This essay aims to highlight some of the causes for concern for the security manager. The paper will touch briefly on elements of burglary, white collar and corporate crime, theft and fraud, staff dishonesty, expressive crimes and robbery. However, the underlying element in this paper which is viewed to be the most noteworthy problem for the security manager is that of cybercrime.
The role of the security manager is demanding with his efforts needing to provide advice for all parts of the organisation. He is there to advise line managers and the IT department, to provide textual information in regards to the security systems, to allow a degree of flexibility to adapt to an ever changing organisation and communicate the importance of the defence mechanisms in place to all affiliates of the organisation (Albrechtsen & Hovden 2009, p.6). Not only is his job related to the information technology aspects of the organisation, but his role may include physical and employment security, crime management, risk assessment and management, detecting and preventing employee dishonesty and theft and to safeguard the import and export routes into the organisation to protect against 3rd party criminals. The predominant argument in this paper as to why cybercrime poses the highest threat is in regards to the invisibility of the cybercriminal and the vast array of tools he has at his disposal to pose both a minor and major threat to any organisation. If the security manager is to be successful it is vital that they have knowledge of business and security experience.
Cybercrime can be defined in numerous ways in regards to the particular speciality in which the crime is committed. Cyber Attack, Cyber Warfare and Cyber Terrorism are all elements of cybercrime yet their severity can vary with changeable levels of destruction. McCusker (2007, p.2) states that;
“At the basic level of analysis there is no discernible control mechanism in place insofar as terminology is concerned. Thus, one might speak of ‘cybercrime', ‘high tech crime', ‘computer crime', ‘technology crime', ‘digital crime' and ‘IT crime' and be discussing the same and/or different concepts, respectively”.
Clearly there is a mass of definitional literature which may overpower the reader and thus for the purpose of this essay, cybercrime will be used to describe the wide array of cyber threats that may pose as a risk to the security manager. To give a little simplicity to a complicated subject, cybercrime;
“...is the use of computers and computer technology as tools in crime commission including manipulating information stored on computer systems in such a way that it violates the law.” (Ross & French 2009, p.14).
As demonstrated, cybercrime definitions are related to the many different ways in which the internet and computers can be incorporated during the crime and poses a difficulty for the academic to describe (Gordon & Ford 2006, p.13). There is some disagreement between perceived experts in the field, some assuming that cybercrime is no different from any other criminal act, and those who view cybercrime as an entirely nouveau crime, with the need for its own laws and regularities to be in place (Adomi 2010, p.712). Arguments have appeared concerning whether such online crime can be categorised into our regular criminal justice system, due the deficit in available research materials which support or oppose either argument (McCusker 2007, p.1). The world of the internet is growing every day and available threats to personal and national security are also never-ending. Due to the rapid expansion, a difficulty arises in its measurement. Something that is so difficult to measure also suggests that the definition may be complex too.
The job of the security manager is not merely to protect their network from hacking as is too often assumed by lay individuals, but from an overwhelming and exhaustive list of different possible ways that a cybercriminal has at their dispense for the use of gain, be it financial or personal. It has been reported that up to 50% of US business had fallen victim to a breach of cyber security in 2005, an overwhelming figure (Yang & Hoffstadt 2006, p.201). The sheer amount of internet users in the world is significant, with Asia (South Korea, Hong Kong, Singapore etc.) having at least 70% of its household population having access to the internet (broadband the most common type). China reported over 94 million users in 2004, showing the extreme growth of the World Wide Web demonstrating the vast vulnerability of the entire world (Broadhurst 2006, p.5).
In any cyber offence, it is clear that the computer acts as the weapon to destroy other systems or to gain access to an individual's assets. They take on a role of somebody else, instructing others as if they were the victim, with little acknowledgment from others affected that anything may be far from normal. One of the biggest issues therein is the disguisable ability of the cybercriminal, the capacity to hide behind the mass of the World Wide Web and the ability to manipulate traceability links to create false locations with the use of IP address manipulation (Aljifri 2003, p.24) and IP theft (Detica, 2011, p. 2). The position of digital information in the 21st century now means that risks to criminal access and corruption require continued attention from a variety of organisations from national, regional and to international protection (Broadhurst 2006, p.3).
