Summary: | This research provides a 'rich insight' into the management of Information Systems (IS) security within the context of computer fraud committed by employees. It argues that management within organisations can impact the understanding of employees (at low-level positions) as to what is 'acceptable' practice when abiding by IS security policies and procedures. Therefore, the growing problem of computer fraud does not occur because of 'bad people', but rather because of IS security loopholes within the organisation. Such loopholes can create 'suitable opportunities' where employees may find that the rewards of committing an act are higher than the chances of being caught. This research departs from the traditional functionalist view and approaches the problem of computer fraud from a socio-technical perspective to employ an interpretive research approach. This constitutes a major contribution to IS security studies. It uses the Crime Specific Opportunity Structure model from criminology as the conceptual framework for initial data collection of the single embedded case study. The findings of the case study (at Technology Corporation) suggest that perceptions of IS security held by employees at high-level positions influence how employees at low-level positions comply with IS security guidelines. To illustrate this argument, this research introduces the notion of "Shared Responsibility" from victimology to reduce the gap between 'espoused theory' and 'theory-in-use'. Although there were no 'reported' cases of computer fraud committed by employees in Technology Corporation, implications are drawn on the role management's perceptions about IS security play in the context of facilitation, precipitation and provocation and consequently, a working environment created where 'suitable opportunities' may exist for employees to commit computer fraud (input type in particular).
|