Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns / Gurpreet Dhillon

Bank and the violation of safeguards by Nicholas Leeson, a trusted employee, are used to interpret the nature and scope of such security breaches. This is followed by a discussion that forms the basis for generating principles for effectively managing the violations of safeguards such that the security of computer based systems within organizations is not compromised.

Violation of Safeguards at Barings Bank

This section reviews the violation of internal organizational controls by an employee to gain undue advantage. It stresses the importance of instituting informal controls if computer security situations are to be adequately managed. The security issues arising from the misuse affect information systems integrity, formal and informal control mechanisms, and organizational cohesion in terms of culture.

Background

Barings Brothers & Co. (BB&Co.), a 223-year-old institution specializing in traditional merchant banking, decided to expand into investment banking in 1984 as a result of deregulation in the British financial markets. BB&Co. established a brokerage firm under the name of Barings Far East Securities, but this was later changed to Barings Securities Limited (BSL). The new company adopted the corporate culture of its founder Christopher Heath, a man recruited from the brokerage firm Henderson, Crosthwaite & Co. Heath brought many like-minded people into the new Barings subsidiary and created a strong corporate culture. This culture was more profit seeking and money-oriented than the traditional merchant banking culture that had existed at BB&Co. for centuries.

BB&Co. collapsed in 1995 due to one individual's wrongdoing and many other individuals' security negligence. Nicholas Leeson, the General Manager of Barings Futures Singapore Pte, Ltd. (BFS), a subsidiary of BB&Co., exploited substandard information security systems and caused the company to be placed under judicial management and eventually to go bankrupt. Since Leeson had gained an immense amount of trust through his profits, £30 million for Barings in 1994 alone, he was able to circumvent many of the security inquiries against him without consequence. Leeson lost £126 million in Nikkei futures and Japanese Government bonds on 23 February 1995 after losing £701 million over the past two years. Given the lackadaisical organizational and information security constraints at BB&Co., Leeson was able to hide his losses in a secret account created using Barings' accounting computer systems. This was account 88888.

The basic problem at BB&Co. that is of relevance to this paper is the lack of correctly enforced organizational information security measures. Even though a functional security plan was in place at BB&Co., it did not take into account any interpretive data in its implementation, so leaving BB&Co. vulnerable.

Corporate Restructuring Challenges

As BSL expanded and contributed increasing amounts to the revenues of the entire Barings Group, rivalry developed between BSL and BB&Co. Also, as internal competition between the companies accelerated, so did the incentive to take on more risk at BSL. The risk-taking management style and fast expansion of BSL left little time for implementing proper control mechanisms that would guard against financial impropriety. Barings Group directors became concerned and initiated a corporate restructuring.

The first thing that went wrong with the corporate restructuring was that the preferred corporate culture of fiscal conservatism could not be transferred from BB&Co. to BSL. Had the original conservative culture been instilled at BSL's development, perhaps through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, there probably would have been less rivalry and less unwarranted risk-taking.

Problems could also have been controlled if it were not for the matrix structure. The structure per se was not wrong, but it was not implemented correctly, causing confusion and unclear reporting lines. Management's lack of understanding of its own
Computers & Security, Vol. 20, No. 2

responsibilities allowed Leeson and others to go unsupervised locally; proper local supervision could have prevented the unethical behaviour and its escalation. Adopting a hierarchical control system that limits decision-making could have prevented this. By standardizing jobs, implementing direct supervision, and making sure that checks and balances were in place, no employee would have been able to take covert actions that would have jeopardized the entire organization. The situation at Barings Group was a disaster waiting to happen. It defies probability that the entire collapse did not happen earlier. There are several factors that contribute to this assertion.

The most problematic cause of disaster lies in the roots of BSL itself. BB&Co. began their subsidiary by handing over total control to Christopher Heath. The bank even requested that the staff of the new subsidiary consist of employees of Heath's current company, Henderson, Crosthwaite & Co., where he was a partner. It was from this moment that BB&Co. placed complete trust of BSL in the hands of an entity unfamiliar to Barings Group. BB&Co. had essentially relinquished control. Even though Heath was a positive influence in creating a company culture that fostered ambition and individualism, he also created an environment lacking in formal control mechanisms. Another factor that foreshadowed the demise of Barings was the rivalry that developed between the two main firms in Barings Group: BB&Co. and BSL.

