In lieu of an abstract, here is a brief excerpt of the content:

Chapter 7
Managing the Risks of Data Theft, Identity Theft and Fraud

“Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing had happened.” —Winston Churchill

The focus of this chapter is on the development of a general model for managing data theft, identity theft and fraud risks. The purpose of the model is to provide advice on how to contain and counter such risks in an organized manner. The model’s concept is similar for organizations and for consumers, although the details of the risks and how to manage them differ substantially between these two classifications. Small businesses also differ from large businesses in the approach they need to take to managing IDTF risks, because they typically cannot afford to employ security specialists to manage these risks, but usually assign this responsibility to an employee as just one among multiple responsibilities. For this reason, the first section of this chapter deals with an organizational model for large organizations, the second section tailors the organizational model to small and medium business, and the third deals with the same conceptual model but adapted specifically for consumers.

Organizational IDTF Risk Management

Identity theft and fraud criminal activities are, or should be, strong motivators for governments and organizations to protect and secure their systems, databases and other assets against intrusion and loss. The continuing increase in the number and cost of data breaches, primarily from external attacks, should be incentive enough to assign a high priority to securing the organization against such attacks. A recent survey of IT security specialists at Canadian organizations (Hejazi and Lefort 2008) studied the costs of data breaches and found that these are growing at a rapid rate, with average annual loss per organization now exceeding $400,000.

This figure can provide some guidance in determining suitable resource allocation to manage related issues, subject of course to the size of the organization and those aspects of its operations that involve confidential databases. Although the focus of this book is on IDTF, this specific risk is only one of multiple risks that need to be addressed in an integrated manner through enterprise risk management (ERM) (Beasley, Clune et al. 2005; Fraser, Schoening-Thiessen et al. 2007; Walker and Shenkir 2008). ERM is emerging as a new paradigm for policy makers interested in mechanisms to improve corporate governance and risk management. Information security and privacy assurance are responsibilities in all organizations, but setting up a comprehensive, fully assured environment is likely to be both technically and financially difficult. Organizations often handle these responsibilities with a ‘bottom up,’ ad hoc and uncoordinated perspective that deals separately with each type of risk and has no comprehensive plan. In the case of IDTF, this may mean certifying individual systems through ad hoc processes or focusing on protection from external threats alone. What organizations need is a comprehensive, enterprise-wide risk management approach that is economically practicable and that includes the management of information security and privacy across the organization. The requirements must be addressed through both business processes and the technical infrastructure (Anderson and Rachamadugu 2008), beginning with a knowledge base of both processes and infrastructures that can support strategic planning and prioritized, risk-based investment and management.

Based partially on a framework proposed by Jamieson, Smith et al. (2009) for managing IDTF in organizations, we will develop frameworks in this chapter for managing risks from IDTF, first for medium to large organizations, then for small businesses and then for consumers. The organizational perspective differs between medium to large organizations and small organizations due primarily to the resources, organizational units and strategies required. For consumers, the perspectives are again different, since consumer concerns are directed towards protecting themselves as individuals, while organizations need to guard against both internal and external threats to the organization and to its customers. Our model in each instance is based on the three phases of Jamieson et al.’s model (anticipatory, reactionary and remediation) for managing identity fraud in organizations, with a significant adaptation of the model for consumer management of identity theft.

Managing IDTF Risks

In this section, we develop a general framework for organizations and individuals to manage and mitigate IDTF threats. The framework includes three phases in a process that can deal with different aspects: a) understand...