s 25 techniques of situational crime prevention are summarised in Table 8.1 below. Situational crime prevention is underpinned by several theories, including Environmental Criminology, Rational Choice and Routine Activity. The application of these theories and their contribution to prevention of crimes can be extended to the prevention of internal information theft in retail companies. This can be done by adapting Clarke’s (1980) 25 techniques of situational crime prevention. The summary of how other measures of situational crime prevention can be extended to the context of prevention of internal information theft in retail companies is provided in Table 8.2 below; instances in the studies of the use of the situational crime prevention measures are discussed.
Target hardening: This measure can be an effective way of reducing opportunities for internal information theft by obstructing employee access by installing anti-copying computer screens applications in call centres and tamper-proof lockers for servers and routers. Ekblom (1992) suggests that the target hardening approach, which was used in the strategy of the anti-bandit screens on post office counters in London in the 1980s, has cut robberies by more than 40 per cent.
Clarke (1999) agrees with Ekblom (1992) and suggests that target hardening was also used in the ticket machines of the London Underground, which has significantly reduced losses related to ticket sales.
Access control: Clarke (1999) suggests that this measure excludes potential offenders from places such as apartments, departments, stores and offices. Cornish and Clarke (1989) suggests that the use of access control in a South London public housing estate and entry phones have significant impact in reducing vandalism and theft. In the context of retail companies, the use of effective personal identification numbers can be implemented to gain access to computer systems, servers, and customers shopping accounts.
Entry/Exit Screening: This is similar to access control but for the purpose of increasing the likelihood of potential criminals being caught if they fail to meet exit/entry requirements. Cornish and Clarke (1989) suggest that this measure has reduced book thefts in the University of Wisconsin library by 80 per cent. In the context of prevention of internal information theft, the use of fob has been introduced in many retail shops and call centres to regulate and monitor staff movements.
These measures could be adapted by retail companies, as summarised in Table 8.2 to reduce the risks of internal information theft. However, several researchers (e.g., Lewis and Sullivan, 1979; Parker, 1998; Clarke, 1999; Willison, 2006) have criticised the extension of the use of situational prevention. Clarke (1999) suggests that the measures may not be 100 per cent effective due to issues such as:
- Technical or administrative ineptitude (Clarke, 1999)
- Measures being defeated by offenders or careless of victims (Cornish and Clarke, 2003)
|
Increase the effort |
Increase the risks |
Reduce the rewards |
Reduce provocations |
Remove the excuses |
|
1. Harden Targets: Anti-robbery system; quality locks |
6. Extend Guardianship: Neighbourhood watch |
11. Conceal Targets: Do not keep valuables in out-of-sight office environment |
16. Reduce frustration and stress: Efficient queuing; soothing lighting |
21. Set Rules: Agreements Registration |
|
2. Control access to facilities: Secure entries |
7. Assist natural surveillance: Street lighting; police hotlines |
12. Remove Targets: Removable car radios; pre-paid phone cards |
17. Avoid Disputes Reduce crowding inpubs |
22. Post Instructions ‘No parking’;‘Private property’ |
|
3. Screen Exits Tickets needed, electronic tags for floor stock |
8. Reduce Anonymity Taxi driver IDs; ‘How’s my driving?’ signs |
13. Identify Property Property marking; vehicle licensing |
18. Reduce Emotional Arousal Control violent Pornography; prohibit paedophiles working with children |
23. Alert Conscience Roadside speeddisplay signs; ‘Shoplifting is stealing’ |
|
4. Deflect Offenders Street closures in red light district; Separate toilets forwomen |
9. Utilise Place Managers Train employees to prevent crime; Support whistleblowers |
14. Disrupt Markets Checks on pawnbrokers; Licensed streetvendors |
19. Neutralise PeerPressure: Campaigns depicting what friends think of risk-taking behaviour (e.g., speeding and drugcampaigns); “It’s ok to say no” |
24. Assist Compliance Litter bins;Public lavatories |
|
5. Control Tools/Weapons: Tougher beer glasses; photos on credit cards |
10. Strengthen Formal Surveillance Speed cameras; security guards |
15. Deny benefits: Ink merchandise tags, Graffiti cleaning |
20. Discourage Imitation: Rapid vandalism repair |