When Nicholas Leeson came to Barings Futures Singapore (BFS), a subsidiary of BSL, as General Manager, he would soon be credited with bringing down the entire banking organization. He effectively kept his gross misconduct from being openly discovered for two main reasons: (1) the autonomy of BFS from the central hierarchy and (2) the absurd lack of internal controls throughout the entire Barings Group.

Evaluation of Organizational Controls

Internal Controls

The implementation of internal controls for any organization is key to running a 'well-oiled' business. One of the first things accounting auditors learn in their studies is that examining the internal controls of an organization can tell a great deal about the company, how effectively it works, and how aware management is of its business processes. Management is responsible for maintaining the entity's controls. Of course, the controls' effectiveness depends on the competency and dependability of the people using them. Clearly, in this case the size, structure, and personnel were available to have effective controls, but Barings did not manage them, prioritize them, or take responsibility for maintaining them.

When management establishes its system of internal controls, there are several principles that are important to their plan. One fundamental principle is segregation of duties. It is important to segregate the areas of revenue generation, custody of assets, and record keeping. This principle is extremely important because it prevents a single individual from committing misappropriation of company assets or revenue and then concealing the defalcation by altering the records. Some companies separate controls even further, in such a way that it would require two or even three individuals to commit this crime and conceal it on the books.

This internal control was not present at BFS. Leeson was responsible, as part of his position, for overseeing the trading and trade processing, settlement, and administration. He had access to the authorization and creation of trading accounts on the IT system; responsibility for generating income by trading a 'book of business'; and also the ability to make journal entries that were posted to the system, apparently without review.

Another key problem was the lack of an effective internal auditing department. Problems or weaknesses with the design of the internal controls and discrepancies with the adherence to those internal controls are the primary responsibility of the internal auditing department. Internal auditing departments prioritize their activities based on a risk analysis. Areas that are potentially more vulnerable to the company are their responsibility. Obviously this
department failed to do its job if the activities of a small branch in Singapore were able to bring down the entire bank.

The key risk items that should have been looked at were, first of all, the lack of segregation of internal control at the branch level. Leeson was a General Manager who was responsible for both making trades and recording them. Second, a small branch in Singapore was showing abnormally large profits. Third, account balances were not reconciled. Daily reconciliation in the computer age is not unreasonable. Fourth, why were receivables in the Singapore office so high? The internal audit department was either incompetent or lacking in sufficient organizational support to be effective.

There are five components of an ideal internal control mechanism that management should use to design and implement controls to give reasonable assurance that the control objectives are being met. These components are the control environment, risk assessment, control activities, information and communication, and monitoring.

First, the control environment consists of actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the corporation. Clearly Barings Bank had some internal controls in place, but they were performed more as a checklist than for true discovery or prevention. Second, management should assess the risk in the design of its internal controls to minimize errors and fraud. Given the level of autonomy that BFS had from the Bank, the risk was much greater and should have caused increased sensitivity for strict adherence to a good internal control system. Third, control activities include other policies and procedures that help to ensure that necessary actions are taken to address risks in the achievement of the company's objectives. Such control activities, adequate documents and records, physical control, and independent checks on performance are important components of internal control mechanisms. Barings' management knew Leeson had control of both the front and back offices of a division (BFS) they hardly knew anything about. It was discovered in later years that there was evidence of memoranda flying around about this blatant lack of separation of duties long before the collapse, yet nothing was done to change it. Fourth, information technology is used to gather company transactions and to maintain accountability to clearly communicate what is happening in the organization. At Barings Bank the management, internal auditors, and external auditors were all staring at the '88888' account problem; after all, it was a glaring piece of information, yet no-one attempted to reconcile this piece of reported information. It is true that Leeson hid things, forged documents, had information shredded by subordinates, restricted access to financial information, etc., but the fraud could still have been uncovered. Leeson simply had the confidence that even with all the controls in place and the inquiries into discrepancies that were found, he would still be able to beat the internal control system and recover the severe losses he was accumulating, because the system was weak, flaky, and, therefore, easily circumvented. Fifth, monitoring the quality of controls periodically is essential to have effective controls. The internal audit department of Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings' control functions used varying degrees of the 'hands-off' approach in performing their jobs.

