Page numbers in italics refer to tables or boxes.
account hijacking 3
account withdrawal 20, 22, 37, 41–2, 42
ACFE see Association of Certified Fraud Examiners
Adams, C. 64
advanced persistent threats (APT) 18
Allen, J. 44
Anderson, D. 57
Anti-Phishing Working Group (APWG) 15, 30n1
application fraud/account takeover 23, 37
application of deterrence theory 120–2
Archer, N. 64
Ashworth, A. 85
Association of Certified Fraud Examiners (ACFE) 21, 25, 64, 71, 109, 113, 135, 136
Australasian Centre for Policing Research 4
Austrian Federal Data Protection Act 122
APWG see Anti-Phishing Working Group
Bagozzi, R. P. 84
Barling, 24
Basel Committee on Banking Supervision 103
Berki, R. N. 85
Bhati, A.: ‘Quantifying the Specific Deterrent Effects of DNA Databases’ 123–4
Biddle, B. J. 56
Biegelman, M. T. 56
Bishop, M. 67
Bligh, M. C. 110
Braithwaite, J. 103
British Retail Consortium (BRC) 27, 27, 28, 67, 136, 137
Burke, P. J. 2
Burkhalter, C. 63
Cambridge Advanced Learner’s Dictionary 63
Cameron, K. S. 79
Canadian Privacy Act 122
Cappelli, D. M. 46, 63, 64, 67
Centre for Retail Research 53
Chartered Institute of Personnel Development 131
cheats 6
Checkpoint 17
Chia, P. A. 79
CIFAS (Credit Industry Fraud Avoidance System) 18, 20, 25, 130; Fraud Prevention Fraud Service 26; Fraud Report 28; Joint Survey 25; Report 22, 24
Cilli, C. 109
Clarke, E. 10
Clarke, R. V. 8, 45, 116–20, 123
Clickjacking / Exploit kits/Crime packs 18
coercive technology 7
collaborative internal information theft prevention 94–105, 147; agility 95; attributes 94–5; interoperability 95; role-based framework 95–103; vigilance 95; see also role-based framework
collaborative management 88, 96, 97, 104, 106–15, 147, 148; benefits of Information Security Audit 107; effective Information Security Audit implementation 108; implications of collaboration 108–10; interdependence of management improves prevention 111–13; recommendations for effective collaboration 110–1
Collins, J. M. 14
Computer Misuse Act 1990 77, 102
Computer Security Incident Handling Guide 137, 137
Confederation of British Industry (CBI): A Frontline Force: Proposals for More Effective Policing 86
Consortium for Cyber Security Action 128
Conte, J. M. 135
Cornish, D. 117
corporate information theft 22, 23, 36; company hijacking 23; company impersonation 23
corporate social responsibility (CSR) 103, 147
Cosgrove, F. M. 82
CRAVED (Concealable, Removable, Available, Valuable, Enjoyable, Disposable) 8, 9
credit card fraud 3
Credit Industry Fraud Avoidance System see CIFAS
Cressey, R. D. 12; fraud triangle 11, 99
Criminal Justice Commission 84
criminological theories to internal information theft prevention 116–26; access control 117; application of deterrence theory 120–2; Clarke’s 25 techniques of situational crime prevention 116–20, 118–19; digital forensics 122, 123–4; entry/exit screening 117; legislations/law enforcement 122–3; target hardening 117
Crittenden, J. 63
cross-functional management 60, 70, 84, 88, 94, 97, 99, 109, 111, 112, 113, 148
CSO Magazine 18
Cuganesan, S. 64
culturally oriented unethical security practices 83, 84, 109
Cybercash 24
Dahler-Larsen, P. 104
Danish Acts on Private Registers 122
database internal information theft 39–40
data compliance management 58, 71, 77, 78, 89, 98, 104, 108, 112
Data Protection Act 37, 49, 77, 102, 128
data protection policies 14–15, 66, 87, 89, 89, 90, 112, 134, 145
Distributed Denial of Service (DDoS) 18
Dobb, A. 120
Donkeys 6
Douglas, M. 6
Durkheim, E. 44
Fair Credit and Reporting Act 122
Federal Identity Theft and Assumption Deterrence Act USA 3, 4
Fighting Retail Crime Report 20–1
