Wednesday, 5 December 2018

Managing and Controlling Computer Misuse

1. Understanding the phenomena of “insecurity”
The UK Audit Commission has defined computer fraud as any fraudulent behaviour connected with computerisation by which someone intends to gain dishonest advantage.
Computer fraud falls into three broad categories: input, throughput and output fraud.

Input frauds are the easiest to commit: false or manipulated information is entered into the computer system. In most cases they are carried out by insiders who have access to the system and who, in all likelihood, are responsible for entering that kind of data as part of their job.

Throughput frauds manipulate the processing itself rather than the data fed in, and are the most lethal of the computer-related crimes. Throughput frauds have resulted in heavy losses for companies and have even led to the demise of major institutions.

Output frauds are relatively unsophisticated compared with the other two kinds. They usually occur in conjunction with input frauds, when the output is altered to conceal bogus input; in other cases the output of the computer system is simply misused. As with input frauds, the majority of output frauds are carried out by a firm's own employees.

2. Managing and controlling computer misuse
Managing computer misuse requires implementing a broad range of interventions. These can be classified into three categories: technical, formal and informal. Typically an organization implements controls to limit access to buildings, rooms or computer systems (technical interventions); alongside these, the organizational hierarchy may be expanded or shortened (formal interventions) and an education, training and awareness program put in place (informal interventions).

  • Technical interventions
In practice the implementation of technical controls is conceptualized in a narrow and mechanistic manner. Although notable advances have been made in identifying risks and establishing relevant countermeasures, implementation has typically taken the form of simple access control mechanisms.

  • Formal interventions
Formal interventions pertain to reorienting information security practices around a reorganized structure. If an organization has created new processes for conducting its business, adequate emphasis needs to be placed on developing controls and rules that reflect the emergent structure.

  • Informal interventions
Informal interventions aim at increasing awareness of security issues. Increased awareness should be supplemented with an ongoing education and training program.
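As an added example (not from the paper or from this post), the following Python sketch models the input fraud concealed by an output fraud described in section 1, and contrasts the simple access control that section 2 says technical interventions are usually reduced to with two stronger controls: segregation of duties between entering and approving a payment, and reconciliation of the system's own report against an independent bank statement. All names, roles, amounts and the simulated bank feed are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Payment:
    pid: str
    payee: str
    amount: int                      # in pence, so totals stay exact
    entered_by: str
    approved_by: Optional[str] = None
    hidden: bool = False             # set by an output fraud: dropped from the report


class Ledger:
    """Hypothetical payments ledger; roles map user -> set of permissions."""

    def __init__(self, roles: Dict[str, Set[str]], segregate_duties: bool) -> None:
        self.roles = roles
        self.segregate_duties = segregate_duties
        self.payments: List[Payment] = []

    def _require(self, user: str, perm: str) -> None:
        # Plain access control: does the user hold the permission at all?
        if perm not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks '{perm}'")

    def _find(self, pid: str) -> Payment:
        return next(p for p in self.payments if p.pid == pid)

    def enter(self, user: str, pid: str, payee: str, amount: int) -> None:
        self._require(user, "enter")
        self.payments.append(Payment(pid, payee, amount, entered_by=user))

    def approve(self, user: str, pid: str) -> None:
        self._require(user, "approve")
        payment = self._find(pid)
        # Segregation of duties: the clerk who keyed a payment may not approve it.
        if self.segregate_duties and payment.entered_by == user:
            raise PermissionError(f"{user} entered {pid} and may not approve it")
        payment.approved_by = user

    def suppress_from_report(self, user: str, pid: str) -> None:
        # Output fraud: a user with report access hides a line from what management sees.
        self._require(user, "report")
        self._find(pid).hidden = True

    def report_total(self) -> int:
        """What management sees: approved payments that were not suppressed."""
        return sum(p.amount for p in self.payments if p.approved_by and not p.hidden)

    def reconcile(self, statement: Dict[str, int]) -> List[str]:
        """Ids on the independent statement that the internal report does not account for."""
        visible = {p.pid: p.amount for p in self.payments if p.approved_by and not p.hidden}
        return sorted(pid for pid, amt in statement.items() if visible.get(pid) != amt)


def bank_statement(ledger: Ledger) -> Dict[str, int]:
    """Simulated bank feed: the bank pays every approved payment, whatever the report shows."""
    return {p.pid: p.amount for p in ledger.payments if p.approved_by}


def run_scenario(segregate_duties: bool) -> dict:
    # Constructed roles: under plain access control "alice" may enter, approve and edit reports.
    roles = {"alice": {"enter", "approve", "report"}, "bob": {"approve"}}
    ledger = Ledger(roles, segregate_duties)

    ledger.enter("alice", "P1", "Acme Ltd", 120_000)   # legitimate payment
    ledger.approve("bob", "P1")
    ledger.enter("alice", "P2", "A. Clerk", 50_000)    # input fraud: bogus payee
    try:
        ledger.approve("alice", "P2")                   # insider self-approves...
        ledger.suppress_from_report("alice", "P2")      # ...then hides it (output fraud)
        fraud_completed = True
    except PermissionError:
        fraud_completed = False                         # blocked by segregation of duties

    statement = bank_statement(ledger)
    return {
        "fraud_completed": fraud_completed,
        "report_total": ledger.report_total(),
        "bank_total": sum(statement.values()),
        "unexplained": ledger.reconcile(statement),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("segregation of duties:", flag, run_scenario(flag))
```

With segregation of duties switched off, alice holds every permission the plain access check asks for, so the bogus payment is entered, approved and hidden, and the internal report balances: only reconciliation against the bank's record exposes P2. With segregation switched on, the self-approval is refused, so the bogus entry is never paid and there is nothing to conceal. The point for the "technical interventions" passage is that the second control is a rule about how roles combine (a formal intervention expressed in code), not a bigger access list.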


Reference:
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7(4), 171–175. https://doi.org/10.1108/09685229910292664


