Abstract

Corporate identity theft involving the unauthorized extraction of vital client information is currently on the rise as the most prevalent type of computer crime. Processing large volumes of personal data without proper security protection mechanisms makes the organizational information base vulnerable to malicious attacks by both external and internal agents. Based on a quantitative questionnaire survey method, this research identified theft/disclosure of corporate information and virus attacks as the most common forms of security threat. Access control and firewalls were found to be the most common information security measures used by corporate undertakings. The research recommends comparing the quantified damages from potential security threats to organizational information security with the cost of installing appropriate protection mechanisms.

Introduction

The proliferation of e-commerce has made global business transactions easier and more convenient. Consumers have found a comfortable way of purchasing goods and services through e-commerce, using the internet as the medium. With the continued growth of the internet, along with technological developments and a large volume of sales, the crime of computer fraud has also become an issue larger in magnitude than the experts ever imagined. In modern times, sophisticated professionals have turned into cyber criminals who have chosen to use their talents for fraudulent purposes. With their professional knowledge and skill, these professionals get access to advanced software which enables them to activate the computer systems of others to retrieve any sensitive information they can use for illegal purposes. A notable feature of such an event is that the user may not even know that his/her computer system has been subjected to fraud. In this context, this research extends to computer frauds and the protection of information security.

Information Security: an Overview

Generally, organizations are concerned with the threats and vulnerabilities to their information systems and resources from the purview of confidentiality, integrity and availability (Gollmann, 1999; Pfleeger, 1997; Sebastian et al., 2003). Information security covers any action designed for the protection of information and information systems within an organizational context (Gordon & Loep, 2006). Information security relates not only to the information content but also to the entire spectrum of infrastructure that facilitates the flow and storage of information. Thus, information security is concerned with hardware, software, threats, physical security and human factors. It is to be appreciated that each of these components of information system has its own characteristics which has an influence on the overall information security. With the increased use of advanced information technology and internet, the role of information security has become overwhelming. With the increase in the number of security breaches in the commercial and government organizations and more accessibility to the information, there are increased threats to the security of information (Brown & Duguid, 2002).

Computer security as an integral part of information security is a general term that encompasses a wide range of processes involving computing and information processing. Business organizations that depend on different computer systems and networks for transacting their daily business dealings and for accessing crucial information consider their data as an important part of their overall assets. In the case of some industries like electronic commerce industries, the success or failure of individual organizations depends largely on the availability and trustworthiness of data. The issue of managing information security has taken the centre of focus with the increase in the magnitude and capacities of the networking facilities. The increase in networking facilities has put the information security at a very high priority especially in the wake of increased cyber crimes that are being perpetrated largely. Private business houses like those engaged in providing financial and investment services to their customers and several other customer centric business establishments carry a large amount of vital data pertaining to their valued clients in their computers, which are always subjected to the vulnerability of data and identity theft by unscrupulous hackers and perpetrators of cyber crimes. Thus, in the present highly mechanized business environment development of secure identities is one of the issues of critical importance for the protection of information and data stored in the computer systems. One type of computer crime as identified in the recent surveys is the perpetration of frauds on information technology and information systems (Graycar & Smith, 2002).

The proliferation of the Internet as the largest means of communication has opened a number of avenues for illegally breaking the security of information and accessing it for illicit uses. Organizations, both private and governmental, face a flood of security threats, both known and unknown, from any possible source. The threats may emanate from outside the organization's premises through people known as hackers. Hackers often attempt to invade corporate networks for monetary gain or just for fun. They also use programs which exploit network vulnerabilities to extract information or obstruct the smooth flow of information. Organizations protect their information networks and systems from unauthorized intrusion using several techniques. Firewalls and intrusion detection systems are some of the commonly adopted techniques. The information stored in the computer systems of any organization is also subject to the risk of disclosure by employees, either by mistake or intentionally.

With the increase in potential information security threats from worms, viruses, and hackers, coupled with the adoption of open system architecture to facilitate e-commerce, security professionals have been trying to find suitable solutions to the challenges posed by these real threats. However, it needs to be understood that there is no single solution, in the form of a technology or methodology, that will meet the security needs of corporate entities. Effectively securing data and other assets calls for a holistic approach that covers all aspects of security, including systems architecture and other policies and procedures, in addition to educating the users. The holistic approach encompasses not only engaging the right solution but also getting the entire organization to embrace a security state of mind.

