The psychology of computer crime — Part 2



Computer Audit Update, October 1992

Appendix 3: Password Procedures

Security responsibility

Passwords are established to effect security. It is the responsibility of each employee or other person (e.g. an outside consultant) authorized to use a password to maintain strict confidentiality. It is a management responsibility to ensure that these security guidelines are followed.

General procedures

Requesting password assignment

The request to assign a password to an individual shall be made in writing by the person's immediate supervisor. Passwords are not to be shared. The individual requiring a password shall present the supervisor-approved request in person to the person controlling the assignment (where feasible).

Assignment of passwords

For a given system, the responsibility for assigning passwords and maintaining the related controls shall rest with one individual and a backup person. These people will be in the (user) department and are considered the 'owner' of the system or its data. A master list of passwords shall be maintained and regularly accessed only by the control person. A record will be maintained by the control person of each access to the master list, whether by the control person (desirable) or by the backup person (mandatory). Except for the master list, individual passwords are not to be recorded on paper or elsewhere; they are only to be memorized. When a password is assigned, the control person will remind the recipient of his/her security responsibilities as outlined in this standard. For the more critical security areas, the recipient should sign some kind of 'password security pledge'.

Changing passwords

Passwords should be changed every 3-12 months on an irregular and unannounced basis. The password user is to be notified after the change is made. A password is to be changed as soon as a decision is made that a person will be leaving the company/department, or is no longer in need of a password to perform specific responsibilities.

Password control

A password should contain a minimum of six characters, preferably more. Passwords should not comprise a code that could be readily deduced by another person: avoid common names, your own name, initials, phone extension number, system names, etc. Previously used passwords should not be reused for at least three years.
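The three rules in the paragraph above (minimum length, nothing readily deducible from the user, no reuse within three years) as an added, runnable check. This is example code written for this edition, not part of the original standard; the user record, the system name and the candidate passwords are constructed for the demonstration. The six-character minimum is the standard's 1992 figure and is kept only as a parameter. Reuse is detected from salted hashes and assignment dates rather than from a plaintext list, so the history needed for the three-year rule is not itself a written record of the passwords.

```python
"""Checker for the Appendix 3 password rules (added example, not from the standard).

Rules implemented:
  - minimum length (six characters in the 1992 text; MIN_LENGTH is a parameter)
  - not readily deducible: reject passwords containing the user's name parts,
    initials, phone extension or a system name (case-insensitive, punctuation ignored)
  - no reuse of any password assigned within the last three years; the history
    holds salted hashes and the date of assignment, never plaintext
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 6                          # Appendix 3 minimum; raise this in practice
REUSE_WINDOW = timedelta(days=3 * 365)  # "not reused for at least three years"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes
    assigned: date


@dataclass
class User:
    name: str          # e.g. "Jane Smith"
    extension: str     # phone extension, e.g. "4412"
    history: list = field(default_factory=list)

    def initials(self) -> str:
        return "".join(part[0] for part in self.name.split())


def _normalise(s: str) -> str:
    # lower-case and drop everything except letters and digits, so that
    # "J.Smith_4412" still reveals the surname and the extension
    return re.sub(r"[^a-z0-9]", "", s.lower())


def deducible_tokens(user: User, system_names) -> list:
    """Strings a colleague could guess: name parts, initials, extension, system names."""
    tokens = [_normalise(p) for p in user.name.split()]
    tokens += [_normalise(user.initials()), _normalise(user.extension)]
    tokens += [_normalise(s) for s in system_names]
    return [t for t in tokens if len(t) >= 2]   # drop empty/one-character tokens


def previously_used(user: User, candidate: str, today: date) -> bool:
    """True if candidate matches any password assigned within REUSE_WINDOW."""
    for entry in user.history:
        if today - entry.assigned > REUSE_WINDOW:
            continue                        # older than three years: may be reused
        if hmac.compare_digest(_pbkdf2(candidate, entry.salt), entry.digest):
            return True
    return False


def check_password(user: User, candidate: str, system_names=(), today=None) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    today = today or date.today()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = _normalise(candidate)
    for tok in deducible_tokens(user, system_names):
        if tok in norm:
            problems.append(f"contains deducible token '{tok}'")
    if previously_used(user, candidate, today):
        problems.append("reused within three years")
    return problems


def record_assignment(user: User, password: str, assigned: date) -> None:
    """Store a salted hash of an assigned password so later reuse can be detected."""
    salt = os.urandom(16)
    user.history.append(HistoryEntry(salt, _pbkdf2(password, salt), assigned))


def demo() -> dict:
    """Constructed sample (not from the page): one user, one system, a few candidates."""
    today = date(1992, 10, 1)
    user = User("Jane Smith", "4412")
    results = {
        "too short": check_password(user, "abc", today=today),
        "surname": check_password(user, "smith92", today=today),
        "extension": check_password(user, "x4412y", today=today),
        "system name": check_password(user, "payroll!1", ("PAYROLL",), today=today),
        "acceptable": check_password(user, "Tq9#wLz", today=today),
    }
    record_assignment(user, "Tq9#wLz", today - timedelta(days=400))
    results["reused"] = check_password(user, "Tq9#wLz", today=today)
    record_assignment(user, "Old!pass1", today - timedelta(days=4 * 365))
    results["expired history"] = check_password(user, "Old!pass1", today=today)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:16} -> {problems or 'OK'}")
```

The token check deliberately normalises both sides, since the standard's intent is that the password not be deducible by a colleague, and "J-Smith!" is no less deducible than "jsmith". The reuse check hashes the candidate against every history entry still inside the window and uses a constant-time comparison, so the history never has to store the password itself.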

THE PSYCHOLOGY OF COMPUTER CRIME - PART 2

Kathy Buckner and Guy Fielding

The Computer Criminal

The term 'computer crime' suggests that the essential component or problem is the computer, whereas there is little doubt that the real focus of the problem is the criminal. In dealing with computer crime there is a danger that the computer will absorb all our attention, with very little emphasis being put on the perpetrator of the crime. How often do we hear the computer blamed for errors in billing? This blame is attached not only by customers but also by representatives of the initiating organizations. 'Sorry for the mistake, it was a computer error' is often the response to a customer query! The computer itself is often seen either as the victim or as the perpetrator of (or at least the accomplice to) the crime. The apparent converse of the proposition that the computer is the problem is that the real problem must be people. This is not the case, however. Whilst the problem of the abuse of computer systems is not primarily a technical, computer-oriented problem, it is equally not simply a 'people problem'. Rather, it is a problem located in, and arising out of, the interaction of complex social, psychological and technical systems.

Turning to what might be considered the major focus of computer crime, that is, the criminal, how can we identify the 'typical' computer criminal? In general, there is no clear distinction between the criminal and the non-criminal. How many of us have never exceeded the speed limit, never borrowed office pens and paper and used them for domestic purposes, or never used an office phone for personal calls? The obvious but non-trivial difference between the criminal and the non-criminal is that the criminal has been caught, whereas the non-criminal has not.

©1992 Elsevier Science Publishers Ltd


Personality vs situation

We may ask, 'Does the criminal personality exist?'. When applied to the area of deviant behaviour, common-sense thinking suggests that the 'criminal personality' will be central to an understanding of that behaviour. The number of people who have criminal personalities is assumed to be relatively small. Therefore the amount of crime must be relatively small, and the distinction between the criminal and the non-criminal is clear-cut. The problem is that this common-sense analysis is not supportable. The problem with the common-sense concept of personality is that, in fact, the consistency of a person's behaviour across time and across situations is rather low. People do not seem to have 'personalities' in the clear-cut fashion which common sense suggests. A series of experiments has shown that it is surprisingly easy to set up situations in which perfectly normal people agree to act immorally or abnormally. They are, for instance, prepared to administer electric shocks to innocent strangers, or to take part in an armed robbery or fraudulent activities. A glance at our daily newspapers tells us that real life is constantly running experiments of this kind, which we call Watergate, Irangate, the Maxwell scandal, the Guinness scandal and so on.

The alternative to the proposition that the controlling factor in criminal activity is the criminal personality is that behaviour is controlled by the kind of situation a person is in. This is equally untenable: the behaviour of different people in the same situation is not the same. For example, some people who find a lost wallet will keep the contents and discard the wallet in the nearest bin; others will hand the wallet and contents in to the nearest police station. The situation is the same but the action is different. People do not necessarily behave identically in similar situations. In fact, the key to predicting a person's behaviour lies in understanding the interaction between the characteristics of the person (that is, their personality) and the specific characteristics of the situation.

The implications of this 'interactionist' way of thinking for increasing computer security are that:

- There are many more threats to security than is generally assumed; the threats will be diverse and will continue to evolve. We are not considering a static situation.
- The threats come from people who might not be assumed to be 'the type'. There is no easily identifiable criminal type.
- Because increased security measures create new situations, they may have unexpected consequences (we will return to this later).

Criminal behaviour

According to common sense, criminal behaviour constitutes some kind of character defect. It is assumed to be somehow abnormal, an aberration of the normal ways of thinking, a failure of socialization. This is a very comforting way of thinking, for it suggests that the average person (amongst whom we of course number ourselves and our friends) cannot possibly be a criminal. It also suggests that those criminals who do exist are going to be few and far between, and easily detectable. Unfortunately, this reassuring view does not accord with the evidence. The evidence suggests that, like other aspects of behaviour, criminal behaviour is in general the result of rational choice processes. People choose particular courses of action, including criminal courses of action, because they anticipate that such a choice of action has a high 'expected utility'. The expected utility of a criminal activity can be said to be the value of the outcome of such an activity weighted by its probability of occurrence. That is, when faced with a very attractive but highly risky outcome, we may opt for a less attractive outcome which is nonetheless more likely to come about, because its expected utility is in fact greater. It should also be noted that many of the costs and benefits that we take into account will be subjective (psychological and social), and not merely objective (for example, financial and material). People are in general trying to maximize the 'net profit' resulting from their behaviours (they are carrying out a cost/benefit analysis), and such calculations can lead to the choice of a criminal course of action in exactly the same way that they can lead to the choice of one (non-criminal) behaviour rather than another (non-criminal) behaviour. Some of the expected benefits, direct costs and indirect costs of behaviour are shown in Figure 1.

Figure 1. Identification of costs and benefits. Benefits: money, personal gratification, social esteem. Costs: direct (effort, stress, time, loss of esteem) and indirect (risk). Net profit = benefits - costs.

The expected net profit associated with a


behaviour is calculated by subtracting the perceived costs from the expected benefits. The criminal act may be chosen when the pay-off from acting in this way is more positive than that presented by other, alternative, available courses of action. It is not chosen simply because it is a positive outcome, but because it is the most positive outcome. Two implications for systems security of accepting this view of why people engage in criminal behaviour are that:

- Criminal threats to security cannot be combated by assuming that they are 'irrational', and thereby random, unpredictable, etc. They are not, for the most part; the outcome of criminal activity is evaluated carefully and rationally.
- If the rationale underlying the decision to act in a criminal manner is examined, ways of intervening so as to change the expected utility of the outcome can be identified.

People base the calculation of the expected utility of their actions on two things: motivation and ability (see Figure 2).

Figure 2. Basis for deciding on expected utility of actions. Motivation: need for monetary gain, frustration, revenge, greed, believed minimal detection rate, no perceived significant deterrent. Ability: necessary computer skills, time, access to computers, opportunity/privacy.

Two security implications arise from considering the above. The first is that the most likely source of threats to security is from inside the organization, as this is where skills, opportunities for access and time are all maximized, that is, where the ability factors are met. Ability is relative, and can be countered by increasing task difficulty. However, actual ability is not the most direct predictor of behaviour. Rather, it is perceived ability and the associated self-perceived efficacy (confidence) that affect the decision to act. The second is that the decision as to whether or not to commit computer crime can be influenced by altering the visibility or perceived effectiveness of the controls, not simply by altering the controls themselves. Hence, effective security controls must be visible, and must be believed to be effective.

The insider threat

As indicated above, and confirmed by many studies of computer crime, the most likely source of threat to computer security comes from within the organization itself. A 1985 study by ICL indicated that 75% of the primary threats to computer security came from 'insiders'. Given the prevalence of the insider problem, it is important to identify which insiders represent the greatest threat. A 1987 report by the UK's Institute of Chartered Accountants noted that such threats were equally likely to come from supervisory as from clerical staff, and that there was a tendency for the losses due to supervisory staff to be larger (and hence more significant) than those due to clerical staff. It is at this point that thinking about the problem of the insider becomes most confused.


Reports of insider computer crime commonly distinguish between insiders using categories such as 'staff' and 'managers'. Whilst useful in some ways, there is a danger in such conventional and taken-for-granted categorizations. The danger is that other characterizations which may not have been thought through in a rational manner may be attached to these categories, for instance that 'managers', as people like us, as senior people with responsibilities, are more trustworthy than 'staff'. Such arbitrary classifications will not only obscure the real problem but, because of the underlying attitudes that they betray, will also tend to engender the very problem they are trying to prevent. It is important that people concerned with computer security recognize and accept that insiders are people just like themselves. Indeed, it is the people who are most like them who are, because they have the necessary expertise and opportunity, in fact the people most likely to be computer criminals, and the people who are likely to be the most damaging and the most successful computer criminals. The practical implication is clear: when security policies and systems are developed they have to apply to all insiders, not just to particular sub-groups. A rise in the percentage of computer fraud crimes committed by directors, managers and supervisors from 29% in 1987 to 35% in 1990 [1] adds weight to this argument.


Social and cultural pressures

A common characteristic of criminals is that of different patterns of social association and affiliation, and the consequent differences in their definition of what constitutes acceptable behaviour. This is because one of the factors influencing behaviour is the subjective norm. The subjective norm can be thought of as an internalized social conscience. It consists of beliefs about the reactions of other people who are liked and respected towards specific behaviours, and it acts as a counterpart to the person's own feelings about whether they would or would not like to do some specific action. Clearly, if an individual associates with, likes and respects people who do not share the values and norms of the organization, then the potential for behaviour which the organization will find unacceptable is increased. On the other hand, if those who are liked and respected within the organization share the values of the organization, then the subjective norm will act as a powerful guardian of organizationally acceptable behaviour. In this type of organization it will be much more difficult for an individual to act on their own against the perceived norms. An additional aspect of acceptable or unacceptable behaviour is computer crime which develops into a group activity. Here a relatively harmless activity initially undertaken by one individual may be reinforced and strengthened by a group of colleagues who all have a grievance against the company. The group sees the opportunity to undertake criminal activity which one person alone would not consider, nor be able to undertake on their own.

Identifying a typical computer criminal profile

As previously discussed, computer crime is difficult to define precisely, ranging in type from hacking to fraud to theft of hardware and software. Similarly, the computer criminal type will be extremely varied depending on the particular type of computer crime under consideration. Thus, each type of computer crime will have its own type and population of criminals.

Some research suggests that the typical computer criminal is a man of 55 who feels that his skills and efforts have not been, and are not going to be, appropriately recognized by the company. He no longer feels loyalty to the organization, and no longer shares the ambitions of that organization. On the other hand, because of his long experience, he is trusted, is often unnoticed (which is part of his grievance), and is highly competent. He is classically an example of someone with both motivation and ability. The other typical computer criminal is a woman of 25-45, often motivated by some external cause rather than by wanting to use the money for her own needs. Other studies (cited by Sacco and Zureik [2], and Roufaiel [3]) describe the typical offender as male, young, educated, possessing technical skills, in a position of trust and of middle or upper socioeconomic status: someone who sees computer crime as a challenge. This may be a person who considers that his skills are undervalued, or it may be someone who has insufficient work to occupy his mental capacity and so embarks on computer crime to fulfil his intellectual need. The typical computer criminal is not, then, very easy to identify. It could in fact be anyone within the organization who can gain access to the necessary equipment and has time to undertake the work required to perpetrate the crime. The computer criminal will almost certainly be an 'insider', but may be an input clerk, a computer programmer, a consultant or a manager. Each will undertake their own cost/benefit analysis to determine the likely outcome of undertaking any criminal activity.

References

1. Audit Commission, Survey of Computer Fraud and Abuse, 1991, pp. 20-21.
2. Sacco, V.F. and Zureik, E., 'Correlates of computer misuse: data from a self-reporting sample', Behaviour and Information Technology, 1990, Vol. 9, No. 5, pp. 353-369.