Financial Fraud Action 29
First Virtual 24
Fitzgerald, T. 84
Forrester Seeburger Security 128, 129
Forrsight Survey Report 21
fraud practices 22–4, 29; disclosure of commercial or personal data 22; fraudulent account withdrawals 22
Fraud Triangle 11, 99; Perceived Opportunities 11; Rationalisation 11; Social Pressure 11
Freedom of Information 2000 102
French Act on Data Processing 122
Gates, C. 67
Gercke, M. 95
German Federal Data Protection Act 122
Gerring, J. 5
Giordano, J. 67
Global Information Assurance Certification 134
Goffman, E. 2
Greitzer, F. L. 67
grid 6
group 6
Hawks 6
HERO (Highly Empowered, Resourceful and Operative Employees) 21
Hollinger, R. D. 7
Hood, A. 10
Hooks, K. L. 112
human-centred security 42, 45–6
human resource management 99, 101–2, 103
human resource security 64
IBM AppScan 132
IBM Research 27
idem identity 2
identity: concept 2; definition 2
identity deception 5
identity fraud 3, 4–5, 48, 66, 67, 101
Identity Theft Resource Centre 25; Identity Theft: The Aftermath 26–7
Information Commissioner’s Office 77, 128
information processing 52, 54, 57, 66, 67, 128, 131, 145; people as platform 54; retail business 55, 61, 135
information security (IS) 1, 15, 27; complexity 79–80; experts/professionals 36, 52, 54, 55, 59; policies 46, 78–9, 98, 119; threats 28, 47, 53
information security audit (ISA) 40, 48, 58, 106–7, 108, 135, 135–6, 145, 146, 148; benefits of internal security control assurance 107; cost reduction benefits 107; information systems security knowledge 107
information security management 40, 44, 52, 57, 58, 59, 60, 61, 64, 67, 72, 78–9, 80, 81, 97, 99, 100, 103, 111–13, 127, 131, 132, 148, 149
information systems structure 8, 9, 10, 14, 46, 60
information theft: definition 1–4, 5; definition varies by country 3
Insider Threat Security Architecture 67, 68
intellectual property 22, 25, 84, 122
Intellectual Property and Copyright Law 122
internal information perpetrators 10
internal information theft: absence of human-centred security in retail companies 45–6; account takeover 38, 39; account withdrawal 41–2; case from database 39, 40; characteristics 46–7; contextual issues 2–4; corporate information theft 23; credit card disclosure 40–1; factors that encourage 42; global retail business issue 25–7; impacts on retail business 24–5; increase of incidents 24–5; lack of empirical data 42–3; lack of incident analysis 44–5; nature 36–51; online retail companies 27–9; overdependence of management on software security 44; perception that perpetrators are shop-floor employees 44; perpetration methods 15, 37–42; perpetrators’ motive 7–11; retail business operations 43–4; UK prediction for 2015–2016 28–9; UK retail businesses 25, 27, 28; UK rise in cases 37; workplace 5–6; workplace dishonesty 6–7
internal information theft perpetration methods 15, 37–42; see also account withdrawal; application fraud/account takeover; present (current) address fraud
internal information theft prevention frameworks and their implications 63–75, 65–6, 68, 127–42, 133–4; challenges 87–91; cost of information system/technology security management 71; demand on companies to maintain increasing PID/I 70; failure of frameworks 68–71; generic information 63–6; management negligence 70; non-alignment of roles with IS security management team 70; perception of low expectations from IS security and compliance management by business managers 71; recommended practices 129; security of critical retail business assets 130–1; software-based 67–8; see also security and crime prevention management
internal information thieves 20–2; incidents vs. job roles 20, 21