Implementation of a holistic security strategy involves moving the organization from a technology-centric entity to a business-centric security process. This process involves assessing risks and managing potential threats.

A secure environment is an important element of meaningful knowledge management. Knowledge represents an important asset of any organization signifying the need to protect it securely. The security is to be applied both within and outside the organization. However, information security is not perfectly secured by nature and is always vulnerable to breaches. Therefore, organizations cannot completely eliminate the danger of misusing the information by applying a single solution. It is necessary to arrive at a level of information security suitable to particular situations. The organization should decide on the level of security as a proportion of the value the information possesses. The potential loss that may arise to the organization because of the misuse of information should also be considered in deciding the level of security. This substantiates the statement that information security is about risk management.

Aims and Objectives

This research aims to make an overall review of the corporate identity frauds and the protection of loss or misuse of information from such corporate identity frauds. In order to achieve this overall aim, the research undertakes to accomplish the following objectives.

  1. To have an overview of information security at corporate level to understand the nature and ways of ensuring information security;
  2. To identify and study the features of most common corporate identity frauds;
  3. To study and present an overview of the nature of crimes associated with corporate identity;
  4. To study the existing ways of safeguarding information security and to make a critical analysis of the current solutions to information security;
  5. To make a risk assessment with the emphasis on cost, social effects and corporate effects.

Significance

Information security clearly establishes the setting for the creation and use of a more comprehensive approach to building information security systems that can guarantee the protection of information (Cranor & Garfinkel, 2005). This presupposes the necessity of creating and using better security systems to ensure the basic security of information stored in computer systems. This has made the study of the salient features of the security aspects relating to the creation and use of meaningful information security systems an important one. Past research has identified improperly used or badly designed protection systems as one of the major causes of information security concerns (Tari et al., 2006). The ultimate purpose of computer fraud is either financial gain or the gain of other resources and privileges, which might affect the reputation of an organization. Computer frauds and corporate identity thefts may lead to financial and criminal repercussions of significant impact. This has necessitated a reexamination of the existing information security systems to comment on their shortcomings and, at the same time, to suggest new systems of information security so that the information remains secure. Thus, this study has taken the objective of critically examining computer frauds and corporate identity thefts and the ways of protecting these identities, and of suggesting any possible improvements in them.

Structure

In order to present a comprehensive and cohesive analysis, this paper is structured into different chapters. The first chapter introduces the topic of study and details the aims and objectives of the research. The second chapter reviews the available literature on computer fraud and corporate identity thefts. This chapter also details the research methodology chosen to complete the research. While the third chapter presents the findings of the research and an analysis of the findings, chapter five is the concluding chapter, which also contains a few recommendations for further research and an evaluation of the research undertaken.

Literature Review

Introduction

The following finding of a recent study brings out the magnitude of computer crimes in relation to business organizations.

"the complexity of modern enterprises, their reliance on technology, and the heightened interconnectivity among organizations that is both a result and a driver of e-business – these are rapidly evolving developments that create widespread opportunities for theft, fraud, and other forms of exploitation by offenders both outside and inside an organization" (KPMG, 2000).

Computer frauds have been one of the major concerns for all types of organizations, whether public or private. Computer crimes have also affected consumers, regulatory agencies and society in general. A survey taken in the United States during the year 2002 identified that more than 90% of the organizations among the 500 participants had experienced computer security breaches within the last one year (Power, 2002). Investigations conducted on similar lines in Australia have also revealed that computer frauds occur at somewhat lower levels compared to the US; however, an increasing trend is observed. The Australian Computer Crime and Security Survey reports that security breaches doubled during the period between 1999 and 2002, and that during the year 2002, 67% of the organizations that participated in the survey experienced computer frauds (Power, 2002).

