An insurance company maintained a computer-based security system that read employee badges to keep tabs on data processing personnel. Reportedly the company installed 70 automatic doors with badge readers, forcing employees to use their badges wherever they went within the data processsing facility. The system, using a computer clock, even noted when employees went to the lavatory. It also kept records of all pauses before vending machines and in front of bulletin boards. The employees objected, claiming that the system violated their privacy.
This is one example which illustrates how the introduction and integration of computers nto the mainstream of modern society promises to be a significant new catalyst for change in the coming years.
Like Dr. Jekyll and Mr. Hyde, the computer can be used for benevolent as well as malevolent ends. As computers aid in the performance of an increasing number of tasks that have the most serious impacts on people, such as air traffic control and surgery, the potential for abuse likewise expands. The more computers become a common aspect of modern life, the more concern about the abuse of computers proliferates. The potential types and seriousness of computer abuses are directly related to the nature of this new and widespread computer usage.
As we become increasingly dependent on computer technology, risks in business and national defense that we already face change markedly, and new risks occur. Nuclear warfare may become passe. Exploitation of computer-related national weaknesses may soon be more attractive to hostile foreign powers than use of nuclear war. In other words, it may soon be possible for one country to cause chaos in another nation by tempering with critical computerized information systems. Such interference could make an invasion or political coup significantly easier to accomplish.
This possibility arises because computers make possible the commission of a number of previously costly, time consuming, and impractical acts. The power that can be conferred by computers is illustrated by an SRI International study of US Controller of the Currency data for 1972. The study found that the average take in a conventional bank fraud or embezzlement was $19,000, whereas the average take in computer-related bank fraud or embezzlement was $450,000.
In 1975 the United States Chamber of Commerce estimated total US losses from computer fraud at $100 million per year. Research and consulting performed at SRI leads the authors to believe that this is a conservative estimate. Of course, no accurate measure is available because we simply cannot know how many incidents go undetected and/or unreported.
The computer, rather than the traditional bank vault, is becoming the repository of negotiable assets. The processing, storage, and transfer of funds in automated banking epitomize the transition from a physical (paper) to an electronic form of money. Furthermore, other assets or, more properly, other records of assets, rights, and obligations are also maintained with the aid of computers. Whereas the art of safeguarding physically manifested (paper) records of assets, rights, and obligations has been refined throughout history, the art of safeguarding records of assets, rights, and obligations maintained in computer systems has had only 35 years in which to develop.
The abuses themselves have not changed in name; that is, we still have fraud, theft, larceny, embezzlement, extortion, sabotage, espionage, and violation of privacy. However, many other aspects are new. Computer and associated communications technology has made possible new methods of automated abuse, The occupations of perpetrators, the timing of the acts, the geographic location of the parties involved, and the environments in which these acts take place have all changed.
What countermeasures are available to address these threats?
One is to define a standard of due care for security and privacy in the operation of computer systems. For manual accounting systems, such a standard has been defined and is referred to extensively by CPAs when performing independent audits. The Federal Foreign Corrupt Practices Act is an attempt to legally formalize the fact that management can be held liable (under the concept of negligence) for failing to install and operate the appropriate (computerized and manual) control systems. The Privacy Act of 1974 has similarly attempted in general terms to create a standard of due care for the computerized recordkeeping systems of the federal government.
Appropriate measures to be taken by management will be increasingly defined in terms of commercially available safeguards and the steps taken by other organizations operating in similar environments. For instance, in the banking environment, the use of encryption (data scrambling) is on the verge of being accepted as a standard of due care. If encryption were to become generally accepted as a prudent safeguard to use in bank systems, a bank that did not operate with encryption and suffered a loss that could have been prevented with encryption, could be held liable.
While standards of due care may assit data processing management in the identification of basic controls, more complex guidelines may be necessary for determining appropriate measures called for by the unique operating environment of an organization.
Auditors are often in a position to recommend these more complex requirements. One of the serious problems facing both external and internal auditiors is the knowledge gap between the computer technician and the auditor. The independence of auditors has been compromised because, in many instances, they no longer have direct access to data. This reliance places auditors in the unfortunate position of trusting individuals who could deceive them.
Some long-term solutions to this problem are to provide auditors with specialized technical training, refine available auditing tools, develop new techniques, and design systems that are more auditable.
Another approach to computer systems security is the formal establishment of computer security officers within organizations. These new specialists plan, develop, and oversee the operation of computer systems security and privacy controls.
Underlying all approaches to computer security and privacy, not just those mentioned here, is management policymaking. Management needs to set and and enforce policies on accepted ways in which employees and others can use organizational computing resources, proper ways to handle sensitive information, and corrct behavior relative to and organizational code of ethics. Policies should clearly define those circumstances under which employees are to be prosecuted, dismissed, or reprimanded for unacceptable behavior.
While the risk of computer-related abuses appears to be growing rapidly, there is a greater potential for security and protection of privacy when information is computerized than when it is handled manually. Similarly, errors and omissions can be reduced considerably when record-keeping is done with computers. The great power and versatility of computers can be used in the establishment and consistent enforcement of controls that may not be cost-effective or even possible in a manual recordkeeping environment. Hopefully, further research in the very near future will develop satisfactory controls . . . before losses grow to inordinate pr oportions.