NCJ Number
46832
Date Published
1978
Length
80 pages
Annotation
THE USE OF AN EXTENSIVE FILE OF ACTUAL CASES OF COMPUTER MISUSE AS A BASIS TO DEVELOP RANKED LISTS OF COMPUTER SAFEGUARDS THAT WOULD HAVE PREVENTED OR DETECTED THE RECORDED INTENTIONS IS REPORTED.
Abstract
A TAXONOMY OF COMPUTER VULNERABILITY WAS DEVELOPED AND IT FORMED THE BASIS FOR A DEFINITION OF INTENTIONAL COMPUTER MISUSE. AS A WORKING DEFINITION, COMPUTER MISUSE IS DEFINED AS AN INTENTIONAL ACT DIRECTED AT OR COMMITTED WITH A COMPUTER SYSTEM OR ITS ASSOCIATED EXTERNAL DATA OR PROGRAM ACTIVITIES IN WHICH THERE IS UNAUTHORIZED MODIFICATION, DISCLOSURE, DESTRUCTION OR THEFT OF DATA, PROGRAMS, EQUIPMENT, SUPPLIES, OR UNAUTHORIZED USE OR DENIAL OF A COMPUTER SERVICE OR PROCESS. THE CASE FILE OF COMPUTER MISUSE WAS REVIEWED AND CASES WERE DISTRIBUTED INTO APPROPRIATE VULNERABILITY CATEGORIES. NEXT, THE CASE FILES WERE REVIEWED TO IDENTIFY THE PREVENTION AND SAFEGUARD MECHANISM IN EACH CASE THAT WOULD HAVE MITIGATED THE MISUSES. A SAFEGUARD MODEL BASED ON ORGANIZATIONAL STRUCTURE WAS DEVELOPED TO PROVIDE A BASIS FOR DESCRIBING, IDENTIFYING, AND DISTRIBUTING EACH SAFEGUARD. ACCORDINGLY, SAFEGUARDS WERE CLASSIFIED INTO CATEGORIES BEARING THE NAMES OF THE ORGANIZATIONAL ELEMENT RESPONSIBLE FOR STARTING OR CARRYING OUT THE SAFEGUARD. THIS TYPE OF MODEL ALLOWS USERS TO CHANGE THE MODEL TO REFLECT THE STRUCTURE OF THEIR ORGANIZATION. FURTHER, IT EMPHASIZES THAT COMPUTER SECURITY IS AN ORGANIZATIONAL PROBLEM AND NOT JUST A DATA PROCESSING OR INTERNAL AUDIT PROBLEM. IN ADDITION, LISTS ARE PROVIDED RANKING PREVENTION AND DETECTION SAFEGUARDS WITHIN A VULNERABILITY CATEGORY, WITH AN EXPLANATION OF THE METHOD OF APPROACH USED TO ARRIVE AT THE LISTS. THE RANKING OF NECESSITY IS NOT ABSOLUTE AND REFLECTS THE APPLICABILITY OF THE SAFEGUARDS AGAINST PAST CASES OF MISUSE. A LIST OF 88 COMPUTER SAFEGUARDS IS GIVEN IN AN APPENDIX.