I’ve decided that Sarbanes-Oxley auditors have it wrong. After 4 years, they look for the wrong things, often costing companies millions of dollars. Their focus is often on minutiae, leaving the lowest-hanging fruit untouched.
Why did this happen? Because they haven’t learned from history and they don’t understand the root cause of it all: corrupted humans.
In February, I wrote Psychology of Fraud – Today’s Issues (http://securitycatalyst.com/2007/02/20/psychology-of-fraud-todays-issues/). It was an attempt to remind readers that no matter how well we lock down the technology, it only takes one human to corrupt the system. We need to understand the psychology of fraud and why humans do what they do in order to prevent it from occurring. It’s my way of educating our readers on what’s been said in the past to address today’s issues.
I’ve done some thinking on the subject since then and I’ve decided to revisit Cressey’s fraud triangle. To commit fraud or any other illegal / immoral action, a person needs three things: Access, Knowledge, and Intent. Without all three, intentional fraud will not occur. This differs from Cressey’s triangle, which didn’t take into account today’s information technology.
Here’s my definition of each requirement:
– Access. Physical or logical ability to enter, touch, or reach a resource. In computers, this is often controlled by network rules and a user id and password.
– Knowledge. To be familiar or have experience with an object or resource. This means having the concepts and the ability to know what to do after you have accessed the resource.
– Intent. The purpose or anticipated outcome that guides a person’s planned actions. Here, that means knowingly causing damage to the resource.
This example illustrates how the three requirements fit together: I am given a login id and password to our Mainframe, therefore I have access. Not only that, but I am given full administrator rights to it. The problem is that I’m a neophyte on the Mainframe; I barely even know how to log on. Plus, I like my organization and don’t want to cause them harm. Therefore, I’m missing two of the three requirements for fraud: knowledge and intent. Even though I have access, there is little risk of my causing harm. Granted, the biggest risk in this scenario is my making a mistake, but that’s another issue.
This is where auditors and Sarbanes-Oxley have it wrong: you can’t audit against knowledge and intent. You can only audit access rights. So that’s what auditors do. They make the wrong assumption that access equals potential fraud or abuse. However, that’s not true. Just because a certain user has access does not mean they know what they’re doing or that they will cause meaningful harm.
Auditors and security professionals need to understand this new fraud triangle and how it fits into the risk equation. Using these concepts promotes the proper balance of security within an organization, thereby reducing costs while improving security.
What do you think? Does this make sense? Is it something you can use? Join us in the Security Catalyst forums to discuss this and other hot security topics.
By working together, we all become stronger.