25. ControlDrugs/Alcohol Breathalysers in pubs, Alcohol-free events |
|
Increase the effort |
Increase the risks |
Reduce the rewards |
Reduce provocation |
Remove excuses |
|
1. Target hardening: Physical locks for PCs; Anti-copying computer screens in call centres; Tamper-proof lockers for servers and routers |
6. Extend guardianship watch Staff watching of visitors; Leave signs of occupancy, Disallow exchange of access privileges |
11. Conceal targets; Gender-neutral phone directories; Minimise ID access of offices where sensitive information is kept. |
16. Reduce frustrations and stress: Efficient queues and polite service |
21. Set rules: Harassment codes; Information security policies |
|
2. Control access to facilities: Entry phones; Swipe cards for office access |
7. Assist natural surveillance: Improved office lighting; Open-plan offices |
12. Remove targets: Removable data storages; Clear desk and computer screen |
17. Avoid Over rowed office space: Reduce crowding in call centres |
22. Post instructions: No pen, paper and pencil. |
|
3. Screen exits: Reception desks |
8. Reduce anonymity: ID tags for staff |
13. Identify property: Property marking of PCs, laptops and sever systems |
18. Reduce emotional arousal: Restrict access to how much money is available in customer accounts |
23. Alert conscience: Create staff awareness to secure computers. |
|
4. Deflect offenders: Server and router room closures; Segregation of duties |
9. Utilise place managers: Two clerks for conveniencestores; Management supervision |
14. Disrupt markets: Monitor pawn shops |
19. Neutralise peer pressure: Disperse troublemakers atschool |
24. Assist compliance: Regulated office checkout and regular holiday for staff; IT security education for staff |
|
5. Control tools/weapons: Disabling stolen cellPhones; Deletion of access rights forex-employees |
10. Strengthen Formal surveillance: Security guards; Intrusion detection systems |
15. Deny benefits: Ink merchandise tags; Encryption |
20. Discourage imitation: Censor details of modus operandi; Prompt software patching |
25. Control drugs and Alcohol: Alcohol-free events—end-of-year parties and get-togethers. |
- Too much vigilance reduces security consciousness (Clarke and Harris, 1992b)
- Measures may provoke offenders to unacceptable escalation (Hunter and Ray, 1997)
- Some measures facilitate rather than frustrate crimes (Ekblom,1992)
- Lack of proper analysis (user’s needs) before introducing some measures (Clarke and Harris, 1992b).
- Detrimental effect of some measures on the environment (Akers, 1990; Willison and Backhouse, 2006).
Collectively, these issues, summarised above, suggest reasons why some situational crime prevention measures like generic and software-based framework (discussed in Chapter 5) may not work in intended ways. This is because measures that work in one setting may not work well in other settings due to organisational and management issues.
Clarke (1999) suggest the need to be aware of these challenges and know which measures work best, in which combination, deployed against what kinds of crimes and under what conditions. Clarke specifically noted that financial costs of particular crime prevention measures need to be assessed by businesses through the development of a permanent in-house capability of their organisations. Hence, there is a need to explore other aspects of crime prevention that may contribute to a holistic approach to internal information theft. The next section discusses deterrence theory and its attributes in internal information theft prevention.
8.3. Application of Deterrence Theory to Information Theft Prevention
Quinney (1970) suggests that deterrence theory can be traced to the works of classical philosophers (e.g., Thomas Hobbes, Cesare and Beccaria, and Jeremy Bentham). These philosophers provide the foundation for modern deterrence theory in criminology that is classified into two types: general and specific (Aker, 2000). General deterrence, as the name posits, is designed for prevention of crime in the general population, while specific is designed based on the nature of the proscribed sanctions to deter potential crime offenders from committing crimes in the future (Quinney, 1970). Typical instances of the application of the deterrence theory include capital punishment (death penalty) and the use of corporal punishment—Shari ’a/Islamic law in Nigeria, which was introduced in 2001. The deterrence approach to crime prevention deters those who witness the infliction of pains upon the convicted fraudster from committing the crimes themselves (Morgan, 2010). Dobb and Webster (2003) and Wright (2010) argue that punishment as an element of a deterrence theory may be expected to affect the conceptualisation of the deterrence of criminals in two ways.
