Biwer.net

CHAPTER III

METHODOLOGY

Three methods were used to obtain information for this thesis.  The literature review focused on computer and business publications. A mail survey of mid-range computer users in the Twin Cities area was conducted regarding computer crime and abuse.  Five key information sources, three law enforcement officials and two computer security authors, were interviewed.  A limitation of the interviews was the unavailability of a fourth law enforcement official, a violator and a victim.

In an effort to obtain names for possible AS/400 victims of computer crime and abuse, I asked News 3X/400, a major magazine for the IBM AS/400 market, to run the following in their contacts and connections column:

“Computer Crime and Abuse Examples Wanted

A candidate for an M.A. in management seeks information for his thesis on computer crime and abuse involving AS/400s.   If you've been a victim, please share your story. Contact Jim Biwer ................................”.

The request was published in the August 1994 issue of News 3X/400 on page eleven.

On a monthly basis, 32,000 copies of the English edition are printed, with an estimated circulation of 90,000.  Only two responses were received.

The first case involved a business situation that was not an example of computer crime and abuse.  It involved some questionable sales and billing tactics by IBM. I spoke with the owner of a New Jersey company that buys, sells and leases IBM systems.  He stated that in 1992, IBM sold ten medium-sized AS/400 systems to a new software development company.  The owner of the New Jersey company stated that the new company could have used one smaller system, not ten.  IBM delivered ten systems to an empty room to the company that had been in business for two weeks.  IBM billed the company $5 million. The new company sold most of the computers to the New Jersey sales and leasing company at a loss.  The president of the New Jersey company later submitted a pre-paid order to IBM for $145,000 worth of features (parts) to be added to the systems.  IBM did not deliver the $145,000 in merchandise.  They kept the money, saying that it was a penalty for buying the computer at a discount within one year of the original sale. The New Jersey company tried to get the money back; IBM refused.  The New Jersey company suffered financial hardship and filed for bankruptcy.

This is one side of the story, some of which does not make sense.  This is not directly related to the thesis topic; however, it was one of the responses received.

The second response involves a letter I received from the country of Nauru.

Nauru is in the Central Pacific, with mail service through Melbourne, Australia. The letter stated that the government organization the writer works for had a case of computer crime.  Details were not provided.  After receiving the letter in September, 1994, I mailed a cover letter, the victim interview questionnaire and a copy of the survey to Rajeev Sharma in Nauru.  I did not receive a response. On July 7, 1995, I mailed a second letter.  Again, I did not receive a response. I mailed a third letter on July 21, 1995.  I have not received a response.

The remainder of this chapter will examine, in detail, the methods used in this study. 

Literature Review

There were two primary areas focused on during the literature review.

The first focus area, general information on computer crime, abuse and security, was necessary to gain a basic understanding of the topic.  The second focus area related to IBM AS/400 computer security.  The types of documents used for the literature review included books, magazine articles, newspaper articles, technical reference manuals and video tapes.

Interviews

Five personal interviews, either in-person or by telephone, were conducted to gather information from experts with knowledge relating to computer crime and abuse or AS/400 security.  Eight interviews were attempted; three interviews could not be completed.  The interviews were designed to obtain information from four types of key information sources: law enforcement, author/expert, victim and perpetrator.

Three law enforcement officials and two authors were interviewed. The interviews were designed to augment information obtained from the other methods and to provide current viewpoints from experts in the area.  Sample interview forms are included in the appendix.  The pre-approved questions asked during the interview varied depending upon the key informant source group of the interviewee.  The interviewee was given a printed copy of the questions a few days before the interview.

The following section describes the questions asked and the purpose of each question.

Some of the questions are used in multiple types of interviews. 

Interview questions for law enforcement officials:

Q1. Describe any local examples of computer crime and abuse.

Why: To determine if there has been or is a problem in this area.   Looking for leads for other interviews.  Looking for a local angle.

Q2. Has there been "a problem" in this area with computer crime and abuse?  Are there any trends, patterns, recent changes, etc.?

Why: Similar to question one, to determine if there has been a problem in this area and if so, have there been any changes in numbers or types of incidents.  Also to determine if there have been any noticeable patterns or trends.

Q3. Which laws are most frequently violated?

Why: To determine major types of violations in this area for comparison against other interviews and surveys.   

Q4. What is the conviction rate?

Why: To determine if those charged are being convicted, to determine the effectiveness of the arrest, prosecution and laws cited.

Q5. Do you believe that many violators go undetected, unreported or if reported, are not prosecuted?

Why: To determine if most crime and abuse is not prosecuted.   For comparison purposes against other sources.

Q6: How familiar are you, your staff and other members of the judicial system with state and federal laws dealing with computer crime and abuse?

Why: To determine if the interviewee is aware of the state and federal laws dealing with computer crime and abuse.

Q7: Do you feel that current computer crime laws are adequate?   If not, what changes do you feel are needed?

Why: To determine possible weak points in the current law.

Q8: Do you know of any cases of computer crime or abuse involving the IBM AS/400?

Why: To determine if there are any known cases relating to the AS/400.

