A Characteristic Model of
Computer Criminals

by Ehud Avner

Recent personality analysis conducted in several countries enabled the construction of a model of character traits typical to computer criminals.

The model refers mainly to information systems department employees and users of on-line computer services.

The Model

Age 18 - 35 years old
Gender Mostly male
Position Manager or a high ranking clerk
Traits Bright, thorough, highly-motivated, diligent, trustworthy - the last to be considered suspect, hard working, stable, first to arrive and last to go, does not take vacations, apprehensive of intimate relationships and of losing prestige, individualist, solves problems independently.
Criminal Record None
The Methods Executing an apparently ordinary action in the course of normal and legal system operations such as: salary calculations, payments to suppliers, insurance payments, transferal of tax and V.A.T returns etc.
Aftermath Reaction It is not a crime, I hurt no one, everybody does that, the banks steal more, I only tried to prove to my employers that it is possible.
The Law Does not deal with it. Usually both sided compromise and the case is kept silent.

Computer Criminology

In approaching the issue of computer crimes and criminals, it is necessary to consider not only the technological aspects affecting the computer environment, but also additional unique circumstances which help create criminal options. Combining the system's environment with specific circumstances provides a high risk setting from which computer crimes evolve. Computer criminology rests on the same premise as any other type of crime, namely:

  1. The possibility to gain wealth or achieve an illegal objective easily and in a short time span.
  2. A small chance of detection and a relatively lenient punishment if caught.
  3. Ample opportunity.

The computer environment as a microcosm of modern society has created several options for different types of computer crimes; embezzlement, through the transfer of funds between accounts electronically, fraud, through changing computations or omitting transactions, information theft, through the access of data sources, and financial damage through malicious disruption of the central computing system of an organization.

Computer crimes and criminals are receiving increasing media coverage due to the rising numbers of companies and governmental agencies which are fully computerized and which give access to the system to an ever-increasing number of employees. In spite of this increased coverage, there is no clear indication of a strong negative societal attitude towards this type of crime. The lack of a clear social perception (norm) with regards to computer crimes could be attributable to the fact that computer crimes are a relatively new phenomenon, and public opinion is not yet sufficiently formulated. Other reasons could result from the technical nature of the crime, which many people lack an understanding of, and from the fact that frequently companies which have been subjected to a computer crime prefer not to publicize it in an attempt to minimize damages, and prevent harm to their credibility.

Few countries incorporate sufficient laws to regulate computer crimes. The drafting and enactment of such laws are hindered by the complexity of the information technology environment and by the difficulty in defining clearly terms such as "software"' "electronic media" etc.

In order for an actual computer related crime to take place, several factors must come into play. First, there must be an individual with the technical abilities to plan and execute the crime. Second, there are personal (subjective) grievances, which the perpetrator believes can be righted by instigating the crime. Third, the perpetrator must feel confident that the crime committed will be nearly impossible to trace (the perfect crime illusion). Last, the intended criminal must have ready and legitimate access to the system in both the physical and the logical sense, and the crime must be perpetrated in the course of ordinary system activity.

Computer crimes are hard to prevent, and yet prevention is possible through a combination of controlling the access and use to the system, and creating an "alert and prevent" policy directed at system users. While access controlling methods are rarely foolproof, security can be layered in such a way as to severely decrease the likelihood of a crime and to deter would be criminals by creating an auditing and monitoring system which will disclose the source, time and nature of a violation in the system.

Computer crime prevention is hinged on the existence of regular backups which enable comparisons of information, and more importantly, restorations of systems to their correct state if they were maliciously or accidentally disrupted or destroyed. Similarly, every organization today which provides employees with access to information stored on the system, has an obligation to install a security system complete with access control, encryption options, privilege definitions and monitoring options to deter and prevent would be computer criminals.

Copyright © 1997 EliaShim