Dissecting Computer Fraud: From Definitional Issues to a Taxonomy

Proceedings of the 37th Hawaii International Conference on System Sciences - 2004
Lucian Vasiu
Deakin University
Ioana Vasiu
Babeș-Bolyai University
Abstract
Computer frauds, while less dramatic than crimes of
violence, can inflict significant damage at community,
organizational or individual level. In order to properly
quantify and mitigate the risk, computer fraud needs to
be well understood.
In this paper, following a conceptual-analytical research
approach, we propose a dissection of computer fraud.
First, we look into the elements of an offense and the act
of fraud in general, then explain what is and what is not
computer fraud. Next, from a prevention perspective, we
propose a taxonomy of computer fraud with respect to
perpetration platform and to perpetration method.
We believe that our contributions extend the existing
knowledge of the phenomenon, and can assist those
fighting computer fraud to better understand it and to
design means of preventing and reporting it.
1. Introduction
People may not be any greedier than in generations
past; however, the avenues to express greed have grown
enormously [21]. The fundamental principle of
criminology is that crime follows opportunity, and
opportunities abound in today’s computer-reliant world.
Criminal opportunities, as [42] explains, are
arrangements or situations that individuals encounter and
that offer attractive potential for criminal reward, largely
because they are accompanied by a very low perceived
risk of detection or policing.
Computers have created many opportunities for
fraudsters, and enabled them to engage in "mugging by
remote control" (Blumenthal in [31]). [30] argues that
computers have increased the fraud problem in that several
users, from remote locations, can access them; therefore
they cannot be viewed as passive objects in the same sense
that a safe or a pencil is passive.
Further, as [43] observes, the ability to manipulate
computer data to derive benefit from its
misrepresentation increases significantly the fraud
opportunities.
In order to properly quantify and mitigate the risk,
computer fraud needs to be well understood. Yet there is
some confusion as to what computer fraud is. Are all
computer attacks fraud? Is computer fraud just one aspect
of computer attacks? Should all frauds that involve
computers be considered computer frauds? Is computer
trespassing computer fraud?
One important obstacle in understanding and
researching computer fraud is that relatively few studies
that focus on this subject have ever been done. In this
paper, in a conceptual-analytical research approach, we
seek to improve this situation, and propose a dissection of
computer fraud.
Our first aim is to explain what computer fraud is. To
this end, we first look at the elements of an offense and
the act of fraud in general. Second, we explain what
computer fraud is not. We use the U.S. Computer Fraud
and Abuse Act criminalization of computer fraud (18
U.S.C. § 1030 (a)(4)) as the guiding definition of
computer fraud and analyze its elements. The second and
main aim of this paper is to devise a taxonomy of
computer fraud with respect to perpetration platform and
to perpetration method.
This paper is organized as follows. In the next section,
we explain the rationales for this paper. Next, we present
our theoretical background. In Section 4, we look into the
elements of an offense and the act of fraud in general, and
then we analyze the legal elements of computer fraud, as
defined by 18 U.S.C. § 1030 (a)(4), and introduce other
definitions of computer fraud. In Section 5, we present
our taxonomy of computer fraud with respect to
perpetration platform and to perpetration method. The
paper closes with our conclusions and directions for future
research.
Case examples are interspersed throughout the paper
to illustrate important points (for consistency, most of the
cases selected have been prosecuted under the computer
crime statute, 18 U.S.C. §1030).
2. Rationales
The rationales for this paper are as follows:
- Computer frauds are highly destructive to free-market
capitalism and, more broadly, to the underpinnings of
society [21]. Computer frauds can cause instability and
uncertainty in a system, and can impose a very significant
cost on society [12]. Therefore, computer fraud must be
well understood by those charged with combating it;
- Without a clear definition of computer fraud, it will not
be possible to share information that has the same meaning
to everyone, to agree on how to measure the problem, or to
decide what resources need to be allocated to mitigate the
risk; and
- A taxonomy can provide a better understanding of the
nature of computer fraud, can be very useful in designing
means of prevention, and can be a useful tool for
education, effective measurement, and reporting.
