Security and Regulation Information, risk and financial crime
Mike Power reviews the CARR panel debate on information security held as part of the ESRC Festival of Social Science.
Public consciousness and concern in the UK about information security and financial crime seem to be at an all-time high. Each new media disclosure of data loss by a government agency fuels a new sense of vulnerability focused on identity theft and the risks to citizens of having their confidential details stored in portable databases. Add to this both the ongoing debate about identity cards and a central DNA database, intensified by high-profile murder trials in 2008, and the capacity of television drama to provide fictional realizations of a security dystopia, and the contemporary UK focus on information security resembles something akin to moral panic.
At CARR we view these specific issues via a broad and generic concern with the ways in which they are registered and processed in regulatory systems and how, in turn, these systems are designed to use private sources of control and self-regulation in complex networks of mutual dependency and reliance. Perhaps nowhere is this public-private regulatory partnership more developed than in the field of financial regulation and, specifically, in the operational risk agenda established by Basel 2, which has created a new kind of gateway of exchange between the internal control and risk management systems of financial organizations and public regulatory objectives.
Information security and financial crime issues have been progressively drawn into that operational risk management, both directly, in terms of responsibilities for reporting on potential money laundering, and indirectly, via management responsibility for systems and controls. In this way, internal control and risk management systems are being re-scripted around national security objectives. Accordingly, compliance officers and legal specialists now operate at a new front line in the fight against crime. Yet despite the intense focus on information security, it remains a complex and fragmented field which presents considerable challenges for regulatory and security agencies. Today, seemingly mundane and routine matters, such as corporate policies on laptop use by employees, have acquired far-reaching implications for public perceptions of risk and vulnerability.
In March 2008 CARR hosted a panel debate to discuss these issues as part of the ESRC Festival of Social Science, held at the Royal United Services Institute for Defence and Security Studies. Elizabeth Robertson, a partner with Addleshaw Goddard, opened the discussion by outlining how organized crime was a risk concentration for the financial sector and described the implications of this for information management and sharing across agencies. Jim Backhouse, from the Systems and Innovation group at LSE, drew attention to the evolution of practice from computer security to data security to information assurance. This shift is not well understood by citizens, who associate security with zero risk. He also argued for a stronger focus on citizen-based, rather than organization-based, risk management options in relation to identity theft. However, stronger forms of authentication bring their own risks, not least by incentivising more sophisticated forms of criminality. Mike Levi, from the Crime and Justice Research group at Cardiff University, made a similar point about how some security successes, such as chip and PIN, have only served to displace criminal activity into other areas, something which complicates any cost-benefit analysis. He supported risk assessment initiatives in the field of security but argued for more sensitivity to the specificity of different security issues. For example, data loss as such was not assessable as a risk without greater knowledge of the take-up and exploitation of such data.
The final speaker was JP Rangaswami, Managing Director of Service Design, BT Design, who reminded the audience of the increased atomization of information systems, as we have moved from back-end databases on mainframes to laptops, and of their virtualization. These developments pose significant challenges to how we think about regulation. The unit of action and intervention is now of necessity the individual rather than the firm. He argued that we must accept the reality that employee laptops mix private and corporate uses and that virtual social networking has become normalized. Instead of imposing strict controls and bans in these areas, organizations need to increase capacities for transparency in usage alongside the development of greater self-responsibility. Experiments in this direction have proved to be very successful. Rangaswami also challenged the audience to explore the identity theft issue in a new, perhaps non-western, way by thinking of identity in a more disposable and flexible way.
The challenges for any sensible and cost-effective regulation in this field are considerable, and it is clear that innovative thinking about information security will come from below, at the organizational level. Practices which work with the grain of contemporary trends in personal habits are likely to be much more successful than outright prohibitions and elaborate corporate policies, which only increase the legalization and bureaucratization of organizational life.
Mike Power, Research Theme Director, CARR.