Understanding and Addressing Criminal Opportunity: The Application of Situational Crime Prevention to IS Security

This paper examines the concept of criminal opportunity. More precisely, it focuses on the nature of such opportunities that are to be found within an IS context, and the threat posed by dishonest staff who may act on them. Although hackers and their activities may be given ample column space in the lay press, the potential threat posed by dishonest staff should not be underestimated. The 1998 NCC Business Information Survey reports that the greatest risk of security breaches arose from the activities of personnel within organisations, accounting for nearly 52 per cent of all (physical and logistical) security breaches detected. Similarly, the 1998 CSI/FBI Survey found that the largest single source of financial loss (almost 37 per cent) was attributable to unauthorised insider access. These facts are not lost on security practitioners who, as a rule of thumb, work on the principle that 25 per cent of people are dishonest whenever possible, 25 per cent are always honest and 50 per cent can be either, depending on the nature of security controls and personal motivation.