Q9: Without violating data privacy laws, do you have the name of any local victims or violators that I could contact?

Why: To obtain leads for the other interviews and obtain a local angle, if present.

Q10. Do you have a computer system that allows data base retrieval of categories of "white collar" crime?

Why: To determine if an automated system exists for extracting data, based on category or type of crime.

Q11. What measures can organizations take to minimize their exposure to computer crime and abuse?

Why: To obtain suggestions that will be listed in chapter five.

Q12: Do prosecutors frequently use "traditional", non-computer related laws as a basis of charging violators?   If yes, why?

Why: To determine if current laws are adequate and used.  To determine if traditional laws are more effective than those designed for computer crime and abuse. 

Interview questions for authors:

Q1. Describe any local examples of computer crime and abuse.

Why: To determine if there has been or is a problem in this area.   Looking for leads for other interviews.  Looking for a local angle.

Q2. Has there been "a problem" in this area with computer crime and abuse?  Any trends, patterns, recent changes, etc.?

Why: Similar to question one, to determine if there has been a problem in this area and if so, have there been any changes in numbers or types of incidents.  Also to determine if there has been any noticeable change in patterns or trends.

Q3. Which laws are most frequently violated?

Why: To determine major types of violations in this area, for comparison against other interviews and surveys.

Q4. What is the conviction rate?

Why: To determine if those charged are being convicted, to determine the effectiveness of the arrest, prosecution and laws cited.

Q5. Do you believe that many violators go undetected, unreported or if reported, are not prosecuted?

Why: To determine if most crime and abuse is not prosecuted. For comparison purposes against other sources.

Q6: How familiar are you, your staff and other members of the judicial system with state and federal laws dealing with computer crime and abuse?

Why: To determine if interviewee is aware of the state and federal laws dealing with computer crime and abuse.

Q7: Do you feel that current computer crime laws are adequate?   If not, what changes do you feel are needed?

Why: To determine possible weak points in the current law.

Q8: Do you know of any cases of computer crime or abuse involving the IBM AS/400?  If yes, please describe.

Why: To determine if there are any known cases relating to the AS/400.

Q9: Without violating data privacy laws, do you have the name of any local victims or violators that I could contact?

Why: To obtain leads for the other interviews and obtain a local angle, if present.

Q10. Do you have a computer system that allows data base retrieval of categories of "white collar" crime?

Why: To determine if an automated system exists for extracting data, based on category or type of crime.

Q11. What measures can organizations take to minimize their exposure to computer crime and abuse?

Why: To obtain suggestions that will be listed in chapter five.

Q12: Do prosecutors frequently use "traditional", non-computer related laws as a basis of charging violators?   If yes, why?

Why: To determine if current laws are adequate and used. To determine if traditional laws are more effective than those designed for computer crime and abuse.

Q13: How, when and why did you become interested in computer security, crime and abuse?  What do you like/dislike about the topic?

Why: To determine author's reason for writing about the topic.

Q14. What are the major impacts of computer crime and abuse?   Discuss types and estimated losses.

Why: To obtain information, for comparison purposes against other sources. 

Interview questions for victims:

Q1: Please describe what happened, in detail.

Why: To determine the sequence and severity of events.

Q2: How and when did you discover the problem?

Why: To determine how long the event went unnoticed.  To determine how the event came to the attention of the organization.

Q3: Describe the hardware and software involved.

Why: To determine the operating environment of the organization.

Q4: What security changes, if any, have been made since the incident?

Why: To determine if the victim organization corrected factors that may have contributed to the incident.

Q5. Do you believe that many violators go undetected, unreported or if reported, are not prosecuted?  Please estimate numbers or percentages.

Why: To determine if most crime and abuse is not prosecuted.   For comparison purposes against other sources.

Q6: How familiar are you, your staff and other members of the judicial system with state and federal laws dealing with computer crime and abuse?

Why: To determine if interviewee is aware of the state and federal laws dealing with computer crime and abuse.

Q7: Do you feel that current computer crime laws are adequate?   If not, what changes do you feel are needed?

Why: To determine possible weak points in the current law.

Q8: Do you know of any cases of computer crime or abuse involving the IBM AS/400?  If yes, please describe.

Why: To determine if there are any known cases relating to the AS/400.

Q9: Describe your feelings concerning the investigation and prosecution process. What suggestions do you have for improving the process?

Why: To determine the victim's thoughts regarding how the case was handled by the law enforcement and prosecution officials.

Q10: What measures can organizations take to minimize their exposure to computer crime and abuse?

Why: To determine the victim's awareness and interest. 

Interview questions for violators:

Q1: Please describe what happened, in detail.

Why: To determine the sequence and severity of events.

Q2: What were you charged with?

Why: To determine which laws were used by the prosecutor.

Q3: Describe the hardware and software involved.

Why: To determine the operating environment of the organization.

Q4: What security changes, if any, would have prevented you from doing these activities?

Why: To determine if the victim could have prevented the incident.

Q5. Do you believe that many violators go undetected, unreported or if reported, are not prosecuted?  Please estimate numbers or percentages.

