
1. Reading review questions.

a. What four common classifications are often associated with computer crime?
Target. This category is comprised of computer crimes where the criminal targets the system or
its data. The objective of these crimes is to impact the confidentiality, availability, and/or
integrity of data stored on the computer.
Instrumentality. Computer as the instrumentality of the crime uses the computer to further a
criminal end. In crimes targeting the computer, the data are the object of the crime; in this case,
the computer is used to commit a crime.
Incidental. This type of computer crime encompasses crimes where the computer is not
required for the crime but is related to the criminal act. The use of the computer simplifies the
criminal actions and may make the crime more difficult to trace.
Associated. The simple presence of computers, and notably the growth of the Internet, has
generated new versions of fairly traditional crimes. In these cases, technological growth
essentially creates new crime targets and new ways of reaching victims.
b. What computer crime-related risks and threats are associated with information systems?
Fraud, Error, Service Interruption and Delays, Disclosure of confidential information, Intrusions,
Information theft, Information manipulation, Malicious software, Denial-of-service attacks, Web
site defacements, Extortion
c. What categories are commonly associated with computer criminals? Describe each category.
A script kiddie describes a young, inexperienced hacker who uses tools and scripts written by
others for the purpose of attacking systems.
Hacker refers to someone who invades an information system for malicious purposes.
Cyber-criminals are hackers driven by financial gain. These individuals possess advanced skills
and have turned to hacking not for the challenge, but for the money.
Organized crime: criminal organizations have been getting into spamming, phishing, extortion,
and all other profitable branches of computer crime.
Corporate spies: information is now stored on network systems with physical access no longer
required to access it. Corporate spies have begun taking advantage of this by turning to
computer intrusion techniques to gather the information they desire.
As critical infrastructures become reliant on computers and networks for their operations,
terrorists could seriously disrupt power grids, telecommunications, transportation, and others if
they were to exploit vulnerabilities to disrupt or shut down critical functions.

Insiders represent the largest threat to a company's information systems and underlying
computer infrastructure, but, as the network perimeter gradually disappears, the threat from
external sources is likely to increase.
d. How can organizations safeguard against computer crime? How can they detect it and
recover from it if it happens? What role does CoBIT play in those tasks?
Physical security controls are required to protect computers, related equipment, and their
contents from espionage, theft, and destruction or damage by accident, fire, or natural disasters.
They involve the use of locks, security guards, badges, alarms, and similar measures to control
access to computers, network equipment, and the processing facility. Other forms of controls
such as smoke and fire detectors and generators are implemented to protect against threats
such as fire and power outages. Sometimes referred to as logical controls, technical security
controls involve the use of safeguards incorporated in computer and telecommunication
hardware and software. Firewalls, encryption, access control software, antivirus software, and
intrusion detection systems fall into the category of technical security controls.
e. What is CoBIT? What are the seven information criteria discussed in the CoBIT framework?
CoBIT is ISACA's Control Objectives for Information and Related Technology.
Effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability of
information.
f. Respond to the questions for this chapter's AIS in the Business World.
What is computer crime? Computers also have become facilitators for criminals, providing them
with new methods of perpetrating classic forms of crimes and creating many new business
opportunities for these criminals.
3. Multiple choice review.
1. Carter suggested a four-part taxonomy of computer crime, comprising:
b. Target, instrumentality, incidental, and associated.

2. According to the U.S. Department of Justice, which of the following is defined as any illegal act
for which knowledge of computer technology is used to commit the offense?
a. Fraud
3. The largest threat to a company's information systems comes from:
d. Insiders.
4. The three fundamental principles that guide the development and implementation of IT
controls are:
c. Confidentiality, availability, and data integrity.

5. In the CoBIT accountability framework, disclosures about information governance control
flow from ___ to ___.
a. IT and information security management; board of directors

6. Applying Carter's taxonomy. Which element(s) of Carter's taxonomy apply to each of the
following situations? If more than one category applies, explain why.
a. A bookkeeper steals cash as it comes into the company. The bookkeeper later falsifies
accounting entries using general ledger software to cover the trail: instrumentality and
incidental
b. A bored teenager initiates a denial-of-service attack on his Internet service provider's
information system: instrumentality
c. A disgruntled employee uses a previously installed back door into an information system to
lock out other users by changing their passwords: target and associated
d. A gang of criminals breaks into a local retail store. They steal all the store's computers and
then later hack into them for the purpose of identity theft: associated
e. A pair of computer criminals uses e-mail to contact victims for an illegal pyramid scheme.
They use money from new investors, rather than profits, to pay off old investors, keeping most
of the money themselves: instrumentality
f. A recently fired employee laid the groundwork for corporate espionage by installing spyware
on the company's network: target and instrumentality
g. A student discovers the password to his university's information system. He then hacks the
system to change grades for himself and his friends: target and instrumentality
h. A woman impersonates her wealthy employer, stealing personal information about the
employer from her bank's information system: incidental
9. CoBIT information criteria. Indicate which of the CoBIT information criteria are violated in
each of the following independent scenarios. Justify your choices.
a. Financial statements for the year ended December 31, 2011, are completed and published in
June 2012: efficiency, the information is provided through the optimal (most productive and
economical) use of resources.
b. A company with $1 million in annual revenues maintains an accounting information system
with paper journals and ledgers: availability, the information is available when required by the
business process, now and in the future. It also concerns the safeguarding of necessary
resources and associated capabilities.
c. Employee names, identification numbers, job classifications, and addresses are posted on a
company Web site: confidentiality, sensitive information is protected from unauthorized
disclosure.
d. A careless employee spilled a soft drink on a file server. The server was damaged and could
not be used for three days: efficiency, the outage slowed everything down and delayed work.
e. The CEO and CFO fail to provide the documents required by the Sarbanes-Oxley Act:
compliance: the information complies with those laws, regulations and contractual
arrangements to which the business process is subject.
10. Internal controls. For each situation presented in the preceding problem, suggest one or
more internal controls. Classify the controls as preventive, detective, or corrective.
Internal control is at least as important in a computerized information system as it is in manual
systems. Physical controls are perhaps the simplest type: locking doors, installing alarms, and
requiring identification badges are some examples. Technical controls are part of the computer
hardware and software themselves; think of firewalls, virus detection software, and access
controls in this group. Finally, administrative controls refer to management policies and
procedures designed to promote information security. For example, organizations may develop
a clear information security policy and/or require periodic security training for employees.
