Interpreting computer fraud committed by employees

Abstract

This research provides a "rich insight'' into the management of Information
Systems (IS) security within the context of computer fraud committed by employees. It
argues that management within organisations can impact the understanding of
employees (at low-level positions) as to what is 'acceptable" practice when abiding by
IS security policies and procedures. Therefore, the growing problem of computer fraud
does not occur because of "bad people', but rather because of IS security loopholes
within the organisation. Such loopholes can create 'suitable opportunities' where
employees may find that the rewards of committing an act are higher than the chances
of being caught.
This research departs from the traditional functionalist view and approaches the
problem of computer fraud from a socio-technical perspective to employ an interpretive
research approach. This constitutes a major contribution to IS security studies. It uses
the Crime Specific Opportunity Structure model from criminology, as the conceptual
framework for initial data collection of the single embedded case study. The findings of
the case study (at Technology Corporation) suggest that perceptions of IS security held
by employees at high-level positions influence how employees at low-level positions
comply with IS security guidelines. To illustrate this argument, this research introduces
the notion of "Shared Responsibility" from victimology to reduce the gap between
"espoused theory' and 'theory-in-use'. Although, there were no 'reported' cases of
computer fraud committed by employees in Technology Corporation, implications are
drawn on the role management's perceptions about IS security play in the context of
facilitation, precipitation and provocation and consequently, a working environment
created where k suitable opportunities' may exist for employees to commit computer
fraud (input type in particular).