computer crimes: theorizing about the enemy within


Gurpreet Dhillon and Steve Moores
College of Business, Box 456009, University of Nevada, Las Vegas, NV 89154-6009, USA
Tel: (702) 895 3676; Fax: (702) 895 4370; Email: [email protected]

Abstract

A majority of computer crimes occur because a current employee of an organization has subverted existing controls. By considering two case studies, this paper analyzes computer crimes resulting because of violations of safeguards by employees. The paper suggests that various technical, procedural and normative controls should be put in place to prevent illegal and malicious acts from taking place. Ultimately a good balance between various kinds of controls would help in instituting a cost-effective means to make both accidental and intentional misconduct difficult. This would also ensure, wherever possible, individual accountability for all potentially sensitive negative actions.

Key words: Computer crime; malicious act; violation of safeguards; information security.

Introduction

Computer crime resulting from violation of safeguards by current employees can be defined as a deliberate misappropriation by which individuals intend to gain dishonest advantages through the use of the computer systems. Such violations constitute a significant proportion of computer crimes - as high as 81% [10]. Misappropriation itself may be opportunist, pressured, or a single-minded calculated contrivance. Computer crime committed by current employees is essentially a rational act and could result because of a combination of personal factors, work situations and available opportunities. These insiders may be dishonest or disgruntled employees who would copy, steal, or sabotage information, yet their actions may remain undetected. Such illegal and often malicious acts can have serious consequences for a business, yet many companies do not follow the proper procedures so as to prevent illegal activities from taking place. This includes having a system of controls in place to help prevent an employee’s ability to perform illegal actions. It also involves promoting the values that a business feels are positive, and monitoring employee behaviour.

This paper, by considering the cases of Kidder Peabody and Daiwa Bank, presents an analysis of computer crimes and theorizes about establishing adequate controls. The paper argues that more often than not, computer crimes occur when a current employee of an organization subverts existing controls to take undue advantage from the situation. The paper is organized into six sections. Following a brief introduction, sections two and three describe the computer crime situations at Kidder Peabody and Daiwa Bank. Section four presents a comparison of the two situations and section five draws lessons and principles for managing computer crimes. Finally section six draws broad conclusions.

Computers & Security, Vol. 20, No. 8, pp. 715-723, 2001
Copyright © 2001 Elsevier Science Limited
Printed in Great Britain. All rights reserved
0167-4048/01$20.00
COSE 2008.qxd 12/7/01 12:40 PM Page 715

The Kidder Peabody case

Consider the case of illicit activities of Joseph Jett who defrauded Kidder Peabody & Co out of millions of dollars over a course of more than two and half years. Jett was able to exploit the Kidder trading and accounting systems to fabricate profits of approximately US$339 million. Jett was eventually removed from the services of Kidder in April 1994. The US Securities and Exchange Commission claimed that Jett engaged in more than 1000 violations in creating millions of dollars in phony profits so as to earn millions in bonuses. During the course of Jett’s involvement with Kidder, he amassed a personal fortune of around $5.5 million and earned himself upwards of $9 million in salary and bonuses. In 1993 alone, he made nearly 80% of the firm’s entire annual profit of $439 million.

The opportunity

Prior to joining Kidder, Jett was aware of the manner in which the brokerage business was conducted and the specific conditions at Kidder. Jett realized the shortcomings of the accounting system and began tinkering with it. The management overlooked Jett’s actions, especially because he seemed to be performing very well and was adding to the firm’s profitability. Jett had been hired to perform arbitrage between Treasury bonds and Strips (Separate Trading of Registered Interest and Principal of Securities). Kidder relied heavily on Expert Systems to perform and value transactions in the bond markets. Based on the valuation of the transactions, Kidder systems automatically updated the firm’s inventory and Profit and Loss statements. Jett found out that by entering forward transactions on the reconstituted Strips, he could indefinitely postpone the time when actual losses could be recognized in a Profit and Loss statement. Jett was able to do this by racking up larger positions and reconstituting the Strips. This resulted in Jett’s 1992 trading profits touching a $32 million record, previously unheard of in dealing with Strips. Jett’s personal bonus was $2 million. The following year Jett reported a $151 million profit and earned $12 million in bonus. It was only in March 1994 that senior management started looking into the dealings. This was because Jett’s position included $47 billion worth of Strips and $42 billion worth of reconstituted Strips.

Clearly basic safeguards had not been instituted at Kidder. Although the junior traders at Kidder were aware of Jett’s activities, the senior management did not make any effort to access this information. These factors certainly influenced Jett’s beliefs and his intentions regarding the advantages and disadvantages of engaging in the illicit activities. As a consequence Jett manipulated the accounting information system and deceived the senior management at Kidder.
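The two facts the section records about the Kidder systems are that forward-dated transactions on reconstituted Strips deferred loss recognition, and that senior management only looked when the position had reached tens of billions of dollars. A basic safeguard of the kind the text says was missing is an exception report, produced by the accounting system itself and routed to supervision rather than to the trader, that flags both conditions. The following is an added illustration, not code from the paper or from Kidder; the `Trade` record, the instrument labels, the gross limit and the 30-day settlement horizon are all assumed, and the blotter is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Trade:
    trader: str
    instrument: str      # constructed labels: "STRIP" or "RECON" (reconstituted Strip)
    notional: float      # face value in USD; sign gives direction, abs() gives gross exposure
    trade_date: date
    settle_date: date


# Hypothetical policy thresholds; a real desk would take these from its risk policy.
GROSS_LIMIT_USD = 5_000_000_000.0   # maximum gross Strip/recon exposure per trader
FORWARD_HORIZON_DAYS = 30           # settlement lag beyond which a trade is reported


def exception_report(trades, gross_limit=GROSS_LIMIT_USD, horizon_days=FORWARD_HORIZON_DAYS):
    """Return (check, trader, instrument, value) tuples for
    (a) trades settling further out than the policy horizon, which is where
        loss recognition can be pushed into the future, and
    (b) traders whose gross exposure exceeds the per-trader limit.
    The report is meant for supervisors, not for the trader whose book it covers."""
    gross = defaultdict(float)
    findings = []
    for t in trades:
        gross[t.trader] += abs(t.notional)
        lag_days = (t.settle_date - t.trade_date).days
        if lag_days > horizon_days:
            findings.append(("FORWARD_SETTLEMENT", t.trader, t.instrument, lag_days))
    for trader, exposure in sorted(gross.items()):
        if exposure > gross_limit:
            findings.append(("GROSS_LIMIT", trader, "ALL", exposure))
    return findings


# Constructed blotter: T1 books a 90-day forward recon and breaches the gross limit; T2 is normal.
SAMPLE_TRADES = [
    Trade("T1", "STRIP", 3_000_000_000.0, date(1994, 1, 10), date(1994, 1, 12)),
    Trade("T1", "RECON", 3_000_000_000.0, date(1994, 1, 10), date(1994, 4, 10)),
    Trade("T1", "RECON", 2_500_000_000.0, date(1994, 1, 11), date(1994, 1, 13)),
    Trade("T2", "STRIP",   500_000_000.0, date(1994, 1, 10), date(1994, 1, 12)),
]

if __name__ == "__main__":
    for finding in exception_report(SAMPLE_TRADES):
        print(*finding)
```

The report is deliberately dumb: it does not try to value the positions, it only surfaces the two conditions that a supervisor should have to sign off on. Its value depends entirely on who receives it; the section's point is that the information existed at Kidder and was not looked at.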

Prevalent norms

As is typical of many merchant banks, bonuses earned are intricately linked with the profitability of the concern. Kidder offered substantial bonuses for individual contribution to company profits. Even within the parent company, General Electric, CEO Jack Welch had told his employees that he wanted to create a ‘cadre of professions’ who could perform and be more marketable. This resulted in the employees being subjected to intense pressure to perform and having a focus on serving their self-interest. As a consequence, General Electric did not necessarily afford a culture of loyalty and truthfulness. The employees were inadvertently getting the silent message that they should ‘look after themselves and win at any cost’. Critics claim that there was a certain hollowness of purpose beneath Welch’s relentlessly demanding management style [6].

Reports of ethical violations had also marred some of General Electric’s traditional lines of business. There had been allegations of conspiracy with De Beers mining company of South Africa to fix prices of industrial diamonds. The FBI has also been investigating charges that General Electric had repeatedly ignored warnings about electrical problems that could compromise the safety of aircraft engines. Jack Welch has dismissed these charges and has contended that had General Electric not acquired Kidder Peabody, such discussions would not have surfaced. Irrespective of the nature of defences put up by the General Electric senior management, the fact remains that a dominant culture to win and an aspiration to be number one or two in every market, created an internal context within the organization such that unethical practices could be overlooked.


External variables

Prior to Jett joining Kidder Peabody, no significant ethical problems had been reported at Kidder. Over the past few years the bank had been striving to perform satisfactorily, because at some stage the CEO wanted to dispose of the loss making brokerage unit. It had stayed clear of all sorts of rogue dealings, a phenomenon so common to any merchant bank. In fact lessons had been learnt from dealings in ‘junk bonds’ elsewhere. For example, the horror stories surrounding the demise of Drexel Burnham Lambert Inc. haunted every major bank involved in the derivatives market.

Kidder Peabody and the parent company General Electric were determined to court political and business acclaim by recruiting a large number of people from ethnic minorities. The bank considered this to be a means of paying back to the society and perhaps gaining esteem from others by lending a helping hand to certain under-privileged sections of the society. Various investigative reports following the Kidder Peabody swindling case have reported that the only reason why Jett got selected was because he happened to be a Black American. There are claims that Jett had falsified information on his vitae, thus making it extremely impressive. The personnel department at Kidder took this information on face value and did not make any attempt to verify it. It follows therefore that Jett’s risk taking character and involvement in unethical deeds may have influenced his beliefs, ultimately leading to the demise of Kidder.

Daiwa Bank scandal case

In yet another case, illicit activities of Toshihide Iguchi, a bond trader for the New York office of Japan’s Daiwa Bank, resulted in the bank losing at least $1.1 billion. It is estimated that over a period of eleven years Iguchi made 30,000 unauthorized trades and allegedly fabricated profits at Daiwa, while in reality he was making substantial losses. The fact that Iguchi was able to get away without being caught for so long is astonishing. Iguchi seemingly never sought any monetary gains from his actions. All he was apparently trying to do was conceal his mistakes.

What went wrong

Iguchi’s troubles began soon after he was promoted to be a trader in 1984. Daiwa’s New York office was small, and in order to save money, Iguchi had also been put in charge of keeping the books. He was simultaneously in charge of making trades and then recording them. This meant that Iguchi himself controlled the input and processing of everything that he bought and sold, and what the bank owned. On becoming a trader, Iguchi misjudged the market, and lost an estimated $200,000 trading U.S. government bonds, an insignificant sum to a bank as large as Daiwa. However Iguchi did not feel he could admit to a mistake, even one relatively as harmless as this. And since he had total control over the input, processing and output of all data, Iguchi was able to conceal his actions without much difficulty. In covering up his actions, Iguchi doctored the data to make it appear that he was making enormous profits for the company. Unlike some of the actors in other high-profile banking scandals, Iguchi apparently never profited from his illegal actions.

What Iguchi did to cover his initial losses was to illegally take government bonds from Daiwa’s own accounts or the accounts of Daiwa’s customers and sell them. He would order Bankers Trust New York Corp. to sell the bonds, and, because of the way the system was set up, the statements came directly to Iguchi. He would then forge duplicate copies to make it look as if Bankers Trust still held the bonds that he had just sold. The money he made from these sales went only to recoup his losses, and the plan may have worked if it was used only once. Unfortunately for Iguchi, he kept making bad business decisions, and his losses began to mount. He began trading more and larger sums, up to $500 million in bonds in one day. As his losses grew, so did the cover-up. Over the next eleven years, Iguchi made an estimated 30,000 unauthorized trades while losing $1.1 billion [7].

By 1993, it was becoming more and more difficult for Iguchi to continue covering-up his losses. That year, Daiwa’s New York office separated the bond-trading and record-keeping sections of its business. Iguchi no longer had direct and unsupervised control of both functions. Still, Iguchi was able to continue the fraud for another two years. This fact led to suspicions that someone else within the organization was helping Iguchi carry out his scheme. Whether he was working alone or with the help of someone else, Iguchi’s unauthorized actions finally came to light in 1995 when he wrote a 30-page letter of confession to Daiwa’s then president, Akira Fujita. In the letter Iguchi said that he could no longer withstand the pressure of his misdeeds.

The cover-up

During Iguchi’s trial in a Manhattan courtroom, he was quoted as saying: “they asked me to continue concealing the losses”. While admitting his role in the fraud, Iguchi also suggested involvement of other Daiwa officials in the scandal. Soon after Iguchi’s admission in court, the Federal Reserve Bank revoked Daiwa’s charter to do business in the United States. As the evidence mounted, the U.S. Attorney’s Office charged Daiwa Bank with 24 counts of conspiracy and fraud. Several top executives were charged with crimes related to the scandal. The cover-up apparently had been going on for nearly ten years, and included lies to federal officials, forged documents, Cayman Island transfers, to name a few.

Even with evidence of such criminal activity by executives at Daiwa, Federal Reserve officials were most interested in the events that took place after July 21, 1995, when Iguchi mailed his confession to Fujita. It is alleged that on July 24, Iguchi mailed another letter to Fujita, this one: “...warning that (Iguchi’s) $1.1 billion loss might be detected if headquarters did not replace Treasury bonds from a customer custodial account that Iguchi had secretly sold to cover his losses.” [8] Iguchi also said in the letter that it would be impossible for officials in the U.S. to find out about the losses if the Treasuries could be bought back. Daiwa officials apparently even asked for Iguchi’s help in devising ways to continue concealing his losses.

Daiwa then sent a team of its executives to New York to take control of the situation. They met with Iguchi and the then New York branch manager Masahiro Tsuda. The executives told Iguchi and Tsuda that Daiwa planned to release information of the losses in November of that year, and until then, the situation must remain secret. They also allegedly asked Iguchi to rewrite his confession, and specifically instructed him to exclude all other information, except the one pertaining to unauthorized trading. Iguchi was also asked to destroy the computer records of his communications.

External variables

Iguchi’s ability to defraud Daiwa of $1.1 billion was largely due to the fact that he controlled both the sales and the recording of the transactions. More was involved, though, for Iguchi to get away with it. Japanese businesses tend to “trust” their employees more than American businesses do. Japanese firms expect their employees to be loyal and work for the good of the company. It is relatively unthinkable for a person to behave in a way that is detrimental to the company. Therefore, Japanese firms are traditionally “loose”, with few direct controls on the employees.

This idea of employee loyalty only applies to the Japanese employees of a company. Japanese firms constantly monitor American employees. Even though Iguchi had become an American citizen by the time the scandal began, he was Japanese and he spoke Japanese, and his bosses gave him complete trust. Iguchi had almost complete autonomy, something an American employee could never attain.

Daiwa’s lack of controls also played a huge role in giving Iguchi the room he needed to pull off his deception. Daiwa would perform internal audits at various times, but never contacted Bankers Trust, who held the bonds, to confirm the figures. If they had, it is likely that Iguchi’s deeds would have been found out. Daiwa also did not enforce a policy requiring its employees to take vacations. Many businesses, especially banks, force their employees to take vacations because that makes it more difficult to manipulate the data. Iguchi apparently never left for more than a few days at a time. If Daiwa had insisted that its employees take time off for a week or two, it is probable that Iguchi’s actions would have been discovered.
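The two missing controls named in this paragraph, an independent confirmation of holdings with the custodian and a mandatory-absence policy, are both mechanical checks that an audit team can run from data it already holds. The following is an added example written for this page, not the paper’s or Daiwa’s code: `reconcile` compares the bank’s own holdings ledger with a statement obtained directly from the custodian and lists every break, and `absence_exceptions` lists employees who have not been continuously away for the required number of days in the review window. Account names, security labels, the ten-day requirement and the absence records are all constructed.

```python
from datetime import date, timedelta


def reconcile(internal, custodian):
    """Compare internal holdings with the custodian's statement, account by account.
    Both inputs map account -> {security: face value}. Returns one tuple per break:
    (account, security, internal_value, custodian_value, difference).
    Accounts or securities present on only one side are treated as zero on the other,
    so a position that exists only in the bank's own books is reported too."""
    breaks = []
    for acct in sorted(set(internal) | set(custodian)):
        ours = internal.get(acct, {})
        theirs = custodian.get(acct, {})
        for sec in sorted(set(ours) | set(theirs)):
            a, b = ours.get(sec, 0), theirs.get(sec, 0)
            if a != b:
                breaks.append((acct, sec, a, b, a - b))
    return breaks


def longest_consecutive_absence(absent_days):
    """Length of the longest run of consecutive calendar days in absent_days."""
    best = run = 0
    prev = None
    for d in sorted(set(absent_days)):
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best = max(best, run)
        prev = d
    return best


def absence_exceptions(absences_by_employee, required_days=10):
    """Employees who have not taken `required_days` consecutive days away in the window.
    While someone is away, their book is run by someone else, which is what makes a
    sustained cover-up hard to maintain."""
    exceptions = []
    for emp, days in sorted(absences_by_employee.items()):
        longest = longest_consecutive_absence(days)
        if longest < required_days:
            exceptions.append((emp, longest))
    return exceptions


# Constructed data. The custodian statement must be obtained directly from the
# custodian by someone other than the trader; a statement routed via the trader
# is exactly the document Iguchi was able to forge.
INTERNAL_HOLDINGS = {
    "CUST-001": {"T-BOND-A": 10_000_000, "T-NOTE-B": 4_000_000},
    "HOUSE":    {"T-BOND-A": 25_000_000},
}
CUSTODIAN_STATEMENT = {
    "CUST-001": {"T-BOND-A": 6_000_000, "T-NOTE-B": 4_000_000},   # 4m of T-BOND-A is not there
    "HOUSE":    {"T-BOND-A": 25_000_000},
}
ABSENCES_1993 = {
    "TRADER_A": [date(1993, 3, 1), date(1993, 3, 2), date(1993, 3, 3),
                 date(1993, 8, 16), date(1993, 8, 17)],            # never more than 3 days away
    "TRADER_B": [date(1993, 7, 5) + timedelta(days=i) for i in range(14)],
}

if __name__ == "__main__":
    for brk in reconcile(INTERNAL_HOLDINGS, CUSTODIAN_STATEMENT):
        print("BREAK", *brk)
    for emp, longest in absence_exceptions(ABSENCES_1993):
        print("ABSENCE", emp, "longest run", longest, "days")
```

Both checks are only as good as their inputs: the reconciliation has to be run by the back office against a statement the trader never touches, and the absence review has to cover everyone who can enter or alter records, not only those formally titled trader.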


Jett vs. Iguchi

There are a few similarities between Jett’s and Iguchi’s actions. Both were able to subvert the controls at their respective businesses. And clearly their actions were illegal and unethical, which caused each of their companies to lose huge amounts of money. Jett’s apparent motives were to increase Kidder’s profits while making huge bonuses for himself. His attitude seemed to be that it didn’t matter that what he was doing was illegal or unethical as long as he was making money. He has been quoted several times as saying that he didn’t do anything wrong, and that what he did was no different from what other traders do. The implication is that Jett believed that it was perfectly acceptable to perform illegal actions as long as ‘everyone else is doing it’. Jett is an example of one of those employees who, no matter how hard a business tries to encourage fair and ethical behaviour, may never be converted.

Iguchi’s attitudes were the exact opposite of Jett’s, although the outcome was the same. Iguchi’s beliefs and attitudes were shaped by the Japanese culture, where loyalty and hard work are held in high esteem. As stated before, Iguchi never personally profited from what he did. His actions were motivated by loyalty to his employer, as well as his desire to avoid embarrassment. Iguchi seemed to think that he could fix the problem, although it kept getting worse. He wanted his company to do well, and he felt that it was his obligation to Daiwa to correct his mistakes.

Even though the fundamental attitudes and beliefs of Jett and Iguchi were very different, the ultimate outcome was the same. One employee was motivated by greed, and wound up causing problems. The other employee was motivated by loyalty to his company, but also caused his company major problems. This shows that encouraging desirable beliefs and attitudes can have major benefits in influencing the behaviour of employees, but is not adequate to prevent disaster.

Although it is very important for a company to focus on the values, beliefs, and attitudes of its employees, this is not enough to ensure that computer related crimes will be prevented. No matter how hard a business tries to shape and enhance its employees’ ideals, there are always bound to be a few who would resist. Hence it is essential that a firm have in place controls that will prevent the odd employee from performing illegal actions. However, just having controls does not mean that they will be effective. These controls also need to be used properly. Kidder Peabody had implemented controls that could have caught Jett’s actions early if they had been used the way they were designed to be used. A report by former Securities & Exchange Commission enforcement chief Gary Lynch stated that the scandal at Kidder was the result of ‘lax oversight’ and ‘poor judgments’ [11]. The report also claims that Kidder had a: “cavalier disregard for normal operating procedures in pursuit of profits.” [9] As long as Jett seemed to be making tremendous profits for Kidder, officials were happy to look the other way, and any scepticism about Jett’s actions was dismissed.

At Daiwa, it was a lack of controls that allowed the scandal to take place. There was little direct oversight of Iguchi, and he was free to conduct business as he saw fit. Daiwa had put the ‘fox’ in charge of the ‘hen house’. Daiwa neglected the most basic safeguards, and made a huge error in risk control by letting Iguchi record his own transactions.

In both cases, management put too much trust in its employees, and failed to supervise them closely enough. They just assumed that their employees wouldn’t do anything wrong. Both Daiwa and Kidder officials did not follow the practices generally accepted in the finance industry for monitoring trading activities and for risk management. In both cases this proved disastrous. Key lessons from the two cases are discussed in the following section.

Drawing lessons for managing computer crime situations

The cases of Kidder Peabody and Daiwa Bank suggest that there are certain basic safeguards that organizations can put in place thereby minimizing chances of a computer crime taking place. Safeguards or controls that could be put in place can be classified into three categories – technical, formal or informal interventions [3]. However the success in implementing controls is achieved by establishing the right balance between various controls (cf. Dhillon [4]). Technical interventions essentially deal with restricting access, which may be to the buildings and rooms or to computer systems and programs. Formal interventions deal with establishing rules and ensuring compliance to the laws and procedures. Usually formal interventions can be instituted by considering and establishing the requisite organizational structures and processes. It also entails identifying roles and responsibilities that go with formal organizational structures. Informal interventions relate to the educational and awareness programs that could be put in place within organizations.

Technical controls

Clearly, both in the case of Kidder Peabody and Daiwa Bank, there were opportunities to establish appropriate technical controls that could have prevented crimes from taking place in the first place. As described earlier, Kidder relied on advanced information technology systems to manage the various transactions. And Jett identified a means to postpone the actual time when a loss could appear on the Profit and Loss statement. Simply put, this is a systems analysis and design problem. When the systems were developed in the first instance, little attention was perhaps placed on instituting the controls. Baskerville [1] suggests this to be typical of most systems development activities where the introduction of controls is not even considered during the systems analysis and design stages of system development. As a consequence security of systems is an afterthought at best. There were certainly other problems with Kidder Peabody in that there was over-reliance on one individual to post all transactions, an issue also identified by Dhillon [5] in reviewing the shortcomings in the case of Barings Bank. In the case of Daiwa Bank, a similar situation existed. The computer-based systems used by Iguchi had virtually no established controls. As a result one individual could input and doctor the data. Obviously there was lack of supervision and separation of responsibilities.

As Dhillon [3] suggests, implementation of technical controls is usually considered in a rather narrow and mechanistic manner. There is practically little or no emphasis on incorporating numerous technical control structures into the systems development processes. Merely establishing a password is not enough. What is really needed is an understanding of the organizational structures and business processes and identifying a range of checks and balances that could be established. These could then be incorporated into the systems development processes. Even today this remains a far-fetched idea. Dhillon [2] provides evidence, where in a British hospital CRAMM, the risk management methodology, was used in a haphazard manner hence forgoing the potential benefits in instituting the controls.

Formal controls

Formal controls deal with establishing adequate business structures and processes so as to maintain high integrity data flow and the general conduct of the business. Establishing adequate processes also ensures compliance to regulatory bodies, organizational rules and policies. Therefore it goes without saying that good business processes and structures ensure the safe running of the business and prevent crime from taking place. Clearly mature organizations have well established and institutionalized processes and newer enterprises have to engage in the process of innovation and institutionalization. To a large extent high integrity processes are a consequence of adequate planning and policy implementation. In the realm of information security there is a general lack of appreciation for the importance of planning and policy issues. In cases where consideration has been given to security policy formulation and implementation, security and computer crime prevention has been treated largely as a technical issue with a predominance of technical controls. These are usually in the form of passwords, firewalls and encryption (for a detailed discussion see [4]).

Lack of consideration to formal controls is evidenced in the case of Daiwa Bank where no organizational structure or business process was defined for keeping books and recording trades. As a matter of fact, Iguchi was in charge of both making trades and keeping the books. Consequently there was a significant vulnerability because of lack of segregation of duties and separation of roles.
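The technical-controls section above makes the point that a system built without controls lets one individual both input and doctor the data, and this paragraph names the missing formal control: segregation of duties between making trades and keeping the books. The following added example, written for this page and not drawn from the paper or from any bank’s system, shows how a trade-capture system can enforce both at the design stage. Booking requires the trader role, recording requires the books role, the same person can never do both for one trade even if they hold both roles, and every action is written to a hash-chained audit log so that later alteration of a record is detectable. The user names, role names and trade details are constructed.

```python
import hashlib
import json


class SegregationError(Exception):
    """Raised when one person tries to both book a trade and record it in the books."""


def _chain_hash(prev_hash, event):
    # Each log entry commits to the previous entry's hash and to its own content.
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class TradeLedger:
    GENESIS = "0" * 64

    def __init__(self, roles):
        self.roles = roles          # user -> set of roles, e.g. {"trader"} or {"books"}
        self.trades = {}            # trade_id -> record
        self.audit = []             # append-only, hash-chained event log

    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} does not hold role {role!r}")

    def _log(self, event):
        prev = self.audit[-1]["hash"] if self.audit else self.GENESIS
        self.audit.append({"event": event, "prev": prev, "hash": _chain_hash(prev, event)})

    def book(self, user, trade_id, details):
        """Front office: a trader enters a trade."""
        self._require(user, "trader")
        if trade_id in self.trades:
            raise ValueError(f"trade {trade_id} already booked")
        self.trades[trade_id] = {"details": dict(details), "booked_by": user, "recorded_by": None}
        self._log({"action": "book", "trade": trade_id, "user": user, "details": dict(details)})

    def record(self, user, trade_id):
        """Back office: a second person in the books role confirms the trade into the records."""
        self._require(user, "books")
        rec = self.trades[trade_id]
        if rec["booked_by"] == user:
            raise SegregationError(f"{user} booked {trade_id} and may not also record it")
        rec["recorded_by"] = user
        self._log({"action": "record", "trade": trade_id, "user": user})

    def verify_audit(self):
        """True if no entry in the log has been altered, reordered or removed."""
        prev = self.GENESIS
        for entry in self.audit:
            if entry["prev"] != prev or entry["hash"] != _chain_hash(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


# Constructed users: carol holds both roles, which is the arrangement Daiwa had for Iguchi.
ROLES = {"alice": {"trader"}, "bob": {"books"}, "carol": {"trader", "books"}}


def demo():
    ledger = TradeLedger(ROLES)
    ledger.book("alice", "T-1", {"security": "T-BOND-A", "face": 1_000_000})
    ledger.record("bob", "T-1")                        # different person: allowed
    ledger.book("carol", "T-2", {"security": "T-BOND-A", "face": 5_000_000})
    try:
        ledger.record("carol", "T-2")                  # same person on both sides: refused
        self_record_blocked = False
    except SegregationError:
        self_record_blocked = True
    intact_before = ledger.verify_audit()
    ledger.audit[0]["event"]["details"]["face"] = 10   # doctoring a record after the fact
    intact_after = ledger.verify_audit()
    return {"self_record_blocked": self_record_blocked,
            "audit_intact_before": intact_before,
            "audit_intact_after": intact_after}
```

The hash chain does not stop an administrator from rewriting the whole log, so in practice the log is shipped to a store the trading and books users cannot write to; what the chain gives the auditor is the ability to prove that the copy they hold is consistent with the one that was written.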

Many organizations are attempting to institute formal controls by either developing their own standards or adopting codes of conduct developed by independent bodies such as BS7799. However simply adopting a code or a best practice does little in terms of compliance or individual ownership. Simply adopting a code, mission statement or a credo, without following it up with training and publicity to reinforce the message, will not be enough to prevent employee transgressions. In order for the campaign to be effective, upper management must be highly visible in the conduct of the campaign. Management must make employees at all levels really accept (in other words, internalize) the code of conduct they want the employees to follow.

Another formal control that companies need to consider is to establish procedures and practices for monitoring and preventing deviant behaviour. Since companies want to avoid deviant behaviour from their employees, it is in their best interests to reinforce positive beliefs and attitudes, while at the same time modifying undesirable ones. However, before a business can begin to reinforce these positive aspects in its employees, it must first determine what behaviour and actions are considered desirable. The business can then consider what kinds of beliefs and attitudes will help achieve the specified behavioural outcomes. At the same time, it would also be useful to determine the range of undesirable behaviours. This will allow the company to take proactive steps to reduce or eliminate certain deviant beliefs and attitudes before they can lead to adverse consequences. Such an orientation would allow a company to develop adequate methods and procedures for promoting certain kinds of behaviour and for monitoring negative changes in employee attitude.

Monitoring employee behaviour is important for determining how well its workers are conforming to the desired ‘code of conduct’, and to deal with any deviations before they become serious. A company, however, should not be content with fixing problems as they occur. There should also be an emphasis to prevent any problems from occurring in the first place. To a large extent this can be accomplished by instilling a company’s values and beliefs in its employees. Businesses and other organizations have a duty to themselves, and to their shareholders, to make absolutely certain that all of their employees fully understand the organization’s goals and objectives. Achieving this should begin with the development and publicizing of such things as ‘Mission Statements’ and ‘Company Credos’.

Informal controls

Informal controls, perhaps the most cost-effective type of controls, essentially centre around increasing awareness of employees, ongoing education and training programs, and management development programs focusing on developing a sub-culture that enables everyone to understand the intentions of various stakeholders.

In particular, informal controls could take the form of communicating appropriate behaviour and attitudes, making the employees believe in the organization and assuring individual accountability for any misconduct. Communicating appropriate behaviour and attitude is an important informal control that an organization can establish. Many companies conduct periodic (e.g., annual) briefings for their employees on such topics as sexual harassment, personal responsibility and employee excellence. Similarly there is a need to have seminars to communicate an organization’s attitude on various subjects such as computer crime and white collar crime. Such briefings and classes demonstrate to their employees how they are supposed to act, and that there may be consequences for not following the given norms of behaviour. Certain companies have been proactive in conducting such training sessions, albeit following a fraud or some illegal activity. For example, some years ago, six employees of Rockwell International were accused of illegal actions regarding charging to government contracts. Even though the employees were at fault, Rockwell was still held accountable for its employees’ actions. As part of the settlement of the case, Rockwell agreed to ensure that every single employee of the corporation attended an annual ‘Ethics Training’ session.

An important informal control that organizations should establish relates to making the employees believe in the company and assuring individual accountability for any misconduct. The beliefs and attitudes conveyed by the company to its employees must also be consistent, and should be continuously communicated to the employees over a long period of time. Exposing the employees to the company’s moral and ethical beliefs only sporadically is not enough. They will not internalize them, and are not likely to follow them. The same message should always be present, day in and day out, in the work environment. Management also needs to make certain that it does not allow its desire to succeed to take precedence over the company’s own beliefs and attitudes regarding personal and business ethics.

Clearly ethical training and ‘wheel alignment’ campaigns can have the desired effect on the bulk of the employees of an organization. Most of the employees can be endowed with a strong enough set of beliefs and morals to act as effective controls over the way they conduct themselves within a company. It can be safe to assume that most employees will perform their duties according to the company credos, and will not try to subvert controls by engaging in illegal activities. However, there will always be a small percentage of employees who remain immune to the ethical training and to the attitudes surrounding them. These people present a real threat to the company. Even when a system of controls is in place, a company can be severely damaged, or even destroyed, due to the unethical or illegal actions of a single employee. It is therefore important to devise methods to identify such individuals and keep a tab on them.

Some employees might also evade normative controls because of cultural idiosyncrasies. Employees steeped in certain cultures might find it extremely difficult to admit mistakes, and could resort to unethical or illegal activities to try and hide such mistakes. Employees from other cultures might put faith in personal relationships at the expense of company procedures, and, for example, ignore competitive bidding requirements in the awarding of contracts. In any case personal accountability for misconduct needs to be ingrained into the organizational procedures. A policy statement on personal accountability and its communication to the relevant stakeholders will go a long way in addressing the need for informal controls.

Conclusion

Clearly there are a number of controls that could be established to prevent situations like those at Kidder and Daiwa from occurring. As has been stated in the previous sections, such controls are at three possible levels – technical, formal and informal. In particular setting standards for proper business conduct, monitoring employees to detect deviations from standards, implementing risk management procedures to reduce the opportunities for things to go wrong, implementing rigorous employee training, and instituting individual accountability for misconduct are some of the immediate steps that businesses could take.

The key guiding principle for any control implementation has to relate to identifying the exact level of resource allocation. Certainly the amount spent should be in proportion to the criticality of the system, cost of the control and probability of the occurrence of an event. Appropriate controls are also necessary to protect organizations from suits against negligent duty and compliance to computer misuse and data protection legislation. Indeed for any control measure to be effective, both management and employees must take them seriously. Encouraging positive attitudes and beliefs and implementing safeguards may not prevent every breach of conduct, but it is well worth the effort.
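The proportionality rule stated above (spend in proportion to criticality, control cost and event probability) can be applied as a simple cost-justification: expected annual loss is the event probability times the loss if it occurs, each candidate control removes some fraction of that probability, and a control is worth adopting when the loss it avoids exceeds what it costs. This is an added worked example, not from the paper; the expected-loss framing is a standard one the paper does not itself spell out, each control is scored on its own against the untreated risk rather than in combination, and the scenario probability, impact, control costs and reduction factors are constructed figures, not the Kidder or Daiwa numbers.

```python
def expected_annual_loss(probability, impact):
    """Annual probability of the event times the loss if it occurs."""
    return probability * impact


def justify_controls(probability, impact, controls):
    """Score each candidate control independently against the untreated risk.

    controls: list of dicts with keys name, annual_cost and prob_reduction, where
    prob_reduction is the fraction of the event probability the control removes.
    Returns (adopted, rejected); each is a list of (name, net_benefit) tuples sorted
    with the highest net benefit first. net_benefit = avoided expected loss - cost.
    Scoring controls one at a time ignores overlap between them; once a control is
    chosen, the others should be re-scored against the residual risk."""
    baseline = expected_annual_loss(probability, impact)
    scored = []
    for c in controls:
        residual = expected_annual_loss(probability * (1 - c["prob_reduction"]), impact)
        net = (baseline - residual) - c["annual_cost"]
        scored.append((c["name"], net))
    scored.sort(key=lambda item: item[1], reverse=True)
    adopted = [s for s in scored if s[1] > 0]
    rejected = [s for s in scored if s[1] <= 0]
    return adopted, rejected


# Constructed scenario and candidate controls; all figures are illustrative.
UNAUTHORISED_TRADING = {"probability": 0.1, "impact": 25_000_000}
CANDIDATE_CONTROLS = [
    {"name": "independent custodian reconciliation", "annual_cost": 120_000, "prob_reduction": 0.8},
    {"name": "segregation of trading and books",     "annual_cost": 300_000, "prob_reduction": 0.7},
    {"name": "mandatory two-week absence",           "annual_cost":  60_000, "prob_reduction": 0.3},
    {"name": "biometric locks on the trading floor", "annual_cost": 500_000, "prob_reduction": 0.02},
]

if __name__ == "__main__":
    adopted, rejected = justify_controls(UNAUTHORISED_TRADING["probability"],
                                         UNAUTHORISED_TRADING["impact"], CANDIDATE_CONTROLS)
    for name, net in adopted:
        print(f"ADOPT  {name:40s} net benefit {net:>12,.0f}")
    for name, net in rejected:
        print(f"REJECT {name:40s} net benefit {net:>12,.0f}")
```

The constructed figures make the point the two cases illustrate: the cheap procedural controls (reconciliation, segregation, enforced absence) address the insider scenario directly, while an expensive access control that does nothing against an authorised user fails the proportionality test.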

References

[1] Baskerville, R., Designing information systems security, John Wiley & Sons, New York, 1988.

[2] Dhillon, G., Managing information system security, Macmillan, London, 1997.

[3] Dhillon, G., Managing and controlling computer misuse, Information Management & Computer Security, 7, 5, (1999).

[4] Dhillon, G., “Principles for managing information security in the new millennium,” in Dhillon, G., ed., Information security management: global challenges in the new millennium, Hershey: Idea Group, 2001, p. 173-177.

[5] Dhillon, G., Violation of safeguards by trusted personnel and understanding related information security concerns, Computers & Security, 20, 2, (2001), 165-172.

[6] Greenwald, J., Jack in the box, Time, 1994.

[7] Greenwald, J., A blown billion, Time, 1995.

[8] Hirsch, M., Tossed out, Newsweek, 1995, p. 42-46.

[9] Pare, T.P., Nightmare on Wall Street, Fortune, 1994, p. 40-48.

[10] Parker, D., “Seventeen information security myths debunked,” in Dittrich, K., Rautakivi, S., and Saari, J., ed., Computer Security and Information Integrity, Amsterdam: Elsevier Science Publishers, 1991, p. 363-370.

[11] Smart, T., Wall Street’s bitter lessons for GE, Business Week, 1994.
