Detecting complex account fraud in the enterprise: the role of technical and non-technical controls
Article code | Publication year | English article page count
---|---|---
17736 | 2011 | 13 pages (PDF)
Publisher: Elsevier - Science Direct
Journal: Decision Support Systems, Volume 50, Issue 4, March 2011, Pages 702–714
Abstract
Complex fraud, involving heightened offender knowledge of organizational processes, can be especially damaging to the firm. Much research has focused on technical, quantitative detection methods. This paper uses multidimensional scaling of empirical fraud event data from a large telecommunications firm to illustrate how technical and socio-technical fraud controls are used to detect fraud at varying levels of time exposure and dollar loss. The evidence suggests that technical controls only detect one third of fraud cases with zero time exposure and loss. More complex fraud is detected with a range of technical and socio-technical controls from inside and outside the firm. Interviews with twelve fraud managers and investigators are used to confirm the findings.
Introduction
Corporate and financial fraud, the obtaining of money, goods and services through illicit or deceptive means, is a serious ongoing problem for the modern enterprise [4] and [37]. Holtfreter [34] cites figures of up to US$600 billion in employee-related frauds. Newer threats to the financial sector, involving techniques of social engineering to gather account details and remote network-based attacks [13], are increasingly the purview of organized criminal networks [69]. The popular literature, in particular, provides coverage to a range of these types of fraud, including intellectual property theft, financial mismanagement, identity and ownership fraud. A number of authors argue that general fraud levels are increasing [35] and [74]. Scholarly research in the area of fraud is difficult. Studies of financial fraud are hampered by problems of access to offender, organization and offence data. Firms can also be reluctant to admit that they have a security or fraud problem within their operations. Managers may not wish to open their firm to enquiry or analysis from outside groups, including academic researchers, lest it affect their reputation in the market. It is rare for external researchers to be granted access to original, unsanitized data. In addition, empirical analysis of fraud incidents is made harder because the data itself can be poorly organized or incomplete [22]. Further, many authors hold that this control environment is the purview of the audit function [16] and [51], comprising a significant political and regulatory mandate [26]. Indeed, formal normative control frameworks exist for the purposes of effective audit conduct [12]. Amid the problem of increasing fraud levels on one hand, and the difficulty associated with researching fraud on the other, important gaps exist in research understanding of fraud identification and fraud detection. 
Much prior work has focused on theoretical approaches for developing technical detection systems (such as [4], [7], [20], [30], [37] and [49]) and operational methods for fraud prevention and awareness (such as [66]). However, as Caplan [8, p.103] notes, “fraud risk factors cannot easily be combined into effective predictive models”. We know little of the system controls actually used in firms to detect and handle fraud [21], and the social approaches that complement these technical means [3]. In the words of D'Arcy and Hovav [17, p.117], the “disproportionate focus on technical security countermeasures may partially explain why IS misuse remains a significant problem”. The research corpus needs input on the types of controls that comprise the firm's security posture and how these controls interact with each other with respect to different threat types. A second gap in understanding exists with respect to the response of controls to new fraud species. Much prior work has also focused on individual fraud types, such as identity theft [29], intellectual property fraud [31] or insurance fraud [14]. However, given the modern firm's level of popularity and interconnection, it may not be feasible to focus on just one kind of fraud at the expense of all others that could befall the firm. Also, in order to obtain the greatest business case value, managers will likely need to be able to justify control funding based on detection success rates: employing networks of controls is hence a cost-effective approach to detect and prosecute fraud. Non-technical (or socio-technical) controls may also assist in this context. In the words of Dhillon and Backhouse [21, p.126], “computer security is not, per se, a technical problem. It is a social and organizational problem because the technical systems have to be operated and used by people”. 
To further complicate matters, analysis of real world data is made more difficult by the number of organizational and individual actors that interact with the firm with respect to fraud commission, detection and prevention. Neither the firm nor the offenders operate in isolation: they share information and techniques, altering their behavior and strategy accordingly. An analysis method is hence needed that can effectively simplify our view of these control mechanisms. This paper presents a case study of a large telecommunications carrier in the Asia Pacific region. The paper reveals the types of controls used to detect account-related fraud. This detection is compared against the degree of loss (equivalent dollars lost) and time exposure (the length of time for which the offender has been able to execute damage in the firm). The aim of this paper is to illustrate and explore how technical and non-technical controls relate to each other in order to detect and investigate fraud. The goal of this paper is not to develop a new method for detecting fraud, but rather to highlight the use of non-technical controls as part of the control mix. In doing so, we aim to answer calls from authors such as [22], [39] and [60] for further work into non-technical organizational security controls. The paper contributes in two ways. First, analysis by way of empirical data is rare in the published research literature. This paper provides insight into both the theatre of real world threats and the methods used to detect fraud in an actual firm. Second, this paper provides some of the first published evidence of the use of different control combinations to detect and ameliorate different fraud types and their complexities. This work hence illustrates the effectiveness of quantitative detection response with respect to fraud complexity. 
This discussion leads to the study's research questions: What is the relationship between technical and non-technical controls in preventing and detecting fraud losses? How does this relationship change in the context of time exposure and the prevention and detection of losses? The rest of this paper is structured as follows. The next section provides a brief overview of prior theory on control and detection management. The paper then details the research method, including the multidimensional scaling (MDS) technique for data analysis. This is followed by an overview of the fraud environment at play with respect to the case firm. In order to lend context to the analysis, the paper first presents an overview of the types of fraud seen in the case firm. The paper then presents the analysis of the controls in use, dividing the analysis into quantitative controls used to detect fraud at its inception, and the collections of controls used to detect more complex fraud with positive time exposure levels. Finally, conclusions are offered.
Conclusion
This paper examined the relationship between fraud controls and the types of fraud they detected, using a case study of a large telecommunications firm and a set of confirmatory interviews. The paper provided insight into fraud control structures at work in a real firm. The study's findings with respect to the research questions are as follows. What is the relationship between technical and non-technical controls in preventing and detecting fraud losses? Technical controls are typically suited to well known fraud types where sufficient behavioral data already exists, and can be drawn upon to build a record of norms. Classification and detection of such well-known cases is typically quick, and need not rely on significant human intervention or judgment. Non-technical controls, on the other hand, play an important role in detecting new, rare or complex types of fraud. Ideally, these non-technical controls may assist in gathering enough case and investigative data to be able to automate their invocation and use, thereby significantly reducing the costs and effort associated with their operation. Interview evidence also highlighted the value of technical controls as tools for error prevention. How does this relationship change in the context of time exposure and the prevention and detection of losses? The evidence presented in this case study revealed that technical controls are a useful method for dealing with straightforward fraud types in a time and cost-effective manner. However, as the fraud and threat environment became more complex and adapted, non-technical controls became more useful in detecting fraud. Multidimensional scaling was used to classify control use according to frauds with respect to losses and time exposure. The scaling analysis first revealed that a small number of controls were used to detect the majority of zero exposure, zero loss cases. However, technical controls only detected approximately a third of fraud cases affecting the firm. 
Interview evidence suggested that these controls were useful in capturing unprepared offenders, who didn't know about the control structure, or possibly lacked the social networks that could furnish them with information. Positive time exposure, zero loss cases typically included cases where the offender had initially subscribed legitimately to the firm's services. The scaling revealed the use of controls that focused on behavioral changes or social associations. Technical controls were still used, in order to detect associated accounts also held or controlled by the offender. Positive time exposure, positive loss cases represented more complex and adapted fraud cases. For these fraud events, the scaling revealed significant use of non-technical controls (such as Suspicious Customer Behaviour). This analysis also illustrated the use of controls external to the firm, involving information from other telecommunications firms, for example. This paper has illustrated the use of different control combinations for detecting frauds of varying levels of complexity. Controls exhibit differing attributes and effectiveness, depending on the type of fraud and investigation at hand. Some investigations require more than one control to build an effective case. While internal controls can be effective, sharing security information can lead to superior investigative outcomes. Controls are likely to be deployed as part of a process, rather than a simple end-state. This process could involve feedback to other controls in the organization. The study has highlighted a number of other important lessons regarding fraud management in the modern firm. First, the analysis has highlighted the idea that the investigator may not know what type of fraud is being committed when the evidence is first brought to their attention. 
Whereas particular controls may detect some degree of irregularity, subsequently reporting the circumstances to the fraud unit, the modern fraud environment is such that a range of different types of fraud could be in progress. The analysis showed different control combinations in use for detecting different severities of fraud. These combinations exist not only to detect the existence of fraud, but also to identify the type of fraud that is taking place. Second, the evidence highlights the fact that quantitative controls alone may not be enough to detect and extinguish fraud. The paper has presented evidence of a case firm where certain quantitative controls are used to initially detect a fraudulent act, after which a range of other socio-technical controls are used to build the evidence chain. Over time, these socio-technical controls could be enshrined as a more quantitative, technical control that is automatically invoked at particular points in the customer management process. However, until such controls are automated, fraud detection relies on ad-hoc, discretionary and even serendipitous instances of fraud detection. Empirical evidence in this paper suggested that control combinations for detecting complex fraud are more involved than those used to detect more straightforward fraud types. Our empirical evidence reinforces the notion that “technical approaches alone can't solve security problems for the simple reason that information security isn't merely a technical problem” [3, p.37]. With regard to detection effectiveness, the evidence in this paper showed that only a third of fraud cases were identified without time exposure or loss to the firm. The majority of cases involved some positive loss or time exposure. This finding, in itself, may be a useful platform on which to highlight the number of fraud cases that can be missed or overlooked through the use of an unduly narrow control environment.
This evidence suggests that there is a genuine risk of neglecting particular types of fraud in the interests of maintaining an inexpensive or under-funded control environment. In the same way that effective technical controls were needed at the application and admission end of the customer management process, so too were effective fraud unit investigators required to detect more complex offender behavior. Some prior research work has categorized controls according to their ability to increase the probability of detection and decrease the probability of commission. For example, Gopal and Sanders [31] developed a theoretical control system in response to software piracy. Their control model was divided into preventive and deterrent controls, using a criminological perspective of rational choice to develop a series of control dimensions. Dhillon et al. [24] adopted a case study approach to examine the inappropriateness of controls prior to the detection of an internal fraud as well as subsequent control introductions following detection. The evidence provided in this paper illustrates how non-technical controls can be effective in detecting complex fraud, and are useful complements to technical methods such as data mining. This finding adds weight to prior argument from Dhillon and Backhouse [21, p.128] that “elaborate systems of control are much more expensive; informally secure arrangements come free”. Managers can take heart that non-technical control mechanisms can be just as valuable in the firm's overall security posture. The study provided some empirical evidence of the rate at which new fraud attacks confront the firm. This rate of attack heightens the emphasis to be placed on information sharing and knowledge management in the fraud environment. This sharing occurs in both the threat environment and the fraud units that investigate these frauds.
Quantitative methods can assist the modern fraud unit but qualitative discretionary controls are still needed to maintain fraud response effectiveness as the threat element also adapts to the control structure of the firm. As Im and Baskerville [39] argued, “security should not simply be viewed as a means of protecting something concrete, but need to broaden its horizon by taking into account individuals and their social relationships”. A number of avenues for further work arise from this study. First, given the mounting financial pressures to deliver security value, future work should also focus on detection methods that can identify a range of fraud types. Based on evidence in this paper, authors could examine how networks of controls and detection methods could provide greater value to security managers. Second, some controls are costly to acquire and maintain. For example, subscriptions to credit monitoring agencies can be expensive both to acquire and to retain. Evidence in this study illustrated the value of having such controls in place (especially for zero time exposure, zero loss cases, in the instance of the Credit Agency Report control). However, the study also showed how a significant number of offenders are able to bypass such controls, allowing them to execute loss actions without detection. Given this problem, future work can help empirically illustrate the cost-effectiveness of these control structures. Such work could explore the degree to which funding should be allocated to groups of operational controls, rather than individual measures. Third, this study has provided some empirical evidence of the threat posed by agents of the firm. These actors are better able to command information networks with respect to the principal firm and hence are in a good position to bypass these controls. However there has been very little empirical work that explores these potential effects. 
Unfortunately, such agents are frequently vital to ongoing distribution and customer operations: such necessity emphasizes the need for further work in this area. Finally, focusing on a single fraud control dimension may not only provide an incomplete view of the firm's security posture, but may also bias understanding towards those individual controls that are best known, most prominent or easiest to identify. This bias could also affect management, funding or budgetary requirements, and understanding of the vulnerability by the threat environment. Future research could focus on social and behavioral controls used in the organizational environment, with an emphasis on rich interpretations. Sociological lenses might yield useful insights in this regard.
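As an added illustration (not part of the paper or its dataset), the following Python tabulates constructed fraud-case records along the two dimensions the scaling analysis uses, time exposure and dollar loss, and records which kinds of controls (technical or socio-technical, internal or external) contributed to each detection, including the share of cases caught by technical controls alone at zero exposure and zero loss. Only Credit Agency Report and Suspicious Customer Behaviour are control names taken from the paper; the other control names, their categories and all case values are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# (technical | socio-technical, internal | external). "Credit Agency Report" and
# "Suspicious Customer Behaviour" are named in the paper; the rest are constructed.
CONTROL_TYPES = {
    "Credit Agency Report":          ("technical", "external"),
    "Linked Account Match":          ("technical", "internal"),
    "Suspicious Customer Behaviour": ("socio-technical", "internal"),
    "Other Carrier Tip-off":         ("socio-technical", "external"),
}

@dataclass(frozen=True)
class FraudCase:
    case_id: str
    time_exposure_days: int  # days the offender could act before detection
    loss: float              # equivalent dollars lost
    detected_by: tuple       # every control that contributed to the case

def quadrant(case):
    """Place a case in the exposure/loss grid used in the paper's scaling analysis."""
    if case.time_exposure_days < 0 or case.loss < 0:
        raise ValueError(f"{case.case_id}: exposure and loss must be non-negative")
    exposure = "zero exposure" if case.time_exposure_days == 0 else "positive exposure"
    loss = "zero loss" if case.loss == 0 else "positive loss"
    return f"{exposure}, {loss}"

def summarize(cases):
    """Counts and control-kind usage per quadrant, plus the technical-only zero/zero share."""
    by_quadrant, kinds = Counter(), defaultdict(Counter)
    technical_only_clean = 0
    for case in cases:
        q = quadrant(case)
        by_quadrant[q] += 1
        mix = {CONTROL_TYPES[c] for c in case.detected_by}  # KeyError on unknown control
        for kind in mix:
            kinds[q][kind] += 1
        if q == "zero exposure, zero loss" and all(k[0] == "technical" for k in mix):
            technical_only_clean += 1
    return {
        "cases": len(cases),
        "by_quadrant": dict(by_quadrant),
        "kinds_by_quadrant": {q: dict(c) for q, c in kinds.items()},
        "technical_only_zero_zero_share": technical_only_clean / len(cases) if cases else 0.0,
    }

# Constructed sample: six cases, two caught at application time by technical controls.
SAMPLE_CASES = (
    FraudCase("c1", 0, 0.0, ("Credit Agency Report",)),
    FraudCase("c2", 0, 0.0, ("Credit Agency Report", "Linked Account Match")),
    FraudCase("c3", 30, 0.0, ("Suspicious Customer Behaviour", "Linked Account Match")),
    FraudCase("c4", 45, 0.0, ("Linked Account Match",)),
    FraudCase("c5", 60, 1200.0, ("Suspicious Customer Behaviour",)),
    FraudCase("c6", 90, 4800.0, ("Suspicious Customer Behaviour", "Other Carrier Tip-off")),
)
```

A case detected by a mix of technical and socio-technical controls is counted under both kinds in its quadrant but is excluded from the technical-only share.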