SlideShare una empresa de Scribd logo

1 s2.0-s0167404801002097-main

Caio Sanchez Christino
Caio Sanchez Christino
Tecnología
1 de 8
Descargar para leer sin conexión
Computers & Security Vol.20, No.2, pp.165-172, 2001 Copyright © 2001 Elsevier Science Limited Printed in Great Britain. All rights reserved 0167-4048/01$20.00 Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns Gurpreet Dhillon College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6009, USA, dhillon@nevada.edu. A majority of computer security breaches occur because internal discussion). These insiders could be dishonest or dis- employees of an organization subvert existing controls. While exploring the issue of violation of safeguards by trusted personnel, gruntled employees who would copy, steal, or sabotage with specific reference to Barings Bank and the activities of information, yet their actions may remain undetected. Nicholas Leeson, this paper provides an understanding of related information security concerns. In a final synthesis, guidelines are Numerous security breaches have been reported in provided which organizations could use to prevent computer the popular press describing the sequence of events. In security breaches. the UK for example, a fraud against the National Heritage Department resulted in payments of over Introduction £175 000 being made to fictitious organizations. In another case, a small US based Internet service Businesses today are experiencing a problem with man- provider, Digital Technologies Group, had its comput- aging information security.This is so not only because ers completely erased, allegedly by a disgruntled of increased reliance of individuals and businesses on employee. The dismissed employee was later arrested information and communication technologies, but also and faced a prison sentence of up to 20 years. because the attempts to manage information security have been rather skewed towards implementing increas- Clearly violations of safeguards by trusted personnel ingly complex technological controls. The importance resulting in information security breaches are real and of technological controls should not be underplayed, need to be addressed. A requirement also exists for but evidence suggests that the violation of safeguards by establishing guiding principles that organizations could trusted personnel of an organization is emerging as a adopt in moving a step forward to manage such infor- primary reason for information security concerns. mation security problems. In addressing these concerns Between 61 and 81% of computer related crimes are and needs, this paper reviews the nature of information being carried out because of such violations (see security breaches occurring because of violation of Dhillon [5]; Dhillon and Backhouse [6] for a detailed safeguards by trusted personnel. The case of Barings 0167-4048/01$20.00 © 2001 Elsevier Science Ltd. All rights reserved 165
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon Bank and the violation of safeguards by Nicholas Since Leeson had gained an immense amount of trust Lesson, a trusted employee, are used to interpret the through his profits, £30 million for Barings in 1994 nature and scope of such security breaches.This is fol- alone, he was able to circumvent many of the security lowed by a discussion that forms the basis for generat- inquiries against him without consequence. Leeson lost ing principles for effectively managing the violations of £126 million in Nikkei futures and Japanese safeguards such that the security of computer based Government bonds on 23 February 1995 after losing systems within organizations is not compromised. £701 million over the past two years. Given the lack- adaisical organizational and information security con- straints at BB&Co., Leeson was able to hide his losses Violation of Safeguards at Barings in a secret account created using Barings’ accounting Bank computer systems.This was account 88888. This section reviews the violation of internal orga- The basic problem at BB&Co. that is of relevance to nizational controls by an employee to gain undue this paper, is the lack of correctly enforced organiza- advantage. It stresses the importance of instituting tional information security measures. Even though a informal controls if computer security situations are functional security plan was in place at BB&Co., it to be adequately managed.The security issues arising did not take into account any interpretive data in its from the misuse affect information systems integrity, implementation, so leaving BB&Co vulnerable. formal and informal control mechanisms, and organizational cohesion in terms of culture. Corporate Restructuring Challenges As BSL expanded and contributed increasing amounts Background to the revenues of the entire Barings Group, rivalry Barings Brothers & Co. (BB&Co.), a 223-year-old developed between BSL and BB&Co.Also, as internal institution specializing in traditional merchant bank- competition between the companies accelerated, so ing, decided to expand into investment banking in did the incentive to take on more risk at BSL. The 1984 as a result of deregulation in the British financial risk-taking management style and fast expansion of markets. BB&Co. established a brokerage firm under BSL left little time for implementing proper control the name of Barings Far East Securities, but this was mechanisms that would guard against financial impro- later changed to Barings Securities Limited (BSL). priety. Barings Group directors became concerned The new company adopted the corporate culture and initiated a corporate restructuring. from its founder Christopher Heath, a man recruited from the brokerage firm Henderson, Crosthwaite & The first thing that went wrong with the corporate Co. Heath brought many like-minded people into the restructuring was that the preferred corporate cul- new Barings subsidiary and created a strong corporate ture of fiscal conservatism could not be transferred culture. This culture was more profit seeking and from BB&Co. to BSL. Had the original conservative money-oriented than the traditional merchant bank- culture been instilled at BSL’s development, perhaps ing culture that had existed at BB&Co for centuries. through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, there BB&Co collapsed in 1995 due to one individual’s probably would have been less rivalry and less wrongdoing and many other individual’s security unwarranted risk-taking. negligence. Nicholas Leeson, the General Manager of Barings Futures Singapore Pte, Ltd. (BFS), a Problems could also have been controlled if it was subsidiary of BB&Co. exploited substandard not for the matrix structure.The structure per se was information security systems and caused the not wrong, but it was not implemented correctly, company to be placed under judicial management causing confusion and unclear reporting lines. and eventually to go bankrupt. Management’s lack of understanding of its own 166
Computers & Security, Vol. 20, No. 2 responsibilities allowed Leeson and others to go One of the first things accounting auditors learn in unsupervised locally, which could have prevented their studies is that examining the internal controls the unethical behaviour and its escalation. Adopting of an organization can tell a great deal about the a hierarchical control system that limits decision- company, how effectively it works, and how aware making could have prevented this. By standardizing management is of their business processes. jobs, implementing direct supervision, and making Management is responsible for maintaining the enti- sure that checks and balances were in place, no ty’s controls. Of course, the controls’ effectiveness employee would have been able to take covert depends on the competency and dependability of actions that would have jeopardized the entire orga- the people using it. Clearly, in this case the size, nization.The situation at Barings Group was a disas- structure, and personnel were available to have effec- ter waiting to happen. It defies probability that the tive controls, but Barings did not manage them, entire collapse did not happen earlier. There are prioritize them, or take responsibility for maintain- several factors that contribute to this assertion. ing them. The most problematic cause of disaster lies in the roots When management establishes its system of internal of BSL itself. BB&Co. began their subsidiary by hand- controls, there are several principals that are important ing over total control to Christopher Heath.The bank to their plan. One fundamental principal is segrega- even requested that the staff of the new subsidiary con- tion of duties. It is important to segregate the areas of sist of employees of Heath’s current company, revenue generation, or custody of assets, and record Henderson, Crosthwaite & Co., where he was a part- keeping. This principal is extremely important ner. It was from this moment that BB&Co. placed because it prevents a single individual from commit- complete trust of BSL in the hands of an entity unfa- ting misappropriation of company assets or revenue miliar to Barings Group. BB&Co. had essentially relin- and then concealing the defalcation by altering the quished control. Even though Heath was a positive records. Some companies even separate controls even influence in creating a company culture that fostered in further in such a way that it would require two or ambition and individualism, he also created an envi- even three individuals to commit this crime and ronment lacking in formal control mechanisms. conceal it on the books. Another factor that foreshadowed the demise of Barings was the rivalry that developed between the two This internal control was not present at BFS. Leeson main firms in Barings Group: BB&Co. and BSL. was responsible, as part of his position, for overseeing the trading and trade processing, settlement, and When Nicholas Leeson came to Barings Future administration. He had access to the authorization Singapore (BFS), a subsidiary of BSL, as General and creation of trading accounts on the IT system; Manager, he would soon be credited with bringing responsibility for generating income by trading a down the entire banking organization. He effectively ‘book of business’, and also the ability to make jour- kept his gross misconduct from being openly discov- nal entries that were posted to the system, apparently ered because of two main reasons: (1) the autonomy without review. of BFS from the central hierarchy and (2) the absurd lack of internal controls throughout the entire Another key problem was the lack of an effective Barings Group. internal auditing department. Problems or weakness- es with the design of the internal controls and dis- crepancies with the adherence to those internal con- Evaluation Of Organizational Controls trols are the primary responsibility of the internal auditing department. Internal auditing departments Internal Controls prioritize their activities based on a risk analysis. The implementation of internal controls for any Areas that are potentially more vulnerable to the organization is key to running a ‘well-oiled’ business. company are their responsibility. Obviously this 167