A number of reasons are given for the proliferation of computer frauds. The increase in connectivity within the community and the increased use of internet services give more opportunities to perpetrators of fraud. The complex nature of recently developed computer software leaves it open to different types of attacks, easily performed by hackers. Attackers have abundant chances of obtaining malicious code and tools, which enlarges the opportunities for computer fraud. The increased use of high-speed internet access by home users through cable modem or DSL, with their lesser security capabilities, provides the necessary bandwidth and availability for attackers to indulge in more crimes. The rate at which technology changes increases the rate at which computer frauds are committed. The slow pace at which users adopt established safety practices, set against the range of their connectivity and use of the internet, is one of the most important reasons for the increased rate of computer crimes. One of the most common types of computer crime concerns the information technology and information systems engaged by an organization. Power found that the rate of computer crimes having financial implications doubled from 3% of the participants in a 2000 survey to 6% of the participants in the 2002 survey in the context of the United States. The cost of these frauds has been found to be disproportionately high in the overall cost of all computer frauds. This trend has necessitated identifying and installing suitable system-centric security applications to prevent the occurrence of frauds and unauthorized access to information for illicit uses.

Methodology

Research Philosophy

Social science research follows several research methods to collect information and data relating to the issue under study. Ontology and epistemology enables the formation of the basic framework for many of the social research methods. The term ontology is defined as a branch of philosophy concerned with communicating on the environment and arrangement of the world (Wand & Weber, 1993). Ontology thus is concerned with what is said to be in existence in the real world. The ontological questions always try to find the arrangement of worldly truth and the things that need to be learnt about the real things in the world.

On the other hand, epistemology talks about the nature of human knowledge and understanding (Hirschheim et al., 1995). This philosophy advocates that such knowledge and understanding can be acquired by employing various types of inquiry and alternative methods of investigation (Hirschheim et al., 1995). According to Guba & Lincoln (1994), the inquiry paradigms can be considered in ontological, epistemological and methodological questions. The methodological questions decide the ways in which the researcher can proceed to find out what he or she believes can be known about the existing things in the world. The research methods generally follow experimental, correlation, natural observation, survey and case study methods.

The researcher must evolve a suitable research design specifying the research method the researcher intends to follow for completing the study. In choosing the particular research method to be followed, the researcher has to take into account a variety of variables like the subject matter under research, and the range of interests of the researcher, difficulties involved in accumulating the time and resources and other funding issues. The major classification of the research methods takes the form of qualitative and quantitative research methods.

Considering the nature of the current research to assess the necessity of using information security techniques and tools by the corporate entities, use of epistemology was considered appropriate. Since epistemology is concerned about the ways in which the human actors would act to inquire and acquire knowledge on things, which really exist in the world, this research proposes to follow an epistemological approach. Moreover according to Hirschheim et al., (1995) since epistemology talks about the nature of human knowledge and understanding and that such knowledge and understanding can be acquired by employing various types of inquiry and alternative methods of investigation this research proposes to use an epistemological approach.

During the process of this examination, the research will also extend to analyzing the salient features of information security and the impact of computer crimes on corporate identity theft issues. This includes the study of various techniques including firewalls and intrusion protection systems to safeguard the information resources of companies. In the present business models of large corporate undertakings there is an excessive dependence on networked applications and this naturally leads to innumerable chances of perpetrators attempting to gain unauthorized access to corporate data systems and networks. Therefore it is proposed to use a quantitative research method of questionnaire survey among the IT professionals of large and medium companies to gather the necessary primary data for completing the study.

Research Design

For any research in the realm of social science, research design provides the bond that keeps the research project together (Webcenter for Research Methods, 2006). The research design is expected to give a formal structure to the research. This is accomplished by showing the manner in which the different components of the research project will proceed to deal with the central research question. The research design may take the form of a randomized or true experiment, a quasi-experiment or a non-experiment (Webcenter for Research Methods, 2006). This three-fold classification is necessary for describing the research design with respect to internal validity. In general, the randomized experimental basis is the strongest for establishing a cause and effect relationship; however, since this research adopts a quantitative research method and is non-experimental in nature, it adopts a non-experiment research design.

Quantitative Research Methods

Quantitative research methods have their roots in the natural sciences, where they are used to diagnose and analyze natural issues. There are certain generally adopted quantitative methods; questionnaire surveys and laboratory experiments are some of the techniques used. According to White (2000), investigative processes that provide the results of the research as quantitative, numerical values form part of the quantitative research method. The quantitative expressions represent the results of the research. Such quantitative results are subjected to a variety of statistical analyses so that the findings of the research can be reported in a comprehensive way. Quantitative research is rooted in positivism, which regards measurements made in research as attaining precision and exactness (White, 2000). Quantitative research is said to be well conducted when objectivity is attained in the treatment of results and in the process used to generate the results (Cavana et al., 2001).

