Fraud and other potential internal threats are a serious concern for enterprises. However, by cutting the level of opportunity for "attack" through effective, risk-intelligent access control, the threat of fraud can be considerably reduced.

The Fraud Triangle

Criminologist Donald Cressey coined the phrase "fraud triangle" more than half a century ago. Today, the concept is still widely used, for instance in the audit guidelines of the American Institute of Certified Public Accountants (AICPA). Of the three points of this triangle, Opportunity is the one that matters most from a risk reduction perspective; it is also the one that can be most easily managed.

[Figure: the fraud triangle]

Opportunities arise when users gain access to information assets and are able to carry out sabotage, theft, fraud, or espionage, the four predominant categories of internal threats. Conventional access control mechanisms are by nature often so coarse-grained that they not only fail to limit and restrict access adequately but also force IT operators to grant excessive permissions, and thus fraud opportunities. Segregation of duties has become an important discipline for information security specialists not because the problem is inherently so difficult to handle, but because role management tools bundle excessive and toxic combinations of permissions into roles. This is discussed in more detail in the article on roles and RBAC.
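The "toxic combination" problem above is easy to check for mechanically once roles and segregation-of-duties (SoD) conflicts are written down. The following Python is an added illustration, not code from the original article or from Axiomatics: it uses a constructed role model and constructed conflict pairs, and reports both roles that bundle a conflicting pair by themselves and users whose combined role assignments produce one.

```python
# Constructed sample role model: role name -> set of permissions.
# Permission names are illustrative and belong to no real system.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "treasury": {"payment.release", "bank.reconcile"},
    "readonly": {"ledger.view"},
}

# Constructed SoD rules: no single person should hold both permissions in a pair.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),   # create a payee and pay it
    frozenset({"invoice.enter", "invoice.approve"}),   # enter and approve own invoice
    frozenset({"payment.release", "bank.reconcile"}),  # pay and hide it in reconciliation
}


def effective_permissions(role_names):
    """Union of permissions granted by a set of roles."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms


def toxic_roles():
    """Roles that bundle a conflicting pair inside one role (a modelling defect:
    anyone holding the role violates SoD regardless of other assignments)."""
    return {name for name, perms in ROLES.items()
            if any(pair <= perms for pair in SOD_CONFLICTS)}


def sod_violations(assignments):
    """assignments: user -> set of role names.
    Returns user -> sorted list of conflicting permission pairs the user holds,
    so reviewers can see which combination created the opportunity."""
    violations = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)
        if hits:
            violations[user] = hits
    return violations


# Constructed user-to-role assignments for the demonstration.
SAMPLE_ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_manager"},  # two individually reasonable roles, toxic together
    "bob": {"readonly"},
    "carol": {"ap_clerk", "treasury"},
}

if __name__ == "__main__":
    print("roles that are toxic on their own:", toxic_roles())
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
```

The useful output is the per-user list of conflicting pairs rather than a bare pass/fail: it tells the role owner whether the fix is to split a role (the `treasury` case) or to change one user's assignment (the `alice` case).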

According to the 2007 E-Crime Watch Survey, two thirds of all "intrusions", whether made by insiders or outsiders, were "handled internally". The full impact of such intrusions is therefore unknown. Despite this, one third of the survey's respondents claimed insiders caused the greatest damage.

Risk intelligent access control

Risk avoidance through excessively restrictive access controls is mostly counterproductive. Giving users access to information assets, and promoting their ability to collaborate by sharing information, is what constitutes core business. For a bank, complete risk avoidance is the same as ceasing operations. Managing risk is what the business is all about. Therefore information must be made available while risks are assessed, something that requires secure information sharing by means of risk-intelligent access control.

The Attribute Based Access Control (ABAC) concept lends itself to the inclusion of risk levels as a factor considered in access control policies. A policy can mandate: "Yes, permit this transaction, provided the risk level is less than X". The risk level can combine different risk indicators. Does the HR system report that the user has resigned and will leave the company within the next 30 days? Tick, increase the risk level, since two thirds of fraud incidents occur within a month of departure. The called transaction places a bid only seconds before the stock exchange closes for the day. Tick, risk level increases. And this is the day of the month when portfolio values are measured based on the latest bids? Tick, risk level increases. And so on.

This is a more adaptive way of controlling access than the "on/off" mode of older concepts. To a fraudulent mind, static assignment of permissions tends to offer fraud opportunities in much the same way a value ticket grants a gambler access to the casino: after login you're free to play on all the systems you have access to until closing hours. Turning off all risk-related access hinders this employee from doing any work, good or bad. Putting risk intelligence into access controls enables all employees to keep up their good work while reducing any temptation to do bad.
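The two paragraphs above describe the decision logic in words: several risk indicators, each drawn from another system, are summed into a risk level, and the policy permits the transaction only while that level stays below a threshold. The Python below is an added example written for this page, not Axiomatics code and not XACML; the indicator weights, the threshold, the attribute names (`hr.termination_date`, `exchange.close_time`, `portfolio.valuation_dates`) and the sample requests are all constructed assumptions. It evaluates exactly the three indicators the text lists and returns the reasons alongside the decision, so a permitted-but-flagged request can be routed to review rather than silently allowed.

```python
from datetime import datetime, date, timedelta

# --- Risk indicators (constructed; each reads attributes a policy information
# point would have fetched from HR, the trading platform and the calendar) ---

def _departing_within_30_days(a):
    """HR reports a termination date within the next 30 days."""
    term = a.get("hr.termination_date")
    return term is not None and 0 <= (term - a["now"]).days <= 30


def _bid_seconds_before_close(a, window=timedelta(seconds=30)):
    """A bid placed inside the last seconds before the exchange closes."""
    close = a.get("exchange.close_time")
    return (a["action"] == "place_bid" and close is not None
            and timedelta(0) <= close - a["now"] <= window)


def _portfolio_valuation_day(a):
    """Today is a day on which portfolio values are fixed from latest bids."""
    return a["now"].date() in a.get("portfolio.valuation_dates", ())


# Name, predicate, risk points. Weights are illustrative assumptions.
RISK_INDICATORS = [
    ("departing_within_30_days", _departing_within_30_days, 40),
    ("bid_seconds_before_close", _bid_seconds_before_close, 30),
    ("portfolio_valuation_day", _portfolio_valuation_day, 30),
]

RISK_THRESHOLD = 70  # "permit, provided the risk level is less than X"


def risk_level(attrs):
    """Sum the points of every indicator that fires; return (score, names)."""
    score, reasons = 0, []
    for name, predicate, points in RISK_INDICATORS:
        if predicate(attrs):
            score += points
            reasons.append(name)
    return score, reasons


def decide(attrs):
    """Policy decision for one request.
    Returns (decision, score, reasons). Requests at or above the threshold are
    denied; permitted requests that tripped any indicator are marked for review
    so the activity is visible without blocking legitimate work."""
    score, reasons = risk_level(attrs)
    if score >= RISK_THRESHOLD:
        return "Deny", score, reasons
    return ("Permit+review" if reasons else "Permit"), score, reasons


# Constructed sample requests. A fixed "now" keeps the evaluation deterministic.
_NOW = datetime(2024, 3, 29, 15, 59, 50)
_BASE = {
    "now": _NOW,
    "action": "place_bid",
    "exchange.close_time": datetime(2024, 3, 29, 16, 0, 0),   # 10 s before close
    "portfolio.valuation_dates": {date(2024, 3, 29)},          # valuation day
}
SAMPLE_REQUESTS = {
    # Departing trader, last-second bid, on valuation day: all three fire.
    "departing_last_second_bid": {**_BASE, "hr.termination_date": datetime(2024, 4, 10)},
    # Same transaction from an employee who is not leaving: high but below X.
    "last_second_bid": dict(_BASE),
    # Routine mid-day bid on an ordinary day: nothing fires.
    "routine_bid": {**_BASE, "now": datetime(2024, 3, 28, 11, 0, 0)},
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_REQUESTS.items():
        print(name, "->", decide(attrs))
```

The point of returning `reasons` is the "adaptive" behaviour the text contrasts with on/off permissions: the same user keeps working on a normal day, a sensitive transaction is still permitted but logged for review, and only the combination of indicators that matches the fraud pattern is refused.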

Risk scaling

Dynamic, real-time risk assessments based on the state of data in other systems naturally come with an integration challenge. The richer the integration, the more powerful the risk-mitigating capacity, and the more serious a concern performance becomes. It's not surprising, then, that Axiomatics risk-intelligent solutions are utilized in environments with extreme performance requirements. This includes global trading applications where every millisecond translates into big money and online transactions where millions of users are active simultaneously.

Technology

Axiomatics is a driving force in authorization technology. The company's dedicated research hub boasts many of the world's leading experts in XACML, the standard that powers attribute based access control (ABAC), while the Axiomatics CTO is the editor of the OASIS XACML 3.0 specification. Furthermore, Axiomatics was the first organization to attest complete XACML 3.0 specification conformance.

ABAC

Attribute-Based Access Control (ABAC) surpasses all previous authorization models. It provides easily scalable, dynamic, context-aware and risk-intelligent access control, essential for the modern enterprise.

Solutions

Axiomatics solutions deliver anywhere, any-depth access control across virtually any and every IT environment. They enable secure sharing of information across and within organizations' borders and boundaries, and compliance with ever-evolving regulatory mandates, while promoting new business opportunities, reducing time-to-market and cutting IT development costs.

eXtensible Authorization

Axiomatics solutions bring together the benefits of standardization, through XACML, with the proven results of externalized authorization. This is more commonly known as eXtensible Authorization.