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon department failed to do its job if the activities of a was discovered in later years that there was evidence small branch in Singapore were able to bring down of memoranda flying around about this blatant lack of the entire bank. separation of duties long before the collapse, yet noth- ing was done to change it. Fourth, information tech- The key risk items that should have been looked at nology is used to gather company transactions and to was, first of all, the lack of segregation of internal con- maintain accountability to clearly communicate what trol at the branch level. Leeson was a General is happening in the organization. At Barings Bank the Manager who was responsible for both making trades management, internal auditors, and external auditors and recording them. Second, a small branch in were all staring at the ‘88888’ account problem, after Singapore was showing abnormally large profits. all, it was a glaring piece of information, yet no-one Third, account balances were not reconciled. Daily attempted to reconcile this piece of reported infor- reconciliation in the computer age is not unreason- mation. It is true that Leeson hid things, forged doc- able. Fourth, why were receivables in the Singapore uments, had information shredded by subordinates, Office so high? The internal audit department was restricted access to financial information, etc., but the either incompetent or lacking in sufficient fraud could still have been uncovered. Leeson simply organizational support to be effective. had the confidence that even with all the controls in place and the inquiries into discrepancies that were There are five components of an ideal internal control found, he would still be able to beat the internal con- mechanism that management should use to design trol system and recover the severe losses he was accu- and implement controls to give reasonable assurance mulating because the system was weak, flaky, and, that the control objectives are being met.These com- therefore, easily circumvented. Fifth, monitoring the ponents are the control environment, risk assessment, quality of controls periodically is essential to have control activities, information and communication, effective controls. The internal audit department of and monitoring. Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings’ control func- First, the control environment consists of actions, tions used varying degrees of the ‘hands-off ’ approach policies, and procedures that reflect the overall atti- in performing their jobs. tudes of top management about control and its importance to the corporation. Clearly Barings Bank External Controls had some internal controls in place, but they were performed more as a checklist than for true discovery The external auditors also failed in their professional or prevention. Second, management should assess the responsibility to detect material fraud at the Singapore risk in the design of its internal controls to minimize office. Deloitte & Touche were the auditors through errors and fraud. Having the level of autonomy that 1993, the time during which account 88888 was BFS did from the Bank, the risk was much greater and established. By then Leeson’s loss was £23 million; should have caused increased sensitivity for strict this clearly would have been material to BFS’ opera- adherence to a good internal control system. Third, tions. Essentially, on the financial statement, Leeson control activities include other policies and proce- was booking an entry to record the loss as income and dures that help to ensure that necessary actions are as a receivable in order to conceal this loss. Deloitte & taken to address risks in the achievement of the com- Touche failed in their audit of both the revenue of pany’s objectives. Such control activities, adequate BFS and the assets of BFS.The unprofessional manner documents and records, physical control, and inde- that they used to satisfy themselves that the receivable pendent checks on performance are important com- was correct was a major factor contributing to their ponents of internal control mechanisms. Barings’ demise. management knew Leeson had control of both the front and back offices of a After 1993, Coopers & Lybrand were the auditors division (BFS) they hardly knew anything about. It for BFS. Coopers also failed in their confirmation of 168
Computers & Security, Vol. 20, No. 2 the bogus Spear, Leeds & Kellogg (a New York trad- combination of personal factors, work situations and er) receivable. Leeson had earlier claimed it to be a available opportunities [2]. Hearnden [8] believes that computer error. However, when the auditors pur- most of the perpetrators are motivated by greed, sued the point further, he claimed that it was a financial and other personnel problems. Forester and receivable. Confirmations should be requested Morrison [7] suggest that sometimes even love and directly from the debtor by the creditor but returned sex could provide a powerful stimulus for carrying directly to the auditor. Since Leeson produced the out computer crimes. A survey conducted by the UK documents himself, it was not credible evidence for Audit Commission in 1994 found, in addition to per- auditing purposes. Second, if they were to be relied sonal factors, disregard for basic internal controls upon, Coopers & Lybrand could have made a phone (password not changed, computer activities not trace- call to Leeson’s point of contact to confirm the doc- able etc.) and ineffective monitoring procedures con- uments. The biggest question was why no-one tributed significantly to incidents of computer crime. noticed that BSL’s Singapore branch had one indi- An earlier study by Parker [13] found that in most vidual responsible for both the front and back organizations, sufficient methods of deterrence, detec- offices, and realized the possibility for fraud. tion, prevention and recovery did not exist. Clearly Everybody involved with BSL knew the answer: the Barings Bank situation was a case in point. they were enjoying the benefits accrued from the status quo and did not see a need to scrutinize the In the previous section, a number of issues have been BFS’ business processes. presented which could be considered as reasons why information system security breaches occur in the first place. However there is considerable debate as Understanding the Issue to the extent to which information system security The discussion on Barings Bank and the violation of problems exist in reality. Parker [12] found that there safeguards by Leeson, a trusted employee, constitutes was a wide range of opinions regarding the extent of a kind of an information system security breach that computer security breaches due to the subversion of is intentional in nature. Generally, intentional acts controls by internal employees. There were reports could result in frauds, virus infections, and invasion suggesting that only 374 cases were directly related of privacy and sabotage. Parker [11] uses the term to computer misuse, hence portraying computer ‘computer abuse’ to describes such acts as vandalism crimes as being of minor significance. However dur- and malicious mischief and places them in the same ing the same period nearly 150 000 computers had category as white-collar crime.White-collar crime is been installed within US organizations. Clearly the defined by Parker as “any endeavour or practice reported computer crime cases were an underesti- involving the stifling of free enterprise or promoting mation and what we actually see is just the tip of the of unfair competition; a breach of trust against an iceberg.The UK Audit Commission’s study suggests individual or an institution; a violation of occupa- that many individuals and organizations fail to rec- tional conduct or jeopardizing of consumers and ognize computer crime as a problem. Its survey clientele”. Information system security breaches found employees at the managerial and supervisory resulting from the violation of safeguards by internal levels as falling short of understanding the risks that employees can therefore be defined as a deliberate computer misuse presents. In fact two-thirds of the misappropriation by which individuals intend to perpetrators were supervisors who had been in the gain dishonest advantages through the use of the organization for a minimum four years [1]. Another computer systems. Misappropriation itself may be study based in the US found an astonishing 31% of opportunist, pressured, or a single-minded calculated computer crimes were being carried out by low paid contrivance. clerks, 25% by managers and 24% by computer per- sonnel [10]. Indeed Balsmeier and Kelly [3] suggest Computer crime committed by internal employees that most organizations had no method to minimize is essentially a rational act and could result from a or deter computer crime and that the rewards for 169
