Routine activity theory (RAT) is one of the most prominent modern theories in criminology. It aims to explain the conditions necessary for a crime to occur. Specifically, it describes three criteria: a potential offender, a suitable target, and the absence of a capable guardian (Miró, 2014). It was formulated in the 1970s by L. Cohen and M. Felson in response to the rise of crime in post-World War II U.S. (Miró, 2014). They hypothesized that this increase, despite a reduction in general criminogenic factors, such as poverty or a lack of education, could be explained by changes in Americans’ daily activities. As one example, during that time, more high-value and low-weight objects, such as electronics, were becoming available (Miró, 2014). Simultaneously, social changes led to people spending more time away from home; thus, their valuables were left unguarded, creating ample opportunity for burglaries (Miró, 2014). These observations served as the base for Cohen and Felson’s theory.
The three elements necessary for a crime to occur under the RAT are a potential offender, a suitable target, and the lack of a capable guardian. The potential offender can be anyone with a means and a motive to commit a crime (Miró, 2014). More specifically, Cohen and Felson considered the physical possibility of committing the crime more important to their model than motivation (Miró, 2014). Thus, the RAT focuses on environmental factors as means of predicting and preventing crime more than on understanding the criminal’s motives.
A suitable target is an object or person the potential offender can threaten. Such a target can be characterized by four attributes: value, inertia, visibility, and access (Miró, 2014). The value may be real or symbolic, as perceived by the potential offender (Miró, 2014). Inertia refers to the physical qualities of the object or person that make it more or less suitable to the offender (Miró, 2014). Visibility, or exposure, describes how known, or attractive, the target is (Miró, 2014). Finally, access refers to the physical characteristics that make the attack more likely or easier (Miró, 2014). The physical and environmental characteristics of the target are emphasized over others.
A capable guardian refers to any person who can intervene in the crime or make it less likely by his or her presence. This definition includes police or security guards, as well as potential witnesses (Miró, 2014). Over time, this definition has been expanded to include not only the physical presence of a person but also symbolic presence (Miró, 2014). For instance, security cameras serve as a symbolic presence, capable of preventing crime despite the lack of a physical presence of a person.
The crime triangle is a concept built on top of the RAT. It defines handlers, managers, and guardians as additional elements capable of reducing the likelihood of a crime by interacting with the potential offender, the place, and the target, respectively (Miró, 2014). The crime triangle and the RAT provide a framework of actions that can be taken to prevent crime. In essence, by acting as the guardians, managers, and handlers, a private organization can work to eliminate the potential offender, the suitable target, or ensure capable guardians are in place. Eliminating the potential offender means restricting access to whatever valuable object may be an attractive target. By a similar token, removing the target means making it less visible or exposed, and imposing obstacles to accessing it. Finally, guardians, as explained in the RAT, can be security guards, cameras, or any other visible security measures.
General Security Program Design
Software development is a highly competitive field, particularly in rapidly growing areas such as data software. Thus, a company involved in the development of data software can face significant security risks from both inside and outside. Employees can pose a significant security threat, whether deliberately or otherwise (Roberson & Birzer, 2008). In this case, most attacks will happen due to poor compliance with existing security programs, leading to malware incidents or attacks on cloud solutions the company uses. Deliberate attacks by insiders can also include leaking confidential data to competitors. Furthermore, targeted attacks can be launched by competitors, intended to disrupt the company’s operations or gain insight into the software the company is developing. Finally, a sufficiently large company will likely attract random attackers who do not seek any particular objectives besides compromising a known website or network.
Two primary categories of data that present a suitable target can be identified: software and data. Software, in this case, refers to any research and development materials the company produces: algorithms, source code, research, and statistics on its use. This category is the primary target for outside targeted attacks. The second category is personal and client data, encompassing financial information or any other data provided by clients and employees. If the company provides cloud services, client data also includes the data stored in its cloud servers. Personal and client data is a suitable target for external threats that are more challenging to forecast.
Attack and Threat Types
A major threat is internal and non-targeted: an employee failing to follow security protocol and introducing malware to the company network or allowing an external entity to carry out a deliberate attack. Furthermore, an employee can deliberately disrupt company operations, tamper with confidential data, or leak confidential information to outside entities. Concerning external attacks, malware is an ever-present threat, while targeted attacks can attempt to infiltrate the company network or cloud storage.
A strong password policy will be a significant deterrent against basic informal and external attacks. Employees should ensure that their passwords on any company or related service are sufficiently complex and changed at most every three months (Roberson & Birzer, 2008). Furthermore, common password hygiene practices should be enforced: passwords should not be written down in any visible place or shared under any circumstances. If access to company computers and services can be meaningfully split into multiple areas, such as the local company network or the database. Failed password attempts should be logged as a means of detecting potential internal attacks early.
The company network should only have the minimum necessary access to the Internet. This will help prevent leaking confidential information to outside entities, phishing attempts, or malware being downloaded, deliberately or otherwise. Similarly to the above, if it is possible to separate the network into multiple zones based on their security requirements, it should be done. For instance, office WiFi should offer the least access to any internal data, while the most valuable and confidential information may be stored on isolated computers with no Internet access.
Attacks on physical hardware should also be prevented by the security policy. For instance, an insider can gain access to a company server and physically remove hard drives or copy data to an external drive, even if the server is not accessible through the company network. Thus, security measures should be in place to limit physical access to hardware: it should be placed in areas that are inaccessible without special authorization. All access to these areas should be logged to aid in the investigation of any security breaches. Furthermore, all hardware changes, including USB device addition or removal, should also be logged.
A security program, no matter how thorough, is meaningless without employee compliance. To that end, a training program should be implemented, stressing the importance of the other security measures. It should include even personnel not normally involved in the company’s computer system (Roberson & Birzer, 2008). Besides general new employee training, the program should remind experienced employees of security policies in place and inform them of any changes as quickly as possible.
Finally, the program should be tested before implementation and subsequently undergo regular testing and audits. These tests and audits can investigate any unusual activities with data, erroneous or unexplained data, as well as custom reports. When possible, testing and auditing should not follow a known schedule, as announced audits and tests allow insider attackers to dispose of any evidence of their attack. Furthermore, penetration testing by an outside contractor should be carried out occasionally to assess the current effectiveness of the program or expose new vulnerabilities. Finally, employees should have access to the means of reporting security incidents to guide further improvements to the program or identify issues with compliance.
Miró, F. (2014). Routine activity theory. In J. M. Miller (Ed.), The Encyclopedia of Theoretical Criminology. Blackwell Publishing Ltd.
Roberson, C., & Birzer, M. (2008). Introduction to private security: Theory meets practice. Pearson.