- Increasing the Certainty of Punishment: This involves deterrence of potential offenders by the risk of apprehension. For instance, if there is increase in the number of security guards monitoring retail call centres, some employees may reduce their dishonest activities in order to avoid being caught.
- Severity of Punishment: This may influence potential criminal behaviour if potential criminals judge that the consequences of their actions are too severe (Golden, 2002).
Wright (2010) suggests that these elements of punishment underpin the rationale behind ‘truth in sentencing policies’, to utilise severe sentences to deter some persons from indulging in criminal behaviour.
Some critics (e.g., Willson and Herrnstein, 1985, Moyer, 2001) argue that it is difficult to prove the effectiveness of deterrence because only the offenders that have not been deterred come to the notice of law enforcement. Otherwise, the law enforcement may never know why other employees do not offend. Wright (2010) argues that another reason for deterrence theory’s limited application in prevention of crimes “can be seen by considering the dynamics of the criminal justice system” (Wright, 2010, p. 3). If there is 100 per cent certainty of apprehending an offender, there would be few potential offenders.
For instance, as cited by Wright (2010), because most crimes (internal information theft, as it is in this guide) do not result in an arrest and conviction because of their complexity, the overall deterrent effect of the certainty of punishment might be substantially reduced. Other critics of deterrence theory (e.g., Williams et al. 1980; Scherdin, 1986; Hirsch et al., 1999; Tonry, 2008) agree that the absence of data on awareness of punishment risks makes it difficult to draw conclusions regarding the deterrent impact of deterrence theory. Hence, it may be difficult to measure the impact of the severity of punishment as a deterrence measure against identity theft related crimes on potential offenders who do not believe they will be apprehended for their dishonest actions.
However, Kramer (2009) argues that deterrence theory can be extended as a traditional security theory and superimposed on the prevention of identity theft related crimes. Haley (2013) agrees with Kramer (2009) and argues that strategic application of deterrence theory in businesses could reduce the costs of cases of internal information theft. Goodman, (2010) argues that many studies of information systems security have not done more to apply tools of deterrence to the prevention of computer crimes. In particular, deterrence theory argues that criminal activities can be eliminated by making costs and consequences outweigh the benefits that may accrue from the criminal acts.
Proponents (e.g., Gibbs, 1968; Quinney, 1970; Akers, 2000) of deterrence theory in the context of employee crimes believe that employees may choose to obey or violate the employee business policy after calculating the consequences and gains of their actions. The uses of the legislation/law enforcement system and digital forensic investigation have proven to be great tools for deterrence of internal information theft in various business sectors.
8.4. Legislations/Law Enforcement: A Deterrent to Internal Information Theft
While there may be no silver bullet for effective prevention of internal information theft, the criminal justice system and law enforcement departments can make significant impacts on employees indulging in the crimes (Wright, 2010). Some studies (e.g., Levin, 1971; Orsagh and Chen, 1988; Doob and Webster, 2003; Bavis and Parent, 2007) agree that the criminal justice system increases the certainty of punishment, as opposed to the severity of punishment, and it is more likely to produce deterrent benefits.
Many countries (e.g., UK, US, Austria, Denmark, France, Germany) across the globe have continued to enact laws and legislation to match the advancement of computer crimes from outside and within business sectors. The common areas of legislation cited in the literature that have been enacted in different countries are as follows:
Privacy Laws and Legislation: This has been used to protect the theft of personal identifiable information of individuals, especially customers of retail companies. Since 1970, the US has used the Fair Credit and Reporting Act and Privacy Act to govern the processing, access, and disclosure of credit information. The same protection of individual privacy was the aim of the Canadian Privacy Act of 1975. The same data privacy protection and governance have been legislated across European countries.