However it is not only cybercrime that the security manager needs to be prepared for. Violent crime in the workplace is also a risk to security managers, not only for the welfare of employees, but for the financial implications of the organisation. Victimisation in the workplace expenditure reaches 1,751,100 days of work per year, approximately $55 million in income (Bachman, 1994, p.1). The research further noted that males were more likely to be the victim of violence in the workplace and females more likely to be the victim of theft. Simple measures in regards to the safeguarding of personal belongings (lockers etc.) are likely to reduce this issue and after an initial outlay, the management of the issue should be minor. In regards to male violence, once a perpetrator of violence has been identified, his removal from the company is likely to resolve the issue, although this is no guarantee that future interpersonal violence will not occur. Violent crime in the workplace is a rare occurrence (Neuman & Baron 1998, p.391) and when it does occur, aggressive individuals have cited that their behaviour is intended to gain the same progression of that on the non-aggressive individual ( Bowler et al. 2011, p.427) and hence informative procedures and progression seminars are likely to benefit the grieved employee. However, violent crime, theft in the workplace and robbery/burglary are tangible in nature as opposed to the often unidentifiable or silent crime of the cybercriminal; that is the crime often takes place with no recognition at the time of the offence. Issues arise in regards to surveillance systems used to monitor theft occurrences due to human rights, however theft and fraud in the workplace are still criminal acts and thus a certain level of such surveillance is justifiable (Miller & Weckert 2000, p.255).
Theft and dishonesty in the workplace has been a common cause for research over the recent 20 years (e.g., Beck & Willis 1993) and suggestions of efficient solutions have been made such as effective discipline and moral training (Ikelegbe & Ofulue, 2006, p.83). Discipline is different from punishment such that punishment can often stem from an intentional form of pain or an unpleasantness by a member of authority. Discipline differs in that it need not be unpleasant and it does not necessarily need to be received from somebody in authority (Johnny, 2001 cited in Ikelegbe & Ofulue, 2006, p.84). This allows a little breathing space for the security manager who is able to delegate his resources to line managers in terms of effective management of deviant behaviours in the workplace that incorporate theft and dishonesty. Theft prevention may incorporate simple security measures as aforementioned including video surveillance. A security manager has the ability to allow the monitoring of emails when issues of criminal acts are in question with the view of intercepting/preventing the offence. Ethics are of great importance in the workplace and may supersede a criminal prosecution if such boundaries have been crossed (Frisque et al. 2004, p.28). However, emails that are sent with a company domain are accessible to the company and allow for better crime prevention to be implemented, although the interception of personal emails is not permitted. The mere knowledge that emails may be intercepted is often deterrent enough for the workplace criminal to avoid work emails for collaboration; however this may not stop the use of private email systems.
Statistics from a recent research paper estimated that white collar crime resulted in a $250 billion loss compared with a $17.6 billion loss in regards to household losses from crimes such as arson and theft (Holtfreter et al. 2008, p.50). Information retrieved from the Internet Crime Complaint Centre, estimated the cost of cybercrime (based only on data available to the US) to be $931 billion, an unfathomable amount. Furthermore, other digestible figures of approximately £47 billion are estimated for the UK cybercrime rate annually alone (Detica, 2011, p. 2). Clearly the effect of cybercrime on society and industry is immense; presenting the security manager with an imperative role in protecting their organisation from an attack. Unfortunately research is of the opinion that cybercrime is on the increase (Nisbett, 2002). These figures alone represent the severity of the damage that cybercrime can cause to any organisation.
