FREE ELECTRONIC LIBRARY - Dissertations, online materials

Pages:     | 1 |   ...   | 2 | 3 || 5 | 6 |   ...   | 16 |

«Item type text; Dissertation-Reproduction (electronic) Authors DUNN, THURMAN STANLEY. Publisher The University of Arizona. Rights Copyright © is ...»

-- [ Page 4 ] --

The typology in Chapter 2 identified and ranked, by

vulnerability, automated systems based on reported incidents of computer fraud, in order that emphasis could be directed to these systems, thus establishing the first level of prioritization and ranking among systems. The risk assessment in this chapter goes the next step in identifying and ranking specific threats within these systems.

Constraints Like many other management decisions, computer fraud detection becomes a matter of resource allocation in an environment of 1imited time, people and dollar resources. Typically, as indicated above, there is not enough time, people or dollars in many of today's systems to fully monitor every transaction or change. However, the resource allocation responsibility goes beyond this. Even if resources are plentiful, it is incumbent upon management to utilize them in a prudent manner. Thus, it is not good management to spend $10,000 to preclude a probable loss of $1,000 by computer fraud unless some other factor more than offsets the $9,000 difference. (It is conceivable that other factors such as embarrassment or loss of confidence would more than offset the $9,000 in this example.) Time Criticality Time criticality, or the time constraint, is typically set to a large extent by the system or conditions surrounding it. Contrast, for example, the classic payroll system and a near real-time banking system. In the payroll system, transactions are usua 11y entered all during the pay period; commonly a weekly, bi-weekly or monthly period.

To a large extent, by relaxing the constraints on people and dollars, time periods in such a system would be adequate to track all transactions and changes between pay periods although the costs might be prohibitive. In the banking system, on the other hand, the time between a deposit and authorized withdrawal against that deposit may be very short, perhaps minutes or seconds. Given that thousands or tens of thousands of transactions may occur in the brief period of a few hours in a large banking system, it may be virtually impossible to track all transactions or changes even with unlimited people and dollar resources due to the difficulties of administering such a program.

Prevailing conditions may also determine or affect the time criticality of system. For example, in certain Latin American countries where inflation rates have soared well beyond 100 percent, employees have demanded their pay on a daily basis in order to spend it as soon as possible on commodities as a hedge against inflation (Fitzgerald 1980). Time criticality in this environment would be considerably different than in the classic payroll example cited above.

Human and Dollar Constraints Human and dollar constraints will be considered together since, for the most part, management may elect to utilize more or less of either resource for various activities, one of which is computer fraud detection. There are obvious constraints in terms of total people or dollars available but, within limits, management is free to adjust levels of either resource.

There are various factors which might influence the levels of people or dollar resources devoted to the detection of computer fraud.

For example, management may decide that a certain number of people or dollars will be dedicated to computer fraud detection based on their intuitive judgment regarding the honesty of people. Thus, one manager may require that two percent of total systems costs be expended in computer fraud detection. Another, with infinite trust in people, may not apply any resources to detection. Still another may have an inherent distrust in people but feel elaborate controls built into systems under his or her control provide adequate protection to preclude fraud and, thus, may not apply further resources to fraud detection.

A more sophisticated approach would be to develop, through some means, an estimated value of loss through computer fraud and dedicate corresponding resources to its detection. For example, a manager might estimate annual losses of $50,000 through computer fraud if no attempt is made at detection. Then, assuming relative linearity between resources applied to detection and decreases in losses through computer fraud, be willing to spend up to $50,000 for detection. If this same manager worked for a bank or some other institution which depends heavily upon public trust and confidence, he or she might be willing to spend considerably more than the estimated loss value to aviod the embarrassment and loss of confidence associated with an inability to uncover computer fraud.

If management is totally unyielding in the level of human and dollar resources which may be applied to computer fraud detection, then 1ikely, these constraints essentially become fixed constraints. More however, management wi 11 be wi 11 i ng to adjust the level of 30.

these resources if it can be shown that such a move is cost effective or vital to the firm's existence.

