You cannot ingore a pyschological side to IT crime, the ASIS summer quarterly meeting heard recently.
The speaker was a forensic IT consultant at accountants Grant Thornton, Simone Zimmermann, who has also been working in the digital forensics unit at the Serious Fraud Office. A native of Cologne with a business degree and a background in investigations, she is studying part-time for a master’s degree in psychology. Hence her observations on the psychology behind IT and other crime. She gave the example of Dr Harold Shipman altering electronic patient records to cover his murders; that is, there is a digital side to even violent crime. To audience chuckles she said: “Anyone who says we are rational beings needs to have their heads examined.” <br><br>Robin Hood<br><br>Yet computer crime is seen as non-violent, she suggested; here is a Robin Hood mentality – that is, of robbing the rich, whether diverting from bank accounts or a hacker getting an on-line casino to lose, so all players won. And the media does not help; for one thing, much forensic investigation can be boring, not as TV drama would have you believe. Equally the perception of computer criminals is that they are of higher than average IQ; non-violent; and still not seen as a real criminal. But Simone Zimmermann doubted there was a typical computer criminal. How can psychology contribute? By profile offenders, for one thing. What of rehabilitation – once a criminal, always a criminal? (This is relevant to corporate security if you propose to recruit a former hacker.) As Simone said, some are for such use of ex-hackers; some see it as too much of a risk. She suggested instead that the motivations for computer crime are mainly financial gain; sheer fun; anger and revenge, maybe by disgruntled staff; mental illness; and political-terror or sexual motives. If someone is made redundant, they may delete data before they leave. “These motivations are not clear cut, there could be a combination; but it is important to actually understand where someone is coming from, what makes that person commit that crime, to be able to prevent it.” <br><br>Digital ease<br><br>She argued that the criminal’s objective is to protect their identity – such as the bank robber wearing a balaclava – and to complete the crime and escape. So it is with the computer criminal. She suggested that the digital world makes it so easy for the computer criminal. Such a criminal can negate their feelings of guilt, with excuses such as ‘everybody else is doing it’. We may put up firewalls on the boundaries of our computer systems, but there really aren’t cybercops in cyberspace; and police face a ‘huge backlog of cases’ of child exploitation. In cyber-crime it is difficult to say where to draw the line, and investigations may be given up due to cost. Nor may organisations be able to afford to examine the ‘crime scene’ to recover all the money lost to a computer fraud – the victim may not even know how wide the ‘crime scene’ is. <br><br>Emotional need<br><br>What of the computer virus that goes around, saying ‘I love you’? Will the emotionally needy click on it? That is, the soft targets in the western world for such viruses may be those sitting at their computers, their needs not satisfied. Or, Simone added, might there be pseudo-victims, as part of a plot, just as there are car accidents staged for an insurance fraud? Once we know more about victims, we know how to educate against such crimes – sometimes very serious crimes, she said. Criminals run computer crimes like a business, she suggested; with research and development, even using anti-forensics tools to cover their tracks. Crime is getting more organised and groups may recruit hackers such as students who need to get by; insidres, for access to information; and money launderers, people who answer job-style adverts allowing use of their bank accounts. <br><br>Normal behaviour<br><br>Given that there has always been a criminal element to human behaviour, she suggested that criminologists and psychologists are talking to each other. And talking of normal social behaviour, does the normal workplace mentality of holding doors open for others fit with security? she asked. That way, an organisation becomes vulnerable to ‘social engineering’. Signing that you have read a workplace security policy is no use – and if imposed on staff inappropriately, it might create resistance against listening to security people. Yet no-one will leave home without locking their door. Hence Simone suggested bringing about a security consciousness in the workplace. As she said: “The bottom line is people.” You need more than technology such as firewalls; you need buy-in from everyone, not just the security guard who stops people at the door. Everyone should be vigilant.<br><br>Men and women<br><br>Questions from the floor included: what percentage of (IT) criminals are male, and female? Simone replied that she has investigated hundreds of men but only two women. But that does not necessarily mean that women are morally better than men; it could be because there are more men in corporate life.
Separately, a link to a Guardian article on ‘the shambles of cybercrime’:
http://technology.guardian.co.uk/weekly/story/0,,2118146,00.html