Qualitative Research Methods

Qualitative research methods are employed to help researchers make an extensive study of various aspects covering social and cultural issues. Action research and case study are some of the techniques used by the qualitative method. According to Creswel (1994), qualitative research is an enquiry process which is undertaken to analyse the issues connected with social or human behaviour. The success of the enquiry process under the qualitative method depends on the viewpoints of the various informants to the research, who express their views in a natural setting. The impressions, viewpoints and expressions of the researcher would also be a part of the data source. Byrne (2001) believes that defining qualitative research using a single definition is not at all practical because the term qualitative is itself a broad term. In addition, the inferential statistics usually applied to data generated from quantitative research are not used for qualitative research.

Since the research aims to examine the role of information security and the use of different techniques to safeguard the security, it is considered appropriate to employ the quantitative research method for completing the research. The study of information security and the techniques to safeguard the information involves the expression of viewpoints and perceptions by the industry professionals and managers with any numerical values it was considered appropriate that the perceptions of the respondents are observed through a set of pre-designed questions contained in a questionnaire and for this purpose the quantitative research method was considered suitable. In view of the decision to adopt the quantitative research method of questionnaire survey among the IT professionals and its suitability the qualitative method was not considered necessary.

Research Methodology

The process of this research engages the methodology primarily involving collection of the required data. The collection process is followed by the activities of organizing and integrating the data collected. The major step in the process of this research is the collection of data from the informants and the success of the research depends largely on the data collection process. Efficient data collection process ensures and leads the researcher to valid and credible findings from the research. This research will be founded on a quantitative study on information security in the context of corporate undertakings. Collection of primary data using the information and data collected from a number of participants based on questionnaire will provide the base for a firsthand experience of the researcher. Therefore this research uses the research technique of questionnaire survey method for conducting the research. The questionnaires containing closed and open ended questions were distributed to respondent organizations chosen from the yellow pages and through references from friends through email. The respondents were requested to send back the completed questionnaire by email to the researcher for further analysis.

The subject matter of the study can be supported by primary data collected through the quantitative research method of questionnaire survey. The researcher considered using a qualitative method of face-to-face interviews in place of the survey. However, since the samples would have the opportunity to express their views more freely when asked to respond to a survey questionnaire, the survey method was considered more appropriate. This would enhance the credibility of the study. Further, the interview method is a time-consuming process, and there is the likelihood that the industry professionals and managers may not find time to answer the interview questions. Since the topic of information security is an exhaustive one, it was considered better to have frank opinions and viewpoints expressed as answers to the survey questionnaire to add value to the findings.

Research Approach

In order to collect the required information and data for conducting the study it was necessary to conduct the survey through a questionnaire distributed to a certain number of construction organizations. 150 such organizations were chosen as respondents to the survey, from the industry database collected from industry directories and yellow pages. Out of the 150 respondents to whom questionnaires were sent, only 31 of them returned the questionnaire duly filled with their views. The questionnaires were sent to the chosen organizations through email along with a covering note explaining the background and the purpose of the survey. The sampling method that was used for this research is by choosing the organizations based on the sizes of the firms based on their turnover. It is important to arrange the distribution of samples as fully representing the total population. Therefore, the researcher took maximum care in the selection of samples for the survey.

Construction of the Research Instrument

The research instrument, in the form of a questionnaire (as exhibited in Appendix 1), contained two different sections, with questions taking a broader perspective on information security in general and questions on the experiences of the participants in their individual firms in particular.

Section 1 of the questionnaire contained questions on general information relating to the respondent companies, such as the nature of business, the activity undertaken by them, the volume of business and the status of the respondent in their respective organizations. This information is required to analyze the homogeneity of the samples. Section 2 of the questionnaire contained questions on the general perceptions of the samples towards information security and the measures being adopted by the companies to mitigate the issues relating to information security. Questions on the specific context of information security with respect to the individual firms were also contained in Section 2 of the questionnaire.

