1 s2.0-s0167404801002097-main
Upcoming SlideShare
Loading in...5
×
 

1 s2.0-s0167404801002097-main

on

  • 214 views

 

Statistics

Views

Total Views
214
Views on SlideShare
214
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

1 s2.0-s0167404801002097-main 1 s2.0-s0167404801002097-main Document Transcript

  • Computers & Security Vol.20, No.2, pp.165-172, 2001 Copyright © 2001 Elsevier Science Limited Printed in Great Britain. All rights reserved 0167-4048/01$20.00 Violation of Safeguards by Trusted Personnel and Understanding Related Information Security Concerns Gurpreet Dhillon College of Business, University of Nevada, Las Vegas, Las Vegas, NV 89154-6009, USA, dhillon@nevada.edu.A majority of computer security breaches occur because internal discussion). These insiders could be dishonest or dis-employees of an organization subvert existing controls. Whileexploring the issue of violation of safeguards by trusted personnel, gruntled employees who would copy, steal, or sabotagewith specific reference to Barings Bank and the activities of information, yet their actions may remain undetected.Nicholas Leeson, this paper provides an understanding of relatedinformation security concerns. In a final synthesis, guidelines are Numerous security breaches have been reported inprovided which organizations could use to prevent computer the popular press describing the sequence of events. Insecurity breaches. the UK for example, a fraud against the National Heritage Department resulted in payments of overIntroduction £175 000 being made to fictitious organizations. In another case, a small US based Internet serviceBusinesses today are experiencing a problem with man- provider, Digital Technologies Group, had its comput-aging information security.This is so not only because ers completely erased, allegedly by a disgruntledof increased reliance of individuals and businesses on employee. The dismissed employee was later arrestedinformation and communication technologies, but also and faced a prison sentence of up to 20 years.because the attempts to manage information securityhave been rather skewed towards implementing increas- Clearly violations of safeguards by trusted personnelingly complex technological controls. The importance resulting in information security breaches are real andof technological controls should not be underplayed, need to be addressed. A requirement also exists forbut evidence suggests that the violation of safeguards by establishing guiding principles that organizations couldtrusted personnel of an organization is emerging as a adopt in moving a step forward to manage such infor-primary reason for information security concerns. mation security problems. In addressing these concernsBetween 61 and 81% of computer related crimes are and needs, this paper reviews the nature of informationbeing carried out because of such violations (see security breaches occurring because of violation ofDhillon [5]; Dhillon and Backhouse [6] for a detailed safeguards by trusted personnel. The case of Barings0167-4048/01$20.00 © 2001 Elsevier Science Ltd. All rights reserved 165
  • Violation of Safeguards by Trusted Personnel and UnderstandingRelated Information Security Concerns/Gurpreet DhillonBank and the violation of safeguards by Nicholas Since Leeson had gained an immense amount of trustLesson, a trusted employee, are used to interpret the through his profits, £30 million for Barings in 1994nature and scope of such security breaches.This is fol- alone, he was able to circumvent many of the securitylowed by a discussion that forms the basis for generat- inquiries against him without consequence. Leeson losting principles for effectively managing the violations of £126 million in Nikkei futures and Japanesesafeguards such that the security of computer based Government bonds on 23 February 1995 after losingsystems within organizations is not compromised. £701 million over the past two years. Given the lack- adaisical organizational and information security con- straints at BB&Co., Leeson was able to hide his lossesViolation of Safeguards at Barings in a secret account created using Barings’ accountingBank computer systems.This was account 88888.This section reviews the violation of internal orga- The basic problem at BB&Co. that is of relevance tonizational controls by an employee to gain undue this paper, is the lack of correctly enforced organiza-advantage. It stresses the importance of instituting tional information security measures. Even though ainformal controls if computer security situations are functional security plan was in place at BB&Co., itto be adequately managed.The security issues arising did not take into account any interpretive data in itsfrom the misuse affect information systems integrity, implementation, so leaving BB&Co vulnerable.formal and informal control mechanisms, andorganizational cohesion in terms of culture. Corporate Restructuring Challenges As BSL expanded and contributed increasing amountsBackground to the revenues of the entire Barings Group, rivalryBarings Brothers & Co. (BB&Co.), a 