Security Lessons Learned from Soci&amp;#x0E9;t&amp;#x0E9; G&amp;#x0E9;n&amp;#x0E9;rale

Epstein, Jeremy

doi:10.1109/msp.2008.71

Cited by 10 publications

(12 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It again involves software installed by the insider that hid the traces of unauthorized transactions and an event outside the insider's control that caused the fraud to be exposed, in this case the Kobe earthquake on January 17, 1995. Similar observations apply to the case of Jérôme Kerviel (2008) [8].…”

Section: It Security and Commercesupporting

confidence: 74%

From Insider Threats to Business Processes that are Secure-by-Design

Gollmann

2011

2011 Third International Conference on Intelligent Networking and Collaborative Systems

View full text Add to dashboard Cite

We argue that insider threat is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term insider in its literal interpretation loses meaning in a context where there are no stable perimeters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT, have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities. We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers rather than for the deployment of secure IT infrastructures.

show abstract

Section: It Security and Commercesupporting

confidence: 74%

From Insider Threats to Business Processes that are Secure-by-Design

Gollmann

2011

2011 Third International Conference on Intelligent Networking and Collaborative Systems

View full text Add to dashboard Cite

show abstract

“…In particular, it is assumed that potential "shadow processes" have been found and are known (i.e., visible to application owners and auditors). This assumption can be false because, for example, fraudulent insiders such as Jerome Kerviel of Société Générale (Epstein, 2008) can know loopholes that circumvent the official processes. More generally, attackers and fraudsters always target the "weakest link" in a system, while sampling or walkthroughs are inherently limited in their ability to identify all "weak links".…”

Section: Assumptionsmentioning

confidence: 99%

Compliance by design – Bridging the chasm between auditors and IT architects

Julisch

Suter²,

Woitalla³

et al. 2011

Computers & Security

View full text Add to dashboard Cite

System and process auditors assure -from an information processing perspective -the correctness and integrity of the data that is aggregated in a company's financial statements. To do so, they assess whether a company's business processes and information systems process financial data correctly. The audit process is a complex endeavor that in practice has to rely on simplifying assumptions. These simplifying assumptions mainly result from the need to restrict the audit scope and to focus it on the major risks. This article describes a generalized audit process. According to our experience with this process, there is a risk that material deficiencies remain undiscovered when said simplifying assumptions are not satisfied. To address this risk of deficiencies, the article compiles thirteen control patterns, which -according to our experience -are particularly suited to help information systems satisfy the simplifying assumptions. As such, use of these proven control patterns makes information systems easier to audit and IT architects can use them to build systems that meet audit requirements by design. Additionally, the practices and advice offered in this interdisciplinary article help bridge the gap between the architects and auditors of information systems and show either role how to benefit from an understanding of the other role's terminology, techniques, and general work approach.

show abstract

“…Other motives or reasons This category could include subjects who were defrauding the firm in order to avenge a perceived wrong-doing, or to right a perceived moral wrong 5.3 research, professional standard setting and regulatory discourse we have, during the same period, seen substantial levels of corporate malfeasance (Epstein, 2008). Employee fraud is an ongoing problem.…”

Section: Alcohol Problemmentioning

confidence: 99%

Revisiting employee fraud: gender, investigation outcomes and offender motivation

Bonny

Goode

Lacey

2015

Journal of Financial Crime

View full text Add to dashboard Cite

Purpose – This paper aims to present the findings of a study examining fraud in the workplace setting, principally in the Australasian context. Although prior research into occupational fraud is conceptually rich, there is a lack of empirical evidence of this important but elusive problem. Design/methodology/approach – Based on investigative data from 14 participating firms, the paper provides insights into the gender breakdowns and stated motivations of offenders. The paper also provides evidence of the number of investigations, interviews and reports to law enforcement in these firms. Findings – The study finds that genders are evenly balanced for most firms, with females significantly outnumbering males in banking firms. Self-imposed financial hardship was the most popular motivator. Of the number of admissions to wrongdoing, only half were subsequently reported to law enforcement. Research limitations/implications – Particularly complex or advanced types of occupational fraud may go unreported or undetected: as a result, the figures presented in this study may be incomplete. Reported figures are based largely on historical data provided by respondents, and the authors are unable to report accurate details of the respondent firms. This makes it difficult to determine the frequency of offending against the background population. Practical implications – Investigators should continue to look for changes in the life circumstances of their staff. Such changes will give an indication of instances of staff living beyond their means and the sudden financial pressures that can compel occupational fraud. Instead of trying to supervise staff to an impractical degree, managers and proprietors would be well advised to be alert to the kind of pressures that their staff might experience. Social implications – Social control and detection measures are likely to be easier to implement and less invasive than technical controls. The study provides additional pressure to update traditional conceptualisations of the male white collar offender. While male offenders were responsible for larger losses per case, females were more numerous in the summary offence data. Originality/value – Gaining insights into the problem of employee fraud and white collar crime is difficult. The authors’ contribution in this paper is to provide empirical insights into the makeup of white collar offenders, including insights on gender.

show abstract

Security Lessons Learned from Société Générale

Cited by 10 publications

References 0 publications

From Insider Threats to Business Processes that are Secure-by-Design

From Insider Threats to Business Processes that are Secure-by-Design

Compliance by design – Bridging the chasm between auditors and IT architects

Revisiting employee fraud: gender, investigation outcomes and offender motivation

Contact Info

Product

Resources

About