
Page 1: Control concepts — Who's buying?

October 1995 Computer Audit Update

I favour an annual statement by the Directors published alongside their Cadbury statement on the effectiveness of the Company’s system of internal controls. I appreciate that Cadbury relates to Public Companies but such a statement is good practice for any organization. There should be an initial full certification of all major applications and the IT infrastructure followed by full reviews when there are significant changes to systems. A review of change control procedures and activity should suffice for the annual statement where there have been no major changes during the year.

But who should certify?

But who should accredit or certify conformance with the Standard? The right people to review the adequacy of computer security for all computer systems are auditors who hold an IT qualification such as the Institute of Internal Auditors - UK’s Qualification in Computer Auditing (QiCA), ISACA’s Certified Information Systems Auditor (CISA), or the Institute of Chartered Accountants in England & Wales’ proposed Fellowship via the IT route.

There is an arguable case that the Institute of Internal Auditors - United Kingdom and Ireland’s MIIA qualification is an adequate IT qualification for simple computer systems.

In the case of internal auditors it is essential that their independence is demonstrated by their reporting lines. Audit Departments which report to a Finance Director who is also responsible for MIS would not be acceptable. Internal auditors who report to an independent Audit Committee of non-executive directors, as recommended in the Cadbury report on corporate governance, would be acceptable. Indeed, there is an argument for restricting the internal auditors who can certify to those who report to the Chairman or Board Audit Committee and hold the appropriate computer qualification.

CONTROL CONCEPTS - WHO’S BUYING?

Kevin McLean

Many organizations are not satisfied with the results of their IT security awareness programmes. The target is to achieve a major change in attitudes and behaviour throughout the organization. This article discusses how some marketing concepts can be used in designing and structuring an Information Security Awareness Programme.

1. Objectives and requirements for information security awareness

1.1 Introduction - the objectives for the controlled use of IT

The fundamental objectives of IT security management are to achieve low-risk IT systems and a low incidence of security breaches. Since this requires the willing cooperation of system users and technicians, it involves telling people what to do through standards, guidelines and other instructions, and motivating them to perform in the interests of good security. A Policy statement is (or should be) a strong starting position, but it will not usually stimulate the required responses from people, as it will not contain sufficient detail of what to do or be sufficiently motivating to obtain the required changes of behaviour.

1.2 Learning good behaviour

People often know what they are doing is wrong or inappropriate, but nevertheless continue in their behaviour despite this knowledge.

If the term awareness is taken to mean only the imparting of information, then awareness alone is unlikely to achieve any significant change of behaviour. What is really required is security learning. In common use the term ‘learning’ is often used to refer to the acquisition of knowledge or skill, often through the deliberate memorization of information or set patterns of mechanical actions (e.g. the facts needed for an examination or the basic skills to drive a car). In behavioural science, the term learning has a specific meaning and refers to any relatively permanent change in behaviour occurring as the result of experience or practice.

© 1995 Elsevier Science Ltd

The exact nature of behavioural and attitudinal change we require for information security depends on the role and seniority of each individual. Examples are:

- All employees. Universal wearing of identity badges. Adherence to physical entry procedures and visitor escort duties.

- System users. Care and protection of passwords and/or identity tokens. Appreciation that it is not acceptable to offer or request sharing of passwords. Respect for privacy-marked material.

- PC and workstation users. Regular backing up of data files. Refusal of pirated or suspect software. Virus alertness. Physical care of equipment and media. Willingness to report problems or suspect situations.

- Project Managers and Sponsors. Tolerance of ‘overheads’ due to information security. Acceptance of responsibility for information being processed.

Many organizations already have introduced behavioural programmes in a wide range of areas in response to perceived social and organizational needs. In some cases these have exploited innovative promotional methods and messages. The programmes include:

- Safety programmes. High-risk industries such as oil exploration and production have been active in this area. The organizational motivation is to reduce damage to capital equipment and the payment of compensation. The social and personal motivation is the reduction of risk of injury and fatalities.

- Energy and natural resource saving campaigns. The organizational motivation is lower spend on energy and resources. The social motivation is the promotion of a caring corporate image in the context of ‘green’ issues.

- Other ecological campaigns. Industries producing polluting waste products have conducted campaigns to obtain individual commitment to cleaner practices. The organizational motivation is the avoidance of liability for financial compensation. The social motivation is, once again, a better corporate image in the community.

- Quality and customer care programmes. The organizational motivation is increased market share and market preparation for new services. The social and personal motivation is greater respect for employees.