Amit (2010) has noted that the major anti-virus software industries have worked hard to create high level protection systems. The issue however lay in the fact that they will never be able to provide security against all viruses. It is this vulnerability which presents as a major problem to the security manager. Online business transactions are commonplace and the amount of e-commerce that is involved in the modern organisation is continually expanding. There has been an intense spike in the number of e-card, debit and credit card transactions which allows the cybercriminal access to personal identification numbers (PIN), bank and company information (Boyd 2009; Shackelford 2009). The sheer mass of possible cybercrime is indefinable, ever expanding and infinite in its capabilities, proving an almost impossible task for the security manager. As McCusker (2007, p.5) notes;
“The recognition by the business sector of the wealth of product placement opportunities available on the Internet will not have escaped the notice of traditional organised crime entities.”
The environment the internet provides for the cybercriminal allows for the perfect crime when utilising a social engineering attack. In such an attack the victims are themselves guilty of allowing malware to run on their machine with the cybercriminal mirroring the warning messages often presented amongst today's operating systems. The victim may be advised by their machine that they are missing a particular codec; when in fact by assumingly allowing this codec to install they are allowing a Trojan to enter his machine, giving the cybercriminal full access to their computer (Provos et al. 2009). Spamming has become a method of choice for the cybercriminal, allowing the internet's own infrastructure to facilitate the spread of unsolicited email, often including phishing information (an encouragement for individuals to enter personal financial information into a login site that mirrors that of an official site, i.e. banks and building society's online banking systems) from any infected machine. This allows the cybercriminal to remain anonymous to the security manager and may also allow them to surpass security measures in place. The security manager may have blocked particular domains, but by facilitating the domains of personal user's emails, there is an entry point which is not guarded by an antivirus system. These infected machines are known as ‘botnets' (Berg, 2007, p.20) and are able to house ‘botviruses', which causes the computer to utilise the ‘always on' internet facilities of broadband, retrieve information from a central ‘bot master' and run spam over thousands of infected machines. This allows a virus/phishing email to spread with no real lead on the initial commander. Once more, the anonymity of the internet is to the cybercriminals gain.
Further vulnerabilities allow the cybercriminal to perform web attacks, SLQ injection attacks, redirections, drive by downloads and to take over web servers (Ibid). The main concern at any one point is that due to the programming nature of the computer galaxy, there will always be one more programme, virus or Trojan just around the corner. Whenever counter measures are introduced there is always the ability for a hacker to ‘crack' the system, shut down servers and cause havoc amongst industry; all behind the smokescreen of the World Wide Web.
“Technological advances have always been used to the advantage of the criminal fraternity.” (McCusker 2007, p.1).
As McCusker further notes, the internet was not designed to be an intelligent system, merely an expansive library for the world to store and publicise information. The infrastructure on which the internet is based has not changed since its introduction and therefore is becoming ever more strained under the compression of such increasing internet. Cybercrime is becoming more convoluted with every day that passes. It is a highly organised crime and becomes more demanding to stop or prevent as cybercriminals utilise nouveaux technologies such as social networking sites (facebook/twitter), foreign based criminal syndicates and smart viruses (Berg, 2007, p.19).
Although changes in the internet infrastructure began prior to the year 2000 (Speer 2000, p.259), it is only touching the surface of the continual growth which needs reorganization. This incapability to stay ahead of the development is where vulnerabilities are detected and are utilised to the cybercriminals advantage. Alas, the security manager is unable to defend or protect an entire worldwide system upon which his computer network runs which is slowly softening in terms of security. Although the security manager can install and run the latest and most up to date security systems, if the mainframe on which they perform is to become compromised, then the entire system is defenceless to an attack. Again, McCusker (2007, p. 6) describes the predominant weakness of the internet;
“... the Internet was never designed to be secure from exploitation. The strength of the Internet in terms of its rapid communication facility has become one of its undermining weaknesses.”