223-year-old developed between BSL and BB&Co.Also, as internalinstitution specializing in traditional merchant bank- competition between the companies accelerated, soing, decided to expand into investment banking in did the incentive to take on more risk at BSL. The1984 as a result of deregulation in the British financial risk-taking management style and fast expansion ofmarkets. BB&Co. established a brokerage firm under BSL left little time for implementing proper controlthe name of Barings Far East Securities, but this was mechanisms that would guard against financial impro-later changed to Barings Securities Limited (BSL). priety. Barings Group directors became concernedThe new company adopted the corporate culture and initiated a corporate restructuring.from its founder Christopher Heath, a man recruitedfrom the brokerage firm Henderson, Crosthwaite & The first thing that went wrong with the corporateCo. Heath brought many like-minded people into the restructuring was that the preferred corporate cul-new Barings subsidiary and created a strong corporate ture of fiscal conservatism could not be transferredculture. This culture was more profit seeking and from BB&Co. to BSL. Had the original conservativemoney-oriented than the traditional merchant bank- culture been instilled at BSL’s development, perhapsing culture that had existed at BB&Co for centuries. through the transfer of existing managers from BB&Co. instead of recruiting risk-takers, thereBB&Co collapsed in 1995 due to one individual’s probably would have been less rivalry and lesswrongdoing and many other individual’s security unwarranted risk-taking.negligence. Nicholas Leeson, the General Managerof Barings Futures Singapore Pte, Ltd. (BFS), a Problems could also have been controlled if it wassubsidiary of BB&Co. exploited substandard not for the matrix structure.The structure per se wasinformation security systems and caused the not wrong, but it was not implemented correctly,company to be placed under judicial management causing confusion and unclear reporting lines.and eventually to go bankrupt. Management’s lack of understanding of its own166
  • Computers & Security, Vol. 20, No. 2responsibilities allowed Leeson and others to go One of the first things accounting auditors learn inunsupervised locally, which could have prevented their studies is that examining the internal controlsthe unethical behaviour and its escalation. Adopting of an organization can tell a great deal about thea hierarchical control system that limits decision- company, how effectively it works, and how awaremaking could have prevented this. By standardizing management is of their business processes.jobs, implementing direct supervision, and making Management is responsible for maintaining the enti-sure that checks and balances were in place, no ty’s controls. Of course, the controls’ effectivenessemployee would have been able to take covert depends on the competency and dependability ofactions that would have jeopardized the entire orga- the people using it. Clearly, in this case the size,nization.The situation at Barings Group was a disas- structure, and personnel were available to have effec-ter waiting to happen. It defies probability that the tive controls, but Barings did not manage them,entire collapse did not happen earlier. There are prioritize them, or take responsibility for maintain-several factors that contribute to this assertion. ing them.The most problematic cause of disaster lies in the roots When management establishes its system of internalof BSL itself. BB&Co. began their subsidiary by hand- controls, there are several principals that are importanting over total control to Christopher Heath.The bank to their plan. One fundamental principal is segrega-even requested that the staff of the new subsidiary con- tion of duties. It is important to segregate the areas ofsist of employees of Heath’s current company, revenue generation, or custody of assets, and recordHenderson, Crosthwaite & Co., where he was a part- keeping. This principal is extremely importantner. It was from this moment that BB&Co. placed because it prevents a single individual from commit-complete trust of BSL in the hands of an entity unfa- ting misappropriation of company assets or revenuemiliar to Barings Group. BB&Co. had essentially relin- and then concealing the defalcation by altering thequished control. Even though Heath was a positive records. Some companies even separate controls eveninfluence in creating a company culture that fostered in further in such a way that it would require two orambition and individualism, he also created an envi- even three individuals to commit this crime andronment lacking in formal control mechanisms. conceal it on the books.Another factor that foreshadowed the demise ofBarings was the rivalry that developed between the two This internal control was not present at BFS. Leesonmain firms in Barings Group: BB&Co. and BSL. was responsible, as part of his position, for overseeing the trading and trade processing, settlement, andWhen Nicholas Leeson came to Barings