[36] proposes classes of computer misuse—the SRI
Computer Abuse Methods Model. [35] revises the work
presented in [36], while [28] extends [36]’s classification
of intrusions with respect to technique and to result.
[3] develops a four-cell matrix that covers the types of
perpetrators, based on whether they are authorized or not
to use the computer and the programs or computer data.
[26] discusses the nature of the computer fraud
problem in the typical computer environment, the
perpetration of computer frauds, and prevention controls
and safeguards. [45] looks into the detection and
prevention of computer fraud. A taxonomy of computer
fraud is proposed by [7]; however, that taxonomy comes
with no explanation as to why it was selected or how it can
be used.
While all these are very valuable contributions, we
lack a useful taxonomy of computer fraud that can be
used in the prevention function. As we stated in the
Introduction, our main aim is to devise a taxonomy of
computer fraud with respect to perpetration platform, and
to perpetration method. The first step in the development
of a taxonomy of computer fraud is to look at the ways it
is defined.
3. Theoretical background
As [1] argues, a thorough understanding of fraud can
only be achieved through a comprehensive study
performed by an interdisciplinary team of researchers.
Since computer fraud is one kind of computer attack, the
theoretical background for this paper’s main purpose
(devising a taxonomy of computer fraud) draws mainly
from the computer security/attacks area.
[38] presents a model of computer attackers based on
several factors: skills, knowledge, resources, authority,
and motives. [41] devises a framework for understanding
and predicting insider attacks.
[23] presents a taxonomy with respect to types of
attackers, tools used, access information, results of the
break-in, and objectives of the attack. [29] devises a
taxonomy of attacks by genesis (how), time of
introduction (when), and location (where), while [39]
presents an attack matrix.
A taxonomy of security threats to networks is provided
in [24]. [33] presents a taxonomy of computer attacks
with applications to wireless networks. A taxonomy of
web attacks (i.e. attacks exclusively using the
HTTP/HTTPS protocol), is proposed in [2].
[25] introduces a taxonomy with respect to types of
computer vulnerability. [28] presents a classification of
software vulnerabilities, while [34] discusses seven
classes of integrity flaws.
4. Definitional issues
4.1. Preliminary remarks
In order to understand computer fraud, it is useful to
first look into the elements of an offense and the act of
fraud in general. Next, we look into what is not, and what
is, computer fraud.
As [18] explains, a crime consists, in most cases, of
conduct for which the defendant is responsible, specified
by the definition of that crime. This conduct has mental
and physical components (except in certain cases, when
the defendant is incriminated by virtue of a relationship
with, or other implication in, a static situation) [18].
This conception of a crime is reflected in the common
description of it as comprising an actus reus (an activity)
and a mens rea (a state of mind). These terms are drawn
from the Latin maxim actus non facit reum nisi mens rea
(a person does not incur liability for a crime by virtue of
an act, unless they have as well a guilty mind) [18].
Lawyers still use the terms actus reus and mens rea
widely because they are convenient, in that they facilitate
the analysis and statement of the elements of criminal
liability.
Fraud, like other familiar concepts, is one that seems
to have a perfectly obvious meaning until we try to define
it (Green in [40]). Fraud is a deep legal concept, and few
really understand fraud or use a common definition [15].
The difficulty of giving an adequate definition of fraud
has been felt at all times [46:I.28]. There has always been
a great reluctance amongst lawyers to attempt to define
fraud, and this is only natural when we consider the
number of different kinds of conduct to which this word
is applied [46].
The term "fraud" is defined in [17:124] as
An act using deceit such as intentional distortion
of the truth of misrepresentation or concealment
of a material fact to gain an unfair advantage
over another in order to secure something of
value or deprive another of a right. Fraud is
grounds for setting aside a transaction at the
option of the party prejudiced by it or for
recovery of damages.
[8] argues that someone commits fraud if the following
four elements are proved beyond a reasonable doubt:
- Actus reus: The perpetrator communicates false
statements to the victim;
- Mens rea: The perpetrator communicates what she
knows are false statements with the purpose of defrauding
the victim;
- Attendant circumstances: The perpetrator's statements
are false; and
- Harm: The victim is defrauded out of property or
something of value.