internal security control 91, 106, 107, 112
International Association of Data Privacy 70
ipse identity 2
ISA see information security audit
ISO 69
ISO 19011:2011 113
ISO 9001:2000 57
IS security management 44, 57, 58, 59, 69, 70, 81, 95, 112, 113, 128
Lababidi, M. H. 65
Lacey, D. 64
law enforcement agencies: and police indifference in security and crime prevention management 85–7; roles 102
Le Lievre, E. 67
Leslie, C. 10
Lewis, G. 103
Luhmann, N. 56
management overdependence on software security 44
management roles in prevention of internal information theft 59–61, 60; managerial and policy 60; operational management 60; technical management 60; resource and control management 60; risk management 60
Manning, P. K. 83
Maynard, S. B. 80
McConville, M. 83
McLaren, T. S. 45
Menasce, D. A. 67
MERIT model 67
Metropolitan Police Operation Sterling MPS 20
Microsoft: Enhanced Mitigation Experience Toolkit 128; Windows 10 53; Windows Server 2012 53
Min, Q. 66
Moore, R. 46
Moorthy, M. K. 65
National Fraud Authority (NFA) Report 26, 36
Near Field Communication 18
Nelliker, 67
Newburn, T. 83
Niekerk, R. 67
Nieminski, J. 109
OECD see Organisation for Economic Co-operation and Development
Office of National Statistics (ONS) 37
Okeke, R. I. 64, 65, 70, 106, 108
online retail 6, 8, 11, 15, 16, 17, 20, 24, 27, 27–9, 29, 37, 38, 38, 39, 42, 46, 47, 57, 60, 64, 69, 72, 78, 85, 95, 101, 102, 103, 110, 113, 146; UK 52–3
organisational role theory 56–7
Organisation for Economic Co-operation and Development (OECD) 3, 4–5, 53; Transborder Data Flow Guidelines 123
Organised Crime Strategy Report (OCSR) 25
Park, J. S. 67
patchable software vulnerability 17, 18, 127
Patent Law 122
Payment Card Industry Data Security Standard (PCI DSS) 76–8, 79, 153; adoption of in prevention of internal information theft 76–8
PCI 69
Pease, K. 114
Pelletier, K. L. 110
people-centred roles in preventing internal information theft 52, 57–9, 58
perpetration methods 15, 16, 37–8; abuse of private knowledge 15; coercion 15, 16; collusion 15, 16; email/IM/web/Internet violation 15; infiltration 15, 16; patchable software vulnerability (PSV) 17; social engineering 15, 17; unapproved hardware/devices 15
perpetrators 13–14; characteristics 5, 46–8; concealment of perpetrators 7; Cressey’s Fraud Triangle Model 11; economic climate—recession 10–1; financial gain and rewards 7; motives 7–11; person theory 11; retail business environments 8; shop-floor employees 44; workplace theory 11
personal identifiable information (PII) 7–8, 15, 18, 20, 21; theft 23, 42, 48 (see also application fraud/account takeover; phishing; present [current] address fraud)
person theory 11, 12; Epidemic of Moral Laxity 11, 12; Marginality Proposition 11, 12; Opportunity 11, 12
PID account fraud 15
Ponemon Institute Research 132
Preliminary System Dynamics Maps of the Insider Cyber-threat Problem 57
present (current) address fraud 23, 37
PricewaterhouseCoopers (PwC) 68–9, 70, 71, 80, 108, 135–6
Privacy Act 122
Project Griffin 87
proprietary information systems 131–2, 132
Punch, 84
Reiner, R. 83
retail business operations 43–4, 52–62; information processing 54, 55; Loss Prevention team 48–9; management roles in prevention of internal information theft 59–61, 60; negligence of security challenges 84; organisational role theory 56–7; overregulated and disjoined information security policies 78–9; people 53–5; people-centred strategy in prevention of internal information theft 57–9, 58; people platform for information processing 53–5, 54; Regional Loss Prevention 49; role of people in prevention of internal information theft 55–6