These programmes have involved elements which can be ‘borrowed’ for a campaign to improve information security behaviour. Success factors of those campaigns were:

- high profile campaigns with high-level endorsement;
- strong themes, quality literature and other media;
- campaigns sustained over time;
- designated facilitators;
- measurement and feedback of success statistics;
- internal and external PR;
- management targets set;
- investment in the programmes;
- appreciation that change takes time;
- the realization that the factors which motivate the individual are not the same as the corporate rationale for the behaviour change.


2. Status of IT security awareness

2.1 Initiatives

There have been a number of national and international initiatives. In the UK, the Department of Trade and Industry (DTI) sponsored the development of IT security awareness material for industry and commerce. The campaign was mainly directed at small businesses. Its content included video, audio and printed material for direct use within a business.

In late 1991 the Commission of the European Communities (CEC) launched a project entitled IT Security Awareness - A Framework, investigating practices and experience at corporate and national levels throughout Europe.

In the public sector in the UK, security awareness has been dealt with both at departmental and central levels in the Civil Service. The central training agency for government, the Civil Service College, has provided basic training in the form of a foundation course in the fundamentals of IT security, but this course is aimed at IT security specialists and not at the general user population. The candidates are either people experienced in IT who need to learn security principles, or general (physical) security officers who need to understand the specific issues of IT security.

In the private sector, many companies have invested resources in increasing IT security awareness through in-house awareness campaigns and programmes. The overall picture is that some attention and resources are being given to the subject of IT security awareness. But is this expenditure providing ‘value for money’?

2.2 Effectiveness

As part of its 1991 work programme, the European Security Forum (an association of leading European corporations concerned with IT security) performed a survey¹ of practices in Information Security Awareness among its membership. It is fair to assume that the findings represent current practice in organizations at the leading edge of IT security practice, since the Forum tends to attract the practice leaders.

The summary conclusions from this survey were:

- with current practices the overall levels of awareness in the participating organizations are low;

- the awareness programmes under way are limited in the structure and scope of security topics covered;

- a wide range of promotional methods are in use, but few are considered effective;

- IT security awareness training should be directed at all staff;

- most organizations do not obtain feedback or measure the success of their IT security awareness programmes.

Structure and scope

Only one third of the survey respondents had established a structured formal programme, although most of the remainder declared they would be launching initiatives in the 12 month period following the survey. The motives given for starting a programme were various. The most common were:

- a general concern about IT security;

- the vulnerabilities presented by the spread of microcomputers; and

- a wish to conform to good management practice.

The survey indicated that coverage of awareness programmes tended to be strong in specific instructional areas such as access control, physical security, security administration and contingency planning. They were weaker on motivational areas such as the general need for IT security and the benefits to the typical systems user. Surprisingly, the respondents rated themselves as being poor on coverage of personal computing, although it was accepted as the priority area for improvement in future work.

Promotional methods

The most common promotional methods were specific security brochures, and articles in general corporate publications. This was followed by specific presentations on IT security and inclusion of promotional material in corporate training events. Other methods in use include videos, posters and security sections in personnel and other handbooks. Very few organizations claimed to have a sustained, phased programme. In terms of perception of effectiveness in delivering themes and messages, the respondents rated videos highly. Despite the popularity of brochures and newsletter articles, the respondents felt that they were not effective in selling the messages.

Target population, coverage and effectiveness

The survey investigated the targeting of awareness programmes at different categories of staff identified by seniority or by functional role. The overall profile showed awareness levels lower than required at all grades of management and with all IT technical and user staff. Overall security behaviour was rated poor, with operations staff the best performers and IT developers and users the lowest rated.

Feedback and monitoring

Very little active monitoring of the effectiveness of awareness campaigns and initiatives is performed. The respondents believed that improved practices would be indicated in internal and external audits and security reviews. Less than 15% used questionnaires or interviews to test the effectiveness of information media and events in the programme. The use of incident report statistics for success measurement was not considered to be a reliable measure due to uncertainty about unreported incidents.

The survey indicated that current practice is merely to attempt to impart basic security information to the target audience. Motivational aspects are not well addressed and hence the desired objective of creating a security-minded culture is not being achieved. The survey respondents rated senior management support, quality of presentation material and the assignment of suitably qualified people to run the programme as major success factors.

All of this adds up to the author’s view that, in terms of conditioning the target population to behave in a secure way, awareness programmes as currently applied are failing and are going to continue to fail.