The threat assessment provides insight into the amount of resources which should be used for computer fraud detection, given management's basic aversion to being defrauded. Further, the threat assessment provides more specific guidance in the distribution of these resources to the various threats surrounding a system.

The Typology Revisited Recall that the typology in Chapter 2 analyzed reported incidents of computer fraud to establish relative vulnerabilities of various types of computer systems to computer fraud. The cases in the typology were primarily from Parker ' s database at Stanford Research Institute as reported by Allen (1977) and the files of the General Accounting Office (GAO 1977).

In Allen's 1977 study which included 150 computer fraud cases, the cases were categorized by method of computer manipulation as depicted in Figure 5.

Figure 5 presents Allen's Methods of computer manipulation further categorized by type of victim. In Figure 6 the same 150 cases are presented by method of computer manipulation but are further categorized by the type of system victimized in his 1977 study plus additional cases into the categories shown in Figure 7.

In a more recent study Allen (1979) categorized cases reported in his 1977 study plus additional cases into the categories shown in Figure 7.

–  –  –

Note: Case totals do not add up to 150 because some are classified in more than one category.

Figure 5. Methods of Computer Manipulation By Type of Victim

–  –  –

Note: Totals do not add up to 150 because some cases are classified in more than one category.

Figure 6. Methods of Computer Manipulation By Type of System

–  –  –

Computer Hardware, etc.

Figure 7. Methods of Manipulation by Percentage Allen concluded that the most common method of computer manipulation is the manipulation of transactions.

He gives examples of transaction manipulation as (I) changing the batch controls or creating a new batch control document or record; (2) adding to a batch by substituting a fraudulent transaction for a legitimate one; (3) altering an otherwise legitimate transaction or a dummy transaction that had previously been introduced in some other fashion; (4) introducing an entire batch of fraudulent and dummy transactions; (5) deleting transactions by changing batch controls; and (6) altering or deleting through file maintenance.

In another study Krauss and MacGahan (1979) suggest that there are surprisingly few common forms of computer fraud manipulation - in

fact, just these three:

Input Transaction Manipulation Schemes Unauthorized Program Modification Schemes File Alteration and Substitution Schemes Referring back to Figure 7, it is apparent that Allen would agree that most computer fraud cases do, in fact, fall into one of these three categories. Krauss and MacGahan present various techniques for invoking the schemes. Abstracts are shown below.

Input Transaction Manipulation Schemes Extraneous Transactions. Making up extra transactions and getting them processed by the system is a rather straightforward form of input manipulation. A perpetrator may either enter extraneous monetary transactions to benefit himse lf, or he may enter file maintenance transactions that change the indicative data about a master file entity {customer, vendor, product, general ledger account, salesman, department, etc.} in some way that he will later exploit.

Failure To Enter Transactions. Perpetrators can obtain substantial benefits simply by failing to enter properly authorized transactions. One of the simplest examples involved action on the part of check-processing clerks who simply destroyed their own canceled checks before they were debited to their accounts. The same thing can happen in a customer billing system. File maintenance can also be excluded dishonestly with similar b~~efits.

Modification of Transactions. Fraudulent gains can be realized by altering the amount of a proper1y authorized monetary transaction. For example a perpetrator may reduce the amount of charges against a particular account or increase payments into a particular account. Another scheme involves changing indicative data on file maintenance transactions. Examples are name, address, monthly closing date, account type and status, privileges and so on. Since errors in indicative data are fairly common and since controls over such transactions tend to be weak in many companies, this method is particularly promising to the perpetrator. The most insidious of all transaction modification methods involves "exploitation of blanket file maintenance transactions". More specifically, a transaction that instructs the system to change the corresponding master file data element for any and an corresponding fields filled out on the input form. (Best advice is to avoid the use of such transactions).

Misuse of Adjustment Transactions. Misuse of adjustment transactions is a common ingredient in input manipulation schemes. Here the term lIadjustmentll refers to monetary corrections of past errors or inaccuracies that have come about in a system through physical loss or spoilage of materials.

Often, perhaps out of concern to set things straight as quickly as possible, adjustment transactions are processed without adequate control. The result can be computer fraud of massive proportions.

