Abstract
The problem of the insider threat is extremely challenging to manage as it involves trusted entities who have legitimate authorization to the information infrastructure of an organization. It has been reasoned that the framing of the Fraud Pentagon may assist in predicting and preventing white collar crimes such as fraud. The Fraud Pentagon considers the elements of motivation, capability, rationalization, opportunity and arrogance which converge in a crime scenario. The current study considers the value of using the Fraud Pentagon in examining insider attacks. This paper evaluates this theoretical framing from an insider threat perspective, thereby assisting researchers, organizations and information security practitioners in understanding its complexity and its application to the insider threat problem.
Copyright information
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Padayachee, K. (2021). A Theoretical Underpinning for Examining Insider Attacks Leveraging the Fraud Pentagon. In: Furnell, S., Clarke, N. (eds) Human Aspects of Information Security and Assurance. HAISA 2021. IFIP Advances in Information and Communication Technology, vol 613. Springer, Cham. https://doi.org/10.1007/978-3-030-81111-2_15
DOI: https://doi.org/10.1007/978-3-030-81111-2_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81110-5
Online ISBN: 978-3-030-81111-2
eBook Packages: Computer Science, Computer Science (R0)