2.3 Stimulus and response

Behavioural scientists, in attempting to measure human response empirically, use a ‘black box model’ in order to define behavioural responses to stimuli. This model is called the S/R or stimulus-response model. For example, in supply and demand analysis in economics, price is manipulated (stimulus) and the effect on the quantity sold is observed (response).

The response which the Information Security manager is trying to obtain is security-positive behaviour, in which the population obey security instructions and make decisions which support the protection of valued information. The difficulty is that the individual members of the population are simultaneously receiving other stimuli which will be in conflict with the required security responses. These stimuli will include project deadlines, budget controls, traditional practices and market intelligence, which training and practice have more thoroughly conditioned the individual to deal with than security concerns. Figure 1 illustrates the effects of multiple stimuli on the simple S/R black box model.

2.4 Changing behaviour

In obtaining a security positive response from people, we need to ensure that the conditioning of the individual is such that they are sensitive to security relevant stimuli and that their responses are effective.


Figure 1: The S/R Black Box model (two panels: the theoretical S/R model, and the response to multiple stimuli)

Figure 2: The adoption of innovation (Awareness > Interest > Evaluation > Trial > Adoption)

- Awareness: innovation is known to exist but the consumer has little information and no well-founded attitudes about it.
- Interest: consumer becomes aware that the innovation may be useful or solve some problem.
- Evaluation: consumer develops a favourable or unfavourable attitude towards the innovation and decides whether or not to try it.
- Trial: consumer tests the innovation but, if possible, only in a limited way.
- Adoption: innovation is accepted or rejected; if accepted, the consumer becomes committed to continued use of the innovation.


Figure 3: Diffusion - how groups adopt innovation (Rogers’ five adopter categories, earliest first; descriptions recovered from the figure)

- Innovators: ... risks associated with innovation. (description truncated in the source)
- Early adopters: opinion leaders, respected and important in speeding the diffusion process; they respond to successes obtained by innovators.
- Early majority: rely on informal, trusted sources of information; responsive to change when benefits are clear; willing to conform.
- Late majority: tend to be skeptical of new ideas and resistant to change; respond (eventually) to social pressure, economic factors or fear motives.
- Laggards: firmly tradition bound and suspicious of new ideas; can be difficult to reach with new ideas as they do not keep themselves informed.

Since we are looking at the process of changing people’s values, perceptions and behaviour, it is worth looking at a model of how people respond to innovation. E.M. Rogers² defines an innovation as “any idea or product perceived by the potential innovator as new.” Adoption is the process by which the individual becomes committed to the continued use of an innovation. Rogers identified five stages in the adoption process, as shown in Figure 2.

Rogers has also considered how whole population groups adopt innovations. He uses the term diffusion to describe this process and he has proposed a model of diffusion in the form of a normal distribution curve. According to the Rogers model there are five categories of adopters, and the members of each category adopt an innovation at roughly the same time. These are shown in Figure 3.

3. Marketing practices

What can we learn from the marketing profession with regard to achieving a security culture within an organization? Traditionally, marketing methods and techniques have been concerned with interpreting market trends, positioning new products in the marketplace, conditioning consumers to accept and demand new products and assessing marketplace responses to products during their market life. Is it viable to consider our IT user population as ‘consumers’ and IT security as a ‘product’? K.C. Williams³ describes the widening of the concept of “product” to include the marketing of ideas as “the challenge of the future” for marketing. Are there precedents for marketing change as we are attempting with IT security, and can lessons be learned from the precedents?

3.1 Conditioning

The marketing industry has widened its repertoire in recent years to promote ideas and image as well as products. At the highest level of persuasion we find consumer conditioning campaigns. These are directed at attitudes and beliefs, and often do not expect any immediate, active responses from the target audience. Examples of these are the corporate campaigns to raise public awareness of corporate activities and values and to produce ‘feel-good’ responses. These are sometimes conducted where there are no consumer choices to be made. An example would be the promotion of a television production company, where the company is attempting to implant an image of quality in viewers’ minds so that they will be more likely to accept and select programmes made by the company. The real customers of the company are the television broadcast organizations, who will buy the programmes if they consider that they will achieve a satisfactory audience response.

Political promotional campaigns are becoming increasingly sophisticated, with the political parties realizing that what they are selling is not just a factual manifesto but a whole complex range of intellectual and emotive messages. The objective of such campaigning is to condition the population to share and support the values of the party. Party membership and subscription is not normally a prominent feature of such campaigning; it is recognized that it is easier to get practical support for ideas when the ‘consumer’ is not being asked to spend time or money (this will be done at the next level of persuasion once the ‘hearts and minds’ are won).