External Controls

The external auditors also failed in their professional responsibility to detect material fraud at the Singapore office. Deloitte & Touche were the auditors through 1993, the time during which account 88888 was established. By then Leeson's loss was £23 million; this clearly would have been material to BFS' operations. Essentially, on the financial statement, Leeson was booking an entry to record the loss as income and as a receivable in order to conceal this loss. Deloitte & Touche failed in their audit of both the revenue of BFS and the assets of BFS. The unprofessional manner in which they satisfied themselves that the receivable was correct was a major factor contributing to their demise.

After 1993, Coopers & Lybrand were the auditors for BFS. Coopers also failed in their confirmation of
the bogus Spear, Leeds & Kellogg (a New York trader) receivable. Leeson had earlier claimed it to be a computer error. However, when the auditors pursued the point further, he claimed that it was a receivable. Confirmations should be requested directly from the debtor by the creditor but returned directly to the auditor. Since Leeson produced the documents himself, they were not credible evidence for auditing purposes. Second, if the documents were to be relied upon, Coopers & Lybrand could have made a phone call to Leeson's point of contact to confirm them. The biggest question was why no-one noticed that BSL's Singapore branch had one individual responsible for both the front and back offices, and realized the possibility for fraud. Everybody involved with BSL knew the answer: they were enjoying the benefits accrued from the status quo and did not see a need to scrutinize BFS' business processes.

Understanding the Issue

The discussion on Barings Bank and the violation of safeguards by Leeson, a trusted employee, constitutes a kind of information system security breach that is intentional in nature. Generally, intentional acts could result in frauds, virus infections, invasion of privacy and sabotage. Parker [11] uses the term 'computer abuse' to describe such acts as vandalism and malicious mischief and places them in the same category as white-collar crime. White-collar crime is defined by Parker as "any endeavour or practice involving the stifling of free enterprise or promoting of unfair competition; a breach of trust against an individual or an institution; a violation of occupational conduct or jeopardizing of consumers and clientele". Information system security breaches resulting from the violation of safeguards by internal employees can therefore be defined as a deliberate misappropriation by which individuals intend to gain dishonest advantages through the use of the computer systems. Misappropriation itself may be opportunist, pressured, or a single-minded calculated contrivance.

Computer crime committed by internal employees is essentially a rational act and could result from a combination of personal factors, work situations and available opportunities [2]. Hearnden [8] believes that most of the perpetrators are motivated by greed, financial and other personal problems. Forester and Morrison [7] suggest that sometimes even love and sex could provide a powerful stimulus for carrying out computer crimes. A survey conducted by the UK Audit Commission in 1994 found that, in addition to personal factors, disregard for basic internal controls (password not changed, computer activities not traceable etc.) and ineffective monitoring procedures contributed significantly to incidents of computer crime. An earlier study by Parker [13] found that in most organizations, sufficient methods of deterrence, detection, prevention and recovery did not exist. Clearly the Barings Bank situation was a case in point.

In the previous section, a number of issues have been presented which could be considered as reasons why information system security breaches occur in the first place. However, there is considerable debate as to the extent to which information system security problems exist in reality. Parker [12] found that there was a wide range of opinions regarding the extent of computer security breaches due to the subversion of controls by internal employees. There were reports suggesting that only 374 cases were directly related to computer misuse, hence portraying computer crimes as being of minor significance. However, during the same period nearly 150 000 computers had been installed within US organizations. Clearly the reported computer crime cases were an underestimation and what we actually see is just the tip of the iceberg. The UK Audit Commission's study suggests that many individuals and organizations fail to recognize computer crime as a problem. Its survey found employees at the managerial and supervisory levels falling short of understanding the risks that computer misuse presents. In fact two-thirds of the perpetrators were supervisors who had been in the organization for a minimum of four years [1]. Another study based in the US found an astonishing 31% of computer crimes were being carried out by low paid clerks, 25% by managers and 24% by computer personnel [10]. Indeed Balsmeier and Kelly [3] suggest that most organizations had no method to minimize or deter computer crime and that the rewards for
unethical behaviour seem to outweigh the risks. This clearly suggests that Barings Bank, with all the flaws in its internal reporting and control structures, was a victim of an information system security breach that has been considered a significant threat for a while. Yet no learning was incorporated into Barings Bank's thinking process.