Future administration. He had access to the authorizationSingapore (BFS), a subsidiary of BSL, as General and creation of trading accounts on the IT system;Manager, he would soon be credited with bringing responsibility for generating income by trading adown the entire banking organization. He effectively ‘book of business’, and also the ability to make jour-kept his gross misconduct from being openly discov- nal entries that were posted to the system, apparentlyered because of two main reasons: (1) the autonomy without review.of BFS from the central hierarchy and (2) the absurdlack of internal controls throughout the entire Another key problem was the lack of an effectiveBarings Group. internal auditing department. Problems or weakness- es with the design of the internal controls and dis- crepancies with the adherence to those internal con-Evaluation Of Organizational Controls trols are the primary responsibility of the internal auditing department. Internal auditing departmentsInternal Controls prioritize their activities based on a risk analysis.The implementation of internal controls for any Areas that are potentially more vulnerable to theorganization is key to running a ‘well-oiled’ business. company are their responsibility. Obviously this 167
  • Violation of Safeguards by Trusted Personnel and UnderstandingRelated Information Security Concerns/Gurpreet Dhillondepartment failed to do its job if the activities of a was discovered in later years that there was evidencesmall branch in Singapore were able to bring down of memoranda flying around about this blatant lack ofthe entire bank. separation of duties long before the collapse, yet noth- ing was done to change it. Fourth, information tech-The key risk items that should have been looked at nology is used to gather company transactions and towas, first of all, the lack of segregation of internal con- maintain accountability to clearly communicate whattrol at the branch level. Leeson was a General is happening in the organization. At Barings Bank theManager who was responsible for both making trades management, internal auditors, and external auditorsand recording them. Second, a small branch in were all staring at the ‘88888’ account problem, afterSingapore was showing abnormally large profits. all, it was a glaring piece of information, yet no-oneThird, account balances were not reconciled. Daily attempted to reconcile this piece of reported infor-reconciliation in the computer age is not unreason- mation. It is true that Leeson hid things, forged doc-able. Fourth, why were receivables in the Singapore uments, had information shredded by subordinates,Office so high? The internal audit department was restricted access to financial information, etc., but theeither incompetent or lacking in sufficient fraud could still have been uncovered. Leeson simplyorganizational support to be effective. had the confidence that even with all the controls in place and the inquiries into discrepancies that wereThere are five components of an ideal internal control found, he would still be able to beat the internal con-mechanism that management should use to design trol system and recover the severe losses he was accu-and implement controls to give reasonable assurance mulating because the system was weak, flaky, and,that the control objectives are being met.These com- therefore, easily circumvented. Fifth, monitoring theponents are the control environment, risk assessment, quality of controls periodically is essential to havecontrol activities, information and communication, effective controls. The internal audit department ofand monitoring. Barings can best be described as pathetic. Clearly it seems that people at all levels of Barings’ control func-First, the control environment consists of actions, tions used varying degrees of the ‘hands-off ’ approachpolicies, and procedures that reflect the overall atti- in performing their jobs.tudes of top management about control and itsimportance to the corporation. Clearly Barings Bank External Controlshad some internal controls in place, but they wereperformed more as a checklist than for true discovery The external auditors also failed in their professionalor prevention. Second, management should assess the responsibility to detect material fraud at the Singaporerisk in the design of its internal controls to minimize office. Deloitte & Touche were the auditors througherrors and fraud. Having the level of autonomy that 1993, the time during which account 88888 wasBFS did from the Bank, the risk was much greater and established. By then Leeson’s loss was £23 million;should have caused increased sensitivity for strict this clearly would have been material to BFS’ opera-adherence to a good internal control system. Third, tions. Essentially, on the financial statement, Leesoncontrol activities include other policies and proce- was booking an entry to record the loss as income anddures that help to ensure that necessary actions are as a receivable in order to conceal this loss. Deloitte &taken to address risks in the achievement of the com- Touche failed in their audit of both the revenue ofpany’s objectives. Such control activities, adequate BFS and the assets of BFS.The unprofessional mannerdocuments and records, physical control, and inde- that they used to satisfy themselves that the receivablependent checks on performance are important com- was correct was a major factor contributing to theirponents of internal control mechanisms. Barings’ demise.management knew Leeson had control of both thefront and back offices of a After 1993, Coopers & Lybrand were the auditorsdivision (BFS) they hardly knew anything about. It for BFS. Coopers also failed in their confirmation of168
