Portal de Periódicos da CAPES

Organizational Data Breaches 2005-2010: Applying SCP to the Healthcare and Education Sectors

2011; International Journal of Cyber Criminology; Volume: 5; Issue: 1 Linguagem: Inglês

0974-2891

Jason D. Collins, Vincenzo A. Sainato, David N. Khey,

Crime, Illicit Activities, and Governance

(ProQuest: ... denotes formula omitted.)IntroductionSituational crime prevention (SCP) is a practical application of routine activity theory (RAT) that reduces the frequency of likely criminal opportunities (Felson & Clarke, 1998). Cohen and Felson (1979) originally proposed RAT when attempting to analyze the increase in crime rates following World War II. Specifically, these researchers developed a criminal theory that focused on the environmental 'opportunities for crime' to occur characterizing the temporal and spatial attributes of a criminal transgression. Their model stated that a criminal act possessed three fundamental variables: (1) a suitable target, (2) a motivated offender, and (3) the absence of a capable guardian. Essentially, when a potential criminal opportunity arises the act will occur at a juncture in time and space between a motivated offender and a suitable for victimization. This crime will ultimately take place in a location that lacks a capable guardian to protect the 'suitable target,' which is considered to be either a vulnerable person or one's unguarded property. Thus, the absence of any one of these three situational factors should theoretically make the commission of a crime impossible (Davis, 2002). As a result, routine activity theory is considered to be a macro-level theory applicable to numerous types of crime as it seeks to explain the criminal victimization process and not a criminal's specific motivations (Akers & Sellers, 2009).Information Security (IS) officers can use SCP to reduce the possible motives for an offender to engage in crime by: increasing the effort and risks of a crime; reducing the potential rewards and provocations; and removing the excuses for committing a crime (Willison & Siponen, 2009). SCP achieves these goals through a preventative technique called target that identifies the specific situational exploits that allow criminals to commit an offense in a particular area (Felson & Clarke, 1998, p.27). Applications of hardening include: installing entry-phones to apartment buildings to regulate access; visible security cameras and guards to deter crime; rapid clean up of graffiti to deny the visual benefit to an offender; and requiring registration at the front desk of a hotel to discourage people from leaving without paying.Willison and Siponen (2009) applied SCP methodology to the information technology (IT) divisions of corporations in an effort to deter employees from stealing valuable information from the company. An effective way of applying SCP techniques is through the creation of 'crime scripts'4 that outline the various steps potential offenders would need to execute in order to circumvent security measures and gain access to the restricted areas of an organization. Consequently, these scripts allow security officers to devise countermeasures for each step preventing these would-be offenders from taking advantage of ambiguities in an organization's security procedures. For example, if an offender knew where a coworker wrote down their passwords they could potentially access the employee's account without their knowledge. To deter this scenario from unfolding, a crime script would recommend that the company respond by reducing the number of passwords employees have to remember, incorporate biometric technology into login procedures, or mandate that the staff attend refresher classes on basic security protocols. Thus, incorporating SCP practices into corporate security procedures can be advantageous in reducing the number of deliberate and accidental security breaches.Highlighting the current procedures for security threats within corporations, Willison (2008) found that roughly fifty percent of the security breaches reported in the 2004 CSI/FBI Computer Crime Security Survey and the 2006 Global Security Survey occurred within the victimized organization. Furthermore, it was discovered that much of the literature on IS does not employ a concrete analytical theory in their research. …