
Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns

Gurpreet Dhillon
College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6009, USA, [email protected].

Computers & Security Vol.20, No.2, pp.165-172, 2001
0167-4048/01$20.00 © 2001 Elsevier Science Ltd. All rights reserved. Printed in Great Britain.

A majority of computer security breaches occur because internal employees of an organization subvert existing controls. While exploring the issue of violation of safeguards by trusted personnel, with specific reference to Barings Bank and the activities of Nicholas Leeson, this paper provides an understanding of related information security concerns. In a final synthesis, guidelines are provided which organizations could use to prevent computer security breaches.

Introduction

Businesses today are experiencing a problem with managing information security. This is so not only because of increased reliance of individuals and businesses on information and communication technologies, but also because the attempts to manage information security have been rather skewed towards implementing increasingly complex technological controls. The importance of technological controls should not be underplayed, but evidence suggests that the violation of safeguards by trusted personnel of an organization is emerging as a primary reason for information security concerns. Between 61 and 81% of computer related crimes are being carried out because of such violations (see Dhillon [5]; Dhillon and Backhouse [6] for a detailed discussion). These insiders could be dishonest or disgruntled employees who would copy, steal, or sabotage information, yet their actions may remain undetected.

Numerous security breaches have been reported in the popular press describing the sequence of events. In the UK for example, a fraud against the National Heritage Department resulted in payments of over £175 000 being made to fictitious organizations. In another case, a small US based Internet service provider, Digital Technologies Group, had its computers completely erased, allegedly by a disgruntled employee. The dismissed employee was later arrested and faced a prison sentence of up to 20 years.

Clearly violations of safeguards by trusted personnel resulting in information security breaches are real and need to be addressed. A requirement also exists for establishing guiding principles that organizations could adopt in moving a step forward to manage such information security problems. In addressing these concerns and needs, this paper reviews the nature of information security breaches occurring because of violation of safeguards by trusted personnel. The case of Barings Bank and the violation of safeguards by Nicholas Leeson, a trusted employee, are used to interpret the nature and scope of such security breaches. This is followed by a discussion that forms the basis for generating principles for effectively managing the violations of safeguards such that the security of computer based systems within organizations is not compromised.

Violation of Safeguards at Barings Bank

This section reviews the violation of internal organizational controls by an employee to gain undue advantage. It stresses the importance of instituting informal controls if computer security situations are to be adequately managed. The security issues arising from the misuse affect information systems integrity, formal and informal control mechanisms, and organizational cohesion in terms of culture.

Background

Barings Brothers & Co. (BB&Co.), a 223-year-old institution specializing in traditional merchant banking, decided to expand into investment banking in 1984 as a result of deregulation in the British financial markets. BB&Co. established a brokerage firm under the name of Barings Far East Securities, but this was later changed to Barings Securities Limited (BSL). The new company adopted the corporate culture from its founder Christopher Heath, a man recruited from the brokerage firm Henderson, Crosthwaite & Co. Heath brought many like-minded people into the new Barings subsidiary and created a strong corporate culture. This culture was more profit seeking and money-oriented than the traditional merchant banking culture that had existed at BB&Co for centuries.

BB&Co collapsed in 1995 due to one individual's wrongdoing and many other individuals' security negligence. Nicholas Leeson, the General Manager of Barings Futures Singapore Pte, Ltd. (BFS), a subsidiary of BB&Co., exploited substandard information security systems and caused the company to be placed under judicial management and eventually to go bankrupt.

Since Leeson had gained an immense amount of trust through his profits, £30 million for Barings in 1994 alone, he was able to circumvent many of the security inquiries against him without consequence. Leeson lost £126 million in Nikkei futures and Japanese Government bonds on 23 February 1995 after losing £701 million over the past two years. Given the lackadaisical organizational and information security constraints at BB&Co., Leeson was able to hide his losses in a secret account created using Barings' accounting computer systems. This was account 88888.

The basic problem at BB&Co. that is of relevance to this paper is the lack of correctly enforced organizational information security measures. Even though a functional security plan was in place at BB&Co., it did not take into account any interpretive data in its implementation, so leaving BB&Co vulnerable.

Corporate Restructuring Challenges

As BSL expanded and contributed increasing amounts to the revenues of the entire Barings Group, rivalry developed between BSL and BB&Co. Also, as internal competition between the companies accelerated, so did the incentive to take on more risk at BSL. The risk-taking management style and fast expansion of BSL left little time for implementing proper control mechanisms that would guard against financial impropriety. Barings Group directors became concerned and initiated a corporate restructuring.

The first thing that went wrong with the corporate restructuring was that the preferred corporate culture of fiscal conservatism could not be transferred from BB&Co. to BSL. Had the original conservative culture been instilled at BSL's development, perhaps through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, there probably would have been less rivalry and less unwarranted risk-taking.

Problems could also have been controlled if it was not for the matrix structure. The structure per se was not wrong, but it was not implemented correctly, causing confusion and unclear reporting lines. Management's lack of understanding of its own responsibilities allowed Leeson and others to go unsupervised locally; local supervision could have prevented the unethical behaviour and its escalation. Adopting a hierarchical control system that limits decision-making could have prevented this. By standardizing jobs, implementing direct supervision, and making sure that checks and balances were in place, no employee would have been able to take covert actions that would have jeopardized the entire organization. The situation at Barings Group was a disaster waiting to happen. It defies probability that the entire collapse did not happen earlier. There are several factors that contribute to this assertion.

The most problematic cause of disaster lies in the roots of BSL itself. BB&Co. began their subsidiary by handing over total control to Christopher Heath. The bank even requested that the staff of the new subsidiary consist of employees of Heath's current company, Henderson, Crosthwaite & Co., where he was a partner. It was from this moment that BB&Co. placed complete trust of BSL in the hands of an entity unfamiliar to Barings Group. BB&Co. had essentially relinquished control. Even though Heath was a positive influence in creating a company culture that fostered ambition and individualism, he also created an environment lacking in formal control mechanisms. Another factor that foreshadowed the demise of Barings was the rivalry that developed between the two main firms in Barings Group: BB&Co. and BSL.

When Nicholas Leeson came to Barings Futures Singapore (BFS), a subsidiary of BSL, as General Manager, he would soon be credited with bringing down the entire banking organization. He effectively kept his gross misconduct from being openly discovered for two main reasons: (1) the autonomy of BFS from the central hierarchy and (2) the absurd lack of internal controls throughout the entire Barings Group.

Evaluation of Organizational Controls

Internal Controls

The implementation of internal controls for any organization is key to running a 'well-oiled' business.

One of the first things accounting auditors learn in their studies is that examining the internal controls of an organization can tell a great deal about the company, how effectively it works, and how aware management is of their business processes. Management is responsible for maintaining the entity's controls. Of course, the controls' effectiveness depends on the competency and dependability of the people using them. Clearly, in this case the size, structure, and personnel were available to have effective controls, but Barings did not manage them, prioritize them, or take responsibility for maintaining them.

When management establishes its system of internal controls, there are several principles that are important to their plan. One fundamental principle is segregation of duties. It is important to segregate the areas of revenue generation or custody of assets, and record keeping. This principle is extremely important because it prevents a single individual from committing misappropriation of company assets or revenue and then concealing the defalcation by altering the records. Some companies separate controls even further in such a way that it would require two or even three individuals to commit this crime and conceal it on the books.

This internal control was not present at BFS. Leeson was responsible, as part of his position, for overseeing the trading and trade processing, settlement, and administration. He had access to the authorization and creation of trading accounts on the IT system; responsibility for generating income by trading a 'book of business'; and also the ability to make journal entries that were posted to the system, apparently without review.

Another key problem was the lack of an effective internal auditing department. Problems or weaknesses with the design of the internal controls and discrepancies with the adherence to those internal controls are the primary responsibility of the internal auditing department. Internal auditing departments prioritize their activities based on a risk analysis. Areas that are potentially more vulnerable to the company are their responsibility. Obviously this department failed to do its job if the activities of a small branch in Singapore were able to bring down the entire bank.

The key risk items that should have been looked at were, first of all, the lack of segregation of internal control at the branch level. Leeson was a General Manager who was responsible for both making trades and recording them. Second, a small branch in Singapore was showing abnormally large profits. Third, account balances were not reconciled. Daily reconciliation in the computer age is not unreasonable. Fourth, why were receivables in the Singapore Office so high? The internal audit department was either incompetent or lacking in sufficient organizational support to be effective.
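The first and third risk items above, segregation of duties between trade execution and record keeping, and daily reconciliation of account balances, are both mechanical enough to be checked by software. The Python below is an added example written for this page, not code from the paper or from Barings; it runs two such checks over a constructed sample of trades and journal entries. The trader, clerk and supervisor names, the trade ids, the amounts and the account "A100" are invented; the account number "88888" echoes the one the paper names, used here only as the constructed destination of a loss booked away from the desk book.

```python
# Added example (not from the paper): segregation-of-duties and daily
# reconciliation checks over a constructed trade/journal sample.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Trade:
    trade_id: str
    account: str
    executed_by: str            # front office: who made the trade
    amount: float               # profit (+) or loss (-) realised


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    account: str
    posted_by: str              # back office: who recorded it
    reviewed_by: Optional[str]  # independent reviewer, if any
    amount: float
    trade_ref: Optional[str]    # trade this entry books, if any


def sod_violations(trades: List[Trade],
                   entries: List[JournalEntry]) -> List[Tuple[str, str]]:
    """Flag journal entries that break segregation of duties: the person
    who executed the trade also posted its record, or nobody other than
    the poster reviewed the posting."""
    by_id = {t.trade_id: t for t in trades}
    found = []
    for e in entries:
        t = by_id.get(e.trade_ref) if e.trade_ref else None
        if t is not None and t.executed_by == e.posted_by:
            found.append((e.entry_id, "trader posted own entry"))
        if e.reviewed_by is None or e.reviewed_by == e.posted_by:
            found.append((e.entry_id, "no independent review"))
    return found


def reconcile(trades: List[Trade],
              entries: List[JournalEntry]) -> Dict[str, float]:
    """Daily reconciliation per account: booked total minus traded total.
    Returns only the accounts that do not balance. An account that has
    entries but no trades (or vice versa) shows up here too, which is
    how an unexpected holding account would surface."""
    traded = defaultdict(float)
    booked = defaultdict(float)
    for t in trades:
        traded[t.account] += t.amount
    for e in entries:
        booked[e.account] += e.amount
    breaks = {}
    for acct in set(traded) | set(booked):
        diff = round(booked[acct] - traded[acct], 2)
        if diff != 0.0:
            breaks[acct] = diff
    return breaks


# Constructed sample. "88888" echoes the account number the paper names;
# everything else (people, amounts, ids) is invented for the example.
SAMPLE_TRADES = [
    Trade("T1", "A100", "trader_a", -500.0),   # a loss on the desk book
    Trade("T2", "A100", "trader_b", 200.0),
]
SAMPLE_ENTRIES = [
    # Properly booked: a clerk posts, a supervisor reviews.
    JournalEntry("E1", "A100", "clerk_1", "supervisor", 200.0, "T2"),
    # The loss is moved into a separate account by the trader himself,
    # with no reviewer: both controls should fire.
    JournalEntry("E2", "88888", "trader_a", None, -500.0, "T1"),
]

if __name__ == "__main__":
    for entry_id, reason in sod_violations(SAMPLE_TRADES, SAMPLE_ENTRIES):
        print(f"SoD: {entry_id}: {reason}")
    for acct, diff in sorted(reconcile(SAMPLE_TRADES, SAMPLE_ENTRIES).items()):
        print(f"Reconciliation break on {acct}: {diff:+.2f}")
```

Run as a script, the sample produces two segregation-of-duties findings on entry E2 and two reconciliation breaks: the desk book A100 is short by the 500 that was moved, and 88888 carries a booked balance with no trade behind it. The point of pairing the two checks is that each catches what the other misses: a trader who is allowed to post his own entries can keep every account internally consistent, while a reconciliation that is actually run each day surfaces the mismatch regardless of who posted it.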

There are five components of an ideal internal control mechanism that management should use to design and implement controls to give reasonable assurance that the control objectives are being met. These components are the control environment, risk assessment, control activities, information and communication, and monitoring.

First, the control environment consists of actions, policies, and procedures that reflect the overall attitudes of top management about control and its importance to the corporation. Clearly Barings Bank had some internal controls in place, but they were performed more as a checklist than for true discovery or prevention. Second, management should assess the risk in the design of its internal controls to minimize errors and fraud. Having the level of autonomy that BFS did from the Bank, the risk was much greater and should have caused increased sensitivity for strict adherence to a good internal control system. Third, control activities include other policies and procedures that help to ensure that necessary actions are taken to address risks in the achievement of the company's objectives. Such control activities as adequate documents and records, physical control, and independent checks on performance are important components of internal control mechanisms. Barings' management knew Leeson had control of both the front and back offices of a division (BFS) they hardly knew anything about. It was discovered in later years that there was evidence of memoranda flying around about this blatant lack of separation of duties long before the collapse, yet nothing was done to change it. Fourth, information technology is used to gather company transactions and to maintain accountability to clearly communicate what is happening in the organization. At Barings Bank the management, internal auditors, and external auditors were all staring at the '88888' account problem; after all, it was a glaring piece of information, yet no-one attempted to reconcile this piece of reported information. It is true that Leeson hid things, forged documents, had information shredded by subordinates, restricted access to financial information, etc., but the fraud could still have been uncovered. Leeson simply had the confidence that even with all the controls in place and the inquiries into discrepancies that were found, he would still be able to beat the internal control system and recover the severe losses he was accumulating, because the system was weak, flaky, and, therefore, easily circumvented. Fifth, monitoring the quality of controls periodically is essential to have effective controls. The internal audit department of Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings' control functions used varying degrees of the 'hands-off' approach in performing their jobs.

External Controls

The external auditors also failed in their professional responsibility to detect material fraud at the Singapore office. Deloitte & Touche were the auditors through 1993, the time during which account 88888 was established. By then Leeson's loss was £23 million; this clearly would have been material to BFS' operations. Essentially, on the financial statement, Leeson was booking an entry to record the loss as income and as a receivable in order to conceal this loss. Deloitte & Touche failed in their audit of both the revenue of BFS and the assets of BFS. The unprofessional manner that they used to satisfy themselves that the receivable was correct was a major factor contributing to their demise.

After 1993, Coopers & Lybrand were the auditors for BFS. Coopers also failed in their confirmation of the bogus Spear, Leeds & Kellogg (a New York trader) receivable. Leeson had earlier claimed it to be a computer error. However, when the auditors pursued the point further, he claimed that it was a receivable. Confirmations should be requested directly from the debtor by the creditor but returned directly to the auditor. Since Leeson produced the documents himself, it was not credible evidence for auditing purposes. Second, if they were to be relied upon, Coopers & Lybrand could have made a phone call to Leeson's point of contact to confirm the documents. The biggest question was why no-one noticed that BSL's Singapore branch had one individual responsible for both the front and back offices, and realized the possibility for fraud. Everybody involved with BSL knew the answer: they were enjoying the benefits accrued from the status quo and did not see a need to scrutinize the BFS' business processes.

Understanding the Issue

The discussion on Barings Bank and the violation of safeguards by Leeson, a trusted employee, constitutes a kind of information system security breach that is intentional in nature. Generally, intentional acts could result in frauds, virus infections, invasion of privacy and sabotage. Parker [11] uses the term 'computer abuse' to describe such acts as vandalism and malicious mischief and places them in the same category as white-collar crime. White-collar crime is defined by Parker as "any endeavour or practice involving the stifling of free enterprise or promoting of unfair competition; a breach of trust against an individual or an institution; a violation of occupational conduct or jeopardizing of consumers and clientele". Information system security breaches resulting from the violation of safeguards by internal employees can therefore be defined as a deliberate misappropriation by which individuals intend to gain dishonest advantages through the use of the computer systems. Misappropriation itself may be opportunist, pressured, or a single-minded calculated contrivance.

Computer crime committed by internal employees is essentially a rational act and could result from a combination of personal factors, work situations and available opportunities [2]. Hearnden [8] believes that most of the perpetrators are motivated by greed, financial and other personnel problems. Forester and Morrison [7] suggest that sometimes even love and sex could provide a powerful stimulus for carrying out computer crimes. A survey conducted by the UK Audit Commission in 1994 found that, in addition to personal factors, disregard for basic internal controls (password not changed, computer activities not traceable etc.) and ineffective monitoring procedures contributed significantly to incidents of computer crime. An earlier study by Parker [13] found that in most organizations, sufficient methods of deterrence, detection, prevention and recovery did not exist. Clearly the Barings Bank situation was a case in point.

In the previous section, a number of issues have been presented which could be considered as reasons why information system security breaches occur in the first place. However there is considerable debate as to the extent to which information system security problems exist in reality. Parker [12] found that there was a wide range of opinions regarding the extent of computer security breaches due to the subversion of controls by internal employees. There were reports suggesting that only 374 cases were directly related to computer misuse, hence portraying computer crimes as being of minor significance. However during the same period nearly 150 000 computers had been installed within US organizations. Clearly the reported computer crime cases were an underestimation and what we actually see is just the tip of the iceberg. The UK Audit Commission's study suggests that many individuals and organizations fail to recognize computer crime as a problem. Its survey found employees at the managerial and supervisory levels as falling short of understanding the risks that computer misuse presents. In fact two-thirds of the perpetrators were supervisors who had been in the organization for a minimum of four years [1]. Another study based in the US found an astonishing 31% of computer crimes were being carried out by low paid clerks, 25% by managers and 24% by computer personnel [10]. Indeed Balsmeier and Kelly [3] suggest that most organizations had no method to minimize or deter computer crime and that the rewards for unethical behaviour seem to outweigh the risks. This clearly suggests that Barings Bank, with all the flaws in its internal reporting and control structures, was a victim of an information system security breach that has been considered a significant threat for a while. Yet no learning was incorporated into Barings Bank's thinking process.

From an auditing perspective, consideration could have been given to at least two aspects. First, the internal audit should have been reported to the audit committee, comprised of the board of directors of the company. Additionally, these members of the audit committee should have been independent board members, rather than board members who work for the company in the capacity of management or other professionals who provide service to the company. The independent, external auditors should also have reported to the audit committee. This is necessary to ensure that the auditors are reporting to a level high enough to ensure that recommendations and warnings do not fall on 'deaf ears'. Internal and external audits are designed to help assure the board of directors and stockholders that the financial statements of management are materially correct and that management is acting responsibly to maximize shareholder value and safeguard their assets. If they were to report to anyone but the audit committee, that responsibility could be jeopardized by internal politics.

Second, an accountability and responsibility structure for internal auditors should have been created. Although internal auditors report directly to a committee of the board of directors, the internal audit department still needs to be accountable and responsible in order to use the resources that they are given in the most effective manner. The fact that internal auditors let a serious problem with the segregation of duties pass without 'raising a major ruckus' was negligent. External auditors also needed to be held accountable. In public accounting, a partner with over 20 years of experience would normally sell the engagements. The client then will not see the partner until the job is over. Unfortunately, most of the audit is performed by staff members, who are usually just one to three years out of college. In this case, the auditors from both firms made a serious mistake. They relied on the internal controls of BFS when the internal controls were defective in the first place. They did not perform any substantive procedures to ensure that this material weakness was not causing materially incorrect balances to certain accounts. The auditors then reported to the board of directors that everything was fine when in reality that could not have been further from the truth.

Discussion

Since most of the computer security breaches occur because internal employees have subverted the existing controls (see Dhillon [4]), it is important that emphasis is placed on the more pragmatic aspects of an organization. Considering the particular case of Leeson, an individual gets involved in particular acts as a consequence of a combination of a person's behavioural and normative beliefs. If a person's attitude to perform an illicit act needs to be influenced, one has to focus on changing the primary belief system. More than any specific communication instrument, an organization-wide feeling of working together to solve problems and not hide them is the key. This ties together the cultural and reporting standards, so that Barings could have moved forward and its subsidiaries would not have hidden losses. Rather they should have worked together to solve problems. This, combined with proper auditing techniques, would have allowed Barings and its subsidiaries to avoid collapse. The paragraphs below identify some specific guidelines that organizations should consider if violations of safeguards by trusted personnel are to be avoided.

Formalized Rules

It has been argued that if an organization has a high level of dependence on IT, there is a greater likelihood of it being vulnerable to computer related misuse (e.g. see Moor [9]). It is therefore important that organizations implement effective and systematic policies. The demand for establishing security policies within organizations has long been made by academics and practitioners alike; however such calls have largely gone unheeded. Formalized rules in the form of security policies will help in facilitating bureaucratic functions such that ambiguities and misunderstandings within organizations can be resolved. Lack of formal rules or an inability to enforce the rules was very well evidenced in the case of Barings Bank and Leeson's activities. Most regulatory bodies (e.g. the Securities and Exchange Commission in the US) demand that certain procedures should be followed. There are even explicit rules regarding supervision. However because of an increased pressure to perform and be profitable, many of the formal rules were overlooked at Barings Bank. The case of Barings Bank suggests that although organizations are keen to instill a culture of efficiency and good practice, poor communication often has a negative impact. The case also suggests that formalized rules are essential for the functioning of an organization but that often something more needs to be done. Perhaps there should be an adequate emphasis on informal or normative controls.

Normative Controls

Clearly, mere technical or formal control measures are inadequate to prevent computer security breaches. In other related work Dhillon [4] cites cases where it was relatively easy for insiders to gain access to information systems and camouflage fictitious and fraudulent transactions. In the US, one of the most publicized examples of this kind of behaviour is evidenced by the demise of Kidder Peabody and the dealings of Joseph Jett. Jett was able to exploit a loophole in the accounting system to inflate the profits. It was possible to engage in criminal activities because the person involved was an insider. It therefore becomes obvious that no matter what the extent of formal and technical controls, prevention of insider security breaches demands certain normative controls. Such controls essentially deal with the culture, value and belief system of the individuals concerned (for details see Dhillon [4]).

Employee Behaviour

Previous research has shown that besides personal circumstances, work situations and opportunities available allow individuals to perform criminal acts (e.g. see [2]). In the case of Barings Bank the prevalent work situation and the opportunity to commit criminal acts affected the primary belief system of Leeson, thus creating an environment conducive to a crime being committed. This suggests that monitoring of employee behaviour is an essential step in maintaining the integrity of an organization. Such monitoring does not necessarily have to be formal and rule based. In fact, informal monitoring, such as interpreting behavioural changes and identifying personal and group conflicts, can help in establishing adequate checks and balances.

Conclusion

This paper has presented an analysis of violation of safeguards by trusted personnel by considering the case of Barings Bank and the activities of Nicholas Leeson. The analysis has suggested that organizations need to focus on the underlying beliefs that lead individuals to engage in intentional illicit acts resulting in computer security breaches. Clearly, behavioural change is ultimately the result of changes in beliefs. Thus it is important that people within organizations are exposed to information which will produce changes in their beliefs. In proactively managing the occurrence of adverse events, it is essential that we trace those changes in primary beliefs that result in particular attitudes and subjective norms.

Acknowledgments

Acknowledgments are due to Dr. James Backhouse, director of the Computer Security Research Center at the London School of Economics, for extensive discussions, comments and feedback on various aspects of information security management. The assistance and comments of a number of graduate students at the University of Nevada, Las Vegas and the London School of Economics, including Russell Cook, Roy Dajalos and Freddy Tan, are also acknowledged.

References

[1] Audit Commission, Opportunity makes a thief. Analysis of computer abuse, The Audit Commission for Local Authorities and the National Health Service in England and Wales, 1994.

[2] Backhouse, J. and Dhillon, G., Managing computer crime: a research outlook, Computers & Security, 14, 7, (1995), 645-651.

[3] Balsmeier, P. and Kelly, J., The ethics of sentencing white-collar criminals, Journal of Business Ethics, 15, 2, (1996), 143-152.

[4] Dhillon, G., Managing information system security, Macmillan, London, 1997.

[5] Dhillon, G., "Challenges in managing information security in the new millennium," in Dhillon, G., ed., Information security management: global challenges in the new millennium, Hershey: Idea Group, 2001.

[6] Dhillon, G. and Backhouse, J., Information system security management in the new millennium, Communications of the ACM, 43, 7, (2000), 125-128.

[7] Forester, T. and Morrison, P., Computer ethics: cautionary tales and ethical dilemmas in computing, The MIT Press, Cambridge, 1994.

[8] Hearnden, K., "Computer crime and people," in Hearnden, K., ed., A handbook of computer crime, London: Kogan Page, 1990.

[9] Moor, J.H., What is computer ethics, Metaphilosophy, 16, 4, (1985), 266-275.

[10] Oz, E., Ethics for the information age, Business and Educational Technologies, 1994.

[11] Parker, D.B., Crime by computer, Charles Scribner's Sons, New York, 1976.

[12] Parker, D.B., "Ethical dilemmas in computer technology," in Hoffman, W.M. and Moore, J.M., ed., Ethics and the management of computer technology, Cambridge, MA: Oelgeschlager, Gunn, and Hain, 1982.

[13] Parker, D.B. and Nycum, S.H., Computer Crime, Communications of the ACM, 27, 4, (1984),