These include the Austrian Federal Data Protection Act of 1978, the Danish Acts on Private Registers, the French Act on Data Processing of 1978, the German Federal Data Protection Act of 1977 and the Swedish Data Act of 1973. Other intellectual property laws have been cited in the literature (e.g., Organisation for Economic Cooperation and Development (OECD), 2013) which have been introduced as a deterrent for the prevention of corporate identity related crimes. These include:
- Intellectual Property and Copyright Law (e.g., Copyright Act of 1976): To deter the theft of trade names, ideas, secrets, computer programmes, personal knowledge, etc. that may be vulnerable to internal identity theft related crimes.
- Trade Secrets Law and Trademark Law: To deter the theft of ideas and trademarks of software and hardware of businesses and organisations.
- Patent Law: To deter theft of software concepts and established products.
To ensure that the deterrence influence of legislation extends to international regions where jurisdictions on privacy laws may differ from the originating venue, the Organisation for Economic Cooperation and Development (OECD) (2013) has introduced the OECD Transborder Data Flow Guidelines to promote effective prevention of internal information theft. The guidelines are designed to prosecute and deter incidents of information theft. For instance, in the US, any employee who is convicted of trafficking or trading passwords or credit cards will be liable to the penalties of Title 18, USC 1029, which include 15 years in prison for the first offence (Identity Theft and Assumption Deterrence Act, 1998). In the UK, violation of Section 55—unlawful obtaining of personal data—makes it an offence for perpetrators of internal identity theft related crimes and hackers outside the organisation to obtain unauthorised access to personal data (Data Protection Act, 1998, Section IV).
8.5. The Use of Digital Forensics as Information Theft Deterrence
Many studies (e.g., Clarke, 1999; Farrington and Petrosino, 2000) agree that an effective use of digital forensics as crime prevention has a deterrence effect on potential perpetrators. Clarke (1999) argues that increasing the perceived risks of committing crimes could deter potential perpetrators. Clarke further explained that this ‘situational approach’ of crimes prevention can deter an intended or potential criminal, if the criminal knows that there is every certainty of being caught. Farrington and Petrosino (2000) agrees with Clarke (1999) that digital forensic analysis plays a vital role in crimes under investigation, suggesting that fewer crimes would be committed in a business environment where there are such measures.
Drawing on the above suggestion, other studies (Rowlingson, 2005; Walker, 2006; Sommer et al., 2012) have emphasised the importance of digital forensics as a deterrence measure for internal information theft. Rowlingson (2005) suggests that digital forensics can deter potential offenders because of the high risks that the criminal will be caught. If dishonest staffers know that the targeted organisation is policing their corporate IS property with forensic technology, it alerts staffers that their organisation will ‘always catch and prosecute thieves’. It may as well act as a psychological deterrent to potential computer related criminals (Gottfredson and Taylor, 1986; Walker, 2006).
Moreover, digital forensic investigation practice may encourage and intensify the mindset of natural surveillance to potential information theft perpetrators (Sommer et al., 2012). It provides demonstrative evidence during the courtroom prosecution of suspects. Welch (1997) argues that evidence generated through digital forensic investigation convinces the jury beyond a reasonable doubt that the offender is guilty of the offence.
Bhati (2010) suggests that there is no doubt that digital forensic evidence greatly deters criminal behaviour. In his study ‘Quantifying the Specific Deterrent Effects of DNA Databases’, Bhati (2010) tested the specific deterrent effect of digital forensic DNA evidence on crimes. He concluded that deterrence of digital evidence has probative effect ranges from 20 per cent to 30 per cent. Taylor et al. (2007) agree with Bhati (2010) in their deterrence theory and suggest that digital forensic evidence could be used as a deterrence measure to prevent internal information theft.