Other examples of conditioning campaigns include efforts by nuclear energy providers to stress the social, economic and ecological benefits of their ‘product’. In the UK there has been considerable exposure of such advertising on prime-time television and in the popular press, despite the obvious fact that members of the public cannot decide individually how their electricity is generated. Federations or associations representing suppliers of groups of products have conducted non-specific campaigns to enhance the image of, for instance, meat, dairy and tobacco products in the perceived values of an increasingly health-conscious population.

3.2 Behavioural change

The next level of marketing change involves campaigns to persuade the consumers to change or modify behaviour. Examples of these are road safety campaigns, drink-driving, energy and materials conservation, safe sex and antismoking. Such campaigns set out to adjust our appreciation of the problems, condition us to anticipate situations which require a revised reaction or response, and invest some additional effort in our new behaviour. The benefits, often benefits to society in general and not just personal gains, are presented in order to motivate the changed or new behavioural response. These benefits are usually presented clearly and starkly for best effect with the target audience. For example, in UK antismoking campaigns various health messages were used to gain continuing and wide impact. The messages included the themes that smoking is bad for your health and potentially lethal, passive smoking endangers others and unborn babies are endangered by parents who are smokers. The same campaign chose customized messages for different consumer subgroups. In order to reach young people, less emphasis was placed on the threatening health messages (considered to be too remote from the considerations of youth) whereas endorsement by celebrity role models and the social unattractiveness of smoking (dirty, smelly, costly) were a major part of the campaign.

3.3 Point of delivery messages

The final and most primitive level of change marketing is the delivery of instruction, advice or warning messages at the point of delivery of the ‘product’. Examples of these are notices on public transport reminding passengers that fare evasion is a criminal offence, notices in shops stating ‘Shoplifting is theft’ or ‘Selling alcohol to minors is an offence’, or even ‘Keep off the grass’ in public parks. These messages tend to be stark and very specific. Some companies use these techniques, for example by putting notices on telephones and electrical switches to encourage economic use. Such messages are really only effective if they are linked into conditioning and behavioural campaigns which give more background on why the action or behaviour is demanded. They mainly act as a final reminder of the action or behaviour required, or fair warning of the consequences of failure to comply.

3.4 Branding

Branding is the use of easily recognized symbols to represent the whole product. It can include logos, slogans and the association of strong linked images.

Having used antismoking campaigns as a good example of practice in behavioural marketing, there are also lessons to be learned in looking at the opposite camp, the tobacco industry. In many countries, advertising restrictions have severely constrained the tobacco manufacturers’ abilities to promote their products. They have responded by using strong imaging or branding of products to reap maximum benefit from conditioning-style advertising. The ‘brand’ is a shorthand symbol of the benefits of the product and its superiority to competing products.

In IT security awareness, branding can be a useful tool. The use of a distinctive and simple logo and/or a well-chosen slogan can help to present a strong image for the campaign and provide a reminder for the bigger issues of the campaign.

3.5 Measuring campaign success

The link with ‘traditional’ product marketing becomes less strong when we attempt to measure the success or otherwise of the marketing exercise. The marketplace provides unequivocal feedback for product marketing: we know how the product has sold, and where loyalty has been established, from sales reports. Less reliably, we can investigate how and why the product has not sold by consumer interview and analysis. The success of behavioural marketing is more difficult to measure than that of product marketing, as less obvious criteria have to be established and somehow measured. The application of the simple behavioural science ‘black-box’ model becomes difficult as both the stimuli and response sets are complex and hence difficult to observe and measure.

As an example of the difficulties of success measurement, consider the use of the frequency of incident reports as a measure of success. If IT security practice improves as a result of our awareness programme then it might be expected that incident reports should decrease. However, another effect of increasing awareness will be to extend the population’s judgement of what constitutes reportable events, and therefore people may tend to report events which would have previously escaped attention.

Another factor which might be considered for success measurement is performance in security reviews and audits. The difficulty with these is that they are rarely objective or expressed in quantifiable terms which lend themselves to reasonable before and after comparisons. In addition, since for internal reviews the reviewers will have been subjects of the awareness campaign as well as the review subjects, their expectations will have been raised and their subjective judgement thresholds will be higher.

