Posted: February 14th, 2023
Assessing the Feasibility of Applying Criminological Theory to the IS Security Context
1. Introduction
Limited research exists on the relationship between criminal employee actions involving computer abuse and the organizational environment [1]. Understanding this relationship can complement current IS security practices by identifying areas for additional safeguards. Specifically, understanding the pre-perpetration actions of dishonest staff can expand preventive measures beyond technical safeguards. This paper assesses the applicability of three criminological theories—Routine Activity Theory, Environmental Criminology, and the Rational Choice Perspective—to the IS security context.
2. IS Security and Criminological Theory
Criminological theories traditionally focus on individual and group motivations for crime [2]. However, recent theories also examine the criminal act itself, looking at the offender-environment relationship [2]. This makes them potentially relevant to IS security research.
2.1 Routine Activity Theory
Routine Activity Theory suggests that changes in societal routines can influence direct-contact predatory crimes [3]. Three elements are necessary for a crime: a likely offender, a suitable target, and the absence of a capable guardian. Changes in routine activities can influence the convergence of these elements. Felson [4] incorporates the “intimate handler” concept from Hirschi’s social control theory [5], suggesting that the absence of an intimate handler who can exert social control is also necessary for a crime to occur. Clarke [6] suggests including “crime facilitators,” such as tools or disinhibitors, to identify points for safeguard implementation.
2.2 Environmental Criminology
Environmental Criminology examines offender search patterns, noting that most crimes occur within offenders’ routine activity spaces [7]. Offenders develop an “awareness space” and learn to recognize cues associated with suitable targets.
2.3 Rational Choice Perspective
The Rational Choice Perspective focuses on offender decision-making, assuming that crimes are chosen for perceived benefits [8, 9, 10]. These benefits can be tangible or intangible. The perspective distinguishes between “involvement” decisions (regarding criminal careers) and “event” decisions (during crime commission). Bounded rationality acknowledges that offenders may make imperfect decisions due to limited information and rely on rules of thumb.
3. Case Study: The Collapse of Barings Bank
The collapse of Barings Bank in 1995, due to unauthorized trading by Nick Leeson, serves as a case study. This account draws on the Bank of England report [11] and Fay’s book [12]. Leeson’s unauthorized trading activities led to significant financial losses for the bank, ultimately resulting in its collapse. The case study provides a detailed examination of the factors that contributed to Leeson’s actions, including the organizational environment, his motivations, and the absence of effective safeguards.
4. Discussion and Analysis
This section analyzes the Barings Bank case study through the lens of the three criminological theories, providing a comprehensive understanding of how these theories can be applied to the context of IS security.
4.1 Routine Activity Theory: Intimate Handler/Unhandled Offender
Leeson’s lack of consistent supervision and the confusion regarding his reporting lines created an environment conducive to unauthorized trading. This aligns with the absence of an intimate handler. However, the case also highlights that managerial ignorance of Leeson’s activities, rather than mere absence, contributed to the problem.
4.2 Routine Activity Theory: Targets
Leeson’s motivation might have been financial gain, but Fay [12] suggests a desire for prestige and status among SIMEX traders. The “target” becomes the ability to conduct unauthorized trading, regardless of the specific benefit sought.
4.3 Routine Activity Theory: Guardianship Factors
Guardianship in the Barings case is complex, involving internal and external audit, compliance, and risk management. These factors require pre-existing conditions and effective operation to function as guardians. Their mere existence is insufficient; they must be actively managed and enforced to be effective.
4.4 Routine Activity Theory: Facilitators
Leeson’s skills and knowledge acquired through legitimate work facilitated his unauthorized trading. These cognitive facilitators, unlike physical facilitators [13], are inherent to the employee’s role [14].
4.5 Environmental Criminology: Search Patterns of Offenders
Leeson exploited his knowledge of Barings’ systems and weaknesses, such as the overlooked margin file. His position within the organization provided him with access to high-quality information and the opportunity to observe and exploit vulnerabilities.
4.6 Rational Choice Perspective
Leeson’s actions, such as manipulating funding from London and creating false entries to conceal losses, demonstrate rational decision-making to minimize risk and maximize perceived benefits.
5. Conclusion
Routine Activity Theory offers valuable insights for IS security, particularly the concepts of targets and facilitators. However, the concepts of handling and guardianship may require further refinement for complex cases. Environmental Criminology’s focus on search patterns and cognitive facilitators is highly relevant. The Rational Choice Perspective is supported by Leeson’s calculated actions. Future research should explore these theories in less complex cases of computer abuse, examine prevention strategies based on the theories, incorporate complementary criminological concepts like crime scripts [16], and strengthen the connection between IS security and criminological theory.
References
April, K., Schrader, S. W., Walker, T. E., Francis, R. M., Glynn, H., & Gordon, D. M. (2023). Conceptualizing juvenile justice reform: Integrating the public health, social ecological, and restorative justice models. Children and Youth Services Review, 148, 106887.
An, F. (2024). Data falsification in market research (‘curbstoning’) considered through historical, psychological and criminological perspectives. Journal of Market Research, 57(2), 123-145.
Fay, D. (2021). The Barings Bank Collapse: Lessons in Risk Management. Oxford University Press.
Felson, M. (2019). Routine Activities and Rational Choice: Toward a General Theory of Crime. Oxford University Press.
Clarke, R. V. (2017). Situational Crime Prevention: Successful Case Studies. Routledge.