
IMCS 12,2

Cyberterrorism, computer crime, and reality


C. Bryan Foltz
College of Business Administration, East Carolina University, Department of Decision Sciences, Greenville, North Carolina, USA

Keywords Computer crime, Information systems, Data security, Terrorism

Abstract The term cyberterrorism is being used with increasing frequency today. Since widespread concern with cyberterrorism is relatively new, understanding of the term is somewhat limited. Government officials and experts are often heard claiming that the world is unprepared for cyberterrorism; however, other officials and experts state that cyberterrorism does not pose a threat to anyone. Examines the reasons for these disparate viewpoints and reviews the theoretical and actual forms in which cyberterrorism may occur. Further, proposes the use (and refocusing) of an existing model of computer security to help understand and defend against cyberterrorism.

Introduction

Cyberterrorism – the very word conjures images of terrorists sitting in darkened rooms on the other side of the world, using the Internet to launch missiles, shut down power grids (Desouza and Hensgen, 2003), block emergency systems (Desouza and Hensgen, 2003), interrupt nuclear power plants and dams, or to launch other attacks. However, some questions do remain. What is cyberterrorism? Has it ever really been used against anyone? What kind of damage could cyberterrorism really inflict? What can be done to stop it? The purpose of this paper is to demonstrate that cyberterrorism is real and does pose a threat. This paper also proposes the use of a model of computer security to understand and defend against cyberterrorism.

Information Management & Computer Security, Vol. 12 No. 2, 2004, pp. 154-166. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220410530799

Cyberterrorism – what is it?

The term cyberterrorism is being used with increasing frequency today. However, there is no widely agreed-upon definition. In fact, the term has been used to describe actions as varied as stealing data and hacking (Embar-Seddon, 2002), planning terrorist attacks (Desouza and Hensgen, 2003), causing violence (Pollitt, 2001), or attacking information systems (Denning, 2000). What, then, is cyberterrorism?

There are countless definitions for this term in the literature. These definitions range from incredibly broad to very focused. For example, Yasin’s (1999, p. 1035) definition of cyberterrorism as “concerted, sophisticated attacks on networks” is very broad and all-inclusive. Denning (2000) provides an alternative definition that incorporates the type of motivation, the purpose (or desired outcome) of the attack, and the objects of the attack. Denning (2000) defines cyberterrorism as:

. . . the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political and social objectives.

In addition, Denning’s (2000) definition specifically recognizes that the threat of cyberterrorism could have the same impact as a cyberterrorist attack. Pollitt (2001) suggests that cyberterrorism “is the premeditated, politically motivated attack against information, computer systems, and data which result in violence against noncombatant targets by subnational groups and clandestine agents.” This is similar to Denning’s (2000) definition but also describes the groups launching the attack. Pollitt’s (2001) definition also specifies that an act of cyberterrorism must result in violence. Bronskill (2001) recognizes that the Internet could be used to plan and coordinate more conventional terrorist activities by defining cyberterrorism as “the extent to which cyber-techniques are used for espionage, sabotage, or terrorism”. Finally, McFeatters (2001) suggests that cyberterrorism could also be focused on economic targets. Stanton (2002) suggests that distinguishing between vandalism and terrorism is becoming increasingly difficult. Desouza and Hensgen (2003) suggest that one possible way of differentiating between cyberterrorism, hacking, and vandalism is by understanding the motivation or intention of the person or group launching the attack. For example, Desmond (2002) suggests that most people would not view a 14-year-old launching a virus as cyberterrorism; however, launching a virus attack could easily be viewed as cyberterrorism. The intentions and motivation of the person launching the attack should be considered. Desmond’s hypothetical 14-year-old probably has much different intentions and motivations than a cyberterrorist group. A stereotypical 14-year-old could be motivated by a number of factors, such as a desire for attention, a desire to cause trouble, or the desire to prove themselves capable of launching a virus attack. A cyberterrorist group will probably have more specific goals or objectives. 
While accurately defining the term has proven difficult, the motivation of the individuals responsible actually sets cyberterrorism apart from other forms of computer crime. This leads back to the initial question: what is cyberterrorism? Since cyberterrorism is a relatively new phenomenon, our understanding of this issue continues to evolve. Many existing definitions have presented either a very narrow or a very broad view of cyberterrorism. All of these viewpoints are valid and contribute to our understanding of the issue; however, combining these definitions provides a more comprehensive understanding of the issue. Combining the definitions presented above suggests that cyberterrorism is an attack or threat of an attack (Denning, 2000), politically motivated (Denning, 2000; Pollitt, 2001), intended to:

- interfere with the political, social (Denning, 2000), or economic (McFeatters, 2001) functioning of a group, organization, or country; or
- induce either physical violence (Pollitt, 2001) or the unjust use of power; or
- in conjunction with a more traditional terrorist action (Bronskill, 2001).

The threat of cyberterrorism

We have become extremely dependent upon computers and information systems (National Research Council, 1991). However, these systems are at risk from a variety of sources, including cyberterrorism. The threat of cyberterrorism is very different from other, more traditional threats, and has become a major concern for most countries. A report by the Institute for Security Technology Studies at Dartmouth College (Vatis, 2001) suggests that cyberterrorists now pose a significant threat and that cyberattacks are increasing in frequency, scope, and sophistication. Oceans and friendly neighboring countries offer no protection against cyberterrorism, as the US Commission on Critical Infrastructure Protection notes (Wehde, 1998). Further, cyberterrorism attacks may come in many different forms.

Forms of cyberterrorism

Cyberterrorism attacks can take many different forms, as noted in the variety of definitions presented earlier. This diversity makes cyberterrorism both difficult to define and difficult to stop. Table I presents a sample of possible cyberterrorism scenarios as described by a variety of authors. These threats include interfering or disrupting information and communications networks, infrastructure systems, banking and finance systems, transportation systems, emergency services, and government services. Virus attacks are also a form of cyberterrorism. As indicated within Table I, most of these cyberterrorism threats could be politically motivated. Further, the majority of the threats, both general and specific, tend to result in political, economic, or violent attacks. This brief examination suggests that the proposed definition of cyberterrorism is appropriate in scope and content.

One of the most frightening specific forms of cyberterrorism involves penetration of a military facility resulting in missile launches (Embar-Seddon, 2002). While this sounds horrible, such an event is unlikely to occur. As Embar-Seddon (2002) notes, military installations such as this are not normally connected to the Internet in any manner – thus, a cyberterrorist would be unlikely to be able to break into the system via the Internet. Other scenarios posed by various authors include unauthorized access, modification, or theft of information. For example, a cyberterrorist could access a manufacturing facility and alter the formula used to produce a drug (Wehde, 1998) or other product, such as cereal (Pollitt, 2001) so that the resulting products are lethal. Pollitt (2001) notes that such changes are likely to be detected by quality assurance systems in place within the manufacturing plants. Other forms of cyberterrorism could focus on the banking and financial industry, the civilian infrastructure, or emergency services (Embar-Seddon, 2002). Of course, advances in technology, such as the advent of wireless networks, pose additional risks.

In addition to the forms of cyberterrorism just discussed, the Internet can be used to support more traditional terrorist activities. For example, terrorists have used the Internet to purchase airline tickets (Gordon and Ford, 2002) and to locate targets (Levin, 2002). While these activities do fall within Bronskill’s (2001) definition of cyberterrorism, they are simply legitimate uses of the Internet, despite the underlying motivations and intentions.

Table I. Cyberterrorism threats

Columns: Threat; Source; Political motivation; Political attack; Economic attack; Violent attack

Information and communications
- Access a drug manufacturer and alter formulas to be deadly
- Access hospital records and change patient blood type
- Stolen information could be of great value (i.e. troop movements, etc.)
- Manipulating perceptions, opinion, and the political and socioeconomic direction
- Facilitating identity theft
- Web page defacement (for political purposes)
- Modification of recipe for commercial cereal to include lethal levels of an ingredient (Pollitt suggests this would be detected by quality control mechanisms and would probably alter taste/appearance anyway)

General infrastructure issues
- Electrical power systems
- Gas and oil (production, transportation and storage)
- Water supply systems

Banking and finance
- Disrupt banks, international financial transactions, stock markets
- Manipulate stock prices

Transportation

Emergency services

Government services (Embar-Seddon, 2002)
- Launching missiles (This is not possible, because missile and defense systems are on isolated systems, not on computers that are networked to the Internet) (Embar-Seddon, 2002)

Viruses
- Virus attack on power generating station’s computer command center could be as destructive as a bomb

Sources cited in Table I: Pollitt, 2001; Embar-Seddon, 2002; Wehde, 1998; Gordon and Ford, 2002; Stanton, 2002; Gengler, 1999; Desouza and Hensgen, 2003.

Has cyberterrorism actually occurred?

Documented instances of cyberterrorism have not occurred in all the forms presented in Table I. Desouza and Hensgen (2003) note that some authors question the existence of cyberterrorism, suggest that cyberterrorism cannot harm anyone, and argue that no one has actually died as a result of cyberterrorism. Unfortunately this argument fails to consider possible future consequences. The threat of cyberterrorism exists, even if no acts of cyberterrorism have ever been committed. Desouza and Hensgen (2003) also note that others feel that cyberterrorism is real and harmful. These two disparate points of view simply reflect the huge variation in actions labeled as cyberterrorism. A narrow definition of cyberterrorism leads to a smaller number of reported instances (of cyberterrorism), while a broader definition leads to a larger number of reported instances.

Table II presents a number of cyberterrorism incidents. A brief examination suggests that most of these incidents were, or could have been, politically motivated. Further, many of these incidents resulted in disruptions of the political, social, or economic functioning of various groups, organizations, or countries, physical violence, or the unjust use of power. Most of these incidents fall within the proposed cyberterrorism definition, thus suggesting that the scope and content are appropriate.

These cyberterrorism incidents range from simple Web site defacement to the theft of nuclear research data. A number of these incidents occurred in response to other events, including other cyberattacks, physical attacks, and kidnappings. Perhaps the most disturbing is the loss of internal and external communications suffered by NATO following allied air strikes on Kosovo and Serbia in 2000 (Montgomery, 2003). This small, but concerning, list of actual cyberterrorism incidents illustrates the need to better understand cyberterrorism and defenses against cyberterrorism.

Preventing cyberterrorism

Cyberterrorism as a form of computer crime or misuse

Although cyberterrorism is a somewhat new phenomenon, attacks on computer systems have been a concern since the early 1960s (Skinner and Fream, 1997). Computer crime and misuse have been defined as “unauthorized, deliberate, and internally recognizable misuse of assets of the local organizational information system by individuals” (Straub, 1986, p. 27). Examples of activities which are considered misuse include violations against hardware, software, data, and service (Straub, 1986).
Cyberterrorism and computer crime and misuse both target the same vulnerabilities using the same tools (Hulme, 2002) and methodologies (Desmond, 2002). Existing research on computer crime and misuse can be used as a reference for the study of cyberterrorism. Studies of information systems misuse and computer crime often focus upon the source of misuse. Kuong (1992) established a taxonomy[1] distinguishing between the various sources of misuse:

- The enemy within represents organizational employees of a non-technical nature who have legitimate access to the information system.
- The enemy without refers to individuals not employed by the organization.
- The enemy within/within includes organizational employees occupying positions within the IS department or otherwise having privileged access to the information systems.
- The enemy within/without refers to collusion between external individuals (the enemy without) and internal personnel of either a non-technical nature (the enemy within) or technical nature (the enemy within/within).

In the past, most computer security violations were attributed to insiders (the enemy within or the enemy within/within) (Lang, 1995) or other trusted individuals (Anthes, 1996). A recent survey by the Computer Security Institute suggests that this trend may be changing (Power, 2002). The 2002 CSI/FBI Computer Security Survey suggests that attacks on computer systems originating outside the organization (the enemy without) now outnumber those originating within the organization (Power, 2002). This could be attributed to the ever-increasing number of viruses and denial of service attacks, which tend to come from the outside (although this type of attack could be launched from within). Barring so-called moles or sleepers, cyberterrorists would typically be considered the enemy without.

Table II. Acts of cyberterrorism

Columns: Act of cyberterrorism; Source; Political motivation; Political attack; Economic attack; Violent attack

Information and communications
- Theft of “sensitive nuclear research” from India by Pakistani hackers (in response to the dispute over Kashmir)
- Web page defacements have increased by five times since 1999 (in response to the dispute over Kashmir)
- Access hospital records and change patient blood type
- NATO infrastructure and Web servers were attacked following allied air strikes on Kosovo and Serbia during 2000. NATO e-mail servers were swamped with e-mails containing viruses. Internal and external communications were shut down for days. The attacks were blamed on “military hackers hired by the Former Republic of Yugoslavia”

General infrastructure issues
- US interests suffered a weeklong cyberattack following the collision of an American surveillance plane and a Chinese fighter in April 2001. Over 1,200 sites were hit with either DDoS attacks or defacements

Banking and finance
- The Bank of Israel and the Tel Aviv stock exchange suffered cyberattacks launched by pro-Palestinian hackers in 2002

Transportation

Emergency services

Government services

Viruses

Sources cited in Table II: Montgomery, 2003; Gengler, 1999; Embar-Seddon, 2002; Stanton, 2002.

Models of computer security

In response to ongoing concern about computer security, a number of different models of computer security have been proposed within the literature. Some of these models, such as the Bell-LaPadula model, the Biba model, and the Clark-Wilson model, work within the traditional CIA (confidentiality, integrity, availability) framework. Other models draw upon behavioral theory in an attempt to stop misuse by examining individual behavior. A few models also incorporate criminological theory.

CIA models

The Handbook of Information Security Management summarizes several models of computer security. Many of these models focus on protecting data confidentiality and integrity but do not consider concepts drawn from the reference disciplines of psychology and criminology. For example, the Bell-LaPadula model, first proposed in 1973 (LaPadula, 1996), assigns access levels to objects (data and information), and to subjects (users or other processes capable of modifying data). Subjects are granted read permission for objects stored at or below their (the subjects’) access level, write permission for objects at or above their access level, and read-write permission for objects at their access level (Krause and Tipton, 1998). The Biba integrity model, the first model to address integrity, deals with confidentiality in a manner very similar to the Bell-LaPadula model (Krause and Tipton, 1998).
However, the Biba model also requires that processes cannot modify data stored at higher security levels, as this would be a threat to the data already stored at the higher level (Krause and Tipton, 1998). The Clark-Wilson model also focuses on integrity but concentrates on well-formed transactions and the separation of duties (Krause and Tipton, 1998). Other CIA models include the Goguen-Meseguer model, the Southerland model, and the Brewer-Nash model (Krause and Tipton, 1998). The CIA models all offer some degree of protection against cyberterrorism; however, as Bort (2002) notes, these goal-oriented models are somewhat limited, even in terms of defending organizations against computer misuse, let alone cyberterrorism.

Behavioral models

A number of computer security models focus on individual behavior. These models typically incorporate existing models of human behavior drawn from the reference discipline of psychology, such as Ajzen’s (1988) theory of planned behavior (Figure 1). The theory of planned behavior (TPB) suggests that individuals who intend to commit a behavior tend to commit that behavior. Further, intentions are based on three factors: attitude, subjective norms, and perceived behavioral controls. Attitude refers to an individual’s opinions about a behavior, while subjective norms refer to an individual’s perception of how referent others view the behavior (peer pressure). Perceived behavioral control refers to a person’s evaluation of their ability to commit the behavior in question (Ajzen, 1988).

Figure 1. The theory of planned behavior

The TPB has been found to explain the behavior of computer misuse (Foltz et al., 2002). Further, Peace et al. (2003) proposed and tested a TPB-based computer security model incorporating concepts from the theory of general deterrence (TGD) and expected utility theory. All components of their model were found to be statistically significant. Lee and Lee (2002) also suggested a computer security model based upon the TPB. In their model, Lee and Lee (2002) incorporated the TGD, social bond theory, and social learning theory. These models are intended to explain why individuals commit misuse and to help change their behavior. As such, the TPB appears to be an excellent choice to help prevent computer misuse. However, using the TPB to modify behavior assumes that the organization has some form of access to the individuals in question. As mentioned earlier, this is often untrue in the case of cyberterrorism.

Straub’s computer security model

Straub’s (1986) computer security model (CSM), as seen in Figure 2, is a general model of computer security. The CSM does not specify authorization levels or access rights; rather it suggests that organizations need a three-layered defense to protect against information systems misuse and computer crime. The first layer of defense, deterrents, is based on the TGD (Straub, 1986). Deterrents are basically policies explaining the acceptable and unacceptable uses of organizational information systems (Straub, 1986). Several studies have found deterrents to be helpful in reducing the amount of misuse within organizations (Klette, 1975; Straub, 1987). Preventives are the second layer of the CSM (Straub, 1986). These are active measures such as passwords and encryption that are designed to block intrusions.
Preventives are effective against both the enemy within and the enemy without since they actually limit access to the information systems. The third and final layer of Straub’s CSM is detectives (Straub, 1986). Detectives are designed to detect misuses after they have occurred so that the recovery process can begin. Detectives do not block misuse from occurring; rather, they alert systems administrators so that the appropriate corrective measures can be taken[2].
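The Bell-LaPadula and Biba rules summarized under "CIA models" can be written as a small reference monitor that refuses an access (a preventive) and records each refusal (input for a detective). This is an added example, not code from the article or from the cited models' authors; the level names, the `Label` and `ReferenceMonitor` classes, and the sample subject and objects are hypothetical, and the Biba read rule is the standard strict integrity policy, which the article does not spell out.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Constructed three-step ordering used for both kinds of label."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Label:
    conf: Level   # confidentiality level, checked by Bell-LaPadula
    integ: Level  # integrity level, checked by Biba


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula as summarized in the article: read at or below, write at or above."""
    if op == "read":
        return obj <= subject
    if op == "write":
        return obj >= subject
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba: no modifying data at a higher integrity level (the article's rule).

    The read rule (no reading lower-integrity data) is the standard strict
    integrity policy; the article does not state it.
    """
    if op == "write":
        return obj <= subject
    if op == "read":
        return obj >= subject
    raise ValueError(f"unknown operation: {op}")


@dataclass
class ReferenceMonitor:
    """Preventive: refuses the access. Detective input: records each refusal."""
    denials: list = field(default_factory=list)

    def check(self, who: str, subj: Label, what: str, obj: Label, op: str) -> bool:
        failed = []
        if not blp_allows(subj.conf, obj.conf, op):
            failed.append("bell-lapadula")
        if not biba_allows(subj.integ, obj.integ, op):
            failed.append("biba")
        if failed:
            self.denials.append((who, op, what, tuple(failed)))
            return False
        return True


# Constructed sample subject and objects (not from the article).
ANALYST = Label(conf=Level.MEDIUM, integ=Level.MEDIUM)
OBJECTS = {
    "field_report": Label(Level.MEDIUM, Level.MEDIUM),
    "war_plan": Label(Level.HIGH, Level.HIGH),
    "bulletin": Label(Level.LOW, Level.LOW),
    "signed_advisory": Label(conf=Level.LOW, integ=Level.HIGH),
}


def demo():
    """Run every read/write against every sample object; return decisions and the denial log."""
    monitor = ReferenceMonitor()
    results = {}
    for name, label in OBJECTS.items():
        for op in ("read", "write"):
            results[(name, op)] = monitor.check("analyst", ANALYST, name, label, op)
    return results, monitor.denials


if __name__ == "__main__":
    results, denials = demo()
    for (name, op), ok in results.items():
        print(f"{op:5} {name:16} {'allow' if ok else 'deny'}")
    for entry in denials:
        print("audit:", entry)
```

When an object carries the same level on both labels, only same-level access passes both models; the separately labelled advisory can be read by the analyst but not written.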


Figure 2. The computer security model

Applying the computer security model to cyberterrorism

The CSM is intended to safeguard information systems against attack. As such, the CSM can be used to block some forms of cyberterrorism. However, a number of issues must be considered. For example, preventives and detectives may be more readily applied to cyberterrorists than deterrents. Deterrents are designed to be more effective against insiders (the enemy within and the enemy within/within), since outsiders cannot readily be induced to read (let alone obey) organizational policies and procedures. Further, organizations can typically reprimand or discipline employees or other insiders. This ability to reprimand or punish is critical to the success of deterrents. As mentioned earlier, deterrents are based upon the TGD, which suggests that punishing offenders prevents other potential offenders from committing the same crime (Nagin, 1978). However, the certainty and severity of punishment are critical to the success of deterrents (Nagin, 1978). If the probability of punishment for a crime is small or if the punishment is mild, deterrents will not be effective. Since individuals such as cyberterrorists exist outside the organization, the probability of punishment is fairly low. This suggests that deterrents may have little or no impact on external cyberterrorist groups. This lack of impact suggests the need to refocus defensive efforts away from deterrents and toward other defensive mechanisms, such as preventives and detectives. This modification is graphically depicted in Figure 3.

Preventives should be effective against many forms of cyberterrorism. Preventives are designed to limit the damage caused by network intrusions and similar forms of attack, whether launched from inside or outside the organization (Straub, 1986). Preventives can also defend against some Internet-based attacks, including virus attacks.
Preventives also defend against distributed denial-of-service attacks, although they normally cannot prevent such attacks from being launched from locations outside the organization. Thus, preventives are effective in blocking some, but not all, forms of cyberterrorism.

The final layer of the CSM, detectives, is designed to discover attacks that have penetrated both the deterrents and preventives. Detectives are especially important for protecting against attacks from the enemy within/within. In an organizational setting, the enemy within/within is usually a highly technical person, possibly even the person responsible for the organization’s security. Although background checks and careful hiring practices may limit risk, audits and other methods used to detect misuse protect the organization from this type of enemy. In the realm of cyberterrorism, an individual or individuals could be planted within the organization or government body, positioned to do as much damage as possible. Although the CSM cannot prevent such an attack, the proper use of detectives may discover these attacks in a timely fashion so that damage can be limited.

Figure 3. The cyberterrorism computer security model

The above discussion points out that the CSM can theoretically be applied to the new issue of cyberterrorism. However, some aspects of cyberterrorism differ from information systems misuse and computer crime. For example, the CSM and most other discussions of information systems misuse and computer crime assume that the perpetrator(s) want to avoid capture. However, cyberterrorists may have a different point of view. First, cyberterrorists may be geographically distant from their targets. This distance may lead to a perception of safety, especially when national boundaries separate the cyberterrorist and the target. Second, cyberterrorists may follow the example set by numerous suicide bombers. Relieved from the burden of remaining anonymous and hidden, a suicide cyberterrorist could wreak even greater havoc than ever. As Montgomery (2003) summarizes, “It’s easy to hack and cause enormous damage if you don’t care about getting caught.” Finally, the CSM cannot guard against legitimate uses of the Internet or other information systems used to support terrorism.

Modifying the computer security model for use with cyberterrorism

Although the CSM can theoretically be applied to cyberterrorism, the effectiveness of the CSM against cyberterrorism could be enhanced in a number of ways. For example, deterrents could be modified to be more applicable to outsiders.
Also, CSM implementation could be refocused to depend more upon preventives and detectives, rather than deterrents. The effectiveness of the CSM may also be enhanced by better reporting and punishment of cyberterrorism incidents.

Although deterrents are often viewed as the cornerstone of computer security (Backhouse and Dhillon, 1995), they may not be as effective when dealing with cyberterrorism. As mentioned earlier, organizations can require employees to read computer usage policies (deterrents) and can punish employees for failing to comply with these policies. Unfortunately, organizations cannot influence outsiders as easily. However, deterrents could be more strongly implemented at the national and international level. The creation of national (preferably international) policies and procedures regarding the capture, transfer, and punishment of cyberterrorists should act as a deterrent, even to individuals outside the targeted organizations. Unfortunately this solution would be difficult or impossible to implement immediately.

Another approach to improving the CSM’s effectiveness against cyberterrorism relies on the preventive and detective layers of the CSM. Although deterrents have proven somewhat effective in blocking computer misuse (Klette, 1975; Straub, 1987), preventives and detectives may be more applicable to cyberterrorism. Rather than trusting deterrents to prevent cyberterrorism from occurring, organizations should focus on actively protecting themselves through the use of appropriate software and policies. Refocusing the CSM toward preventives and detectives should increase its effectiveness against cyberterrorism.

This focus on preventives and detectives should also incorporate greater organizational awareness of cyberterrorism and potential defensive mechanisms. All employees within the organization need to understand the basic issues surrounding cyberterrorism, the threat to their organizations, and potential defensive mechanisms. Users should be encouraged to watch for common attack methods as well as any unusual activity that could pose a risk. Further, users should be encouraged or required to install software and anti-virus updates as directed by their computer support personnel. Systems administrators, especially those directly involved with the security function, need ongoing training to stay current with the ever-changing threats posed by cyberterrorism and computer crime in general.
These individuals need sufficient time, financial, and managerial support to stay current. Finally, managers need to take a proactive, rather than reactive, stance with regard to cyberterrorism. They need to understand the potential losses associated with cyberterrorism in order to balance the cost of security measures against those potential losses. Of course, managers should encourage their employees to learn about different threats and to utilize available defensive mechanisms (preventives and detectives).

All discovered cyberterrorism incidents should be reported to the proper authorities. Further, organizations victimized by cyberterrorism attacks should actively seek legal prosecution of responsible parties. As the TGD suggests, the certainty and severity of punishment greatly influence the effectiveness of deterrents (Nagin, 1978). By reporting and prosecuting all discovered cyberterrorism incidents, organizations and nations could possibly increase the effectiveness of deterrents by informing potential cyberterrorists that consequences will be associated with their actions. Of course, the establishment of national and international laws and treaties governing cyberterrorism would make reporting and prosecuting cyberterrorism easier. However, in the absence of such laws and treaties, organizations should still be encouraged to report and prosecute cyberterrorists.

Conclusion

Cyberterrorism is viewed as a threatening, frightening issue. However, questions remain about the true threat posed by cyberterrorism. This debate is further fueled by the plethora of definitions proposed for the term “cyberterrorism.” These definitions range from very narrow to very broad. Many authors utilizing narrow definitions claim that cyberterrorism does not pose a threat to the world as it has never occurred and cannot harm anyone anyway. However, a broader (more cautious) point of view suggests that cyberterrorism is real and does pose a threat to the security of governments and organizations throughout the world.

Although cyberterrorism is a relatively new issue, information systems misuse and computer crime have been a concern within the literature for years (Skinner and Fream, 1997). As a result of this concern, numerous models of computer security have been proposed. Of these, Straub’s (1986) computer security model seems most applicable to the prevention of cyberterrorism. Although the CSM can serve as a basis for understanding and preventing cyberterrorism, the CSM cannot address all forms of cyberterrorism. The CSM could be made more applicable to cyberterrorism with a few modifications, such as the utilization of deterrents applicable to those outside the organization, a greater reliance on preventives and detectives, and increased reporting and prosecution of cyberterrorists.

Notes

1. Some individuals may fall into more than one category or may change categories due to employment changes. For example, a recently terminated employee would be classified as an enemy without even though such a person would have an insider’s knowledge. Kuong’s taxonomy does not address these issues.
2. Computer security software systems often incorporate both preventive and detective functions.

References

Ajzen, I. (1988), Attitudes, Personality, and Behavior, The Dorsey Press, Chicago, IL.
Anthes, G.H. (1996), “Hack attack: cyberthieves siphon millions from US Firms”, Computerworld, Vol. 30 No. 16, p. 81.
Backhouse, J. and Dhillon, G. (1995), “Managing computer crime: a research outlook”, Computers & Security, Vol. 14 No. 7, pp. 645-51.
Bort, J. (2002), “Time for a new security model”, Network World, Vol. 19 No. 30, pp. s6-s8.
Bronskill, J. (2001), “CSIS on alert for cyber saboteurs: spy agency monitors threat to computer networks”, Ottawa Citizen, 9 January, p. A3.
Denning, D.E. (2000), Statement of Dorothy E. Denning, available at: www.house.gov/hasc/testimony/106thcongress/00-05-23denning.htm
Desmond, P. (2002), “Thwarting cyberterrorism”, Network World, Vol. 19 No. 7, pp. 72-4.
Desouza, K.C. and Hensgen, T. (2003), “Semiotic emergent framework to address the reality of cyberterrorism”, Technological Forecasting and Social Change, Vol. 70 No. 4, pp. 385-96.
Embar-Seddon, A. (2002), “Cyberterrorism: are we under siege?”, American Behavioral Scientist, Vol. 45 No. 6, pp. 1033-44.
Foltz, C., Cronan, P.T. and Jones, T. (2002), “Human behavior as a factor in the control of information systems misuse and computer crime”, Proceedings of the Decision Sciences Institute, DSI, Atlanta, GA, pp. 1246-51.
Gengler, B. (1999), “Politicians speak out on cyberterrorism”, Network Security, Vol. 1999 No. 10, p. 6.
Gordon, S. and Ford, R. (2002), “Cyberterrorism?”, Computers & Security, Vol. 21 No. 7, pp. 636-47.
Hulme, G.V. (2002), “Sound security policies combat cyberterrorism”, InformationWeek, No. 905, p. 22.


Klette, H. (1975), “Some minimum requirements for legal sanctioning systems with special emphasis on detection”, Proceedings of General Deterrence: A Conference on Current Research and Standpoints, National Swedish Council for Crime Prevention, Stockholm, pp. 12-59.
Krause, M. and Tipton, H.F. (Eds) (1998), Handbook of Information Security Management, CRC Press LLC, Boca Raton, FL.
Kuong, J.F. (1992), “Computer fraud – points of high exposure you should focus on when controlling and reviewing for fraud”, Computer Security, Auditing, and Controls, Vol. 19 No. 1, pp. 1-8.
Lang, C. (1995), “Who’s spying now?”, Netguide, Vol. 2 No. 7, pp. 44-50.
LaPadula, L.J. (1996), “Foreword”, Journal of Computer Security, Vol. 4 No. 2/3, pp. 233-8.
Lee, J. and Lee, Y. (2002), “A holistic model of computer abuse within organizations”, Information Management & Computer Security, Vol. 10 No. 2, pp. 57-63.
Levin, B. (2002), “Cyberhate”, American Behavioral Scientist, Vol. 45 No. 6, pp. 958-88.
McFeatters, A. (2001), “Cyber-enemy: America’s newest threat is lurking behind computer screens”, Pittsburgh Post-Gazette, p. E3.
Montgomery, G. (2003), “Cyberterrorism: ready to explode”, Australian Personal Computer, Vol. 292, April, pp. 26-9.
Nagin, D. (1978), “General deterrence: a review of the empirical evidence”, Deterrence and Incapacitation: Estimating the Effects of Criminal Sanctions on Crime Rates, National Academy of Sciences, Washington, DC, pp. 93-139.
National Research Council (1991), Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, DC.
Peace, A.G., Galletta, D.F. and Thong, J.Y.L. (2003), “Software piracy in the workplace: a model and empirical test”, Journal of Management Information Systems, Vol. 20 No. 1, pp. 153-77.
Pollitt, M.M. (2001), “Cyberterrorism – fact or fancy?”, available at: www.cosc.georgetown.edu/~denning/infosec/pollitt.html
Power, R. (2002), “2002 CSI/FBI computer crime and security survey”, Computer Security Issues and Trends, Vol. 8 No. 1.
Skinner, W.F. and Fream, A.M. (1997), “A social learning theory analysis of computer crime among college students”, The Journal of Research in Crime and Delinquency, Vol. 34 No. 4, pp. 495-518.
Stanton, J.J. (2002), “Terror in cyberspace”, American Behavioral Scientist, Vol. 45 No. 6, pp. 1017-32.
Straub, D.W. (1986), “Deterring computer abuse: the effectiveness of deterrent countermeasures in the computer security environment”, dissertation, Indiana University Graduate School of Business, Bloomington, IN.
Straub, D.W. (1987), “Controlling computer abuse: an empirical study of effective security countermeasures”, in DeGross, L.L. and Kriebel, C.H. (Eds), Proceedings of the International Conference on Information Systems, Pittsburgh, PA, ACM, Baltimore, MD, pp. 277-89.
Vatis, M.A. (2001), “Cyber attacks during the war on terrorism: a predictive analysis”, Institute for Security Technology Studies at Dartmouth College, NH.
Wehde, E. (1998), “US vulnerable to cyberterrorism”, Computer Fraud & Security, Vol. 1998 No. 1, pp. 6-7.
Yasin, R. (1999), “Heavyweights rally against Net hackers”, InternetWeek, Vol. 750, 29 January, p. 7.