4. Planning the IT security awareness campaign

4.1 Marketing mix for IT security

How can we use marketing principles in planning and executing an effective information security awareness programme? The starting point is to examine the marketing ‘mix’ for IT security. This is a brief profile of what is being promoted, to whom and by what means. The marketing mix for IT security awareness is illustrated in Figure 4.

Figure 4: The marketing mix for IT security awareness (elements recovered from the figure)

- Basic customer need: responsible, professional behaviour; protection against the consequences of others’ actions and accidents; self-protection against accusations of bad practice; conformance with accepted practice within the organisation.
- Price: time, attention, minor inconvenience; IT development and operations overheads.
- Promotion: corporate newsletters and other promotional media; endorsement by opinion formers.
- Delivery: corporate communications channels; use of IT communication to reach IT users; timing of campaign.

The distinction between the definition of the product and the basic customer need is important. The product is the set of objectives for the whole programme. Where a corporate Information Security Policy exists (and it is an invaluable basis for a market-driven Security Programme) it will state the objectives. The basic customer needs are what will sell the programme to the members of the population. In most organizations, employees will not be strongly influenced by the risks of fraud or major computer mishap. As for the young smokers targeted by antismoking campaigns, the big messages are too remote. To be effective, the campaign must use more personally relevant messages. For IT security the benefits messages will include positive elements such as avoiding problems with PCs, and being confident of protection against impersonation. Negative messages, stressing the disciplinary consequences of bad practice, can also be effective but need to be used with care so as not to establish a ‘least effort to avoid trouble’ response.

The target market needs to be divided into subgroups in order to exploit the lifecycle for innovation adoption and diffusion. It can be extremely effective to identify the key players at the leading edge of the adoption/diffusion profile and subject them to specific attention. One method which can approach this is to hold briefing and discussion meetings with key innovators and early adopters. Such sessions must allow the free discussion of objections to security measures and provide the opportunity for the development of the subjects’ own ideas for security awareness. The author has experienced a number of meetings of this sort where the subject has consistently presented resistance to ideas of increased levels of control, but after the meeting has been a champion of Information Security.


Figure 5: Stages in the IT security awareness campaign (steps recovered from the figure, in order)

- Develop security policy
- Develop themes and messages
- Analyse audience (identify leaders and followers)
- Set timescales for conditioning phase
- Set timescales for behavioural change phase
- Produce foundation material (video, booklets etc.)
- Produce basic targeted instructional material
- Produce modules for general training courses
- Meet with opinion leaders
- Conduct major announcement events (seminars, briefings etc.)
- Circulate and distribute basic conditioning material
- Distribute targeted material to selected groups
- Establish local facilitators for information flow (the sales team)
- Pass information on about successes and failures
- Establish measurable programmes (clear-desk or badges)
- Monitor, support and encourage local facilitators
- Ensure newcomers are initiated into the programme
- Provide information updates and “news” reports
- Develop and distribute “point-of-delivery” material
- Ensure that messages are refreshed
- Ensure that distributed material is renewed before becoming stale
- Withdraw material which is not working
- Analyse and report results of the programme
- Continue to manage the “sales team”
- Perform consumer appreciation surveys to test reactions
- Exploit any external material and media as appropriate

The price of the product needs to be clearly understood and declared so that there are no concealed surprises and no rejection of the principles by reaction from the early supporters.

The price will obviously be different for different individuals. The project manager may have to budget for more technical safeguards, more thorough controls in the development process and more attention to detail in development practices. The user may have to accept some impediments in the use of systems and information. Office system users may have to use slower methods to prepare and disseminate sensitive information. For the majority of users, however, the price will be small and will represent only what is necessary in terms of good business practice.

The promotional tools and methods of delivery must be chosen to present the messages in the most cost-effective way. This may seem an obvious statement, but the results of the ESF survey indicate that insufficient consideration is being given to the selection of promotional media. The main indicator of this is the widespread use of leaflets and brochures compared with levels of confidence in them as effective promotional material. Aspects such as the nature of the message, its durability, the size and nature of target audience, impact required, topicality and expected response should all influence the choice and use of promotional media. The adoption/diffusion lifecycle should also be considered in choosing media to reach the target subgroups.

When delivering the messages, the campaign manager should use the range of techniques and styles used in any advertising campaign e.g. humour, drama, symbolism, characterization, repetition etc. In doing so, the value of branding should not be overlooked. In order to give some measure of the success of the campaigns, some quantifiable elements should be included. For example, elements such as a clear-desk programme, or a promotion of the wearing of identity badges, could be initiated because with these highly visible elements, it should be possible to measure good practice before, during and after the campaign.