The objective in preparing the questionnaire was to keep the respondents answering the questions quickly and efficiently. The questionnaire has utilized simple questions with numbered ranking scale and yes or no type questions along with open ended questions where the respondents have to provide specific replies. There was one question requesting respondents to make suggestions for better information security. The questions at the beginning of the questionnaire were introductory in nature to assist the respondents to get a feel for the answering style and the sections have been ordered with more taxing questions placed in the later parts of the questionnaire. The questions contained in the questionnaire might have required the collection of additional information before answering the questions on estimating the monetary value of information security risks and cost of security measures in the individual organizations. However this was not expected to be a problem as all the respondents have been chosen to be IT professionals having fuller knowledge on the topic of information security and the tools available to mitigate the issues. The layout and question sequence and even the wordings of some of the questions of the final version of the questionnaire were subjected to many changes before it was finally sent out to the samples.

Information Security and Computer Frauds

Even though there have been a number of studies focusing on human computer interaction and role of passwords and information security, not much of research has been conducted in the area of computer frauds and associated crimes from the perspective of a total understanding of the phenomenon of computer frauds. Studies have been conducted from business perspectives (Tan, 2002), from a general/legal perspective (Graham, 2002), from a specialized computer crime perspective (Graycar & Smith, 2002), from a technological perspective (Power, 2002; AusCert, 2002) or a victim perspective (Graycar & Smith, 2002). Within the scope of this limited literature there have been a number of definitional issues pointing in the direction of a lack of common understanding of computer frauds or their financial and other impact on the different organizational activities. Along with this, the alarmingly increasing rate of e-fraud and the importance of creating awareness among the users have underpinned the need for further research in the area towards better understanding of computer fraud in the context of corporate identity thefts. The findings of the research are expected to be beneficial to those who are entrusted with the controlling of this problem and those who are interested in pursuing further research.

Computer crime or e-crime can be defined as offences where a computer is used as a tool in the commission of an offence, or as a target of an offence, or used as a storage device in the commission of an offence (Etter, 2001). This definition of e-crime purports to be inclusive of fraud, theft, unauthorized access, sabotage and abuse of computer resources. For the purposes of this paper, the term computer fraud is construed as e-crime as defined by Etter. Theft in this context includes theft of intellectual property, hardware and software, while abuse of computer resources denotes the use of a wide range of mediums, extending from facsimile to email, with ulterior motives.

Such computer frauds perpetrated against corporate undertakings and government organizations impact the security of their intellectual property. The concerns of commercial and government organizations in this context may include: (i) the flow in and out of their corporate information network of unwarranted, unauthorized and unscrupulous data, undertaken with fraudulent intentions; (ii) stealing and/or exchanging, for monetary or other considerations, confidential data over the corporate network in any electronic format; (iii) running parallel/personal businesses on corporate networks; (iv) subscribing to emails or internet sites containing malicious contents or with intent to view pornographic materials; and (v) creating adverse publicity through misuse and abuse of the corporate network.

Stages in Information Security

With the increase in the number of employees, applications and the sophistication of information systems, information management within an organization becomes more complex, which also leads to a potential increase in vulnerabilities. VonSolms (1996) observes three stages in the evolution of information security. In the first stage, during the 1960s, the primary concern of information security was to ensure the physical security control of the infrastructural facilities that aided information generation and flow within organizations. For example, printouts of reports were circulated in protected ways just to prevent misuse of information. During the second stage, in the 1970s, information security was in place to meet the specific needs of individual organizations, without really taking into account the enlargement in the scope of information security. In the third stage, organizations, by reason of using advanced information and communication technology, had to interlink their IT services. This has made organizations move from a closed environment to a networked environment, which is more complex as the information flow is based on distributed and connected networks of machines.

Even in the third stage of evolution, different waves of information security could be observed (Kansal, 2006). Before mid 90s there was no connectivity to internet making the inter-office connectivity rare or intermittent. Confidentiality and integrity of information were regarded as the main purposes of ensuring information security. The objective of Information security is to control the access to information and later on to make it available to those in need of such information and are authorized to use. During the mid to late 90s connectivity to internet improved and increased security threats took the form of worm and viruses which exist even today. This made anti-virus products as the prime solution for tackling information security related problems. This also resulted in perpetrators using improved software to commit computer crimes. This has also affected corporate web-se
