The End of the (Ab)User-Friendly Era: Comments on Peter Neumann's "Computer Security and Human Values"
Sanford Sherizen
Today truly is a wonderful time to be a computer criminal. Not only is there an increasing number of criminal opportunities, but these are the perfect crimes for the 1990's. Persons who would not be willing to use a gun to hold up someone on the street may be quite willing to simply press a few computer keys in order to steal. For those who like a clean crime, it can be a bloodless act, and the victim need not be faced directly. The public views these acts as less than serious crimes, equal to but different from other white collar crimes. Prevention is quite difficult, while the chances of getting caught are minimal and of getting punished almost zero. What great incentives to commit crime! And what great public crime control policy issues to resolve.

Computer crimes have evolved from exotic incidents to a major societal issue. They have quickly moved from hacks to attacks, from fooling around to fouling up, and from violations to virucide. In order to fight computer crime, society, and computer professionals in particular, face some very difficult decisions on some very fundamental issues. This is a serious moment in our society, as we seek to establish an appropriate balance between old law and new technology.

Peter Neumann's quite difficult task in developing his paper on "Computer Security and Human Values" was to consider appropriate measures to protect against computer criminals while, at the same time, stressing fundamental human values. To his credit, Neumann has successfully resisted easy answers and abstract theory. He drew from his expertise and his intimate knowledge of the world of risks to present a broad perspective on what computer security can and should mean. His analysis serves as a useful supplement to the excellent Computers at Risk. The strength of his paper is that he has expanded the usual definitions of computer problems and computer security objectives. That perspective is quite appropriate for this time and this conference, since it does not restrict public policy discussions to time-limited or technology-limited considerations.

Peter Neumann has once again served the computing community with his insights, providing us with an important agenda to consider. He has also avoided getting stalled on some of the current hot computer security topics, such as encryption standards, export controls, and Operation Sun Devil. Yet he has given us a "vocabulary" containing the types of questions to raise in evaluating some of these emerging issues, as well as those issues that we cannot even anticipate at this time.

There are several points that I feel have not been sufficiently covered in this fine paper. What has been covered in the paper is excellent, but there is more that needs to be added. Those points I will cover in my comments. My only complaint about his paper is that he has said so much and said it so clearly that he has not left much room for discussion. That creates a difficulty in reviewing his paper. Nevertheless, I am guided by the great words of the unknown author who said, "One who hesitates is not only lost but miles from the nearest exit." So, without any hesitation, here are my comments.

2. Understanding the Computerization of Crime

Neumann introduces his paper by stating that he will take a broad view of undesirable human activities. That is a very necessary perspective, and it is also refreshing to find in information security. Too often, human aspects are neglected or put into quite separate and often under-appreciated security awareness/management sections. Seldom is there an integrated socio-technical approach to the computer crime problem. However, as pleased as I am that social aspects are considered, I think that his paper contains just the tip of the behavioral issues that must underlie a sophisticated and effective computer security approach.

It is necessary to understand even more of the human aspects than are found in his discussion. We need to establish where the social and psychological lines are drawn between normal and deviant, between allowed and disallowed, between expected and unexpected, between wanted and unwanted. To start with, we need to know more about typical users and their normal uses of computers and information. We do not even know, for example, the ways by which average users define authorized and unauthorized activities in their work (as distinct from official policy and system decisions). How do users draw their own lines as to what they consider appropriate and inappropriate? How many employees view certain uses of their office computers as similar to pens, pencils, and paper in the office, that is, as perquisites or benefits that are available for the taking? Is there something about computer-mediated work (Zuboff), which "disappears behind the screen," that is more prone to crime and abuse? Do certain organizations structure their work relationships in such a way that they become "criminogenic" (see Sherizen [90]) environments, i.e., crime-producing or crime-inducing structures?

Beyond the "normal," Neumann's model also needs more details about the crime aspect of the computer crime concept. While information security practitioners talk about crime, the field of information security does not understand the basics of criminal behavior and crime control measures. More directly stated (Sherizen [90]):

It is ironic that the field of information systems security lacks sufficient insights concerning computer criminals. Information security's operating models and procedures contain a number of largely untested and possibly quite incorrect assumptions about how and why computer criminals function. These assumptions serve as the platform upon which controls and safeguards have been established. Certainly, the computer aspects of computer crime have quite appropriately been stressed. Yet other important aspects, addressing how opportunities are created for crime and the motivations that shape the crime, are given short shrift.

In order to meet the challenge created by increasing computer crimes, the field of information security needs to add criminological concepts to the information security database and to more definitively place crime control concepts within the information security process.

Computer crime can best be understood as the computerization of traditional crimes, particularly economic or white collar crimes, as discussed by Sherizen [87]. While new crimes are possible with the use of computers (either those for which laws have not been defined or which are so unique that they were not possible without the technology), the majority of computer crimes are well known behaviors that existed prior to computerization. While computers have changed the nature and potential damage that can occur, computer crime developments have quite predictable features that follow the history of other crimes.

Computer crime must also be understood as composed of individual behavior as well as organizational behavior. We must move away from the "good organization/bad individual" model of computer crime. Neumann mentions that organizations may also commit computer crimes. This point is not well recognized or often discussed. There is an almost unconscious dichotomy that suggests that computer crime is composed of individuals as attackers and organizations as victims. The "Organization as Computer Criminal" needs to be recognized as a problem area. Examples of this type of crime are aspects of competitor intelligence gathering, insider trading activities, programming of supermarket scanners that overcharge shoppers, government snooping, illegal collection of personal information, money laundering, and many other examples found in RISKS.

Finally, there is a need to build on our knowledge of the history of crime to prepare for what could turn out to be very different computer crime in the future. One specific aspect of this is to understand that crime often evolves from an activity of individuals to an organized activity. Hackers (the bad kind) are indeed a problem, but they may pale in comparison with what I would consider an almost inevitable progression into a larger scale, coordinated, and well planned computer crime onslaught led by professional criminals. We may look back at 1991 as the quite benign days when hackers and virus makers were the only problem.

While these behavioral issues add complexity to the Neumann model and require additional sets of questions to be answered, they also add conceptual substance to controlling computer crime while meeting human values, the theme that Neumann and the conference so well represent.
The Research Center on Computing & Society