Misuse of Error-Correction Procedures. Millions of dollars have been embezzled by perpetrators under the guise of error corrections. Although many of these abuses are special cases of previously mentioned methods of manipulating input, it is felt that error corrections are often a problem and deserve special attention. Ways that perpetrators abuse errorcorrection procedures include entering extra error corrections, fai lure to enter necessary corrections, and modifications of properly authorized corrections.

Program Modification Schemes Program modification schemes are the most insidious and difficult to detect. Even though the reported instances of such cases is fairly low, leading auditors and security consultants share a IIreported inc i dence bears no

chill ing view of reported statistics:

relation to the actual enormity of the problem ll.

To explain this commonly held view, consider the following:

Some program modification schemes are untraceable.

All program modification schemes are difficult to detect.

Motivation for perpetrators is high because a single blitz can effect large benefits rapidly with little chance of detection or prosecution.

Larcenous Strategies for Modifying Programs Breakage. Siphoning off small sums from numerous sources is commonly referred to as breakage. This method is particularly well suited to being implemented via program modification, because a few simple lines of code can bring about repeated theft of a large number of amounts. Breakage can be employed

whenever a computation is called for:

Computation of applicable service charge Computation of discounts Payroll withholding computations Computation of retirement benefits Computation of interest on savings Computation of ~elfare, medicare, social security, or unemployment benefits.

In any of these situations, all the perpetrator has to do is to instruct the computer to accumulate amounts resulting from rounding, and possibly small additional amounts, and to allocate the sum of all such amounts to a single account to which he or she has access. This activity will not be readily detected by systems controls because the total amount of money involved will agree with any predetermined control totals. The individuals involved are unlikely to notice a discrepancy in their accounts. Even if they do notice a discrepancy they are unlikely to comment if the amounts involved are small.

Undocumented Transaction Codes. By programming the computer to accept undocumented types of transactions, perpetrators can arrange to receive substantial profits in a very short time.

Once having made provisions for processing of the extra transaction type, there are several means of getting the necessary transactions into the system. The transactions may be computer generated, input by the programmer where controls (or lack or controls) allow it, input via the addition of an extra input file - etc.

Balance Manipulation. Simple, undisguised balance manipulation 1S a method that involves assuming that processing results will not be properly reviewed. A dishonest programmer can modify appropriate programs so that all totals and balances appear to be correct for any given day. The "work factor" involved in modifying all programs involved is typically high so the programmer will more often attack just one or two programs.

Pages:     | 1 |   ...   | 2 | 3 || 5 | 6 |   ...   | 16 |

Similar works:

«In framing an ideal we may assume what we wish, but should avoid impossibilities.ARISTOTLE Island by Aldous Huxley 1 Attention, a voice began to call, and it was as though an oboe had suddenly become articulate. Attention, it repeated in the same high, nasal monotone. Attention. Lying there like a corpse in the dead leaves, his hair matted, his face grotesquely smudged and bruised, his clothes in rags and muddy, Will Farnaby awoke with a start. Molly had called him. Time to get up. Time to get...»

«Learn To Speak Chinese Overnight ® 611 K Street, Suite B-333 San Diego, CA 92101 Tel: 858-201-9076 speakchineseovernight@gmail.com www.learnchineseovernight.com Learning to Speak Mandarin Chinese has never been Easier We have created a revolutionary way to help you learn to speak Chinese. Our incredible new method has literally cracked the code of learning Mandarin for English speakers, simply because our entire curriculum was written from an English speaker’s perspective. We believe this...»

«TRENDS OF LOCAL GOVERNANCE IN TIMOR-LESTE: SUCO GOVERNANCE PERFORMANCE SCALE Trends of Local Governance in Timor-Leste: Suco Governance Performance Scale (SGPS) March 2012 ACRONYMS AND ABBREVIATIONS DNAAS National Directorate for Suco Administration DNDLOT National Directorate for Local Development and Territorial Management FGD Focus Group Dialogue GEC Support for Governance, Elections and Civil Society MSATM Ministry of State Administration and Territorial Management SGPS Suco Governance...»