Fraud is always intentional, intentional by appearance,
or intentional by inference from the act. Intent should not
be confused with motive, which is what prompts a person
to act. Intent refers only to the state of mind with which
the act is done. However, there is no scientific
measurement or yardstick for gauging a person's intent.
An inference has to be drawn from all available evidence
as to what was in the defendant’s mind at the material
time (Justice Ackner in [19]).
The element of the intent to defraud connotes the
intention to produce a consequence that is in some sense
detrimental to a lawful right, interest, opportunity, or
advantage of the person to be defrauded, and is an
intention distinct from and additional to the intention to
use the forbidden means (King CJ in [50]). If there is no
evidence that the victim has been defrauded (i.e. deprived
of something of value), then we cannot talk of computer
fraud.
4.2. What is not computer fraud?
Computer fraud is sometimes confused with other
offenses:
- Intentionally accessing a computer without
authorization or exceeding authorized access, and thereby
obtaining protected information. One such case is U.S. v.
Czubinski (106 F.3d 1069 (1st Cir. 1997)): the court found
that Czubinski had not obtained valuable information in
furtherance of a fraudulent scheme;
- Causing damage to a protected computer. One such
case is U.S. v. Brown [48]: the defendant knowingly
caused the transmission of a program, information, code
or command, and as a result of such conduct, intentionally
caused damage, without authorization, to a protected
computer; or
- Trafficking in passwords. One such case is U.S. v.
Patterson [48]: the defendant was charged with trafficking
in passwords and similar information that would have
permitted others to gain unauthorized access to an
organization’s computer network, when he posted and
maintained at a Yahoo hacker group posting board the
username and password combinations of certain legitimate
users together with instructions on how to hack into the
network of the organization using those passwords.
While these offenses can be perpetrated in connection
with computer fraud, they should be regarded as distinct.
In the next section, we explain what computer fraud is.
4.3. What is computer fraud?
For this paper’s purpose, we chose the U.S. Computer
Fraud and Abuse Act criminalization of computer fraud
(18 U.S.C. § 1030 (a)(4)) as the guiding definition:
Knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct
furthers the intended fraud and obtains anything
of value, unless the object of the fraud and the
thing obtained consists only of the use of the
computer and the value of such use is not more
than $5,000 in any 1-year period.
According to this definition, the legal elements of
computer fraud consist of:
- Knowingly and with intent to defraud;
- Accessing a protected computer without authorization,
or exceeding authorization;
- Thereby furthering a fraud and obtaining anything of
value (other than minimal computer time).
Regarding the first element, the phrase means that the
offender is conscious of the natural consequences of his
action (i.e. that someone will be defrauded), and intends
that [14]. The second and third elements should be
discussed together, as they show that more than mere
unauthorized access is required to qualify the offense as
computer fraud—the ‘thing obtained’ is not merely the
unauthorized use. Some additional end, to which the
unauthorized access is a means, is required [14]. Merely
viewing information cannot be deemed the same as
obtaining something of value for the purpose of this
statute (as in U.S. v. Czubinski).
According to [14], the phrase ‘thereby furthers a fraud’
ensures that prosecutions are limited to cases where use of
a computer is central to a criminal scheme, rather than
those where a computer is used simply as a recordkeeping
convenience. The broad language of this definition may
be confusing for non-lawyers, in that it defines computer
fraud in terms of fraud. In a legal sense the definition is
not circular; however, we considered it useful to look into
two state definitions of computer fraud that are more
specific:
- Virginia (§ 18.2-152.3.1.) (…) 1. Obtain property or
services by false pretences; 2. Embezzle or commit
larceny; or 3. Convert the property of another; and
- Hawaii (Rev. Stat. 708-891): (a) (…) Devising or
executing any scheme or artifice to defraud; or (b) (…)
Obtaining money, property, or services by means of
embezzlement or false or fraudulent representations; or
(c) (…) Obtaining credit information on another person;
or (d) (…) Introducing or causing to be introduced false
information to damage or enhance the credit rating of any
person.
Figure 1. The legal elements of computer fraud
Another definition that we consider useful, for this
paper’s purpose, is that of [11], in that it gives us insight
into the criminal conduct:
The causing of a loss of property to another by:
a. Any input, alteration, deletion or suppression
of computer data,
b. Any interference with the functioning of a
computer system,
with fraudulent or dishonest intent of procuring,
without right, an economic benefit for oneself or
for another.
