Carter's taxonomy provides a four-part system for classifying computer crimes: target crimes target systems or data, instrumentality crimes use computers to further criminal ends, incidental crimes are not computer-dependent but related to computers, and associated crimes are new versions of traditional crimes. The chapter discusses risks and threats to information systems like fraud, interruptions, and information disclosure, and controls to prevent computer crimes through physical, technical, and administrative measures. It also explains that COBIT provides a framework for IT governance and management through principles and enablers that match IT capabilities to user needs.

1. Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Chapter 11
Computer Crime and Information
Technology Security

2. 11-2
Outline
• Learning objectives
• Carter’s taxonomy
• Risks and threats
• IT controls
• COBIT

3. 11-3
Learning objectives
1. Explain Carter’s taxonomy of computer
crime.
2. Identify and describe business risks and
threats to information systems.
3. Discuss ways to prevent and detect
computer crime.
4. Explain the main components of the CoBIT
framework and their implications for IT
security.

4. 11-4
Carter’s
taxonomy
• Target
– Targets system or its data
– Example: DOS attack
• Instrumentality
– Uses computer to further
criminal end
– Example: Phishing
• Four-part system for
classifying computer
crime
• A specific crime may fit
more than one
classification
• The taxonomy provides
a useful framework for
discussing computer
crime in all types of
organizations.

5. 11-5
Carter’s
taxonomy
• Incidental
– Computer not required,
but related to crime
– Example: Extortion
• Associated
– New versions of old
crimes
– Example: Cash larceny
• Four-part system for
classifying computer
crime
• A specific crime may fit
more than one
classification
• The taxonomy provides
a useful framework for
discussing computer
crime in all types of
organizations.

6. 11-6
Risks and threats
• Fraud
• Service interruption and delays
• Disclosure of confidential information
• Intrusions
• Malicious software
• Denial-of-service attacks
Please consult the
chapter for the full
list.

7. 11-7
IT controls
Confidentiality
Data integrity Availability
C-I-A triad

8. 11-8
IT controls
• Physical controls
Guards, locks, fire
suppression systems
• Technical controls
Biometric access
controls, malware
protection
• Administrative
controls
Password rotation policy,
password rules, overall
IT security strategy

9. 11-9
COBIT
• Two main parts
– Principles
Five ideas that form the
foundation of strong IT
governance and
management
– Enablers
Seven tools that match the
capabilities of IT tools with
users’ needs
• Control Objectives for
Information and
Related Technology
• Information Systems
Audit and Control
Association (ISACA)
• Framework for IT
governance and
management

10. 11-10
COBIT

11. 11-11
COBIT

12. 11-12