Figure 5 gives a suggested outline action plan for the campaign, using the marketing principles discussed.

5. Summary

IT Security Awareness is generally accepted by Security Managers as an essential component of security management. However, programmes and campaigns which are currently being conducted are not achieving the impact of other behavioural change programmes in the commercial world. Campaigns to improve safety, quality and ecological performance have been of higher profile and generally more successful than IT Security Awareness. The security manager needs to employ the methods used in Marketing and Advertising in order to achieve behavioural change. The Security Awareness strategic plan needs to consider persuasion as well as information. As well as getting authority from the most senior management, it needs to get the visible support of opinion leaders within the organization. The themes and messages need to be carefully thought out and targeted at population groups for best effect.

Consideration must be given to conditioning attitudes of the population towards the need for Information Security, specifying the responses needed from the population and using ‘point of delivery’ messages as a final reminder or warning.

The promotional campaign should use all the techniques used in marketing and advertising to help project the messages into the consciousness of the population. There should be some feedback analysis to test the success of the campaigns and to help refine the delivery process. The delivery should be refreshed by changing components which have become ‘stale’ and by including new messages where appropriate.

IT Security Awareness is too important a subject to be treated half-heartedly. The cause is important for business success. It needs to be promoted professionally.

6. References

1. European Security Forum, Security Status Survey 1991 - IT Security Awareness. Report circulated privately to ESF members.

2. Rogers, E.M., Diffusion of Innovation, New York: Free Press, 1962.


3. Williams, K.C., Behavioural Aspects of Marketing, Heinemann Professional Publishing, 1981.

Kevin McLean has over 22 years experience in Information Technology and management, initially as a systems developer and latterly as a consultant to a wide range of government and business sectors. He is Head of IT Security and Systems Management consulting at Hoskyns Group plc, which is the UK operation of Cap Gemini Sogeti. He has performed security reviews and has implemented security improvement programmes for a wide range of organizations in the UK and internationally, and he is a founder member of the IFIP (International Federation of Information Processing) working group on Information Security Management. This paper was first presented at EuroCACS ‘95.

IT AND LEGAL RISKS MANAGEMENT

Gareth O. Jessop

There is a general perception that legal issues are of limited significance in IT. The prevailing view is either that the law largely ignores technology and is decades behind in adapting to it or that only specific areas of law (copyright, data protection, hacking offenses) affect the selection and use of IT systems.

In fact, a much wider range of general law impinges on IT strategy, and IT systems involve both a wide range of legal risks and the opportunity to assess and manage those risks. The real issue therefore is not how the law affects IT but how IT affects legal exposure.

Take some examples from the law of negligence. From the moment, in 1932, when the law recognized a general duty to “take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbours” [1], the use of technology has featured in that issue: the courts have considered the role of available technology in risk management. Before the end of 1932, a US court had decided that barge owners were negligent in not fitting radio receivers, even though only one line in the industry had introduced them [2]. In 1965, a shipping line which had fitted radar but failed to instruct and supervise its staff, so that the radar screen was not permanently monitored, was found liable [3].

The same principles came to be applied to business IT systems. A bank was held liable on a stopped cheque because its cashier failed to check data available on his terminal. By 1973, another US bank only avoided liability for the consequences of a system crash on a ‘state of the art’ defence, the Court finding that its limited backup facilities and absence of disaster recovery procedures were reasonable by reference to the then current cost and availability of such systems [4], and by 1981 in New York, a bank was successfully sued because its software could not deal with the countermanding of cheques if the cheque details were incomplete [5].

All of these examples are from the United States, but have persuasive authority elsewhere: the courts were applying the same basic rules as exist under English law. In the UK as in the US, the law expects the installation of reasonably available technology and imposes on businesses and their managers a duty to train and supervise staff in its use. Even lawyers are not immune: the US courts have described an electronic retrieval system as an essential tool of a modern efficient law office.

Similar principles are capable of applying even in the field of criminal responsibility, where the test of reasonable care can also be relevant. The most drastic example must be the concept of corporate manslaughter, where a gross failure to exercise due care can render a business and its senior management liable to criminal penalties. There is no difference in principle between a failure to provide machine guards or to control asbestos dust and a failure to provide readily-available monitoring or failsafe software. In all these respects, reckless ignorance as well as deliberate actions can found liability, both civil and criminal.