In the next section, we make some considerations on
the importance of a taxonomy, explain how we devised
our taxonomy, and present our taxonomy of computer
fraud with respect to perpetration platform and to
perpetration method.
5. Taxonomy
5.1. Taxonomic considerations
The drive to categorize and organize knowledge has
been ubiquitous throughout human intellectual
development. An early step toward understanding any set
of phenomena is to learn what kinds of things there are
in the set—to develop a taxonomy. The main properties a
taxonomy must have are outlined in [23, 28, 33].
[29] argues that a taxonomy embodies a theory of the
universe from which those specimens are drawn. A
taxonomy is an approximation of the phenomenon, and
may fall short in some respects. This may be particularly
the case for a computer fraud taxonomy, considering that
there is a consistent lack of comprehensive data, and that
any taxonomy in the area of computer fraud is likely to
require periodic expansion or refinement, as technology
and perpetrators’ methods evolve.
For our taxonomy, we have selected categories that we
believe are useful from a prevention perspective. We have
tried to avoid excessive subclassification, and have
subdivided into subclasses only where we considered that
helpful for the prevention function. In terms of
terminology, we draw primarily on [22]. In the
following sections, we introduce our taxonomy of
computer fraud with respect to perpetration platform and
to perpetration method.
5.2. Methodology
To devise our taxonomy, we used a 5-phase
methodology. First, we developed a comprehensive
understanding of the phenomenon through an extensive
survey of literature that relates to computer fraud (journal
and newspaper articles, speeches and books), and by
analyzing the publicized cases of computer fraud (some
of them included in this paper), and fraud scenarios (e.g.
[9]). Second, we reduced the phenomenon to its essential
elements (bracketing). For our taxonomy, we considered
only computer fraud that is perpetrated by an action (it
can be argued that computer fraud can also be perpetrated
by willful inaction—e.g. not recording sales returns).
Third, we devised the first-cut taxonomy. Fourth, we used
logical verification to test it. This was concerned (inter
alia) with mutual exclusiveness (any element is included
in one category only), consistency (there are no internal
conflicts between individual elements in the taxonomy),
completeness (the taxonomy encompasses all relevant
aspects of the phenomenon considered), and coherence
(established theories are in agreement with our taxonomy).
Fifth, we refined the taxonomy to its present form.
5.3. Perpetration platform
When discussing offenders, one important distinction
should be made between insiders and outsiders.
Computer fraudsters are often insiders—they are much
more likely to evade detection when they commit frauds
because they understand the system, its weaknesses, and
are more likely to cover their tracks. However, for the
computer frauds to succeed, in some cases, the
perpetrators do not have to be insiders—they only need to
impersonate an authorized user (opportunity created), or
to exploit a vulnerability (that is, a weakness in a system
allowing unauthorized action—opportunity exploited).
Figure 2. The world of computer fraudsters
In a collusion case named the Volkswagen Currency
Exchange, four employees and one outsider used a
computer to create phony currency exchange
transactions and then cover them with real ones.
They stole the differences that resulted from the rate
changes. The act involved tampering with programs
and the erasure of tapes [35].
As discussed in section 3, one legal element of
computer fraud consists in accessing a protected computer
without authorization (that is, not approved by the system
owner or administrator), or exceeding authorization (that
is, a legitimate user that exceeds the authorized access)—
this is what we call the perpetration platform.
One case of exceeding authorization is U.S. v.
Osowski. Accountants Geoffrey Osowski and Wilson
Tang pled guilty to exceeding their authorized access
to the computer systems of Cisco Systems in order to
illegally issue almost $8 million in Cisco stock to
themselves [48].
The Without authorization (WOA) class is very
interesting from a categorization perspective. In devising
the taxonomy with respect to accessing a protected
computer without authorization, we draw, to a certain
extent, from [35], and extend [28] with respect to
password attacks.