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon unethical behaviour seem to outweigh the risks.This auditors from both firms made a serious mistake. clearly suggests that Barings Bank, with all the flaws They relied on the internal controls of BFS when the in its internal reporting and control structures, was a internal controls were defective in the first place. victim of an information system security breach that They did not perform any substantive procedures to has been considered a significant threat for a while. ensure that this material weakness was not causing Yet no learning was incorporated into Baring Bank’s materially incorrect balances to certain accounts.The thinking process. auditors then reported to the board of directors that everything was fine when in reality that could not From an auditing perspective, consideration could have been further from the truth. have been given to at least two aspects. First, the internal audit should have been reported to the audit committee, comprised of the board of directors of Discussion the company. Additionally, these members of the Since most of the computer security breaches occur audit committee should have been independent because internal employees have subverted the exist- board members, rather than board members who ing controls (see Dhillon [4]), it is important that work for the company in the capacity of manage- emphasis is placed on the more pragmatic aspects of ment or other professionals who provide service to an organization. Considering the particular case of the company. The independent, external auditors Leeson, an individual gets involved in particular acts as should also have reported to the audit committee. a consequence of a combination of a person’s This is necessary to ensure that the auditors are behavioural and normative beliefs. If a person’s atti- reporting to a level high enough to ensure that rec- tude to perform an illicit act needs to be influenced, ommendations and warnings do not fall on ‘deaf one has to focus of changing the primary belief sys- ears’. Internal and external audits are designed to tem. More than any specific communication instru- help assure the board of directors and stockholders ment, an organization-wide feeling of working that the financial statements of management are together to solve problems and not hide them is the materially correct and that management is acting key.This ties together the cultural and reporting stan- responsibly to maximize shareholder value and safe- dards, so that Barings could have moved forward and guard their assets. If they were to report to anyone its subsidiaries would not have hidden losses. Rather but the audit committee, that responsibility could be they should have worked together to solve problems. jeopardized by internal politics. This, combined with proper auditing techniques, would have allowed Barings and its subsidiaries to Second, an accountability and responsibility structure avoid collapse. The paragraphs below identify some for internal auditors should have been created. specific guidelines that organizations should consider Although internal auditors report directly to a com- if violations of safeguards by trusted personnel are to mittee of the board of directors, the internal audit be avoided. department still needs to be accountable and respon- sible in order to use the resources that they are given in the most effective manner. The fact that internal Formalized Rules auditors let a serious problem with the segregation of It has been argued that if an organization has a high duties pass without ‘raising a major ruckus’ was neg- level of dependence on IT, there is a greater likelihood ligent. External auditors also needed to be held of it being vulnerable to computer related misuse accountable. In public accounting, a partner with }(e.g. see Moor [9]). It is therefore important that over 20 years of experience would normally sell the organizations implement effective and systematic engagements.The client then will not see the partner policies.The demand for establishing security policies until the job is over. Unfortunately, most of the audit within organizations has long been made by is performed by staff members, who are usually just academics and practitioners alike, however such calls one to three years out of college. In this case, the have largely gone unheeded. Formalized rules in the 170
Computers & Security, Vol. 20, No. 2 form of security policies will help in facilitating prevalent work situation and the opportunity to bureaucratic functions such that ambiguities and mis- commit criminal acts affected the primary belief understandings within organizations can be resolved. system of Leeson, thus creating an environment con- Lack of formal rules or an inability to enforce the ducive to a crime being committed.This suggests that rules was very well evidenced in the case of Barings monitoring of employee behaviour is an essential Bank and Leeson’s activities. Most regulatory bodies step in maintaining the integrity of an organization. (e.g. the Securities and Exchange Commission in the Such monitoring does not necessarily have to be US) demand that certain procedures should be fol- formal and rule based. In fact, informal monitoring, lowed. There are even explicit rules regarding super- such as interpreting behavioural changes and identi- vision. However because of an increased pressure to fying personal and group conflicts, can help in perform and be profitable, many of the formal rules establishing adequate checks and balances. were overlooked at Barings Bank.The case of Barings Bank suggests that although organizations cherish to instill a culture of efficiency and good practice, poor Conclusion communication often has a negative impact.The case This paper has presented an analysis of violation of also suggests that formalized rules are essential for the safeguards by trusted personnel by considering the functioning of an organization and often something case of Barings Bank and the activities of Nicholas more needs to be done. Perhaps there should be an Leeson. The analysis has suggested that organizations adequate emphasis on informal or normative controls. need to focus on the underlying beliefs that lead indi- viduals to engage in intentional illicit acts resulting in computer security breaches. Clearly, behavioural Normative Controls change is ultimately the result of changes in beliefs. Clearly, mere technical or formal control measures are Thus it is important that people within organizations inadequate to prevent computer security breaches. In are exposed to information which will produce other related work Dhillon [4] cites cases where it was changes in their beliefs. In proactively managing the relatively easy for insiders to gain access to informa- occurrence of adverse events, it is essential that we tion systems and camouflage fictitious and fraudulent trace those changes in primary beliefs that result in transactions. In the US, one of the most publicized particular attitudes and subjective norms. examples of this kind of behaviour is evidenced by the demise of the Kidder Peabody and the dealings of Acknowledgments Joseph Jett. Jett was able to exploit a loophole in the accounting system to inflate the profits. It was possi- Acknowledgments are due to Dr. James Backhouse, ble to engage in criminal activities because the person director of Computer Security Research Center at involved was an insider. It therefore becomes obvious the London School of Economics, for extensive dis- that no matter what the extent of formal and techni- cussions, comments and feedback on various aspects cal controls, prevention of insider security breaches of information security management. The assistance demands certain normative controls. Such controls and comments of number of graduate students at the essentially deal with the culture, value and belief sys- University of Nevada, Las Vegas and London School tem of the individuals concerned (for details see of Economics, including Russell Cook, Roy Dajalos Dhillon [4]). and Freddy Tan are also acknowledged. Employee Behaviour References Previous research has shown that besides personal [1] Audit Commission, Opportunity makes a thief. circumstances, work situations and opportunities Analysis of computer abuse, The Audit Commission available allow individuals to perform criminal for Local Authorities and the National Health acts (e.g. see [2]). In the case of Barings Bank the Service in England and Wales, 1994. 171
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon [2] Backhouse, J. and Dhillon, G., Managing comput- [8] Hearnden, K., “Computer crime and people,” in er crime: a research outlook, Computers & Security, Hearnden, K., ed., A handbook of computer crime, 14, 7, (1995), 645-651. London: Kogan Page, 1990. [3] Balsmeier, P. and Kelly, J.,The ethics of sentencing [9] Moor, J.H., What is computer ethics, white-collar criminals, Journal of Business Ethics, 15, Metaphilosophy, 16, 4, (1985), 266-275. 2, (1996), 143-152. [10]Oz, E., Ethics for the information age, Business [4] Dhillon, G., Managing information system security, and Educational Technologies, 1994. Macmillan, London, 1997. [11]Parker, D.B., Crime by computer, Charles [5] Dhillon, G.,“Challenges in managing information Scribner’s Sons, New York, 1976. security in the new millennium,” in Dhillon, G., ed., Information security management: global challenges [12]Parker, D.B.,“Ethical dilemmas in computer tech- in the new millennium, Hershey: Idea Group, 2001. nology,” in Hoffman, W.M. and Moore, J.M., ed., Ethics and the management of computer technology, [6] Dhillon, G. and Backhouse, J., Information system Cambridge, MA: Oelgeschlager, Gunn, and Hain, security management in the new millennium, 1982. Communications of the ACM, 43, 7, (2000), 125-128. [13]Parker, D.B. and Nycum, S.H., Computer Crime, [7] Forester, T. and Morrison, P., Computer ethics: cau- Communication of the ACM, 27, 4, (1984), tionary tales and ethical dilemmas in computing, The MIT Press, Cambridge, 1994. 172