8.6. Summary of Chapter 8
As the discussion of crime prevention theories in this chapter shows, situational crime prevention theories, the deterrent effect of the criminal justice system and digital forensic investigations may substantially reduce incidents of internal information theft. However, the impact of the deterrent on the prevention of internal information theft may be dependent on the extent of awareness that potential offenders have in relation to the deterrence measures. Based on the existing evidence presented here, there is a need for both security management and crime prevention management to apply deterrence theories along with other security practices to ensure the likelihood of detecting criminal behaviour. Chapter 10 will discuss recommended security practices that can be used to supplement crime prevention theories to achieve effective information theft prevention in retail businesses.
References
Akers, R.L. (1990). ‘Rational choice, deterrence, and social learning theory in criminology: The path not taken’. Journal of Criminal Law and Criminology, 81 (3), pp. 654–656.
Akers, R.L. (2000). Criminological Theories. Los Angeles: Roxbury.
Bavis, C. and Parent, M. (2007). ‘Data theft or loss: ten things your lawyer must tell you about handling information’. Ivey Business Journal Online, 76 (6), pp. 1–9.
Bhati, A. (2010). Quantifying the Specific Deterrent Effects of DNA Databases. Washington, DC: Justice Policy Centre; The Urban Institute, pp. 1–59.
Clarke, R.V. (1980). ‘Situational crime prevention: Theory and practice’. British Journal of Criminology, 20, pp. 136–147.
Clarke, R.V. (1999). Hot Products: Understanding, Anticipating and Reducing the Demand for Stolen Goods, Police Research Series, 98. London: Home Office.
Clarke, R.V. and Harris, P. (1992) ‘A rational choice perspective on the target of auto theft’. Criminal Behaviour and Mental Health, 2, pp. 25–42.
Cornish, D. (1994). ‘The procedural analysis of offending and its relevance for situational prevention’. In: R. Clarke (Ed.), Crime Prevention Studies. New York: Criminal Justice Press, pp. 151–196.
Cornish, D. and Clarke, R.V. (1989). ‘Crime specialisation, crime displacement and rational choice theory’. In: H. Wegener, F. Losel and J. Haisch (Eds.), Criminal Behaviour and the Justice System: Psychological Perspective. New York: Springer-Verlag, pp. 103–117.
Cornish, D.B. and Clarke, R.V. (2003). ‘Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention’. Crime Prevention Studies, 16 (2003), pp. 41–96.
Dobb, A. and Webster, C. (2003). ‘Sentence severity and crime: Accepting the null hypotheses’. Crime and Justice, 30, pp. 143–195.
Ekblom, P. (1992). ‘Preventing post office robberies in London: Effects and side effects’. In: R.V. Clarke (Ed.), Situational Crime Prevention: Successful Case Studies. Albany, NY: Harrow and Heston, pp. 36–43.
Farrington, D.P. and Petrosino, A. (2000). ‘Systematic reviews of criminological interventions: The Campbell Collaboration Crime and Justice Group’. International Annals of Criminology, 38 (2001), pp. 49–66.
Gibbs, J.P. (1968). ‘Crime, punishment and deterrence. South-western’. Social Science Quarterly, 48, pp. 515–530.
Golden, L. (2002). Evaluation of the Efficacy of a Cognitive Behavioural Program for Offenders on Probation: Thinking for a Change. Dallas: University of Texas.
Goodman, W. (2010). ‘Cyber deterrence: Tougher in theory than in practice’. Strategic Studies Quarterly, 4 (3), p. 103
Gottfredson, S. and Taylor, R.B. (1986). ‘Environmental design, crime and prevention: An examination of community dynamics’. In: M. Tory and A.J. Reiss (Eds.), Communities and Crime. Chicago: University of Chicago Press, pp. 387–416.
Haley, C. (2013). ‘A theory of cyber deterrence’. Georgetown Journal of International Affairs, Available: http://Journal.Georgetown.Edu/A-Theory-Of-Cyber-Deterrence-Christopher-Haley, Accessed 23 April 2014.
Hirsch, A. Bottoms, A., Burney, E. and Wikstrom, P.O. (1999). Criminal Deterrence and Sentence Severity: An Analysis of Recent Research. Oxford: Hart Publishing.
