
Proceedings of the 37th Hawaii International Conference on System Sciences - 2004

Dissecting Computer Fraud: From Definitional Issues to a Taxonomy


Lucian Vasiu, Deakin University; Ioana Vasiu, Babeș-Bolyai University

Abstract
Computer frauds, while less dramatic than crimes of violence, can inflict significant damage at community, organizational or individual level. In order to properly quantify and mitigate the risk, computer fraud needs to be well understood. In this paper, in a conceptual-analytical research approach, we propose a dissection of computer fraud. First, we look into the elements of an offense and the act of fraud in general, then explain what is and what is not computer fraud. Next, from a prevention perspective, we propose a taxonomy of computer fraud with respect to perpetration platform, and to perpetration method. We believe that our contributions extend the existing knowledge of the phenomenon, and can assist those fighting computer fraud to better understand it and to design means of preventing and reporting it.

1. Introduction
People may not be any greedier than in generations past; however, the avenues to express greed have grown enormously [21]. The fundamental principle of criminology is that crime follows opportunity, and opportunities abound in today's computer-reliant world. Criminal opportunities, as [42] explains, are arrangements or situations that individuals encounter and that offer attractive potential for criminal reward, largely because they are accompanied by a very low perceived risk of detection or policing. Computers have created many opportunities for fraudsters, and enabled them to commit "mugging by remote control" (Blumenthal in [31]). [30] argues that computers have increased the fraud problem in that several users, from remote locations, can access them; therefore they cannot be viewed as a passive object in the same sense that a safe or a pencil is passive.

Further, as [43] observes, the ability to manipulate computer data to derive benefit from its misrepresentation increases the fraud opportunities significantly. In order to properly quantify and mitigate the risk, computer fraud needs to be well understood. Yet there is some confusion as to what computer fraud is. Are all computer attacks fraud? Is computer fraud just one aspect of computer attacks? Should all frauds that involve computers be considered computer frauds? Is computer trespassing computer fraud? One important obstacle in understanding and researching computer fraud is that relatively few studies that focus on this subject have ever been done. In this paper, in a conceptual-analytical research approach, we seek to improve this situation, and propose a dissection of computer fraud. Our first aim is to explain what computer fraud is. To this end, we first look at the elements of an offense and the act of fraud in general. Second, we explain what computer fraud is not. We use the U.S. Computer Fraud and Abuse Act criminalization of computer fraud (18 U.S.C. 1030 (a)(4)) as the guiding definition of computer fraud and analyze its elements. The second and main aim of this paper is to devise a taxonomy of computer fraud with respect to perpetration platform, and to perpetration method. This paper is organized as follows. In the next section, we explain the rationales for this paper. Next, we present our theoretical background. In Section 4, we look into the elements of an offense and the act of fraud in general, and then we analyze the legal elements of computer fraud, as defined by 18 U.S.C. 1030 (a)(4), and introduce other definitions of computer fraud. In Section 5, we present our taxonomy of computer fraud with respect to perpetration platform, and to perpetration method. The paper closes with conclusions and future research.
Case examples are interspersed throughout the paper to illustrate important points (for consistency, most of the cases selected have been prosecuted under the computer crime statute, 18 U.S.C. 1030).

0-7695-2056-1/04 $17.00 (C) 2004 IEEE


2. Rationales
The rationales for this paper are as follows:
- Computer frauds are highly destructive to free-market capitalism and, more broadly, to the underpinnings of society [21]. Computer frauds can cause instability and uncertainty in a system, and can impose a very significant cost on society [12]. Therefore, computer fraud must be well understood by those charged with combating it;
- Without a clear definition of computer fraud, it will not be possible to share information that has the same meaning to everyone, nor to agree on how to measure the problem and what resources need to be allocated to mitigate the risk; and
- A taxonomy can provide a better understanding of the nature of computer fraud, can be very useful in designing means of prevention, and can be a useful tool for education, effective measurement, and reporting.

[36] proposes classes of computer misuse: the SRI Computer Abuse Methods Model. [35] revises the work presented in [36], while [28] extends the classification of intrusions in [36] with respect to technique and to result. [3] develops a four-cell matrix that covers the types of perpetrators, based on whether they are authorized or not to use the computer and the programs or computer data. [26] discusses the nature of the computer fraud problem in the typical computer environment, the perpetration of computer frauds, and prevention controls and safeguards. [45] looks into the detection and prevention of computer fraud. A taxonomy of computer fraud is proposed by [7]; however, that taxonomy offers no explanation of why it was selected, or of how it can be used. While all these are very valuable contributions, we lack a useful taxonomy of computer fraud that can be used in the prevention function. As we stated in the Introduction, our main aim is to devise a taxonomy of computer fraud with respect to perpetration platform, and to perpetration method. The first step in the development of a taxonomy of computer fraud is to look at the ways it is defined.

3. Theoretical background
As [1] argues, a thorough understanding of fraud can only be achieved through a comprehensive study performed by an interdisciplinary team of researchers. For this paper's main purpose, devising a taxonomy of computer fraud, and since computer fraud is one kind of computer attack, the theoretical background draws mainly from the computer security/attacks area. [38] presents a model of computer attackers based on several factors: skills, knowledge, resources, authority, and motives. [41] devises a framework for understanding and predicting insider attacks. [23] presents a taxonomy with respect to types of attackers, tools used, access information, results of the break-in, and objectives of the attack. [29] devises a taxonomy of attacks by genesis (how), time of introduction (when), and location (where), while [39] presents an attack matrix. A taxonomy of security threats to networks is provided in [24]. [33] presents a taxonomy of computer attacks with applications to wireless networks. A taxonomy of web attacks (i.e. attacks exclusively using the HTTP/HTTPS protocol) is proposed in [2]. [25] introduces a taxonomy with respect to types of computer vulnerability. [28] presents a classification of software vulnerabilities, while [34] discusses seven classes of integrity flaws.

4. Definitional issues
4.1. Preliminary remarks
In order to understand computer fraud, it is useful to first look into the elements of an offense and the act of fraud in general. Next, we look into what is not and what is computer fraud. As [18] explains, a crime consists, in most cases, of conduct for which the defendant is responsible, specified by the definition of that crime. This conduct has mental and physical components (except in certain cases, when the defendant is incriminated by virtue of a relationship with, or other implication in, a static situation) [18]. This conception of a crime is reflected in the common description of it as comprising an actus reus (an activity) and a mens rea (a state of mind). These terms are drawn from the Latin maxim actus non facit reum nisi mens rea (a person does not incur liability for a crime by virtue of an act, unless they have as well a guilty mind) [18]. Lawyers still use the terms actus reus and mens rea widely because they are convenient, in that they facilitate the analysis and statement of the elements of criminal liability. Fraud, like other familiar concepts, is one that seems to have a perfectly obvious meaning until we try to define it (Green in [40]). Fraud is a deep legal concept, and few really understand fraud or use a common definition [15]. The difficulty of giving an adequate definition of fraud has been felt at all times [46:I.28]. There has always been a great reluctance amongst lawyers to attempt to define fraud, and this is only natural when we consider the number of different kinds of conduct to which this word is applied [46]. The term "fraud" is defined in [17:124] as "An act using deceit such as intentional distortion of the truth or misrepresentation or concealment of a material fact to gain an unfair advantage over another in order to secure something of value or deprive another of a right. Fraud is grounds for setting aside a transaction at the option of the party prejudiced by it or for recovery of damages." [8] argues that someone commits fraud if the following four elements are proved beyond a reasonable doubt:
- Actus reus: The perpetrator communicates false statements to the victim;
- Mens rea: The perpetrator communicates what she knows are false statements with the purpose of defrauding the victim;
- Attendant circumstances: The perpetrator's statements are false; and
- Harm: The victim is defrauded out of property or something of value.
Fraud is always intentional, intentional by appearance, or intentional by inference from the act. Intent should not be confused with motive, which is what prompts a person to act. Intent refers only to the state of mind with which the act is done. However, there is no scientific measurement or yardstick for gauging a person's intent. An inference has to be drawn from all available evidence as to what was in the defendant's mind at the material time (Justice Ackner in [19]). The element of the intent to defraud connotes the intention to produce a consequence that is in some sense detrimental to a lawful right, interest, opportunity, or advantage of the person to be defrauded, and is an intention distinct from and additional to the intention to use the forbidden means (King CJ in [50]). If there is no evidence that the victim has been defrauded (i.e. deprived of something of value), then we cannot talk of computer fraud.

4.2. What is not computer fraud?
Computer fraud is sometimes confused with other offenses:
- Intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining protected information. One such case is U.S. v. Czubinski (106 F.3d 1069 (1st Cir. 1997)): the court found that Czubinski had not obtained valuable information in furtherance of a fraudulent scheme;
- Causing damage to a protected computer. One such case is U.S. v. Brown [48]: the defendant knowingly caused the transmission of a program, information, code or command, and as a result of such conduct, intentionally caused damage, without authorization, to a protected computer; or
- Trafficking in passwords. One such case is U.S. v. Patterson [48]: the defendant was charged with trafficking in passwords and similar information that would have permitted others to gain unauthorized access to an organization's computer network, when he posted and maintained at a Yahoo hacker group posting board the username and password combinations of certain legitimate users together with instructions on how to hack into the network of the organization using those passwords.
While these offenses can be perpetrated in connection with computer fraud, they should be regarded as distinct. In the next section, we explain what computer fraud is.

4.3. What is computer fraud?
For this paper's purpose, we chose the U.S. Computer Fraud and Abuse Act criminalization of computer fraud (18 U.S.C. 1030 (a)(4)) as the guiding definition: "Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." According to this definition, the legal elements of computer fraud consist of:
- Knowingly and with intent to defraud;
- Accessing a protected computer without authorization, or exceeding authorization;
- Thereby furthering a fraud and obtaining anything of value (other than minimal computer time).
Regarding the first element, the phrase means that the offender is conscious of the natural consequences of his action (i.e. that someone will be defrauded), and intends that [14]. The second and third elements should be discussed together, as they show that more than mere unauthorized access is required to qualify the offense as computer fraud: the thing obtained is not merely the unauthorized use. Some additional end, to which the unauthorized access is a means, is required [14]. Merely viewing information cannot be deemed the same as obtaining something of value for the purpose of this statute (as in U.S. v. Czubinski). According to [14], the phrase "thereby furthers a fraud" ensures that prosecutions are limited to cases where use of a computer is central to a criminal scheme, rather than those where a computer is used simply as a recordkeeping convenience. The broad language of this definition may be confusing for non-lawyers, in that it defines computer fraud in terms of fraud. In a legal sense the definition is not circular; however, we considered it useful to look into two state definitions of computer fraud that are more specific:
Virginia (§ 18.2-152.3.1) (...): 1. Obtain property or services by false pretences; 2. Embezzle or commit larceny; or 3. Convert the property of another; and
Hawaii (Rev. Stat. 708-891): (a) (...) Devising or executing any scheme or artifice to defraud; or (b) (...) Obtaining money, property, or services by means of embezzlement or false or fraudulent representations; or (c) (...) Obtaining credit information on another person; or (d) (...) Introducing or causing to be introduced false information to damage or enhance the credit rating of any person.

[Figure 1. The legal elements of computer fraud]

Another definition that we consider useful, for this paper's purpose, is that of [11], in that it gives us insight into the criminal conduct: "The causing of a loss of property to another by: a. Any input, alteration, deletion or suppression of computer data, b. Any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another." In the next section, we make some considerations on the importance of a taxonomy, explain how we devised our taxonomy, and present our taxonomy of computer fraud with respect to perpetration platform, and to perpetration method.

5. Taxonomy
5.1. Taxonomic considerations
The drive to categorize and organize knowledge has been ubiquitous throughout human intellectual development. An early step toward understanding any set of phenomena is to learn what kinds of things there are in the set, that is, to develop a taxonomy. The main properties a taxonomy must have are outlined in [23, 28, 33]. [29] argues that a taxonomy embodies a theory of the universe from which those specimens are drawn. A taxonomy is an approximation of the phenomenon, and may fall short in some respects. This may be particularly the case for a computer fraud taxonomy, considering that there is a consistent lack of comprehensive data, and that any taxonomy in the area of computer fraud is likely to require periodic expansion or refinement, as technology and perpetrators' methods evolve. For our taxonomy, we have selected categories that we believe are useful from a prevention perspective. We have tried to avoid excessive subclassification, and subdivided into subclasses only where we considered that helpful for the prevention function. In terms of terminology, we are drawing primarily on [22]. In the following sections, we introduce our taxonomy of computer fraud with respect to perpetration platform, and to perpetration method.

5.2. Methodology
To devise our taxonomy, we used a 5-phase methodology. First, we developed a comprehensive understanding of the phenomenon through an extensive survey of literature that relates to computer fraud (journal and newspaper articles, speeches and books), by analyzing the publicized cases of computer fraud (some of them included in this paper), and through fraud scenarios (e.g. [9]). Second, we reduced the phenomenon to its essential elements (bracketing). For our taxonomy, we considered only computer fraud that is perpetrated by an action (it can be argued that computer fraud can also be perpetrated by willful inaction, e.g. not recording sales returns). Third, we devised the first-cut taxonomy. Fourth, we used logical verification to test it. This was concerned (inter alia) with mutual exclusiveness (inclusion of any element in one category only), consistency (there are no internal conflicts between individual elements in the taxonomy), completeness (the taxonomy encompasses all relevant aspects of the phenomenon considered), and coherence (established theories are in agreement with our taxonomy). Fifth, we refined the taxonomy to its present form.


5.3. Perpetration platform


When discussing offenders, one important distinction should be made between insiders and outsiders. Computer fraudsters are often insiders: they are much more likely to evade detection when they commit frauds because they understand the system and its weaknesses, and are more likely to cover their tracks. However, in some cases the perpetrators do not have to be insiders for the computer fraud to succeed: they only need to impersonate an authorized user (opportunity created), or to exploit a vulnerability (that is, a weakness in a system allowing unauthorized action; opportunity exploited).

[Figure 2. The world of computer fraudsters]

In a collusion case named the Volkswagen Currency Exchange, four employees and one outsider used a computer to create phony currency exchange transactions and then cover them with real ones. They stole the differences that resulted from the rate changes. The act involved tampering with programs and the erasure of tapes [35]. As discussed in section 3, one legal element of computer fraud consists in accessing a protected computer without authorization (that is, access not approved by the system owner or administrator), or exceeding authorization (that is, a legitimate user exceeding the authorized access); this is what we call the perpetration platform. One case of exceeding authorization is U.S. v. Osowski. Accountants Geoffrey Osowski and Wilson Tang pled guilty to exceeding their authorized access to the computer systems of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves [48]. The Without authorization (WOA) class is very interesting from a categorization perspective. In devising the taxonomy with respect to accessing a protected computer without authorization, we draw, to a certain extent, from [35], and extend [28] with respect to password attacks. We subdivided Without authorization into Masquerade and Vulnerability exploitation. Masquerade is the unauthorized impersonation of an authorized user or of an entity. As it is not limited to users (there may be attacks that attempt to impersonate authorized systems and services), we considered it useful, from a prevention perspective, to further subdivide Masquerade into Impersonation (e.g. use of another person's password or authentication ticket reuse) and Spoofing attacks. We also subdivide the Impersonation class into Password attacks, and Password trafficking. A financial consultant defrauded the Commonwealth by transferring $8,735,692 electronically to private companies in which he held an interest. He did this by logging on to the Department's network using another person's name and password. To obscure the audit trail, he used other employees' logon codes and passwords [20]. Since different countermeasures apply to the techniques in the Password attacks subclass, we further subdivided it into Guess, Crack and Harvest. If a password was guessed, it may suggest a weak password approach. If a password was cracked, it may suggest access to the password file (e.g. from a backup tape). If a password was harvested (e.g. through visual spying, social engineering, sniffing or key logging attacks), it may suggest low awareness in the password protection area. In January 2003, a former employee of a company used the username and password he held while employed at the company to remotely log into the company's network, then changed customers' credit card details, and proceeded to make refunds to his credit card through the altered accounts. The perpetrator modified various pricing and availability of the products provided, reducing the price of some to $0.00 [4]. The above case leads us into another avenue for accessing a computer without authorization: Vulnerability exploitation. One of the difficulties in subdividing this class consists in the fact that such attacks can be complex and involve the exploitation of a combination of vulnerabilities. For this paper's purpose, and to observe the mutually exclusive property, we consider the vulnerability that is most directly linked to the subsequent perpetration of a fraud.
We further divided the Vulnerability exploitation class into Software (e.g. bugs or back doors), Personnel (other than those leading to successful password attacks, e.g. error of omission, incompetence, recklessness or malice; we include here system administration errors, as in the above case: user account active after employment termination), Communications, and Physical (e.g. failure of an electronic access control system; this can lead to interference with the functioning of a computer system, see the Council of Europe's definition). Table 1 presents our taxonomy of computer fraud with respect to perpetration platform.


Table 1. Taxonomy of computer fraud: perpetration platform
    Without authorization (WOA)
        Masquerade
            Impersonation
                Password attacks
                    Guess
                    Crack
                    Harvest
                Password trafficking
            Spoofing attacks
        Vulnerability exploitation
            Software
            Personnel
            Communications
            Physical
    Exceeding authorization

5.4. Perpetration method

The perpetration methods are generally described as Input, Program, and Output [47]. Of greatest concern are the frauds that involve manipulation of data records or computer programs to disguise the true nature of transactions, cracking into an organization's computer system to manipulate business information, and unauthorized electronic transfers of funds [5]. Input fraud (data diddling or number fudging) represents the major avenue through which computer frauds take place [47]. In these frauds, the offender dishonestly enters improper data or data improperly, suppresses, appends, or otherwise changes stored data. It is the most common computer crime [47], and can be committed by anyone having access to normal data/processing functions at the input stage. A contractor working for a Commonwealth agency was convicted of defrauding the Commonwealth of $1.4 million. The contractor, while performing his regular duties, was able to access and alter system data to change the status of rebate claims from 'paid' to 'unpaid' on the system, and transfer bogus rebate payments into his own account. The contractor was then able to delete the record of the illegal transaction and return the 'paid' status and dates to their original state [6]. Program fraud involves either the creation of a program with a view to defraud, or the alteration or amendment of a program to such ends. It is difficult to discover and is often not recognized [47]. It requires computer-specific knowledge and access to computer databases and/or software. One of the most notorious species of program fraud is the so-called salami fraud. In an effort to cover up trading losses, the defendant engaged in a series of fictitious currency trades that were entered into the books and records of Allfirst Bank. The defendant's manipulation of the Bank's computerized system for tracking trading activities allowed him to earn performance bonuses of over $650,000 in addition to his salary when, in reality, his trades resulted in millions of dollars in losses [49]. Output fraud is concerned with dishonestly suppressing or amending data being output. It is often linked with input fraud (e.g. suppressing or changing balance reports to hide misappropriated funds). The goal with this type of scheme is to conceal bogus inputs or to prevent or postpone detection of such input fraud. Because computer output is normally accepted as being accurate and genuine, its authenticity is taken for granted. For devising our taxonomy with respect to perpetration method, we adopt a different approach, and merge the Input and Output categories into a new one, Data, while maintaining the Program category. This approach allows us to best observe the mutual exclusiveness property. We subdivide the Data category into Insert, Improper obtaining or use (e.g. read, copy, print, or disseminate; this must be done in close connection with the intent to further a fraud, see the case below), Integrity attacks, and Availability attacks. The Insert class is further subdivided into Improper data and Data improperly. As the integrity and availability attacks are generally known, we did not consider it necessary to subdivide them. In U.S. v. Turner, the defendants, while employed by Chase Financial Corporation, knowingly and with the intent to further a scheme to defraud, accessed one or more Chase Manhattan Bank and Chase Financial Corporation computer systems without authorization or in excess of their authorized access on said computer systems, thereby obtaining credit card account numbers and other information, which they were not authorized to access in connection with their duties at Chase Financial. That information was distributed and transmitted to one or more individuals who, in turn, used that information to fraudulently obtain goods and services [49]. Moving to the Program category, we subdivided it into Run, Integrity attacks, and Availability attacks. We further subdivided Run into Without authorization, In excess of authorization, Improper parameters (we include here changing the system date), and Transit attacks [44] (arguably, these types of attacks can also be placed in the Data category). This classification overcomes the inclusion dilemma when the fraud consists, for example, of a combination of input and program attacks: such cases should be included in the Run/Improper parameters category. Table 2 presents our taxonomy of computer fraud with respect to perpetration method.

Table 2. Taxonomy of computer fraud: perpetration method
    Data
        Insert
            Improper data
            Data improperly
        Improper obtaining or use
        Integrity attacks
        Availability attacks
    Program
        Run
            Without authorization
            In excess of authorization
            Improper parameters
            Transit attacks
                Interruption
                Interception
                Modification
                Fabrication
        Integrity attacks
        Availability attacks
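As an added example (not part of the paper and not the authors' code), the following Python transcribes Tables 1 and 2 as trees, runs the mutual-exclusiveness check of the logical verification step in Section 5.2 over them, and files a constructed incident record under one leaf of each taxonomy, producing a dotted code of the kind the Conclusions mention for reporting forms and databases. The numeric coding scheme, the Incident record, the sample incident and the prevention hints attached to the Password attacks subclasses (the implications the paper states in Section 5.3 for guessed, cracked and harvested passwords) are this example's own assumptions.

```python
"""Added example (not from the paper): the taxonomies of Tables 1 and 2 as
trees, the mutual-exclusiveness check of Section 5.2, and an assumed dotted
coding scheme for filing incidents on a reporting form."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A category maps its name to a dict of subcategories; a leaf maps to None.
Tree = Dict[str, Optional[dict]]
Path = Tuple[str, ...]

# Table 1: perpetration platform, transcribed from the paper.
PLATFORM: Tree = {
    "Without authorization": {
        "Masquerade": {
            "Impersonation": {
                "Password attacks": {"Guess": None, "Crack": None, "Harvest": None},
                "Password trafficking": None},
            "Spoofing attacks": None},
        "Vulnerability exploitation": {
            "Software": None, "Personnel": None, "Communications": None, "Physical": None}},
    "Exceeding authorization": None}

# Table 2: perpetration method, transcribed from the paper.
METHOD: Tree = {
    "Data": {
        "Insert": {"Improper data": None, "Data improperly": None},
        "Improper obtaining or use": None, "Integrity attacks": None, "Availability attacks": None},
    "Program": {
        "Run": {
            "Without authorization": None, "In excess of authorization": None,
            "Improper parameters": None,
            "Transit attacks": {"Interruption": None, "Interception": None,
                                "Modification": None, "Fabrication": None}},
        "Integrity attacks": None, "Availability attacks": None}}

# Implications the paper states for each Password attacks subclass (Section 5.3).
PASSWORD_ATTACK_IMPLICATION = {
    "Guess": "weak password approach",
    "Crack": "access to the password file (e.g. from a backup tape)",
    "Harvest": "low awareness in the password protection area"}


def leaf_paths(tree: Tree, prefix: Path = ()) -> List[Path]:
    """Every root-to-leaf path; an incident is filed under exactly one leaf."""
    paths: List[Path] = []
    for name, sub in tree.items():
        here = prefix + (name,)
        paths.extend(leaf_paths(sub, here) if sub else [here])
    return paths


def check_mutually_exclusive(tree: Tree) -> List[str]:
    """Mutual exclusiveness as a checkable property: every full path occurs once.
    Leaf labels may repeat (Integrity attacks sits under both Data and Program);
    only the complete path has to be unique. Returns the duplicates found."""
    seen, dups = set(), []
    for path in leaf_paths(tree):
        key = " / ".join(path)
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def encode(tree: Tree, path: Path) -> str:
    """Assumed coding scheme: 1-based position at each level, joined by dots,
    e.g. ('Data', 'Insert', 'Improper data') -> '1.1.1'. Rejects unknown
    categories and inner (non-leaf) categories so a form cannot file an
    incident somewhere the taxonomy does not allow."""
    node: Optional[dict] = tree
    digits: List[str] = []
    for name in path:
        if node is None or name not in node:
            raise KeyError(f"{name!r} is not a category at this level of {path}")
        digits.append(str(list(node).index(name) + 1))
        node = node[name]
    if node is not None:
        raise KeyError(f"{path} is an inner category; file the incident under a leaf")
    return ".".join(digits)


def prevention_hint(platform: Path) -> str:
    """Prevention implication for the platform leaf, where the paper states one."""
    pw = ("Without authorization", "Masquerade", "Impersonation", "Password attacks")
    if platform[:4] == pw and len(platform) == 5:
        return PASSWORD_ATTACK_IMPLICATION[platform[4]]
    return "no subclass-specific implication recorded"


@dataclass
class Incident:  # assumed reporting-form record
    incident_id: str
    platform: Path
    method: Path


def encode_incident(inc: Incident) -> Dict[str, str]:
    """Database row for one incident: codes for both taxonomies plus the hint."""
    return {"id": inc.incident_id,
            "platform_code": encode(PLATFORM, inc.platform),
            "method_code": encode(METHOD, inc.method),
            "prevention_hint": prevention_hint(inc.platform)}


# Constructed sample incident (not a case from the paper): a guessed password
# used to enter bogus claims.
SAMPLE = Incident("CONSTRUCTED-001",
                  ("Without authorization", "Masquerade", "Impersonation", "Password attacks", "Guess"),
                  ("Data", "Insert", "Improper data"))

if __name__ == "__main__":
    for label, tree in (("platform", PLATFORM), ("method", METHOD)):
        print(label, len(leaf_paths(tree)), "leaves; duplicates:", check_mutually_exclusive(tree))
    print(encode_incident(SAMPLE))
```

Because `encode` refuses inner categories, a reporting form built on it forces the reporter down to a leaf (for a password attack, to Guess, Crack or Harvest), which is exactly where the paper says the countermeasures differ; the uniqueness check makes the Section 5.2 property mechanically re-verifiable whenever the taxonomy is expanded or refined.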

6. Conclusions and future research

When opportunities abound, and there is a potential supply of motivated offenders who perceive the chances of detection and prosecution as being very low [16], the risk of computer fraud must be considered very high. The very stealth of computer fraud often avoids attention. However, as the consequences of high-grade attacks, such as financial fraud or theft of proprietary information, can be very high [12, 13] and far-reaching, they must not be overlooked in security planning [37]. As [1] remarks, no industry is left untouched by this fast-growing phenomenon. The technical aspects of electronic systems are designed to be fraud-proof; however, human nature is such that fraud is likely to be a perennial problem [27]. Further, as [1] argues, there is no such thing as small frauds, only large ones given insufficient time to grow (that is, detected). Although the computer fraud risk cannot be eliminated, proactive steps can reduce it considerably. The risk of loss is higher with strategies of detection because the crime is ongoing or has just occurred, hence the ability to stop or recover the loss is limited. Therefore, proactive measures should prevail, be appropriate to the level of risk, and be reassessed regularly [6]. The contribution of this paper, written from a prevention perspective, is twofold. First, it clearly explained what computer fraud is and is not. Second, it proposed a taxonomy of computer fraud with respect to perpetration platform, and to perpetration method. The taxonomy presented in this paper, devised from a prevention perspective, can be used in several ways. First, the taxonomy can be used as an awareness and education tool. Second, it can assist those charged with combating computer fraud to design and implement policies that address the risk. Third, the taxonomy can be used in connection with an encoding scheme to encode the incidents. Fourth, our taxonomy can be used to design reporting forms and accompanying databases. Last, the taxonomy can provoke future research. This research can be continued in the following directions:
- A taxonomy with respect to types of computer frauds and consequences for organizations;
- The use of malware in perpetrating computer fraud; and
- Information security strategies for the prevention of computer fraud.

7. References
[1] Albrecht, W. S., Howe, K. R., Romney, M. B. (1984) Deterring Fraud: The Internal Auditor's Perspective, The Institute of Internal Auditors Research Foundation, Altamonte Springs, Florida.
[2] Álvarez, G. and Petrović, S. (2003) A new taxonomy of Web attacks suitable for efficient encoding, Computers & Security, Vol. 22, No. 5, pp. 435-449.
[3] Anderson, J. P. (1980) Computer Security Threat Monitoring and Surveillance, Technical Report Contract 79F296400, April 1980.
[4] AusCERT (2003) Australian computer crime & security survey, Last accessed: 18 May, 2003, URL: http://www.auscert.org.au/render.html?it=2001&cid=1920.
[5] AusCERT (2002) Australian Computer Crime and Security Survey, Last accessed: 12 June, 2002, URL: http://www.auscert.org/Information/Auscert_info/new.html.
[6] Australian National Audit Office (2000) Australian Taxation Office Internal Fraud Control Arrangements, Report No. 16.
[7] Bologna, J. and Shaw, P. (1996) Corporate Crime Investigation, Butterworth-Heinemann.
[8] Brenner, S. W. (2001) Is There Such a Thing as "Virtual Crime"?, 4 Cal. Crim. Law Rev. 1.
[9] Cohen, F. (2002) Computer Fraud Scenarios: Robbing the Rich to Feed the Poor, Computer Fraud & Security, Vol. 2002, Iss. 1, December, pp. 5-6.
[10] Collier, P. A., Dixon, R. and Marston, C. L. (1990) The prevention and detection of Computer Fraud, The Chartered Institute of Management Accountants.
[11] Council of Europe (2001) Final Draft Convention on Cyber-crime, Last accessed: 1 August, 2002, URL: http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm.
[12] Dhillon, G. and Moores, S. (2001) Computer crimes: theorizing about the enemy within, Computers & Security, Vol. 20, No. 8, pp. 715-723.
[13] Dhillon, G. (1999) Managing and controlling computer misuse, Information Management & Computer Security, 7/4, pp. 171-175.
[14] Doyle, C. (2002) Computer fraud and abuse laws: An overview of federal criminal laws, Novinka, New York.
[15] Ellingson, J. F. (1998) Devising an Information Based Strategy for Fighting Fraud, Journal of Internet Security, Vol. 1, No. 1, September.
[16] Etter, B. (2001) The forensic challenges of e-crime, 7th Indo-Pacific Congress on Legal Medicine and Forensic Sciences, Melbourne, Australia.
[17] Gilbert (1997) Law Dictionary, Harcourt Brace Legal and Professional Publications.
[18] Gillies, P. (1993) Criminal Law, Law Book Co., North Ryde, N.S.W., Australia.
[19] Goldstein, J., Dershowitz, A. M. and Swartz, R. D. (1974) Criminal law: Theory and process, The Free Press, New York.
[20] Graycar, A. and Smith, R. (2002) Identifying and Responding to Corporate Fraud in the 21st Century, speech to the Australian Institute of Management (20 March 2002).
[21] Greenspan, A. (2002) Monetary Policy Report to the Congress, July 16, 2002.
[22] Howard, J. D. and Longstaff, T. A. (1998) A Common Language for Computer Security Incidents, Sandia Report SAND98-8667.
[23] Howard, J. D. (1997) An Analysis of Security Incidents on the Internet, Ph.D. dissertation, Carnegie Mellon University, Pittsburgh, Pennsylvania.
[24] Jayaram, N. D. and Morse, P. L. R. (1997) Network Security - A Taxonomic View, European Conference on Security and Detection, School of Computer Science, University of Westminster, UK, 28-30 April 1997.
[25] Knight, E. (2000) Computer Vulnerabilities, www.securityparadigm.com, March 2000.
(...) Privacy, Oakland, California, USA, May 4-7, IEEE Computer Society Press, pp. 154-163.
[33] Lough, L. D. (2001) A taxonomy of computer attacks with applications to wireless networks, PhD dissertation, Faculty of the Virginia Polytechnic Institute and State University, Blacksburg, Virginia.
[34] McPhee, W. S. (1974) Operating System Integrity in OS/VS2, IBM Systems Journal, 13(3), pp. 230-252.
[35] Neumann, P. G. (1995) Computer related risks, ACM Press.
[36] Neumann, P. G. and Parker, D. B. (1989) A Summary of Computer Misuse Techniques, 12th National Computer Security Conference, pp. 396-407.
[37] Panko, R. R. (2002) Corporate Computer and Network Security, Prentice Hall.
[38] Parker, D. B. (1998) Fighting computer crime: A new framework for protecting information, John Wiley and Sons, New York.
[39] Perry, T. S. and Wallich, P. (1984) Can Computer Crime Be Stopped?, IEEE Spectrum, 21(5), pp. 34-45, May 1984.
[40] Podgor, E. S. (1999) Criminal Fraud, American University Law Review, Vol. 48, No. 4.
[41] Schultz, E. E. (2002) A framework for understanding and predicting insider attacks, Computers & Security, Vol. 21, No. 6, pp. 526-531.
[42] Shover, N. and Wright, J. P. (2001) Crimes of privilege: readings in white-collar crime, Oxford University Press.
[43] Smedinghoff, T. J. (1996) Online Law, The SPA's Legal Guide to Doing Business on the Internet, Addison-Wesley Developers Press.
[44] Stallings, W. (1995) Network and Internetwork Security Principles and Practice, Prentice Hall, Englewood Cliffs, NJ.
[45] Stevenson, G. (2000) Computer Fraud: Detection and Prevention, Computer Fraud & Security, Vol. 2000, No. 11, pp. 13-15.
[46] Stephen, J. F. (1883) A History of the Criminal Law of England, Vols. I-III, Macmillan and Co. (reprinted by William S. Hein & Co., Inc., Buffalo, New York).
[47] United Nations (1994) Manual on the prevention and control of computer-related crimes, International Review of Criminal Policy, Nos. 43 and 44.
[48] U.S.
Department of Justice (2003) Computer Intrusion Cases, Last accessed: 21 May, 2003, URL: http://www.usdoj.gov/criminal/cybercrime/cccases.html. [49] U.S. Department of Justice (2002) Last accessed: 21 May, 2003, URL: http://www.usdoj.gov/usao/md/press_releases/press02/john_m_r usnak_pleads_guilty.htm. [50] Waller, L. and Williams, C. R. (2001) Criminal law: Text and cases, 9th Ed., Butterworths.

[26] Krauss, L. I. and MacGaham, A. (1979) Computer Fraud and Countermeasures, Prentice-Hall, New Jersey. [27] Kreltszheim, D. (1999) Identifying the proceeds of electronic money fraud, Information Management & Computer Security, 7/5, pp. 223-231. [28] Krsul, I. V. (1998) Software Vulnerability Analysis, Ph.D. dissertation, Purdue University, May 1998. [29] Landwehr, C. E., Bull, A. R., McDermott, J. P. and Choi, W. S. (1994) A Taxonomy of Computer Program Security Flaws, with examples, ACM Computing Surveys 26, 3 (Sept.). [30] Landwehr, C. E. (1981) Formal models for computer security, Computing Surveys, Vol. 13, No. 3, September. [31] Lanham, D., Weinberg, M., Brown, K. E. and Ryan, G. W. (1987) Criminal fraud, The Law Book Company Limited, Sydney. [32] Lindqvist, U. and Jonsson, E. (1997) How to Systematically Classify Computer Security Intrusions, Proceedings of the 1997 IEEE Symposium on Security &

0-7695-2056-1/04 $17.00 (C) 2004 IEEE

You might also like