From an auditing perspective, consideration could have been given to at least two aspects. First, the internal audit should have reported to the audit committee, comprised of the board of directors of the company. Additionally, these members of the audit committee should have been independent board members, rather than board members who work for the company in the capacity of management or other professionals who provide service to the company. The independent, external auditors should also have reported to the audit committee. This is necessary to ensure that the auditors are reporting to a level high enough to ensure that recommendations and warnings do not fall on 'deaf ears'. Internal and external audits are designed to help assure the board of directors and stockholders that the financial statements of management are materially correct and that management is acting responsibly to maximize shareholder value and safeguard their assets. If they were to report to anyone but the audit committee, that responsibility could be jeopardized by internal politics.

Second, an accountability and responsibility structure for internal auditors should have been created. Although internal auditors report directly to a committee of the board of directors, the internal audit department still needs to be accountable and responsible in order to use the resources that they are given in the most effective manner. The fact that internal auditors let a serious problem with the segregation of duties pass without 'raising a major ruckus' was negligent. External auditors also needed to be held accountable. In public accounting, a partner with over 20 years of experience would normally sell the engagements. The client then will not see the partner until the job is over. Unfortunately, most of the audit is performed by staff members, who are usually just one to three years out of college. In this case, the auditors from both firms made a serious mistake. They relied on the internal controls of BFS when the internal controls were defective in the first place. They did not perform any substantive procedures to ensure that this material weakness was not causing materially incorrect balances in certain accounts. The auditors then reported to the board of directors that everything was fine when in reality that could not have been further from the truth.

Discussion

Since most of the computer security breaches occur because internal employees have subverted the existing controls (see Dhillon [4]), it is important that emphasis is placed on the more pragmatic aspects of an organization. Considering the particular case of Leeson, an individual gets involved in particular acts as a consequence of a combination of a person's behavioural and normative beliefs. If a person's attitude to perform an illicit act needs to be influenced, one has to focus on changing the primary belief system. More than any specific communication instrument, an organization-wide feeling of working together to solve problems and not hide them is the key. This ties together the cultural and reporting standards, so that Barings could have moved forward and its subsidiaries would not have hidden losses. Rather they should have worked together to solve problems. This, combined with proper auditing techniques, would have allowed Barings and its subsidiaries to avoid collapse. The paragraphs below identify some specific guidelines that organizations should consider if violations of safeguards by trusted personnel are to be avoided.

Formalized Rules

It has been argued that if an organization has a high level of dependence on IT, there is a greater likelihood of it being vulnerable to computer related misuse (e.g. see Moor [9]). It is therefore important that organizations implement effective and systematic policies. The demand for establishing security policies within organizations has long been made by academics and practitioners alike; however, such calls have largely gone unheeded. Formalized rules in the
form of security policies will help in facilitating bureaucratic functions such that ambiguities and misunderstandings within organizations can be resolved. Lack of formal rules or an inability to enforce the rules was very well evidenced in the case of Barings Bank and Leeson's activities. Most regulatory bodies (e.g. the Securities and Exchange Commission in the US) demand that certain procedures should be followed. There are even explicit rules regarding supervision. However, because of an increased pressure to perform and be profitable, many of the formal rules were overlooked at Barings Bank. The case of Barings Bank suggests that although organizations seek to instill a culture of efficiency and good practice, poor communication often has a negative impact. The case also suggests that formalized rules are essential for the functioning of an organization and often something more needs to be done. Perhaps there should be an adequate emphasis on informal or normative controls.