What should be noted is that businesses and organisations in our modern world rely heavily on the internet and the technology of the computer. Letters have been replaced with emails and telephone conversations with instant messaging (IM) services, all with one thing in common; their traceability. Every email, IM conversation, webpage and keystroke is logged and accessible to the hacker. With this information, it does not matter how big the fences surrounding the organisation are or how thick the walls are or how complicated the code to the building is. The cybercriminal has access to all the keys, from the comfort of their own home. Big assaults no longer require the manpower of typical physical assaults. One offender is enough to wreak havoc amongst a nation. In 2003, a 14-year-old boy was arrested in Hong Kong for falsifying a website, supposedly created by a well reputed local newspaper. He entered onto the website false information regarding the SARS epidemic and informed readers that Hong Kong was to be declared a closed port. The widespread terror caused an overwhelming impact on the nation, with supermarkets cracking under the pressure of individuals packing their shelves with food before the quarantine of their homes. Only hours later were the inhabitants of Hong Kong were informed that the rumour was false did the frenzy subside (Broadhurst 2006, p.4).
“With these risks has come the awareness that ‘information security' is no longer a matter for the technical and computer specialist, but for millions of people who now engage these new media every day for business, communications and leisure.” (Ibid, p.5).
Simply put, the attacker does not need to place assault unto a business's assets, merely its computers (Yang & Hoffstadt 2006, p.201). This is a colossal problem for the security manager who is unable to neither watch the systems 24/7 for signs of attack nor provide the organisation with the security tools which have stood the test of time. For there can be no tools of great standing as these non-tangible threats change every day. Anti-virus systems work hard at providing daily updates for the security manager to have in place. But unfortunately for an anti-virus system to be able to detect a virus, the virus must first be created and unleashed into the internet. The virus then acts in the way in which it was designed, is reported by a user who is affected and the system is updated. The problem herein lie that the security mangers organisation is always at threat of a virus.
Obtaining computer data will continue to be the driving force in the world of cybercrime. In a 2009 report, the Giorgia Tech Information Security Centre published a report that stated that the five primary security threats were that of; malware, botnets, cyber warfare, threats to VoIP and mobile devices and the evolving cybercrime economy (Ahamad et al, 2008, p.1). Malware is said to be one of the highest threats to the security manager with the ability to destroy/edit poorly configured websites, allowing the cybercriminal access to one of the most predominant forms of contact with the consumer. Bonets are the next biggest threat with potentially 10% of all computer systems being part of a network of machines infected with malicious code at the hands of a cybercriminal master (Ibid, p.2), with little real chance of being detected. If this is accurate the security manager may have up to 1 in 10 machines in their organisation form part of an online world of crime which they know nothing about. Detecting and finding such malicious code is time consuming and sometimes impossible with the ever changing intelligent virus.
“Bot communications are designed to look like normal (Web) traffic using accepted ports, so even firewalls and intrusion prevention systems have a hard time isolating bot messages” Ahamad et al, 2008, p.2).
Clearly as this shows, along with many of the threats this paper has described, protecting an organisation from the endless possibilities of cybercrime is a very difficult task for the security manager. The internet is a non-tangible infrastructure, relying on a mass of programmes computed by humans. In contrast, crimes such as workplace violence and theft seem insignificant in comparison. There will never be a violent attack, theft or organised white collar crime incident that could compare to the severity of a cyber-attack. Potentially, entire nations personal and financial information are at the hands of a small few, who with the technical knowhow are able to wipe out/destroy such information with a few simple keystrokes. The security manager is no match for the world of cybercrime and should accept that they will always be fighting a losing battle. However, it may in fact be the continual strive for victory over the cybercriminal that prevents them from taking complete control. As long as there are IT professionals and programmes readily available to the consumer and corporate organisation that only allow partial destruction over complete devastation, then we are in part protected. However, as aforementioned, the security manager is always at threat, as the next virus is continuously imminent.
Adomi, E.E. ed., 2010. Handbook of Research on Information Communication Technology Policy, IGI Global. Available at: http://www.igi-global.com/bookstore/chapter.aspx?titleid=45419 [Accessed August 28, 2011].
Ahamad, M., Amster, D., Barrett, M., Cross, T., Heron, G., Jackson, D., King, J., Lee, W., Naraine, R., Ollmann, G., Ramsey, J.,Schmidt, H. and Traynor., P. 2008. Emerging Cyber Threats Report for 2009, USA: Georgia Tech Information Security Center.