  • Computers & Security, Vol. 20, No. 2the bogus Spear, Leeds & Kellogg (a New York trad- combination of personal factors, work situations ander) receivable. Leeson had earlier claimed it to be a available opportunities [2]. Hearnden [8] believes thatcomputer error. However, when the auditors pur- most of the perpetrators are motivated by greed,sued the point further, he claimed that it was a financial and other personnel problems. Forester andreceivable. Confirmations should be requested Morrison [7] suggest that sometimes even love anddirectly from the debtor by the creditor but returned sex could provide a powerful stimulus for carryingdirectly to the auditor. Since Leeson produced the out computer crimes. A survey conducted by the UKdocuments himself, it was not credible evidence for Audit Commission in 1994 found, in addition to per-auditing purposes. Second, if they were to be relied sonal factors, disregard for basic internal controlsupon, Coopers & Lybrand could have made a phone (password not changed, computer activities not trace-call to Leeson’s point of contact to confirm the doc- able etc.) and ineffective monitoring procedures con-uments. The biggest question was why no-one tributed significantly to incidents of computer crime.noticed that BSL’s Singapore branch had one indi- An earlier study by Parker [13] found that in mostvidual responsible for both the front and back organizations, sufficient methods of deterrence, detec-offices, and realized the possibility for fraud. tion, prevention and recovery did not exist. ClearlyEverybody involved with BSL knew the answer: the Barings Bank situation was a case in point.they were enjoying the benefits accrued from thestatus quo and did not see a need to scrutinize the In the previous section, a number of issues have beenBFS’ business processes. presented which could be considered as reasons why information system security breaches occur in the first place. However there is considerable debate asUnderstanding the Issue to the extent to which information system securityThe discussion on Barings Bank and the violation of problems exist in reality. Parker [12] found that theresafeguards by Leeson, a trusted employee, constitutes was a wide range of opinions regarding the extent ofa kind of an information system security breach that computer security breaches due to the subversion ofis intentional in nature. Generally, intentional acts controls by internal employees. There were reportscould result in frauds, virus infections, and invasion suggesting that only 374 cases were directly relatedof privacy and sabotage. Parker [11] uses the term to computer misuse, hence portraying computer‘computer abuse’ to describes such acts as vandalism crimes as being of minor significance. However dur-and malicious mischief and places them in the same ing the same period nearly 150 000 computers hadcategory as white-collar crime.White-collar crime is been installed within US organizations. Clearly thedefined by Parker as “any endeavour or practice reported computer crime cases were an underesti-involving the stifling of free enterprise or promoting mation and what we actually see is just the tip of theof unfair competition; a breach of trust against an iceberg.The UK Audit Commission’s study suggestsindividual or an institution; a violation of occupa- that many individuals and organizations fail to rec-tional conduct or jeopardizing of consumers and ognize computer crime as a problem. Its surveyclientele”. Information system security breaches found employees at the managerial and supervisoryresulting from the violation of safeguards by internal levels as falling short of understanding the risks thatemployees can therefore be defined as a deliberate computer misuse presents. In fact two-thirds of themisappropriation by which individuals intend to perpetrators were supervisors who had been in thegain dishonest advantages through the use of the organization for a minimum four years [1]. Anothercomputer systems. Misappropriation itself may be study based in the US found an astonishing 31% ofopportunist, pressured, or a single-minded calculated computer crimes were being carried out by low paidcontrivance. clerks, 25% by managers and 24% by computer per- sonnel [10]. Indeed Balsmeier and Kelly [3] suggestComputer crime committed by internal employees that most organizations had no method to minimizeis essentially a rational act and could result from a or deter computer crime and that the rewards for 169