Hunter, R. and Ray, J.C. (1997). Preventing convenience store robbery through environmental design. In: R. Clarke (Ed.), Situational Crime Prevention: Successful Case Studies (2nd edn.). New York: Harrow and Heston, pp. 146–192.
Kramer, F.D. (2009). ‘Policy recommendations for a strategic framework’. In: F.D. Kramer, H.S. Stuart and L.K. Wentz (Eds.), Cyberpower and National Security. Dulles: National Defence University Press and Potomac Books, Inc., p. 15.
Levin, M.A. (1971). ‘Policy Evaluation and Recidivism’. Law and Society Review, 6 (1), pp. 17–46.
Lewis, E.R. and Sullivan, T.T. (1979). ‘Combating crime and citizen attitudes: A study of the corresponding reality’. Journal of Criminal Justice, 7, pp. 71–79.
Morgan, P.M. (2010). ‘Applicability of traditional deterrence concepts and theory to the cyber realm’, Paper presented at a workshop on deterring cyber-attacks, Washington, DC, p. 57.
Moyer, I.L. (2001). Criminological Theory: Traditional and Non-Traditional Voices and Themes. Thousand Oaks, CA: Sage.
Organisation for Economic Cooperation and Development (OECD). (2013). ‘OECD guidelines governing the protection of privacy and trans-border flows of personal data’. Available: http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf, Accessed 30 November 2013.
Orsagh, T. and Chen, J.R. (1988). ‘The effect of time served on recidivism: An interdisciplinary theory’. Journal of Quantitative Criminology, 4 (2), pp. 155–171.
Parker, D. (1998). Fighting Computer Crime: A New Framework for Protecting Information. New York: Wiley Computer Publishing.
Quinney, R. (1970). The Social Reality of Crime. Boston: Little, Brown.
Rowlingson, R. (2005). ‘An introduction to forensic readiness planning’. Centre for the Protection of National Infrastructure (CPNI) technical note, pp. 1–13.
Scherdin, M.J. (1986). ‘The halo effect: psychological deterrence of electronic security systems’. Information Technology and Libraries, 5 (3), pp. 232–235.
Sommer, P. (3rd edn.). (2012). ‘Digital Evidence, Digital Investigations and E-Disclosure: A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers’. Information AssuranceAdvisory Council, UK.
Taylor, R.B., Goldkamp, J.S., Weiland, D., Breen, C., Garcia, R.M., Presley, L.A. and Wyant, B.R. (2007). ‘Revise policies mandating offender DNA collection’. Criminology and Public Policy, 6 (4), pp. 851–862.
Tonry, M. (2008). ‘Learning from the limitations of deterrence research’. In: M. Tonry (Ed.), Crime and Justice: A Review of Research. Chicago: The University of Chicago Press, pp. 279–306.
Walker, C. (2006). ‘Computer forensics: Bringing the evidence to court’. Available: http://www.infosecwriters.com/text_resources/pdf/Computer_Forensics_to_Court.pdf, Accessed 24 January 2013.
Welch, T. (1997). ‘Computer crime investigation and computer forensics’. Information systems security, 6(2), pp. 25–56.
Williams, K.R., Gibbs, J.P. and Erickson, M.L. (1980). ‘Public knowledge of statutory penalties: The extent and basis of accurate perception’. Pacific Sociological Review, 23 (1), pp. 105–128.
Willison, R. (2006). ‘Understanding the perpetration of employee computer crime in the organisational context’. Information and Organisation, 16 (4), pp. 304–324.
Willison, R. and Backhouse, J. (2006). ‘Opportunities for computer crime: Considering systems risk from a criminological perspective’. European Journal of Information Systems, 15 (4), pp. 403–414.
Willson, J.Q. and Herrnstein, R.J. (1985). Crime and Human Nature. New York: Simon and Schuster.
Wright, V. (2010). ‘Deterrence in Criminal Justice Evaluating Certainty vs. Severity of Punishment’. The Sentencing Project Research and Advocacy for Reform, pp.1–9.