We subdivided the Without authorization class into
Masquerade and Vulnerability exploitation. Masquerade
is the unauthorized impersonation of an authorized user or
of an entity. As it is not limited to users (there may be
attacks that attempt to impersonate authorized systems
and services), we considered it useful, from a prevention
perspective, to further subdivide Masquerade into
Impersonation (e.g. use of another person’s password or
authentication ticket reuse) and Spoofing attacks. We also
subdivide the Impersonation class into Password attacks
and Password trafficking.
A financial consultant defrauded the Commonwealth
by transferring $8,735,692 electronically to private
companies in which he held an interest. He did this
by logging on to the Department’s network using
another person’s name and password. To obscure
the audit trail, he used other employees’ logon codes
and passwords [20].
Since different countermeasures apply to the
techniques in the Password attacks subclass, we further
subdivided it into Guess, Crack and Harvest. If a
password was guessed, it may suggest a weak password
approach. If a password was cracked, it may suggest
access to the password file (e.g. from a backup tape). If a
password was harvested (e.g. through visual spying,
social engineering, sniffing or key logging attacks), it
may suggest low awareness in the password protection
area.
In January 2003, a former employee of a company
used the username and password he held while
employed at the company to remotely log into the
company's network, then changed customers’ credit
card details, and proceeded to make refunds to his
credit card through the altered accounts. The
perpetrator modified various pricing and availability
of the products provided, reducing the price of some
to $0.00 [4].
The above case leads us into another avenue for
accessing a computer without authorization—
Vulnerability exploitation. One of the difficulties in
subdividing this class consists in the fact that such attacks
can be complex and involve the exploitation of a
combination of vulnerabilities. For this paper’s purpose,
and to observe the mutually exclusive property, we would
consider the vulnerability that is most directly linked to
the subsequent perpetration of a fraud.
We further divided the Vulnerability exploitation class
into Software (e.g. bugs or back doors), Personnel (other
than those leading to successful password attacks—e.g.
error of omission, incompetence, recklessness or malice;
we include here system administration errors, as in the
above case: user account active after employment
termination), Communications, and Physical (e.g. failure
of an electronic access control system—this can lead to
interference with the functioning of a computer system—
see Council of Europe’s definition). Table 1 presents our
taxonomy of computer fraud with respect to perpetration
platform.
Table 1. Taxonomy of computer fraud – perpetration platform
Without authorization (WOA)
    Masquerade
        Impersonation
            Password attacks
                Guess
                Crack
                Harvest
            Password trafficking
        Spoofing attacks
    Vulnerability exploitation
        Software
        Personnel
        Communications
        Physical
Exceeding authorization
5.4. Perpetration method
The perpetration methods are generally described as
Input, Program, and Output [47]. Of greatest concern are
the frauds that involve manipulation of data records or
computer programs to disguise the true nature of
transactions, cracking into an organization’s computer
system to manipulate business information, and
unauthorized electronic transfers of funds [5].
Input fraud (“data diddling” or “number fudging”)
represents the major avenue through which computer
frauds take place [47]. In these frauds, the offender
dishonestly enters improper data or data improperly,
suppresses, appends, or otherwise changes data stored. It
is the most common computer crime [47], and can be
committed by anyone having access to normal
data/processing functions at the input stage.
A contractor working for a Commonwealth agency
was convicted of defrauding the Commonwealth of
$1.4 million. The contractor, while performing his
regular duties, was able to access and alter system
data to change the status of rebate claims from 'paid'
to 'unpaid' on the system, and transfer bogus rebate
payments into his own account. The contractor was
then able to delete the record of the illegal
transaction and return the 'paid' status and dates to
their original state [6].
Program fraud involves either the creation of a program
with a view to defraud, or the alteration or amendment of
a program to such ends. It is difficult to discover and is
often not recognized [47]. It requires computer-specific
knowledge and access to computer databases and/or
software. One of the most notorious species of program
fraud is the so-called salami fraud.
In an effort to cover up trading losses, the defendant
engaged in a series of fictitious currency trades that
were entered into the books and records of Allfirst
Bank. Defendant’s manipulation of the Bank's
computerized system for tracking trading activities
allowed him to earn performance bonuses of over
$650,000 in addition to his salary when, in reality, his
trades resulted in millions of dollars in losses [49].