Recomendados

Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Sept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilitySept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Cyber Liabilty: A new exposure for businesses
Cyber Liabilty: A new exposure for businesses Cyber Liabilty: A new exposure for businesses
Cyber Liabilty: A new exposure for businesses Maran Corporate Risk Associates, Inc.
 
Cyber liabilty
Cyber liabiltyCyber liabilty
Cyber liabiltyMaran Corporate Risk Associates, Inc.
 
PwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintPwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintKim Jensen
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability RiskChristopher Rieser
 

Recomendados

Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Sept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilitySept 2012 data security & cyber liability
Sept 2012 data security & cyber liabilityDFickett
 
Cyber Liabilty: A new exposure for businesses
Cyber Liabilty: A new exposure for businesses Cyber Liabilty: A new exposure for businesses
Cyber Liabilty: A new exposure for businesses Maran Corporate Risk Associates, Inc.
 
Cyber liabilty
Cyber liabiltyCyber liabilty
Cyber liabiltyMaran Corporate Risk Associates, Inc.
 
PwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintPwC Survey 2010 CIO Reprint
PwC Survey 2010 CIO ReprintKim Jensen
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability RiskChristopher Rieser
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
July 2010 Cover Story
July 2010 Cover StoryJuly 2010 Cover Story
July 2010 Cover StoryPatrick Spencer
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprisesTaranggg11
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementNeira Jones
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsClear Technologies
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecuritycrazyivan389
 
art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1Marlon Moodley
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trustlmgangi
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your InformationAIIM International
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalNicholas Cramer
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Fitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerceFitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerceFITSUM RISTU LAKEW
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou MilradLou Milrad
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry BrianHuntMSFCPACRISC
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 
Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))NAFCU Services Corporation
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 

Más contenido relacionado

La actualidad más candente

Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprisesTaranggg11
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementNeira Jones
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsClear Technologies
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecuritycrazyivan389
 
art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1Marlon Moodley
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trustlmgangi
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your InformationAIIM International
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalNicholas Cramer
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
Data Breaches
Data BreachesData Breaches
Data Breachessstose
 
Fitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerceFitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerceFITSUM RISTU LAKEW
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou MilradLou Milrad
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry BrianHuntMSFCPACRISC
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Lance Michalson
 

La actualidad más candente (20)

Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
July 2010 Cover Story
July 2010 Cover StoryJuly 2010 Cover Story
July 2010 Cover Story
 