Why: To determine if most crime and abuse is not prosecuted.   For comparison purposes against other sources.

Q6: How familiar are you, your staff and other members of the judicial system with state and federal laws dealing with computer crime and abuse?

Why: To determine if interviewee is aware of the state and federal laws dealing with computer crime and abuse.

Q7: Do you feel that current computer crime laws are adequate?   If not, what changes do you feel are needed?

Why: To determine possible weak points in the current law.

Q8: Do you know of any cases of computer crime or abuse involving the IBM AS/400?  If yes, please describe.

Why: To determine if there are any known cases relating to the AS/400.

Q9: Describe your feelings concerning the investigation and prosecution process. What suggestions do you have for improving the process?

Why: To determine the violator's thoughts regarding how the case was handled by the law enforcement and prosecution officials.

Q10: What measures can organizations take to minimize their exposure to computer crime and abuse?

Why: To determine the violator's awareness and interest.

Q11: Please describe your computer training and experience.

Why: To determine the violator's formal computer training and experience. 

Survey

A survey was mailed to 120 non-vendor members of QUSER, the Twin Cities AS/400 user group.  The purpose of the survey was to obtain information relating to computer security, crime and abuse from the viewpoint of local mid-range computer users.  The majority of the information obtained from the previous two methods, the literature review and key informant interviews, was general in nature and across multiple computer platforms.  The survey focused on those professionals responsible for the IBM AS/400 computers in the local area.  The QUSER membership consists of professionals from organizations, both non-profit and for profit, using one or more multi-user AS/400 computers.

The survey was primarily designed to gather information relating to the respondent's experience with computer security, crime and abuse on the AS/400.

The four general topics covered were: familiarity with laws, AS/400 environment, problems with computer crime or abuse, and demographics.  A sample of the complete survey form is included in the appendix.  The following section contains abbreviated questions without the multiple choice responses.  The results of the survey are summarized in chapter four.

Q1: I am knowledgeable of current state laws involving computer crime and abuse.

Why: To determine respondent's awareness of the subject.

Q2: I am knowledgeable of current federal laws involving computer crime and abuse.

Why: To determine respondent's awareness of the subject.

Q3: How many security related system values have been modified to something other than the original (shipped) value?

Why: To determine how many, if any, security system values have been changed.

Q4: The system security level (QSECURITY) is currently set at ____.

Why: To determine the current security level.

Q5: The security auditing level (QAUDLVL) is currently set at *NONE, the default, shipped value.

Why: To determine if security auditing is active.

Q6: The number of local workstations (terminals or PC's) attached to the AS/400 is __.

Why: To determine the hardware environment and the approximate number of users.

Q7: The number of remote workstations (terminals or PC's) attached to the AS/400 is __.

Why: To determine the hardware environment and the approximate number of users.

Q8: Our environment allows users to communicate with the AS/400 via a personal computer modem.

Why: To determine if personal computers can access the system via telecommunications.

Q9: The current environment provides adequate protection against possible internal (employee initiated) threats of computer crime and abuse.

Why: To determine if the respondent feels that the current security environment is adequate against internal threats.

Q10: The current environment provides adequate protection against possible external threats of computer crime and abuse.

Why: To determine if the respondent feels that the current security environment is adequate against external threats.

Q11: How often are the AS/400 passwords changed per year?

Why: To determine how often passwords are changed.

Q12: The current environment has adequate off-site backup of all system and user libraries.

Why: To determine if off-site backups are available if needed.

Q13: Our organization has been the victim of computer crime or abuse.

Why: To determine if the organization feels they have been a victim.

Q14: The greatest threat of computer crime or abuse is from ____ sources.

Why: To determine if internal or external sources are thought to be the greatest threat.

The following seven questions were asked to determine if the responding person has had a problem with and/or considers the item a threat.

Q15: Unauthorized use, duplication or theft of software.

Q16: Hardware theft.

Q17: Unauthorized modification or destruction of data.

Q18: Unauthorized program changes.

Q19: Hardware damages.

Q20: Unauthorized computer room access.

Q21: Unauthorized computer use.

Q22. Personal computer viruses.

Why: To determine the types of past problems and future threats.   Also, to determine the severity of the problem or threat.

Q23: Our management information systems (MIS) organization is audited at least once a year by outside auditors or internal MIS auditing specialists.

Why: To determine if MIS is audited on a regular basis.

Q24: Our organization has published policies or guidelines relating to the proper use of computer hardware and software.

Why: To determine if formal, written documentation has been prepared.

Q25: Our AS/400 is connected to an uninterruptible power supply (UPS).

Why: To determine if a UPS is available.

Q26: Our AS/400 is housed in a limited access computer room.

Why: To determine basic physical access threat.

Q27: Indicate the number of years of professional, computer related experience you have had.

Why: To determine the number of years of professional experience.

Q28: Indicate the highest formal educational level achieved.

Why: To determine the educational level.

Q29: Indicate your position/title.

Why: To determine the position the respondent holds in the organization.

In summary, the methodology consisted of a literature review, key informant interviews and a survey of local AS/400 users.  The next chapter will discuss the results of the methodology.