Normative Controls

Clearly, mere technical or formal control measures are inadequate to prevent computer security breaches. In other related work Dhillon [4] cites cases where it was relatively easy for insiders to gain access to information systems and camouflage fictitious and fraudulent transactions. In the US, one of the most publicized examples of this kind of behaviour is evidenced by the demise of Kidder Peabody and the dealings of Joseph Jett. Jett was able to exploit a loophole in the accounting system to inflate the profits. It was possible to engage in criminal activities because the person involved was an insider. It therefore becomes obvious that no matter what the extent of formal and technical controls, prevention of insider security breaches demands certain normative controls. Such controls essentially deal with the culture, value and belief system of the individuals concerned (for details see Dhillon [4]).

Employee Behaviour

Previous research has shown that besides personal circumstances, work situations and opportunities available allow individuals to perform criminal acts (e.g. see [2]). In the case of Barings Bank the prevalent work situation and the opportunity to commit criminal acts affected the primary belief system of Leeson, thus creating an environment conducive to a crime being committed. This suggests that monitoring of employee behaviour is an essential step in maintaining the integrity of an organization. Such monitoring does not necessarily have to be formal and rule based. In fact, informal monitoring, such as interpreting behavioural changes and identifying personal and group conflicts, can help in establishing adequate checks and balances.

Conclusion

This paper has presented an analysis of violation of safeguards by trusted personnel by considering the case of Barings Bank and the activities of Nicholas Leeson. The analysis has suggested that organizations need to focus on the underlying beliefs that lead individuals to engage in intentional illicit acts resulting in computer security breaches. Clearly, behavioural change is ultimately the result of changes in beliefs. Thus it is important that people within organizations are exposed to information which will produce changes in their beliefs. In proactively managing the occurrence of adverse events, it is essential that we trace those changes in primary beliefs that result in particular attitudes and subjective norms.

Acknowledgments

Acknowledgments are due to Dr. James Backhouse, director of the Computer Security Research Center at the London School of Economics, for extensive discussions, comments and feedback on various aspects of information security management. The assistance and comments of a number of graduate students at the University of Nevada, Las Vegas and the London School of Economics, including Russell Cook, Roy Dajalos and Freddy Tan, are also acknowledged.

References

[1] Audit Commission, Opportunity makes a thief. Analysis of computer abuse, The Audit Commission for Local Authorities and the National Health Service in England and Wales, 1994.
[2] Backhouse, J. and Dhillon, G., Managing computer crime: a research outlook, Computers & Security, 14, 7, (1995), 645-651.

[3] Balsmeier, P. and Kelly, J., The ethics of sentencing white-collar criminals, Journal of Business Ethics, 15, 2, (1996), 143-152.

[4] Dhillon, G., Managing information system security, Macmillan, London, 1997.

[5] Dhillon, G., "Challenges in managing information security in the new millennium," in Dhillon, G., ed., Information security management: global challenges in the new millennium, Hershey: Idea Group, 2001.

[6] Dhillon, G. and Backhouse, J., Information system security management in the new millennium, Communications of the ACM, 43, 7, (2000), 125-128.

[7] Forester, T. and Morrison, P., Computer ethics: cautionary tales and ethical dilemmas in computing, The MIT Press, Cambridge, 1994.

[8] Hearnden, K., "Computer crime and people," in Hearnden, K., ed., A handbook of computer crime, London: Kogan Page, 1990.

[9] Moor, J.H., What is computer ethics, Metaphilosophy, 16, 4, (1985), 266-275.

[10] Oz, E., Ethics for the information age, Business and Educational Technologies, 1994.

[11] Parker, D.B., Crime by computer, Charles Scribner's Sons, New York, 1976.

[12] Parker, D.B., "Ethical dilemmas in computer technology," in Hoffman, W.M. and Moore, J.M., ed., Ethics and the management of computer technology, Cambridge, MA: Oelgeschlager, Gunn, and Hain, 1982.

[13] Parker, D.B. and Nycum, S.H., Computer Crime, Communication of the ACM, 27, 4, (1984),