Output fraud is concerned with dishonestly
suppressing or amending data being output. It is often
linked with input fraud (e.g. suppressing or changing
balance reports to hide misappropriated funds). The goal
with this type of scheme is to conceal bogus inputs or to
prevent or postpone detection of such input fraud.
Because computer output is normally accepted as being
accurate and genuine, its authenticity is taken for granted.
For devising our taxonomy with respect to perpetration
method, we adopt a different approach, and merge the
Input and Output categories into a new one—Data, while
maintaining the Program category. This approach allows
us to best observe the mutual exclusiveness property.
We subdivide the Data category into Insert, Improper
obtaining or use (e.g. read, copy, print, or disseminate—
this must be done in close connection with the intent to
further a fraud—see the case below), Integrity attacks,
and Availability attacks. The Insert class is further
subdivided into Improper data and Data improperly. As
integrity and availability attacks are generally well known,
we did not consider it necessary to subdivide them.
In U.S. v. Turner, the defendants, while employed by
Chase Financial Corporation, knowingly and with
the intent to further a scheme to defraud, accessed
one or more Chase Manhattan Bank and Chase
Financial Corporation computer systems without
authorization or in excess of their authorized access
on said computer systems, thereby obtaining credit
card account numbers and other information, which
they were not authorized to access in connection
with their duties at Chase Financial. That
information was distributed and transmitted to one
or more individuals who, in turn, used that
information to fraudulently obtain goods and
services [49].
Moving to the Program category, we subdivided it
into Run, Integrity attacks, and Availability attacks. We
further subdivided Run into Without authorization, In
excess of authorization, Improper parameters (we include
here changing the system date), and Transit attacks [44]
(arguably, these types of attacks can also be placed in the
Data category). This classification overcomes the
inclusion dilemma when the fraud consists, for example,
of a combination of input and program attacks—such
cases should be included in the Run/Improper parameters
category. Table 2 presents our taxonomy of computer
fraud with respect to perpetration method.
Table 2. Taxonomy of computer fraud – perpetration method
Data
    Insert
        Improper data
        Data improperly
    Improper obtaining or use
    Integrity attacks
    Availability attacks
Program
    Run
        Without authorization
        In excess of authorization
        Improper parameters
        Transit attacks
            Interruption
            Interception
            Modification
            Fabrication
    Integrity attacks
    Availability attacks
6. Conclusions and future research
When opportunities abound, and there is a potential
supply of motivated offenders that perceive the chances
of detection and prosecution as being very low [16], the
risk of computer fraud must be considered as being very
high. The very stealth of computer fraud often avoids
attention. However, as consequences of high-grade
attacks, such as financial fraud or theft of proprietary
information, can be very high [12, 13] and far-reaching,
they must not be overlooked in security planning [37].
As [1] remarks, no industry is left untouched by this
fast-growing phenomenon. The technical aspects of
electronic systems are designed to be fraud-proof,
however, human nature is such that fraud is likely to be a
perennial problem [27]. Further, as [1] argues, there is no
such thing as small frauds—only large ones given
insufficient time to grow (that is, detected).
Although the computer fraud risk cannot be eliminated,
proactive steps can reduce it considerably. The risk of
loss is higher with strategies of detection because the
crime is ongoing or has just occurred, hence the ability to
stop it or recover the loss is limited. Therefore, proactive
measures should prevail, be appropriate to the level of
risk, and be reassessed regularly [6].
The contribution of this paper, written from a
prevention perspective, is twofold. First, it clearly
explained what computer fraud is and is not. Second, it
proposed a taxonomy of computer fraud with respect to
perpetration platform, and to perpetration method.
The taxonomy presented in this paper, devised from a
prevention perspective, can be used in several ways.
First, the taxonomy can be used as an awareness and
education tool. Second, it can assist those charged with
combating computer fraud to design and implement
policies that address the risk. Third, the taxonomy can be
used in connection with an encoding scheme to encode
incidents. Fourth, our taxonomy can be used to design
reporting forms and accompanying databases. Last, the
taxonomy can provoke future research.
This research can be continued in the following
directions:
- A taxonomy with respect to types of computer frauds
and consequences for organizations;
- The use of malware in perpetrating computer fraud; and
- Information security strategies for the prevention of
computer fraud.