Amit, I. 2010. “Cyber [Crime/War]” Connecting The Dots [online]. Available at: http://www.sourceconference.com/publications/barc2010pubs/CyberCrimeWar-SOURCEBCN.pdf. [Accessed August 28, 2011].
Albrechtsen, E. & Hovden, J., 2009. The information security digital divide between information security managers and users. Computers & Security, 28(6), pp.476-490.
Aljifri, H., 2003. IP traceback: a new denial-of-service deterrent? IEEE Security & Privacy, 1(3), pp.24- 31.
Bachman, R. 1994.Violence and theft in the workplace. Washington, DC: U.S. Department of Justice.
Beck, A. & Willis, A., 1993. Employee Theft: A Profile of Staff Dishonesty in the Retail Sector. Journal of Financial Crime, 1(1), pp.45-56.
Berg, T. 2007. The Changing Face of Cybercrime – New Internet Threats create Challenges to Law Enforcement Agencies. Available at: http://www.michbar.org/journal/pdf/pdf4article1163.pdf [Accessed August 28, 2011].
Bowler, M.C. et al., 2011. The Impact of Interpersonal Aggression on Performance Attributions. Group & Organization Management, 36(4), pp.427 -465.
Boyd, B.L., 2009. Cyber warfare: Armageddon in a Teacup?, Available at: http://stinet.dtic.mil/oai/oai?&verb=getRecord&metadataPrefix=html&identifier=ADA512381 [Accessed August 29, 2011].
Broadhurst, R., 2006. Developments in the global law enforcement of cyber-crime. Policing: An International Journal of Police Strategies & Management, 29(3), pp.408-433.
Detica. 2011. The Cost of Cybercrime. Available at: http://www.detica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf[Accessed August 29, 2011].
Frisque, D.A., Lin, H. & Kolb, J.A., 2004. Preparing Professionals to Face Ethical Challenges in Today's Workplace: Review of the Literature, Implications for PI, and a Proposed Research Agenda. Performance Improvement Quarterly, 17(2), pp.28-45.
Gordon, S. & Ford, R., 2006. On the definition and classification of cybercrime. Journal in Computer Virology, 2(1), pp.13-20.
Holtfreter, K. et al., 2008. Public perceptions of white-collar crime and punishment. Journal of Criminal Justice, 36(1), pp.50-60.
Ikelegbe, S., & Ofulue, J. 2006. Deviant Behaviours in the Workplace: Causes, Impact and Effective Discipline. Inter-World Journal of Management And Development Studies, 2(1), pp.78-87.
McCusker, R., 2007. Transnational organised cyber crime: distinguishing threat from reality. Crime, Law and Social Change, 46(4-5), pp.257-273.
Miller, S. & Weckert, J., 2000. Privacy, the Workplace and the Internet. Journal of Business Ethics, 28(3), pp.255-265.
Neuman, J.H. & Baron, R.A., 1998. Workplace Violence and Workplace Aggression: Evidence Concerning Specific Forms, Potential Causes, and Preferred Targets. Journal of Management, 24(3), pp.391 -419.
Nisbett, C (2002). New directions in cyber-crime, White Paper, QineticQ. Available at: http://www.qinetiq.com/home/security/information_and_network_security/white_paper_index.Par.0012.File.pdf[Accessed August 29, 2011].
Ross, J.I. & French, J.L., 2009. Cybercrime, Infobase Publishing.
Shackelford, S.J., 2009. From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. Berkeley Journal of International Law, 27, p.192.
Speer, D., 2000. Redefining borders : The challenges of cybercrime. Available at: http://cat.inist.fr/?aModele=afficheN&cpsidt=1164154 [Accessed August 31, 2011].
Yang, D.W. & Hoffstadt, B.M., 2006. Countering the Cyber-Crime Threat. American Criminal Law Review, 43, p.201.