«Item type text; Dissertation-Reproduction (electronic) Authors DUNN, THURMAN STANLEY. Publisher The University of Arizona. Rights Copyright © is ...»
METHODOLOGY FOR THE OPTIMIZATION OF
RESOURCES IN THE DETECTION OF COMPUTER
Item type text; Dissertation-Reproduction (electronic)
Authors DUNN, THURMAN STANLEY.
Publisher The University of Arizona.
Rights Copyright © is held by the author. Digital access to this
material is made possible by the University Libraries,
University of Arizona. Further transmission, reproduction or presentation (such as public display or performance) of protected items is prohibited except with permission of the author.
Downloaded 21-Oct-2016 15:14:06 Link to item http://hdl.handle.net/10150/143042
INFORMATION TO USERSThis reproduction was made from a copy of a document sent to us for.microfilming.
While the most advanced technology has been used to photograph and reproduce this document, the quality of the reproduction is heavily dependent upon the quality of the material submitted.
The following explanation of techniques is provided to help clarify markings or notations which may appear on this reproduction.
I. The sign or "target" for pages apparently lacking from the document photographed is "Missing Page(s)". If it was possible to obtain the missing page(s) or section, they are spliced into the film along with adjacent pages. This may have necessitated cutting through an image and duplicating adjacent pages to assure complete continuity.
2. When an image on the film is obliterated with a round black mark, it is an indication of either blurred copy because' of movement during exposure, duplicate copy, or copyrighted materials that should not have been filmed. For blurred pages, a good image of the page can be found in the adjacent frame. If copyrighted materials were deleted, a target note will appear listing the pages in the adjacent frame.
3. When a map, drawing or chart, etc., is part of the material being photographed, a definite method of "sectioning" the material has been followed. It is customary to begin filming at the upper left hand comer of a large sheet and to continue from left to right in equal sections with small overlaps. If necessary, sectioning is continued again-beginning below the first row and continuing on until complete.
4. For illustrations that cannot be satisfactorily reproduced by xerographic means, photographic prints can be purchased at additional cost and inserted into your xerographic copy. These prints are available upon request from the Dissertations Customer Services Department.
'5. Some page.) in any document may have indistinct print. In all cases the best available copy has been filmed.
Final approval and acceptance of this dissertation is contingent upon the candidate's submission of the final copy of the dissertation to the Graduate College.
This dissertation has been submitted in partial fulfillment of requirements for an advanced degree at the University of Arizona and is deposited in the University Library to be made available to borrowers under rules of the library.
Brief quotations from this dissertation are allowed without special permission, provided that accurate acknowledgement of source is made. This manuscript in whole or in part may be granted by the copyright holder.
PREFACE This dissertation deals with computer fraud detection as a resource allocation problem. Based on the premise of limited resources, the methodologies presented do not allocate any resources to detection if other computer fraud abatement techniques are adequate.
Thus, if it can be shown that deterrents such as high morals or fear of imprisonment are adequate to eliminate the possibility of fraud, zero resources would be allocated to the detection of fraud. Likewise, if deterrents are not adequate but prevention controls are adequate to thwart all would be perpetrators, zero resources would be spent in computer fraud detection.
For those situations where deterrents and prevention techniques are not adequate to preclude computer fraud, a methodology is presented for allocating resources to the detection of fraud in a near optimum fashion. Embedded in this methodology is the realization that organizations exist to do much more than' protect themselves from possible computer rip-offs. It is assumed that a very small percentage of organizational resources will be available for the detection of computer fraud. Further, the avail ab le resources wi 11 probably be a very small percentage of those required to track every activity and transaction through computer systems.
The research for this dissertation included several objectives.
The first objective was to assess the magnitude of the computer fraud
contributions of the dissertation are further highlighted in Chapter One.
The last two chapters included as Appendices A and B, deal with Investigative and Automated techniques and tools associated with the general area of audit and evaluation of propriety in computer systems.
Although the dissertation assumes a capability within organizations to examine the various components of computer systems for fraud once specific threats havE! been identified and resources made available, some background in the associated techniques and tools which are available was considered essential. In addition, the concept of "Live Monitoring" is introduced in Appendix A for those situations in today's computer environment where audit trails are not adequate or can be altered.
The most significant limitation confronting the researcher in computer fraud is the limitation on information available in the area of computer fraud occurrences. As shown in Chapter One, it has been estimated that only one percent of all computer crime is detected and only about seven percent of those that are detected are reported.
Thus, existing data on specific computer fraud cases probably represents a very small percentage of actual cases. An associated limitation is that threat assessment techniques, lacking a compreh.ensive historical data base of actual cases from which vi probabilities of various types of computer fraud may be drawn, must be subjective. The Threat Assessment technique presented in Chapter Five attempts to overcome this limitation by combining the features of the Delphi approach and the Churchman - Ackoff technique with a Matrix approach developed for this dissertation.
Several areas addressed in this dissertation would lendthemselves to additional research. The most obvious is expansion of case data. This is probably the most difficult because of the deficiencies in reporting and the hesitance of many organizations to share this information for fear of being considered vulnerable to computer fraud, therefore ineffective. It should be noted that attempts have been made without much success to expand research in this area. An example of such an attempt is provided in Chapter One.