  • Violation of Safeguards by Trusted Personnel and UnderstandingRelated Information Security Concerns/Gurpreet Dhillonunethical behaviour seem to outweigh the risks.This auditors from both firms made a serious mistake.clearly suggests that Barings Bank, with all the flaws They relied on the internal controls of BFS when thein its internal reporting and control structures, was a internal controls were defective in the first place.victim of an information system security breach that They did not perform any substantive procedures tohas been considered a significant threat for a while. ensure that this material weakness was not causingYet no learning was incorporated into Baring Bank’s materially incorrect balances to certain accounts.Thethinking process. auditors then reported to the board of directors that everything was fine when in reality that could notFrom an auditing perspective, consideration could have been further from the truth.have been given to at least two aspects. First, theinternal audit should have been reported to the auditcommittee, comprised of the board of directors of Discussionthe company. Additionally, these members of the Since most of the computer security breaches occuraudit committee should have been independent because internal employees have subverted the exist-board members, rather than board members who ing controls (see Dhillon [4]), it is important thatwork for the company in the capacity of manage- emphasis is placed on the more pragmatic aspects ofment or other professionals who provide service to an organization. Considering the particular case ofthe company. The independent, external auditors Leeson, an individual gets involved in particular acts asshould also have reported to the audit committee. a consequence of a combination of a person’sThis is necessary to ensure that the auditors are behavioural and normative beliefs. If a person’s atti-reporting to a level high enough to ensure that rec- tude to perform an illicit act needs to be influenced,ommendations and warnings do not fall on ‘deaf one has to focus of changing the primary belief sys-ears’. Internal and external audits are designed to tem. More than any specific communication instru-help assure the board of directors and stockholders ment, an organization-wide feeling of workingthat the financial statements of management are together to solve problems and not hide them is thematerially correct and that management is acting key.This ties together the cultural and reporting stan-responsibly to maximize shareholder value and safe- dards, so that Barings could have moved forward andguard their assets. If they were to report to anyone its subsidiaries would not have hidden losses. Ratherbut the audit committee, that responsibility could be they should have worked together to solve problems.jeopardized by internal politics. This, combined with proper auditing techniques, would have allowed Barings and its subsidiaries toSecond, an accountability and responsibility structure avoid collapse. The paragraphs below identify somefor internal auditors should have been created. specific guidelines that organizations should considerAlthough internal auditors report directly to a com- if violations of safeguards by trusted personnel are tomittee of the board of directors, the internal audit be avoided.department still needs to be accountable and respon-sible in order to use the resources that they are givenin the most effective manner. The fact that internal Formalized Rulesauditors let a serious problem with the segregation of It has been argued that if an organization has a highduties pass without ‘raising a major ruckus’ was neg- level of dependence on IT, there is a greater likelihoodligent. External auditors also needed to be held of it being vulnerable to computer related misuseaccountable. In public accounting, a partner with }(e.g. see Moor [9]). It is therefore important thatover 20 years of experience would normally sell the organizations implement effective and systematicengagements.The client then will not see the partner policies.The demand for establishing security policiesuntil the job is over. Unfortunately, most of the audit within organizations has long been made byis performed by staff members, who are usually just academics and practitioners alike, however such callsone to three years out of college. In this case, the have largely gone unheeded. Formalized rules in the170