«Bases of primitive permutation groups Martin W. Liebeck and Aner Shalev 1 Introduction Let G be a permutation group on a finite set Ω of size n. A subset of Ω is said to be a base for G if its pointwise stabilizer in G is trivial. The minimal size of a base for G is denoted by b(G). Bases have been studied since the early years of permutation group theory, particularly in connection with orders of primitive groups and, more recently, with computational group theory. In this paper we survey...»

«Creative Activities Rules & Premium Book 2016 Needlecraft This is a division specific edition of the 2016 Creative Activities Rules and Premiums. There are additional rules and regulations that you must abide by if you choose to enter the competition. Click here for the entire premium book which includes the additional information you are responsible for. Entries for Creative Activities will be accepted at the exhibit building (except Baked Products and Canned and Preserved Foods) Saturday,...»

«Cambridge University Press 978-0-521-76380-6 Courting Democracy in Bosnia and Herzegovina: The Hague Tribunal’s Impact in a Postwar State Lara J. Nettelfield Frontmatter More information Courting DemoCraCy in Bosnia anD Herzegovina The International Criminal Tribunal for the former Yugoslavia (ICTY) struggled to apprehend and try high-profile defendants such as Serbian leader Slobodan Milošević, and often received more criticism than praise. This volume argues that the underappreciated...»

«Headteacher: Mr A Daly BA NPQH Patron: His Grace the Archbishop of York Newsletter: 199 Please follow us on Twitter @AHSYork to keep up to date with the latest news and events. 1 October 2015 Dear Parents and Carers, It was really good to have the opportunity on Monday evening to chat to parents and hear their views about the future of our school uniform. As we continue to gather feedback from staff, students and parents it is clear that there are a variety of opinions on the four possible...»

«IMPORTANT INFORMATION! PLEASE READ CAREFULLY! Dear Commercial Vendor, Welcome to the Puyallup Main Street Association's 2016 Meeker Days Festival. Meeker Days is the largest street festival in Pierce County with attendances reaching more than 135,000 people during the three-day event. We strive for the best in entertainment, a variety of tasty food booths and top notch arts and crafts! We work very hard on creating a profitable and enjoyable festival experience for all of ourvendors. Our...»

«Right Hound Right Home™ Greyhound Adoption Cheat Sheet Coming Home Sometimes circumstances prevent us from doing all the reading we should or asking all the questions we’d like. I’ve prepared this handout on essential issues to help you get started until you have time to get and read my book, Retired Racing Greyhounds for Dummies. These guidelines apply to the average GH in the average home situation. If you have questions or problems, consult your group, your veterinarian or a Greyhound...»

«COLLABORATION THROUGH OPEN SUPERPOSITION Forthcoming in Management Information Systems Quarterly (MISQ), accepted Feb 2013. JAMES HOWISON KEVIN CROWSTON School of Information School of Information Studies University of Texas at Austin Syracuse University 1616 Guadalupe Ave, Austin, TX 78701 343 Hinds Hall, Syracuse, NY 13244 jhowison@ischool.utexas.edu crowston@syr.edu Keywords: open source, information systems development, materiality, socio-technical system, collaboration, coordination...»

«Typing the Numeric Tower Vincent St-Amour1, Sam Tobin-Hochstadt1, Matthew Flatt2, and Matthias Felleisen1 1 Northeastern University {stamourv,samth,matthias}@ccs.neu.edu 2 University of Utah mflatt@cs.utah.edu Abstract. In the past, the creators of numerical programs had to choose between simple expression of mathematical formulas and static type checking. While the Lisp family and its dynamically typed relatives support the straightforward expression via a rich numeric tower, existing...»

«THOMAS WEISEL Thomas “Thom” Weisel (Thomas Weisel Partners LLC), HBS 1966, helped launch a niche investment bank based in San Francisco designed to serve emerging-growth companies on the West Coast. In the 1970s, the idea of an investment bank thriving outside of Wall Street was, as he puts it, “almost blasphemous.” Montgomery Securities became an integral part of the Silicon Valley story, however, and emerged as a top-tier investment bank. Montgomery merged with NationsBank in 1997....»

<<  HOME   |    CONTACTS
2016 www.dissertation.xlibx.info - Dissertations, online materials

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.