7. References
[1] Albrecht, W. S., Howe, K. R., Romney, M. B. (1984)
Deterring Fraud: The Internal Auditor's Perspective, The
Institute of Internal Auditors Research Foundation, Almonte
Springs, Florida.
[2] Álvarez, G. and Petrović, S. (2003) ‘A new taxonomy of
Web attacks suitable for efficient encoding’, Computers &
Security, Vol. 22, No. 5, pp. 435-449.
[3] Anderson, J. P. (1980) Computer Security Threat Monitoring
and Surveillance, Technical Report Contract 79F296400, April
1980.
[4] AusCERT (2003) Australian computer crime & security
survey, Last accessed: 18 May, 2003, URL:
http://www.auscert.org.au/render.html?it=2001&cid=1920.
[5] AusCERT (2002) Australian Computer Crime and Security
Survey, Last accessed: 12 June, 2002, URL:
http://www.auscert.org/Information/Auscert_info/new.html.
[6] Australian National Audit Office (2000) Australian Taxation
Office Internal Fraud Control Arrangements, Report No. 16.
[7] Bologna, J. and Shaw, P. (1996) Corporate Crime
Investigation, Butterworth-Heinemann.
[8] Brenner, S. W. (2001) ‘Is There Such a Thing as "Virtual
Crime"?’, 4 Cal. Crim. Law Rev. 1
[9] Cohen, F. (2002) ‘Computer Fraud Scenarios: Robbing the
Rich to Feed the Poor’, Computer Fraud & Security, Vol. 2002,
Iss. 1, December, pp. 5-6.
[10] Collier, P. A., Dixon, R and Marston, C. L. (1990) The
prevention and detection of Computer Fraud, The Chartered
Institute of Management Accountants.
[11] Council of Europe (2001) Final Draft Convention on
Cyber-crime, Last Accessed: 1 August, 2002, URL:
http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.ht
m.
[12] Dhillon, G. and Moores, S. (2001) ‘Computer crimes:
theorizing about the enemy within’, Computers & Security, Vol.
20, No. 8, pp. 715-723.
0-7695-2056-1/04 $17.00 (C) 2004 IEEE
7
Proceedings of the 37th Hawaii International Conference on System Sciences - 2004
[13] Dhillon, G. (1999) ‘Managing and controlling computer
misuse’, Information Management & Computer Security, 7/4,
pp. 171-175.
[14] Doyle, C. (2002) Computer fraud and abuse laws: An
overview of federal criminal laws, Novinka, New York.
[15] Ellingson, J. F. (1998) ‘Devising an Information Based
Strategy for Fighting Fraud’, Journal of Internet Security, Vol.
1, No. 1, September.
[16] Etter, B. (2001) ‘The forensic challenges of e-crime’, 7th
Indo-Pacific Congress on Legal Medicine and Forensic
Sciences, Melbourne, Australia.
Privacy, Oakland, California, USA, May 4-7, IEEE Computer
Society Press, 154–163.
[33] Lough, L. D. (2001) A taxonomy of computer attacks with
applications to wireless networks, PhD dissertation, Faculty of
the Virginia Polytechnic Institute and State University,
Blacksburg, Virginia.
[34] McPhee, W. S. (1974) ‘Operating System Integrity in
OS/VS2’, IBM System Journal, 13(3), pp. 230-252.
[35] Neumann, P. G. (1995) Computer related risks, ACM
Press.
[17] Gilbert (1997), Law Dictionary, Harcourt Brace Legal and
Professional Publications.
[36] Neumann, P. G. and Parker, D. B. (1989) ‘A Summary of
Computer Misuse Techniques’, 12th National Computer
Security Conference, pp. 396-407.
[18] Gillies, P. (1993) Criminal Law, Law Book Co., North
Ryde, N.S.W., Australia.
[37] Panko, R. R. (2002) Corporate Computer and Network
Security, Prentice Hall.
[19] Goldstein, J., Dershowitz, A. M. and Swartz, R. D. (1974)
Criminal law: Theory and process, The Free Press, New York.