retail management negligence of security challenges 84
role-based framework 95–103; collective roles 102–3; cross-functional management 60, 70, 84, 88, 94, 97, 99, 109, 111, 112, 113, 148; flexible support 97; key attributes 96–8; middle management 100–1; monitoring 97; roles of human resource management 101–2; roles of law enforcement agencies 102; service-level agreements 97; structure 98, 99; supervisory management 101; support capabilities 97; top management 99–100
Roukis, G. S. 84
Rowlingson, R. 123
Rudesill, C. L. 112
Ruighaver, A. B. 80
Sanders, A. 82
SANS Critical Security Controls 128
Sarbanes-Oxley 69
SAREM (Stealth, Challenge, Anonymity, Reconnaissance, Escape, Multiplicity) 7, 8
scareware 18
Scerra, N. 82
Schulze, M. 66
security and crime prevention management 79–83, 89; clarity of roles 88; classification of information theft incidents 81–2; complexity of information security 79–80; complexity of internal information theft incidents 90; cooperation/support 88; lack of clarity of data protection policy 14, 87, 90; lack of employees/end-user awareness training 89; lack of trained IS/T staff 90; negligence of security challenges 84; narrowly defined security roles 80–1; negligence 84; operational changes 88–9; other related challenges 87–91; poor internal data security control and strategy 91; poor IS/T security tools 90–1; stereotyped attitudes 82–3
security auditors 65, 70, 77, 78–9, 107, 108, 109, 112, 113, 148, 152
security practices for internal information theft prevention 127–42; critical retail business assets 130–1; detection mechanisms as prevention practice 136–9, 137–9; governance and security intelligence 134–5; information theft risks associated with recruitment 131; perpetration 140–1; proprietary information systems 131–2, 132; recommended 129; strategy 133, 133–4; use of Information Security Audit 135, 135–6
Sekerka, L. E. 84
Seneviratne, M. 86
Sequel Query Language (SQL) 18, 137, 141
service-level agreements (SLAs) 97
Shah, M. H. 28, 64, 65, 66, 70
Shepherd, D. 83
Skolnick, J. 82
Slapper, G. 83
Smith, S. 66
Smith-Chao, S. 66
Social Network Attacks 18
software security 42, 44, 55, 60, 67, 70, 71, 72, 79, 146, 147, 153
Solms, R. V. 67
Sony PlayStation Network 132
Steinbart, P. J. 65
Steinnon, R. 112
Stephens, G. 66
Stickley, J. 28
supervisory management 101
Swedish Data Act 122
targeted assets by internal information criminals 18–20, 19
Taylor, R. B. 124
technical up-griddling 7
terrorism 87
theft incidents 17, 18, 20, 28, 28–9, 42, 43, 44–5, 69, 70, 77, 79, 81–2, 85, 87, 88, 90, 98, 104, 109, 111, 112, 134, 136–7, 137, 138
Tombs, S. 83
Trade Secrets Law and Trademark Law 122
Trustworthy Computing 53
Tsai, J. L. 79
UK Association of Business Crime Partnerships 36
UK Data Protection Act 37, 49, 77, 102, 128
UK Fraud Advisory Panel 4, 22, 24, 131
UK Home Office 29, 48; Identity Fraud Steering Committee 3, 4; A New Approach to Crimes 86
UK National Audit Office Report 26
UK National Fraud Authority 26, 36
United Nations Intergovernmental Expert Group (UNIEG) 3
University of Wisconsin 117
US Department of Homeland Security 64
US Department of Justice 14
US Privacy Act 122
Vacca, J. R. 69
Van Maanen, J. 110
Vasiu, L. 66
Verisign 24
Verizon Data Breaches Investigation Report (DBIR) 16, 17, 18, 20, 24, 132, 136–7, 138
Verizon Risk Team Survey Report 18, 21
vultures 6
Walker, A. 86
Wang, W. 64
Webb, B. 83
Webster, C. 120
Welch, T. 123
Wells, J. 25
Wenger, E. 94
Winchester, D. W. 66
wolves 6
workplace theory 5, 11, 13; climate and structure 13; deterrence doctrine 13; perceived fairness 13
Wright, M. A. 66