Top 3 security concerns for enterprises
Top 3 security concerns for enterprisesTop 3 security concerns for enterprises
Top 3 security concerns for enterprises
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk Management
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
 
Ey managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurityEy managing-real-estate-cybersecurity
Ey managing-real-estate-cybersecurity
 
art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1
 
Security Built Upon a Foundation of Trust
Security Built Upon a Foundation of TrustSecurity Built Upon a Foundation of Trust
Security Built Upon a Foundation of Trust
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
 
All clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equalAll clear id_whitepaper__not_all_breaches_are_created_equal
All clear id_whitepaper__not_all_breaches_are_created_equal
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Data Breaches
Data BreachesData Breaches
Data Breaches
 
Fitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerceFitsum ristu lakew transaction security on e-commerce
Fitsum ristu lakew transaction security on e-commerce
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
 
Cyber Risk for Construction Industry
Cyber Risk for Construction Industry Cyber Risk for Construction Industry
Cyber Risk for Construction Industry
 
Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)Ict Compliance (Sept 2004)
Ict Compliance (Sept 2004)
 
Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))
 

Similar a 1 s2.0-s0167404801002097-main

Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...DFLABS SRL
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmDavid Sweigert
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docxlorainedeserre
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docxjesusamckone
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityRahul Tyagi
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
A 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainA 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainPim Piepers
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991Jim Romeo
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023PECB
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Proofpoint
 

Similar a 1 s2.0-s0167404801002097-main (20)

Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
The Future of Cybersecurity
The Future of CybersecurityThe Future of Cybersecurity
The Future of Cybersecurity
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
 
The case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firmThe case for a Cybersecurity Expert on the Board of an SEC firm
The case for a Cybersecurity Expert on the Board of an SEC firm
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx
 
27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx27featurearticle© 2015 Wiley P.docx
27featurearticle© 2015 Wiley P.docx
 
Cyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe SecurityCyber Risk Quantification for Employees | Safe Security
Cyber Risk Quantification for Employees | Safe Security
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
SEC Alert
SEC AlertSEC Alert
SEC Alert
 
A 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron MountainA 5 step guide to protecting backup data by Iron Mountain
A 5 step guide to protecting backup data by Iron Mountain
 
managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991managed-security-for-a-not-so-secure-world-wp090991
managed-security-for-a-not-so-secure-world-wp090991
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
 

Último

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Último (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