[38] Parker, D.B. (1998) Fighting computer crime: A new
framework for protecting information, New York, John Wiley
and Sons.
[20] Graycar, A. and Smith, R. (2002) Identifying and
Responding to Corporate Fraud in the 21st Century, speech to
the Australian Institute of Management (20 March 2002).
[39] Perry, T. S. and Wallich, P. (1984) ‘Can Computer Crime
Be Stopped?’, IEEE Spectrum, 21(5), pp. 34-45, May 1984.
[21] Greenspan, A. (2002) Monetary Policy Report to the
Congress, July 16, 2002.
[40] Podgor, ES (1999) ‘'Criminal Fraud’, American University
Law Review, Vol. 48, No. 4.
[22] Howard, J. D. and Longstaff, T. A. (1998) A Common
Language for Computer Security Incidents, Sandia Report
SAND98-8667.
[41] Schultz, E. E. (2002) ‘A framework for understanding and
predicting insider attacks’, Computers & Security, Vol. 21, No.
6, pp. 526-531.
[23] Howard, J. D. (1997) An Analysis of Security Incidents on
the Internet, Ph.D. dissertation, Carnegie Mellon University,
Pittsburgh, Pennsylvania.
[42] Shover, N. and Wright, J. P. (2001) Crimes of privilege:
readings in white-collar crime, Oxford University Press.
[24] Jayaram, N. D. and Morse, P. L. R. (1997) Network
Security - A Taxonomic View, European Conference on Security
and Detection, School of Computer Science, University of
Westmister, UK, 28-30 April 1997.
[25]
Knight,
E.
(2000) Computer
www.securityparadigm.com, March 2000.
Vulnerabilities,
[26] Krauss, L. I. and MacGaham, A. (1979) Computer Fraud
and Countermeasures, Prentice-Hall, New Jersey.
[27] Kreltszheim, D. (1999) ‘Identifying the proceeds of
electronic money fraud’, Information Management & Computer
Security, 7/5, pp. 223-231.
[43] Smedinghoff, T. J. (1996) Online Law, The SPA’s Legal
Guide to Doing Business on the Internet, Addison-Wesley
Developers Press.
[44] Stallings, W. (1995) Network and Internetwork Security
Principles and Practice, Prentice Hall, Englewood Cliffs, NJ.
[45] Stevenson, G. (2000) ‘Computer Fraud: Detection and
Prevention’, Computer Fraud & Security, vol. 2000, no. 11, pp.
13-15.
[46] Stephen, J. F. (1883) A history of the Criminal Law of
England, Vols. I-III, Macmillan and Co. (reprinted by William
S. Hein & Co., Inc., Buffalo, New York).
[28] Krsul, I. V. (1998) Software Vulnerability Analysis, Ph.D.
dissertation, Purdue University, May 1998.
[47] United Nations (1994) ‘Manual on the prevention and
control of computer-related crimes’, International review of
criminal policy, Nos. 43 and 44.
[29] Landwehr, C. E., Bull, A. R., McDermott, J. P. and Choi,
W. S. (1994) ‘A Taxonomy of Computer Program Security
Flaws, with examples’, ACM Computing Surveys 26, 3 (Sept.).
[48] U.S. Department of Justice (2003) Computer Intrusion
Cases,
Last
accessed:
21
May,
2003,
URL:
http://www.usdoj.gov/criminal/cybercrime/cccases.html.
[30] Landwehr, C. E. (1981) ‘Formal models for computer
security’, Computing Surveys, Vol. 13, No. 3, September.
[49] U.S. Department of Justice (2002) Last accessed: 21 May,
2003,
URL:
http://www.usdoj.gov/usao/md/press_releases/press02/john_m_r
usnak_pleads_guilty.htm.
[31] Lanham, D., Weinberg, M., Brown, K. E. and Ryan, G. W.
(1987) Criminal fraud, The Law Book Company Limited,
Sydney.
[32] Lindqvist, U. and Jonsson, E. (1997) ‘How to
Systematically Classify Computer Security Intrusions’,
Proceedings of the 1997 IEEE Symposium on Security &
[50] Waller, L. and Williams, C. R. (2001) Criminal law: Text
and cases, 9th Ed., Butterworths.