Another candidate for research is the deterring effects of computer fraud detection capabilities, or perhaps more appropriately, the perception of these capabilities in the minds of would be perpetrators. It would be highly beneficial to know whether a small perceived detection capability would discourage only a small percentage of would be perpetrators or whether a much larger percentage would be This topic is introduced in Appendix A, where it is discouraged.
suggested, on an intuitive basis, that the latter is probably a more accurate assessment. Quantification of this relationship would greatly expand the usefulness of the Computer Fraud Detection Model presented in Figure 8 of this dissertation.
vii A final area which should provide a good research potential is expansion of the concept of "Live Monitoring" introduced in Appendix A.
In today's rapidly expanding use of distributed systems, mini and micro computers, communications networks and real-time processing, the concept of "Live Monitoring" presents challenges, both manual and automated, well beyond the cursory treatment in Appendix A.
A methodology is proposed for optimizing the allocation of resources in the detection of computer fraud. The methodology consists of four major segments. First, a threat assessment is performed. A general threat assessment is provided which relies upon reported incidents of computer fraud. Then, recognizing the limitations of computer fraud reporting, a specific threat assessment technique is provided which is based entirely on the characteristics of a given computer system. Both the general and specific threat assessment techniques use a matrix approach which evaluates and assigns threat values by type of computer fraud and perpetrator.
Second, a Detection Quotient is established which measures the effectiveness of computer fraud detection resource allocation for all of the possible combinations of computer fraud types and perpetrators.
However, for many computer systems, the large number of possible resource allocation alternatives results in a Combinatorial Dilemma whereby the phenomenally large number of alternatives precludes comprehensive analysis.
This leads to the third major segment of the dissertation, a General Solution to the Combinatorial Dilemma which ensures an alternative very near the optimum while evaluating only an extremely small percentage of possible alternatives.
This dissertation proposes a methodology for optimizingresources in detecting computer fraud in vulnerable computer systems.
Vulnerabil ity is measured in terms of the frequency of reported cases and their significance, as measured in monetary losses.
Among the objectives of the research for this dissertation is the desire to achieve a proper perspective of the elements or parameters involved in computer fraud. The need to develop this perspective was emphasized early in the research when a computerized legal data base was searched for computer fraud cases. The search included all cases with the words "fraud" and "computer" found in the narrative description of the cases contained in the data base. The resulting extract provided numerous cases meeting these criteria.
However, the terms :'fraud" and "computer" were found to have widely varying meanings with little consistency of use from one case to another.
For example, in one case the defendant was accused of fraudulently obtaining money from persons looking for dates or marriages by inducing them to use the facilities of a "computer matching institute" without having the intent or capability of performance. In another, a computer manufacturer was charged with breach of computer warranty.
Clearly, the term "computer fraud may cause a problem in II communicating, given such diverse usage.
The word "fraud" is often used in conjunction with another word or descriptive term which attempts to define the fraud by its most readily identifiable and distinguishable characteristic. The following examples are typical: art fraud, bank loan fraud, bankruptcy fraud, check fraud, commodity fraud, consumer fraud, contract fraud, creditcard fraud, disbursement fraud, employee fraud, insurance fraud, inventory fraud, mail fraud, payroll fraud, pens.ion fraud, securities fraud, tax fraud and wire fraud.
When used with one of the above, "fraud" takes on a fairly specific meaning. Unfortunately, this is not the case when "fraud" is used with the word "computer". For instance, "computer fraud II might indicate any of the above types of fraud with computer involvement.
Further, the computer may be primarily involved in the perpetration of the fraud or may be only incidentally involved.
Generally, "fraud" refers to a deception or form of trickery perpetrated in order to secure unlawful gain where the perpetrator's gain is the victim's loss. For purposes of this dissertation, "computer fraud" wi 11 refer to any perpetration of fraud wherein the computer is actively and significantly involved. The computer will be considered actively and significantly involved when input data or data files are tampered with or when computer operations, programs or equipment are manipulated in order to perpetrate the fraud. The is not actively and significantly involved simply because compute~ fraudulent data are processed through the computer. Following these guidelines, if a person fraudulently obtains a bank loan by overstating his or her income on a loan application, the fact that the computer is used in processing the loan is only incidental and the perpetration is not considered computer fraud. On the other hand, if the same person modified the bank's personal data files or manipulated input data in order to overstate his (her) net wealth and obtain the loan, it would be considered computer fraud.
The following are several cases fitting the above guidelines which have been reported in the literature (Parker 1976, Whiteside 1978, Leibhotz and Wilson 1974).
CASE 1. PHONY MICR DEPOSIT SLIPS, WASHINGTON, D.
A depositor exchanged blank deposit slips on the counter in the bank with his own magnetically coded deposit slips, giving his own account number. Norma lly processed by mach i ne, the depos it sl ips were not verified by the bank as to name and address of the depositor. He accumulated $250,000 in four days from other people's deposits. He then withdrew $100,000 and disappeared.