1 s2.0-s0167404801002097-main

  • 1. Computers & Security Vol.20, No.2, pp.165-172, 2001 Copyright © 2001 Elsevier Science Limited Printed in Great Britain. All rights reserved 0167-4048/01$20.00 Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns Gurpreet Dhillon College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6009, USA, dhillon@nevada.edu. A majority of computer security breaches occur because internal discussion). These insiders could be dishonest or dis- employees of an organization subvert existing controls. While exploring the issue of violation of safeguards by trusted personnel, gruntled employees who would copy, steal, or sabotage with specific reference to Barings Bank and the activities of information, yet their actions may remain undetected. Nicholas Leeson, this paper provides an understanding of related information security concerns. In a final synthesis, guidelines are Numerous security breaches have been reported in provided which organizations could use to prevent computer the popular press describing the sequence of events. In security breaches. the UK for example, a fraud against the National Heritage Department resulted in payments of over Introduction £175 000 being made to fictitious organizations. In another case, a small US based Internet service Businesses today are experiencing a problem with man- provider, Digital Technologies Group, had its comput- aging information security.This is so not only because ers completely erased, allegedly by a disgruntled of increased reliance of individuals and businesses on employee. The dismissed employee was later arrested information and communication technologies, but also and faced a prison sentence of up to 20 years. because the attempts to manage information security have been rather skewed towards implementing increas- Clearly violations of safeguards by trusted personnel ingly complex technological controls. The importance resulting in information security breaches are real and of technological controls should not be underplayed, need to be addressed. A requirement also exists for but evidence suggests that the violation of safeguards by establishing guiding principles that organizations could trusted personnel of an organization is emerging as a adopt in moving a step forward to manage such infor- primary reason for information security concerns. mation security problems. In addressing these concerns Between 61 and 81% of computer related crimes are and needs, this paper reviews the nature of information being carried out because of such violations (see security breaches occurring because of violation of Dhillon [5]; Dhillon and Backhouse [6] for a detailed safeguards by trusted personnel. The case of Barings 0167-4048/01$20.00 © 2001 Elsevier Science Ltd. All rights reserved 165
  • 2. Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon Bank and the violation of safeguards by Nicholas Since Leeson had gained an immense amount of trust Lesson, a trusted employee, are used to interpret the through his profits, £30 million for Barings in 1994 nature and scope of such security breaches.This is fol- alone, he was able to circumvent many of the security lowed by a discussion that forms the basis for generat- inquiries against him without consequence. Leeson lost ing principles for effectively managing the violations of £126 million in Nikkei futures and Japanese safeguards such that the security of computer based Government bonds on 23 February 1995 after losing systems within organizations is not compromised. £701 million over the past two years. Given the lack- adaisical organizational and information security con- straints at BB&Co., Leeson was able to hide his losses Violation of Safeguards at Barings in a secret account created using Barings’ accounting Bank computer systems.This was account 88888. This section reviews the violation of internal orga- The basic problem at BB&Co. that is of relevance to nizational controls by an employee to gain undue this paper, is the lack of correctly enforced organiza- advantage. It stresses the importance of instituting tional information security measures. Even though a informal controls if computer security situations are functional security plan was in place at BB&Co., it to be adequately managed.The security issues arising did not take into account any interpretive data in its from the misuse affect information systems integrity, implementation, so leaving BB&Co vulnerable. formal and informal control mechanisms, and organizational cohesion in terms of culture. Corporate Restructuring Challenges As BSL expanded and contributed increasing amounts Background to the revenues of the entire Barings Group, rivalry Barings Brothers & Co. (BB&Co.), a 223-year-old developed between BSL and BB&Co.Also, as internal institution specializing in traditional merchant bank- competition between the companies accelerated, so ing, decided to expand into investment banking in did the incentive to take on more risk at BSL. The 1984 as a result of deregulation in the British financial risk-taking management style and fast expansion of markets. BB&Co. established a brokerage firm under BSL left little time for implementing proper control the name of Barings Far East Securities, but this was mechanisms that would guard against financial impro- later changed to Barings Securities Limited (BSL). priety. Barings Group directors became concerned The new company adopted the corporate culture and initiated a corporate restructuring. from its founder Christopher Heath, a man recruited from the brokerage firm Henderson, Crosthwaite & The first thing that went wrong with the corporate Co. Heath brought many like-minded people into the restructuring was that the preferred corporate cul- new Barings subsidiary and created a strong corporate ture of fiscal conservatism could not be transferred culture. This culture was more profit seeking and from BB&Co. to BSL. Had the original conservative money-oriented than the traditional merchant bank- culture been instilled at BSL’s development, perhaps ing culture that had existed at BB&Co for centuries. through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, there BB&Co collapsed in 1995 due to one individual’s probably would have been less rivalry and less wrongdoing and many other individual’s security unwarranted risk-taking. negligence. Nicholas Leeson, the General Manager of Barings Futures Singapore Pte, Ltd. (BFS), a Problems could also have been controlled if it was subsidiary of BB&Co. exploited substandard not for the matrix structure.The structure per se was information security systems and caused the not wrong, but it was not implemented correctly, company to be placed under judicial management causing confusion and unclear reporting lines. and eventually to go bankrupt. Management’s lack of understanding of its own 166
  • 3. Computers & Security, Vol. 20, No. 2 responsibilities allowed Leeson and others to go One of the first things accounting auditors learn in unsupervised locally, which could have prevented their studies is that examining the internal controls the unethical behaviour and its escalation. Adopting of an organization can tell a great deal about the a hierarchical control system that limits decision- company, how effectively it works, and how aware making could have prevented this. By standardizing management is of their business processes. jobs, implementing direct supervision, and making Management is responsible for maintaining the enti- sure that checks and balances were in place, no ty’s controls. Of course, the controls’ effectiveness employee would have been able to take covert depends on the competency and dependability of actions that would have jeopardized the entire orga- the people using it. Clearly, in this case the size, nization.The situation at Barings Group was a disas- structure, and personnel were available to have effec- ter waiting to happen. It defies probability that the tive controls, but Barings did not manage them, entire collapse did not happen earlier. There are prioritize them, or take responsibility for maintain- several factors that contribute to this assertion. ing them. The most problematic cause of disaster lies in the roots When management establishes its system of internal of BSL itself. BB&Co. began their subsidiary by hand- controls, there are several principals that are important ing over total control to Christopher Heath.The bank to their plan. One fundamental principal is segrega- even requested that the staff of the new subsidiary con- tion of duties. It is important to segregate the areas of sist of employees of Heath’s current company, revenue generation, or custody of assets, and record Henderson, Crosthwaite & Co., where he was a part- keeping. This principal is extremely important ner. It was from this moment that BB&Co. placed because it prevents a single individual from commit- complete trust of BSL in the hands of an entity unfa- ting misappropriation of company assets or revenue miliar to Barings Group. BB&Co. had essentially relin- and then concealing the defalcation by altering the quished control. Even though Heath was a positive records. Some companies even separate controls even influence in creating a company culture that fostered in further in such a way that it would require two or ambition and individualism, he also created an envi- even three individuals to commit this crime and ronment lacking in formal control mechanisms. conceal it on the books. Another factor that foreshadowed the demise of Barings was the rivalry that developed between the two This internal control was not present at BFS. Leeson main firms in Barings Group: BB&Co. and BSL. was responsible, as part of his position, for overseeing the trading and trade processing, settlement, and When Nicholas Leeson came to Barings Future administration. He had access to the authorization Singapore (BFS), a subsidiary of BSL, as General and creation of trading accounts on the IT system; Manager, he would soon be credited with bringing responsibility for generating income by trading a down the entire banking organization. He effectively ‘book of business’, and also the ability to make jour- kept his gross misconduct from being openly discov- nal entries that were posted to the system, apparently ered because of two main reasons: (1) the autonomy without review. of BFS from the central hierarchy and (2) the absurd lack of internal controls throughout the entire Another key problem was the lack of an effective Barings Group. internal auditing department. Problems or weakness- es with the design of the internal controls and dis- crepancies with the adherence to those internal con- Evaluation Of Organizational Controls trols are the primary responsibility of the internal auditing department. Internal auditing departments Internal Controls prioritize their activities based on a risk analysis. The implementation of internal controls for any Areas that are potentially more vulnerable to the organization is key to running a ‘well-oiled’ business. company are their responsibility. Obviously this 167
