Crime Risk Management

‘How can the security/risk manager utilise the ‘Crime Risk Management’ process and how useful is this process?’

Crime Risk Management (CRM) is an evolutionary and analytical process to assess whether organisational procedures, assets or individuals could become exposed to a potential threat; to identify the measures necessary to reduce any such risk; to mitigate the consequences of any hazard once realised; to evaluate the success or otherwise of the prescribed course of action; and to adapt appropriately. The conventions of risk management take into account that whilst risk is unlikely to be entirely eradicated, adapting organisational security mechanisms to further protect against anticipated or imagined threats can significantly reduce it. The Crime Risk Management process provides those responsible for securing an organisation against risk with various tools. To develop a greater understanding of how CRM is utilised today it is beneficial to consider the practices of a particular industry in isolation. The manner in which the banking industry combats financial crimes such as plastic fraud provides a useful example. Further to this, in order to critically assess the effectiveness of the approaches taken by industry watchdogs in safeguarding against risk, a brief comparison between the Banking sector and the United Nations CRM practices has been included. Ultimately, when best practices are followed, the CRM process can also have the effect of a deterrent against future misconduct when the latent vulnerabilities of an operation are recognised and appropriately reduced to within acceptable boundaries.

According to constitutive criminology, crime is defined as the harm resulting from people “investing energy in harm-producing relations of power,” which “denies others their ability to make a difference” (McLaughlin and Muncie, 2006:66). The United States (US) Air Force Material Command Pamphlet (AFMCPAM 63-101, 1997:5) describes risk as “a measure of a project’s inability to achieve program objectives…(it) has two components: the probability of failing to achieve particular performance, schedule or cost objectives, and the consequences of failing to achieve those objectives”. Subsequently, risk management is the process of ‘controlling’ such risks and “includes identifying and tracking risk areas, developing risk mitigation plans as part of risk handling, monitoring risks and performing risk assessments to determine how risks have changed” (AFMCPAM 63-101, 1997:5-6).

Cox (2005:64) defines risk management as a “decision process that maps available risk assessment information about the probable consequences of acts of crime, along with value judgments and priority information concerning the choices of which acts to take in response”. This definition, however, interprets the discipline of risk management as a more passive activity, focusing more on the assimilation of information and the analysis that follows than on the active intervention required to avert or alleviate the risk. Conversely, Broder, as cited in Nalla & Newman (1990: 92), defines CRM as the “anticipation, recognition and appraisal of a risk and the initiation of some action to remove the risk or reduce the potential loss from it to an acceptable level”.

Based on the above contrasting definitions, one focusing on the information gathering and analysis aspect, and the other accentuating the notion of taking action to avert the risk, CRM can be concluded to have a number of objectives: namely to assess risk by proactive means rather than simply reacting to risks as and when they are encountered, to assess potential losses that might result from these eventualities, conduct a cost benefit analysis of taking risk intervention measures such as setting up a CRM process, and finally, to minimise, control or transfer foreseeable risks (Gill, 1998:14). Therefore, a solid “risk management approach includes three primary elements: a threat assessment, a vulnerability assessment, and a criticality assessment” (Decker, 2001:1). Each of these aspects also takes into consideration the probability of an occurrence and the timeframe in which it is likely to occur during the lifetime of a project (AFMCPAM 63-101, 1997:6).

Threat assessments are critical supports for operational decision-making in the security program design phase, identifying areas requiring crucial and concerted efforts. These assessments identify and evaluate risks based on a number of elements including ‘capability’, ‘intentions’, and the ‘potential lethality’ of a breach (Decker, 2001:1). Since there is no way to anticipate every possible risk, or to know everything about each risk, the two other processes involved in this method, vulnerability and criticality assessments, are essential in maximising preparedness against the threat of a violation. A vulnerability assessment determines “weaknesses that may be exploited” by potential perpetrators and “suggests options to eliminate or mitigate those weaknesses”. “A criticality assessment is a process designed to systematically identify and evaluate”: an operation’s key assets based on their consequence to the fulfilment of its mission or basic function, those within the organisation that may prove vulnerable, “or the significance of a structure” (Decker, 2001:1). This aspect of the CRM approach is imperative since it has the potential to aid preparedness against material threats, and in turn, enhance the allocation of scarce resources to those areas, whether to assets, procedures or structures, subsequently identified as being of the highest priority and thereby requiring ‘special protection’ from perceived threats (Decker, 2001:1-2).

While a number of conventional theories are both accessible and feasibly applicable as CRM processes, the two contemporary methods that are the most popular are the rational choice and routine activity theories. The routine activity approach considers only direct-contact predatory violations, where at least one offender takes or damages the property of at least one other person. It is thus based on three factors, “a likely offender, a suitable target and the absence of capable guardians against crime” (Cohen and Felson, 1979:588). On the other hand, the rational choice approach focuses on situational crime prevention, predicting the time and place where crimes are likely to occur, reducing opportunities and the motivation to offend, and thereby decreasing the propensity of the criminal to offend at all (Clarke and Cornish, 1985:174-177). Both of these approaches highlight the importance of assimilation and analysis of information. To this end, the Crime Pattern Analysis (CPA) is a critical informative tool “which seeks to determine what crimes are likely to impact particular targets”, to identify “the criminals (most) likely to commit the crimes, and (to forecast) how and when such crimes are likely to occur” (Tyska and Fennelly, 1998:50).

An initial consideration of these concepts would appear relatively straightforward; however, the prospect of implementing an effective CRM process to adequately safeguard against risk can be a daunting endeavour for the security manager. One area in particular requiring a comprehensive CRM approach is the retail banking industry, especially in relation to plastic fraud. Plastic fraud includes various types of criminal activity including use of stolen cards, skimming, absent ordering, and identity theft (Newman and Clarke, 2003:145, Refer also to Appendix 1, page 13).

Misuse of stolen cards is the most traditional form of plastic fraud, where cards are stolen from customers, enabling the fraudsters to make purchases in the window available to them between their acquisition of the card and the original card holder reporting the loss of the card to their issuing bank, which then takes action to revoke or cancel the account (Slawsky and Zafar, 2005:101). Skimming is another form of plastic crime that takes place when a cardholder uses his card at any commercial establishment or cash machine. The details held on the magnetic stripe on the back of the card are copied onto a secondary storage device, which can later be replicated onto a counterfeit card, illegally cloned to resemble the details of the original, and reused by the fraudster for access to funds or illegal purchases (Slawsky and Zafar, 2005:104). Another form of card crime growing in incidence is the ‘Card Not Present’ (CNP) variety. This occurs when the perpetrator makes a purchase through mail order or telephone order, usually buying expensive merchandise for their own personal gain, either to resell it in the marketplace or to trick the merchant into refunding the value of the goods upon their return (Montague, 2004:12).

Leonard and Lamb (2007:91) define identity theft as “a fraud committed using the identifying information of another person”. As such, it comprises the misuse of information that is specific to an individual, usually involving “a partial and transient adoption (of the details)…in order to facilitate criminal activity” (Finch, 2002:86). In extreme cases, this could cause the victim huge financial losses, discomfort and social embarrassment where the protagonist attempts to use these details to derive material benefit at the expense of the victim.

When applying the CRM process to this form of crime, the first step the security manager is required to take is the initial assessment phase, which involves evaluating the threats and areas of vulnerability in order to determine the level of risk. A number of tools are required at this stage, some of which are quantitative in nature, and others are qualitative (Fennelly, 2003:494). Quantitative analyses usually employ statistical sampling, based on mathematical calculations to assess the likelihood of a crime, extrapolated from results data (DePersia and Pennella, 1998:304). The aforementioned Rational Choice Theory is a related quantitative approach. Within the context of plastic fraud crime, application of this particular theory is exemplified through the regulated practice of profiling customers.

In order to identify extraordinary behaviour financial institutions commonly track the regular transaction histories of their clientele. This is especially true of institutions that issue cards for credit purchases, viewing investment in database profiling of customer transaction histories as crucial. These systems make it possible to characterise potential ‘suspect’ incidents by programming patterns which trigger warnings including: sudden spending sprees, reaching the credit limit or exhausting the account balance, duplicate transactions of unlikely merchandise especially expensive items such as televisions, and an unusual avoidance of delivery services (Slawsky and Zafar, 2005:102). An example of automated programming used to detect uncharacteristic activity on card accounts is the Visa Intelligent Scoring Of Risk (VISOR) facility provided by the Visa network (Grabosky and Smith, 1998:170). The use of this CPA technique has improved the potential to diminish the effect of fraudulent activity on both customers and institutions alike, by simultaneously preventing further theft and acting as a deterrent against aspiring felons.
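The four warning patterns listed above can be expressed as rules evaluated against a customer's transaction profile. The following is an added example, not code from the cited sources and not a description of how VISOR works; the record fields, thresholds and sample transactions are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    item: str
    amount: float
    delivered: bool  # False: customer declined delivery and took the goods away


# Assumed thresholds, for illustration only; an issuer would tune these itself.
SPREE_WINDOW = timedelta(hours=24)
SPREE_FACTOR = 5.0    # window spend above 5x the customer's usual daily spend
LIMIT_RATIO = 0.95    # balance at or above 95% of the credit limit
HIGH_VALUE = 500.0    # cut-off for an "expensive item"


def usual_daily_spend(history):
    """Mean spend per active day in the customer's transaction history."""
    per_day = Counter()
    for t in history:
        per_day[t.when.date()] += t.amount
    return sum(per_day.values()) / len(per_day) if per_day else 0.0


def triggers(history, recent, credit_limit, opening_balance):
    """Return the set of warning names raised by the recent transactions."""
    flags = set()
    recent = sorted(recent, key=lambda t: t.when)
    baseline = usual_daily_spend(history)

    # Sudden spending spree: any 24-hour window far above the usual daily spend.
    for i, first in enumerate(recent):
        spend = sum(t.amount for t in recent[i:]
                    if t.when - first.when <= SPREE_WINDOW)
        if baseline and spend > SPREE_FACTOR * baseline:
            flags.add("spending_spree")
            break

    # Reaching the credit limit.
    if opening_balance + sum(t.amount for t in recent) >= LIMIT_RATIO * credit_limit:
        flags.add("near_credit_limit")

    expensive = [t for t in recent if t.amount >= HIGH_VALUE]

    # Duplicate purchases of the same expensive item.
    if any(n >= 2 for n in Counter(t.item for t in expensive).values()):
        flags.add("duplicate_expensive_item")

    # Avoidance of delivery: several expensive items, none of them delivered.
    if len(expensive) >= 2 and not any(t.delivered for t in expensive):
        flags.add("delivery_avoided")

    return flags


# Constructed sample data: ten days of routine spending, then three scenarios.
_START = datetime(2024, 3, 1, 12, 0)
HISTORY = [Txn(_START + timedelta(days=d), "groceries", 40.0, False)
           for d in range(10)]
_DAY = datetime(2024, 3, 20, 10, 0)
SPREE = [Txn(_DAY + timedelta(hours=h), "television", 600.0, False)
         for h in range(3)]
ORDINARY = [Txn(_DAY, "groceries", 55.0, False)]
ONE_OFF = [Txn(_DAY, "sofa", 700.0, True)]

if __name__ == "__main__":
    for name, recent in (("spree", SPREE), ("ordinary", ORDINARY), ("one-off", ONE_OFF)):
        print(name, sorted(triggers(HISTORY, recent, 2000.0, 200.0)))
```

The constructed one-off sofa purchase raises only the spree warning, which shows why a single rule firing is a prompt for review or scoring rather than proof of fraud.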

Qualitative assessments determine the chances of risk on a sliding scale from negligible to prohibitive based on the opinions, experience and knowledge of leading security management experts (Kovacich and Boni, 1999:192). Considering most plastic fraud takes place at the ‘Point of Sale’ (POS), and since highly skilled security managers cannot monitor everything at once, one of the most effective means of incorporating qualitative assessment into the CRM process is by implementing a thorough training regimen for employees, alongside a widespread awareness raising campaign aimed at educating customers and installation of permanent surveillance equipment such as CCTV (Horan, 1996:68-76). This dual approach instructs on the nefarious methods employed to misuse either cards or card information in order to create a front-line defence mechanism and enhance the fraud detection capacity of the operation. Any fraudulent activities intercepted by staff are rapidly communicated throughout the organisation, for instructive and investigative purposes, to further foster this self-regulative method (Horan, 1996:68).

The assimilation of quantitative and qualitative analysis into banking industry best-practice CRM has resulted in the introduction of a number of effective controls designed specifically to curtail plastic fraud. One solution has been the introduction of embedded ‘microchip’ protection and PIN cards in the United Kingdom (Hoare, 2007:274). This security enhancement prevents the misuse of credit cards by requesting the card PIN for every transaction regardless of whether the customer is making a simple purchase or a cash withdrawal, thereby further reducing the risk of fraudulent transactions. This approach is then combined with customer advisories such as the need to keep cards and PIN information separate (Grabosky and Smith, 1991:170). When implementing crime risk management systems of this nature, however, there are two imperative considerations security managers must remain mindful of in advocating a particular method: probability and the associated cost-benefit outcomes.

Proponents within crime management recommend that risk should always be viewed in a probabilistic context (Fischer and Green, 2004:139). For example, the recent collapse of the sub-prime mortgage market, beginning in the United States, has had a tremendous impact on global financial markets; however, those organisations that viewed the probability of this event occurring as remote presumably installed fewer measures to insure against such a risk, thereby suffering the greatest losses. This example vindicates those wary observers who viewed this practice as dubious, although not criminal in the strictest sense, and who have continued to advocate for more rigorously stringent regulation of credit lending (Munro, Ford, Leishman, and Kofi Karley, 2005:1-3 & 26-30).

The second, and arguably more important factor, is that the cost of CRM implementation should not exceed the benefits received to the institution in seeking to avoid the risk in the first instance (Culp, 2001:226). The indomitable pervasiveness of plastic fraud, although costly, does not quite warrant the installation of sophisticated risk management systems at all POS sites. One of the more dramatic recent proposals to counteract crimes of an identity fraud nature involves biometrically tagging individuals to a corresponding identification card in order to develop a log of all activities, which is then compiled into an ominous central database (Ahlefeld and Gaston, 2005:79). Although some view these measures as the only way possible of comprehensively monitoring and controlling such crimes, there are certainly many criticisms against this suggested method including the prohibitive cost of implementing and maintaining a system capable of delivering this service, the potential for security breaches in the data system storing private records of citizens, and the associated infringements upon civil liberties and human rights likely to be raised in opposition to the proposal (Grant, 2008). Industry driven cost-benefit analysis is therefore a vital component of appropriate CRM design.

There are innumerous benefits to implementing a CRM process within an organisation, regardless of the environment in which it is applied, in either the public or private sphere, which is why this approach has steadily grown in practice (McLaughlin and Muncie, 2006: 363-364). It is the essentially proactive nature of the approach taken in CRM, allowing for the mitigation and prevention of potentially disastrous outcomes, that explains why it is so well favoured. The banking industry is not alone in its vulnerability to losses through fraudulent practices; indeed according to calculations published by the United Kingdom (UK) Home Office Identity Fraud Steering Committee (IFSC), it is estimated that identity fraud represents an annual cost of £1.7 billion to the UK economy (Home Office, 2006).

The significance of this threat is a partial motivating factor behind the financial services sector adopting an industry-wide approach to CRM shared regulatory practices. The Credit Industry Fraud Avoidance System (CIFAS) is representative of this trend, working in conjunction with institutions across the entire financial sector and in the general interest of the banking fraternity. These cooperative systems are then linked to the broader national security management infrastructure, and through ongoing consultations and data sharing, a complex relationship has been established to combat pervasive and costly crimes, including plastic fraud (CIFAS, 2007). This level of cooperation was recently formalised in the UK through Royal Assent to the Serious Crimes Act 2007 for the prevention of fraud through shared information with anti-fraud organisations (Office of PSI, 2007: Part 3, Chapter 1, section 68). Thereby the CRM approach of individual institutions informs industry standards to national policing activities, all working cooperatively in a sophisticated network dedicated to crime management.

This cooperative approach by the banking industry to CRM processes has a cascading effect. The shared CRM network enables participants to access a continuous risk assessment feedback mechanism, allowing the entire industry to maintain a collective pool of knowledge easily referenced to assess the potential risks associated with a specific action, either not previously anticipated or as part of a new initiative by an individual institution, creating unprecedented levels of cost-benefit sharing and exemplifying the potential of widespread best-practice implementation (CIFAS, 2007 and FSA, 2008). Regulative bodies such as the Financial Services Authority (FSA), constituted with statutory powers through the Financial Services and Markets Act 2000 (Office of PSI, 2000: Part 1, section 1), provide a form of protection for the industry against both internal and external fraud, by monitoring, evaluating and reporting practices across the sector. The authority is an industry funded, non-governmental organisation, empowered to enforce its recommendations (FSA, 2008). Alongside the membership requirement to voluntarily commit to full disclosure regulative authorities such as this further enable the industry to self-regulate, mitigate against threats and further spread the cost of CRM across the sector.

The systemic level of commitment exemplified by the banking industry’s approach to CRM of threats such as plastic fraud, and the broader commitment to combating identity related fraud in the United Kingdom, demonstrate the high level of cooperative action required to effectively combat specific crimes and realise the full potential of CRM processes at large. Both Gill, through his three foci for risk management decision-making (1998:15), and Young’s 1992 theory of the ‘square of crime’ (Department of Criminology, 2003:1-15) call for multi-sectoral simultaneous high-level intervention for effective crime prevention outcomes. The combinations of: institutions and their customers, advocating for changes in public and private policy to mitigate specific threats, activated by administrators and legislators alike, must be in alignment with factors such as Gill’s means to ‘change offenders’ (1998:16), where appropriate punishment is meted against identified perpetrators to increase the risk of offending, in concert with a palpable level of public opprobrium (Department of Criminology, 2003:1-21).

Whilst a consideration of the plastic fraud approach has illustrated the high level of cooperation required between all impacted by crime, in order to more effectively prevent losses, a brief reflection of the United Nations system further reveals the evolution of CRM at work. CRM processes are performed in two simultaneous approaches within the UN system. CRM practices are now more closely assimilated into the Security Risk Assessment (SRA) processes of the organisation to more effectively combat risk from both internal and external threats (Australian Capital Territory Insurance Authority, 2004: 4-10). CRM and SRA processes are continually reviewed, evaluated, reassessed and adapted as necessary; especially in light of recent attacks such as those on UN staff members in Iraq and Algeria. Updated recommendations are communicated broadly to mainstream their approach across all activities and in order to achieve the aims of comprehensive security management across their global operations. The mission of the UN Security Management System (UNSMS) overall is “to ‘enable’ the effective and efficient conduct of UN activities while ensuring the security, safety and well being of staff as a high priority” (United Nations, 2002:2, Part II, para 3).

To achieve this mandate the UNSM system requires maximum coordination and cooperation at all levels to facilitate workable ‘funds and programmes’ so they are enabled to perform their primary objective of delivering aid as appropriate. The ‘management techniques’ discussed by Gill (1998: 14-15) are increasingly being incorporated into general UN practices; for example in the manner of staff and management recruitment practices which emphasise security as the responsibility of all staff employed under the auspices of the UN (United Nations, 2006:4-2). In order to fully integrate this approach, from the ground up and across country programs, a Security Management Team is allocated to meet regularly at the ‘head of mission’ level.

These senior level fora are guided by the senior country representative of the UN Department of Safety and Security (DSS), who are “responsible for providing leadership, operational support and oversight of the security management system to enable the safest and most efficient conduct of the programmes and activities of the United Nations” (United Nations, 2006:2-1, para 2.5). The UNSMS framework exemplifies Gill’s risk management recommendations whereby the mandate of security managers is to be a stakeholder in program operational objectives, enabling their effective fulfilment, and conversely, the managers and staff of each program are a stakeholder in the security of their own operations (1998:14-15). This cultural shift from the traditional perception of security as ‘working in isolation’ allows for an increased level of protection to permeate the organisation and for all staff to enjoy the successful achievement of operational objectives in a safe and secure environment.

Although the UNSM system provides one positive example, the reality is that changing internal traditional operational cultures, to incorporate risk prevention as a perceived responsibility for all managers, remains a significant challenge (Handy, 1993: 209). Closer inspection of the plastic fraud approach to the CRM process also exposes a number of other difficulties faced by the security manager when implementing procedures to prevent exposure to risk. The crime risk manager may be criticised for displaying a disposition to crime displacement, which results in a transfer of risk rather than absolute dissolution. “Crime displacement occurs when security measures are effective in preventing crime”, where they are in place, “and forces the criminal to go elsewhere…to commit their crimes”, where there may be less security infrastructure. Displacement could be represented by a shift in time (temporal), shift in target venue (spatial), tactics, or perpetrator (Vellani, 2006:169).

As intimated above, the high level of cross-sectoral cooperation required to truly spotlight and diminish specific crimes is often beyond the means of small-scale security managers to influence. Even in the case of confederated cooperation illustrated by the banking industry to mitigate plastic fraud, the crime still exists. Where the perpetrator commits isolated instances of plastic fraud there may be a low risk of detection, incidents may not be recorded or reported and therefore there is a perceived lack of punishment associated with the offence, which can contribute to the overall seriousness of the problem (Department of Criminology, 2003: 1-21). Indeed the CIFAS prevention service lists the three documents most frequently utilised to commit identity related fraud offences as “non-UK passports, utility bills and then UK passports” (CIFAS, 2008). As CRM policy shifts its attention toward the greater risk area a gap is left behind for small-scale, undetected perpetrators that nonetheless contribute to an area of fraudulent activity that still represents major losses for credit providers.

The major challenge in taking the CRM process approach is in designing the system based on ‘real’ threats and with enough flexibility to adapt to a constantly changing environment. CRM processes require constant review, evaluation, reassessment and adaptation, and even then there is no guarantee that risk will always be averted (Gill, 1998: 17). There may be those whose commitment to the process wavers, governments and their policies may change, societal reactions to certain risk may be attenuated, criminals evolve to increasingly sophisticated methods as their use of technology improves and victim organisations may change their directions, reforming appropriately as they go (Department of Criminology, 2003: 1-22). Therefore, implementation of a CRM process requires a scrupulous cost-benefit examination, credible and quality information from which the risk assessment is drawn, and a wholesale commitment by the organisation in order to derive maximum worth (Gill, 1998: 16-17). If the approach is too conservative the risk may be that tangible business opportunities are unnecessarily overlooked whilst simultaneously failing to address the risks involved. Finally, the security manager must also control the level of expectation associated with their anticipated levels of success, since it is unlikely for even the most reliable system to remain unscathed.

In conclusion, almost every act in business involves an element of risk: customer habits change, new competitors appear, and factors outside the sphere of control could delay a project. However, thorough risk analysis and management can help to inform decision making and minimise potential disruptions, especially where there is a sufficient balance between mitigating the risk and the cost associated with doing so. Evolving CRM processes that utilise decentralised risk management techniques in combination with a centralised coordination approach are becoming accepted best practice, with the result that individual firms are able to adapt the framework to best suit their preferences and internal conditions. It would therefore appear that the discipline is ‘coming of age’, which is evidenced through the prevalence of its practice in the mainstream. However, the combination of the ever-present elements of change and the unforeseen represents the greatest challenge to the security manager in mitigating risk. The reality is that they can only apply their experience, offer their informed advice to key stakeholders, and manage the outcomes, whatever they may be.