  • Computers & Security, Vol. 20, No. 2form of security policies will help in facilitating prevalent work situation and the opportunity tobureaucratic functions such that ambiguities and mis- commit criminal acts affected the primary beliefunderstandings within organizations can be resolved. system of Leeson, thus creating an environment con-Lack of formal rules or an inability to enforce the ducive to a crime being committed.This suggests thatrules was very well evidenced in the case of Barings monitoring of employee behaviour is an essentialBank and Leeson’s activities. Most regulatory bodies step in maintaining the integrity of an organization.(e.g. the Securities and Exchange Commission in the Such monitoring does not necessarily have to beUS) demand that certain procedures should be fol- formal and rule based. In fact, informal monitoring,lowed. There are even explicit rules regarding super- such as interpreting behavioural changes and identi-vision. However because of an increased pressure to fying personal and group conflicts, can help inperform and be profitable, many of the formal rules establishing adequate checks and balances.were overlooked at Barings Bank.The case of BaringsBank suggests that although organizations cherish toinstill a culture of efficiency and good practice, poor Conclusioncommunication often has a negative impact.The case This paper has presented an analysis of violation ofalso suggests that formalized rules are essential for the safeguards by trusted personnel by considering thefunctioning of an organization and often something case of Barings Bank and the activities of Nicholasmore needs to be done. Perhaps there should be an Leeson. The analysis has suggested that organizationsadequate emphasis on informal or normative controls. need to focus on the underlying beliefs that lead indi- viduals to engage in intentional illicit acts resulting in computer security breaches. Clearly, behaviouralNormative Controls change is ultimately the result of changes in beliefs.Clearly, mere technical or formal control measures are Thus it is important that people within organizationsinadequate to prevent computer security breaches. In are exposed to information which will produceother related work Dhillon [4] cites cases where it was changes in their beliefs. In proactively managing therelatively easy for insiders to gain access to informa- occurrence of adverse events, it is essential that wetion systems and camouflage fictitious and fraudulent trace those changes in primary beliefs that result intransactions. In the US, one of the most publicized particular attitudes and subjective norms.examples of this kind of behaviour is evidenced bythe demise of the Kidder Peabody and the dealings of AcknowledgmentsJoseph Jett. Jett was able to exploit a loophole in theaccounting system to inflate the profits. It was possi- Acknowledgments are due to Dr. James Backhouse,ble to engage in criminal activities because the person director of Computer Security Research Center atinvolved was an insider. It therefore becomes obvious the London School of Economics, for extensive dis-that no matter what the extent of formal and techni- cussions, comments and feedback on various aspectscal controls, prevention of insider security breaches of information security management. The assistancedemands certain normative controls. Such controls and comments of number of graduate students at theessentially deal with the culture, value and belief sys- University of Nevada, Las Vegas and London Schooltem of the individuals concerned (for details see of Economics, including Russell Cook, Roy DajalosDhillon [4]). and Freddy Tan are also acknowledged.Employee Behaviour ReferencesPrevious research has shown that besides personal [1] Audit Commission, Opportunity makes a thief.circumstances, work situations and opportunities Analysis of computer abuse, The Audit Commissionavailable allow individuals to perform criminal for Local Authorities and the National Healthacts (e.g. see [2]). In the case of Barings Bank the Service in England and Wales, 1994. 171
  • Violation of Safeguards by Trusted Personnel and UnderstandingRelated Information Security Concerns/Gurpreet Dhillon[2] Backhouse, J. and Dhillon, G., Managing comput- [8] Hearnden, K., “Computer crime and people,” in er crime: a research outlook, Computers & Security, Hearnden, K., ed., A handbook of computer crime, 14, 7, (1995), 645-651. London: Kogan Page, 1990.[3] Balsmeier, P. and Kelly, J.,The ethics of sentencing [9] Moor, J.H., What is computer ethics, white-collar criminals, Journal of Business Ethics, 15, Metaphilosophy, 16, 4, (1985), 266-275. 2, (1996), 143-152. [10]Oz, E., Ethics for the information age, Business[4] Dhillon, G., Managing information system security, and Educational Technologies, 1994. Macmillan, London, 1997. [11]Parker, D.B., Crime by computer, Charles[5] Dhillon, G.,“Challenges in managing information Scribner’s Sons, New York, 1976. security in the new millennium,” in Dhillon, G., ed., Information security management: global challenges [12]Parker, D.B.,“Ethical dilemmas in computer tech- in the new millennium, Hershey: Idea Group, 2001. nology,” in Hoffman, W.M. and Moore, J.M., ed., Ethics and the management of computer technology,[6] Dhillon, G. and Backhouse, J., Information system Cambridge, MA: Oelgeschlager, Gunn, and Hain, security management in the new millennium, 1982. Communications of the ACM, 43, 7, (2000), 125-128. [13]Parker, D.B. and Nycum, S.H., Computer Crime,[7] Forester, T. and Morrison, P., Computer ethics: cau- Communication of the ACM, 27, 4, (1984), tionary tales and ethical dilemmas in computing, The MIT Press, Cambridge, 1994.172