  • 4. Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon department failed to do its job if the activities of a was discovered in later years that there was evidence small branch in Singapore were able to bring down of memoranda flying around about this blatant lack of the entire bank. separation of duties long before the collapse, yet noth- ing was done to change it. Fourth, information tech- The key risk items that should have been looked at nology is used to gather company transactions and to was, first of all, the lack of segregation of internal con- maintain accountability to clearly communicate what trol at the branch level. Leeson was a General is happening in the organization. At Barings Bank the Manager who was responsible for both making trades management, internal auditors, and external auditors and recording them. Second, a small branch in were all staring at the ‘88888’ account problem, after Singapore was showing abnormally large profits. all, it was a glaring piece of information, yet no-one Third, account balances were not reconciled. Daily attempted to reconcile this piece of reported infor- reconciliation in the computer age is not unreason- mation. It is true that Leeson hid things, forged doc- able. Fourth, why were receivables in the Singapore uments, had information shredded by subordinates, Office so high? The internal audit department was restricted access to financial information, etc., but the either incompetent or lacking in sufficient fraud could still have been uncovered. Leeson simply organizational support to be effective. had the confidence that even with all the controls in place and the inquiries into discrepancies that were There are five components of an ideal internal control found, he would still be able to beat the internal con- mechanism that management should use to design trol system and recover the severe losses he was accu- and implement controls to give reasonable assurance mulating because the system was weak, flaky, and, that the control objectives are being met.These com- therefore, easily circumvented. Fifth, monitoring the ponents are the control environment, risk assessment, quality of controls periodically is essential to have control activities, information and communication, effective controls. The internal audit department of and monitoring. Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings’ control func- First, the control environment consists of actions, tions used varying degrees of the ‘hands-off ’ approach policies, and procedures that reflect the overall atti- in performing their jobs. tudes of top management about control and its importance to the corporation. Clearly Barings Bank External Controls had some internal controls in place, but they were performed more as a checklist than for true discovery The external auditors also failed in their professional or prevention. Second, management should assess the responsibility to detect material fraud at the Singapore risk in the design of its internal controls to minimize office. Deloitte & Touche were the auditors through errors and fraud. Having the level of autonomy that 1993, the time during which account 88888 was BFS did from the Bank, the risk was much greater and established. By then Leeson’s loss was £23 million; should have caused increased sensitivity for strict this clearly would have been material to BFS’ opera- adherence to a good internal control system. Third, tions. Essentially, on the financial statement, Leeson control activities include other policies and proce- was booking an entry to record the loss as income and dures that help to ensure that necessary actions are as a receivable in order to conceal this loss. Deloitte & taken to address risks in the achievement of the com- Touche failed in their audit of both the revenue of pany’s objectives. Such control activities, adequate BFS and the assets of BFS.The unprofessional manner documents and records, physical control, and inde- that they used to satisfy themselves that the receivable pendent checks on performance are important com- was correct was a major factor contributing to their ponents of internal control mechanisms. Barings’ demise. management knew Leeson had control of both the front and back offices of a After 1993, Coopers & Lybrand were the auditors division (BFS) they hardly knew anything about. It for BFS. Coopers also failed in their confirmation of 168
  • 5. Computers & Security, Vol. 20, No. 2 the bogus Spear, Leeds & Kellogg (a New York trad- combination of personal factors, work situations and er) receivable. Leeson had earlier claimed it to be a available opportunities [2]. Hearnden [8] believes that computer error. However, when the auditors pur- most of the perpetrators are motivated by greed, sued the point further, he claimed that it was a financial and other personnel problems. Forester and receivable. Confirmations should be requested Morrison [7] suggest that sometimes even love and directly from the debtor by the creditor but returned sex could provide a powerful stimulus for carrying directly to the auditor. Since Leeson produced the out computer crimes. A survey conducted by the UK documents himself, it was not credible evidence for Audit Commission in 1994 found, in addition to per- auditing purposes. Second, if they were to be relied sonal factors, disregard for basic internal controls upon, Coopers & Lybrand could have made a phone (password not changed, computer activities not trace- call to Leeson’s point of contact to confirm the doc- able etc.) and ineffective monitoring procedures con- uments. The biggest question was why no-one tributed significantly to incidents of computer crime. noticed that BSL’s Singapore branch had one indi- An earlier study by Parker [13] found that in most vidual responsible for both the front and back organizations, sufficient methods of deterrence, detec- offices, and realized the possibility for fraud. tion, prevention and recovery did not exist. Clearly Everybody involved with BSL knew the answer: the Barings Bank situation was a case in point. they were enjoying the benefits accrued from the status quo and did not see a need to scrutinize the In the previous section, a number of issues have been BFS’ business processes. presented which could be considered as reasons why information system security breaches occur in the first place. However there is considerable debate as Understanding the Issue to the extent to which information system security The discussion on Barings Bank and the violation of problems exist in reality. Parker [12] found that there safeguards by Leeson, a trusted employee, constitutes was a wide range of opinions regarding the extent of a kind of an information system security breach that computer security breaches due to the subversion of is intentional in nature. Generally, intentional acts controls by internal employees. There were reports could result in frauds, virus infections, and invasion suggesting that only 374 cases were directly related of privacy and sabotage. Parker [11] uses the term to computer misuse, hence portraying computer ‘computer abuse’ to describes such acts as vandalism crimes as being of minor significance. However dur- and malicious mischief and places them in the same ing the same period nearly 150 000 computers had category as white-collar crime.White-collar crime is been installed within US organizations. Clearly the defined by Parker as “any endeavour or practice reported computer crime cases were an underesti- involving the stifling of free enterprise or promoting mation and what we actually see is just the tip of the of unfair competition; a breach of trust against an iceberg.The UK Audit Commission’s study suggests individual or an institution; a violation of occupa- that many individuals and organizations fail to rec- tional conduct or jeopardizing of consumers and ognize computer crime as a problem. Its survey clientele”. Information system security breaches found employees at the managerial and supervisory resulting from the violation of safeguards by internal levels as falling short of understanding the risks that employees can therefore be defined as a deliberate computer misuse presents. In fact two-thirds of the misappropriation by which individuals intend to perpetrators were supervisors who had been in the gain dishonest advantages through the use of the organization for a minimum four years [1]. Another computer systems. Misappropriation itself may be study based in the US found an astonishing 31% of opportunist, pressured, or a single-minded calculated computer crimes were being carried out by low paid contrivance. clerks, 25% by managers and 24% by computer per- sonnel [10]. Indeed Balsmeier and Kelly [3] suggest Computer crime committed by internal employees that most organizations had no method to minimize is essentially a rational act and could result from a or deter computer crime and that the rewards for 169
  • 6. Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon unethical behaviour seem to outweigh the risks.This auditors from both firms made a serious mistake. clearly suggests that Barings Bank, with all the flaws They relied on the internal controls of BFS when the in its internal reporting and control structures, was a internal controls were defective in the first place. victim of an information system security breach that They did not perform any substantive procedures to has been considered a significant threat for a while. ensure that this material weakness was not causing Yet no learning was incorporated into Baring Bank’s materially incorrect balances to certain accounts.The thinking process. auditors then reported to the board of directors that everything was fine when in reality that could not From an auditing perspective, consideration could have been further from the truth. have been given to at least two aspects. First, the internal audit should have been reported to the audit committee, comprised of the board of directors of Discussion the company. Additionally, these members of the Since most of the computer security breaches occur audit committee should have been independent because internal employees have subverted the exist- board members, rather than board members who ing controls (see Dhillon [4]), it is important that work for the company in the capacity of manage- emphasis is placed on the more pragmatic aspects of ment or other professionals who provide service to an organization. Considering the particular case of the company. The independent, external auditors Leeson, an individual gets involved in particular acts as should also have reported to the audit committee. a consequence of a combination of a person’s This is necessary to ensure that the auditors are behavioural and normative beliefs. If a person’s atti- reporting to a level high enough to ensure that rec- tude to perform an illicit act needs to be influenced, ommendations and warnings do not fall on ‘deaf one has to focus of changing the primary belief sys- ears’. Internal and external audits are designed to tem. More than any specific communication instru- help assure the board of directors and stockholders ment, an organization-wide feeling of working that the financial statements of management are together to solve problems and not hide them is the materially correct and that management is acting key.This ties together the cultural and reporting stan- responsibly to maximize shareholder value and safe- dards, so that Barings could have moved forward and guard their assets. If they were to report to anyone its subsidiaries would not have hidden losses. Rather but the audit committee, that responsibility could be they should have worked together to solve problems. jeopardized by internal politics. This, combined with proper auditing techniques, would have allowed Barings and its subsidiaries to Second, an accountability and responsibility structure avoid collapse. The paragraphs below identify some for internal auditors should have been created. specific guidelines that organizations should consider Although internal auditors report directly to a com- if violations of safeguards by trusted personnel are to mittee of the board of directors, the internal audit be avoided. department still needs to be accountable and respon- sible in order to use the resources that they are given in the most effective manner. The fact that internal Formalized Rules auditors let a serious problem with the segregation of It has been argued that if an organization has a high duties pass without ‘raising a major ruckus’ was neg- level of dependence on IT, there is a greater likelihood ligent. External auditors also needed to be held of it being vulnerable to computer related misuse accountable. In public accounting, a partner with }(e.g. see Moor [9]). It is therefore important that over 20 years of experience would normally sell the organizations implement effective and systematic engagements.The client then will not see the partner policies.The demand for establishing security policies until the job is over. Unfortunately, most of the audit within organizations has long been made by is performed by staff members, who are usually just academics and practitioners alike, however such calls one to three years out of college. In this case, the have largely gone unheeded. Formalized rules in the 170
  • 7. Computers & Security, Vol. 20, No. 2 form of security policies will help in facilitating prevalent work situation and the opportunity to bureaucratic functions such that ambiguities and mis- commit criminal acts affected the primary belief understandings within organizations can be resolved. system of Leeson, thus creating an environment con- Lack of formal rules or an inability to enforce the ducive to a crime being committed.This suggests that rules was very well evidenced in the case of Barings monitoring of employee behaviour is an essential Bank and Leeson’s activities. Most regulatory bodies step in maintaining the integrity of an organization. (e.g. the Securities and Exchange Commission in the Such monitoring does not necessarily have to be US) demand that certain procedures should be fol- formal and rule based. In fact, informal monitoring, lowed. There are even explicit rules regarding super- such as interpreting behavioural changes and identi- vision. However because of an increased pressure to fying personal and group conflicts, can help in perform and be profitable, many of the formal rules establishing adequate checks and balances. were overlooked at Barings Bank.The case of Barings Bank suggests that although organizations cherish to instill a culture of efficiency and good practice, poor Conclusion communication often has a negative impact.The case This paper has presented an analysis of violation of also suggests that formalized rules are essential for the safeguards by trusted personnel by considering the functioning of an organization and often something case of Barings Bank and the activities of Nicholas more needs to be done. Perhaps there should be an Leeson. The analysis has suggested that organizations adequate emphasis on informal or normative controls. need to focus on the underlying beliefs that lead indi- viduals to engage in intentional illicit acts resulting in computer security breaches. Clearly, behavioural Normative Controls change is ultimately the result of changes in beliefs. Clearly, mere technical or formal control measures are Thus it is important that people within organizations inadequate to prevent computer security breaches. In are exposed to information which will produce other related work Dhillon [4] cites cases where it was changes in their beliefs. In proactively managing the relatively easy for insiders to gain access to informa- occurrence of adverse events, it is essential that we tion systems and camouflage fictitious and fraudulent trace those changes in primary beliefs that result in transactions. In the US, one of the most publicized particular attitudes and subjective norms. examples of this kind of behaviour is evidenced by the demise of the Kidder Peabody and the dealings of Acknowledgments Joseph Jett. Jett was able to exploit a loophole in the accounting system to inflate the profits. It was possi- Acknowledgments are due to Dr. James Backhouse, ble to engage in criminal activities because the person director of Computer Security Research Center at involved was an insider. It therefore becomes obvious the London School of Economics, for extensive dis- that no matter what the extent of formal and techni- cussions, comments and feedback on various aspects cal controls, prevention of insider security breaches of information security management. The assistance demands certain normative controls. Such controls and comments of number of graduate students at the essentially deal with the culture, value and belief sys- University of Nevada, Las Vegas and London School tem of the individuals concerned (for details see of Economics, including Russell Cook, Roy Dajalos Dhillon [4]). and Freddy Tan are also acknowledged. Employee Behaviour References Previous research has shown that besides personal [1] Audit Commission, Opportunity makes a thief. circumstances, work situations and opportunities Analysis of computer abuse, The Audit Commission available allow individuals to perform criminal for Local Authorities and the National Health acts (e.g. see [2]). In the case of Barings Bank the Service in England and Wales, 1994. 171
  • 8. Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns/Gurpreet Dhillon [2] Backhouse, J. and Dhillon, G., Managing comput- [8] Hearnden, K., “Computer crime and people,” in er crime: a research outlook, Computers & Security, Hearnden, K., ed., A handbook of computer crime, 14, 7, (1995), 645-651. London: Kogan Page, 1990. [3] Balsmeier, P. and Kelly, J.,The ethics of sentencing [9] Moor, J.H., What is computer ethics, white-collar criminals, Journal of Business Ethics, 15, Metaphilosophy, 16, 4, (1985), 266-275. 2, (1996), 143-152. [10]Oz, E., Ethics for the information age, Business [4] Dhillon, G., Managing information system security, and Educational Technologies, 1994. Macmillan, London, 1997. [11]Parker, D.B., Crime by computer, Charles [5] Dhillon, G.,“Challenges in managing information Scribner’s Sons, New York, 1976. security in the new millennium,” in Dhillon, G., ed., Information security management: global challenges [12]Parker, D.B.,“Ethical dilemmas in computer tech- in the new millennium, Hershey: Idea Group, 2001. nology,” in Hoffman, W.M. and Moore, J.M., ed., Ethics and the management of computer technology, [6] Dhillon, G. and Backhouse, J., Information system Cambridge, MA: Oelgeschlager, Gunn, and Hain, security management in the new millennium, 1982. Communications of the ACM, 43, 7, (2000), 125-128. [13]Parker, D.B. and Nycum, S.H., Computer Crime, [7] Forester, T. and Morrison, P., Computer ethics: cau- Communication of the ACM, 27, 4, (1984), tionary tales and ethical dilemmas in computing, The MIT Press, Cambridge, 1994. 172