Throwing this out to those of you involved in the interdiction of internal theft.
PREMISE:
1. A low likelihood of detection is part of the calculation made by the typical dishonest employee when deciding to steal or commit fraud.
2. The knowledge that some other thefts have been detected can have an impact on others who are making the calculation described in #1.
QUESTION: Is there a "tipping point" in terms of the rate of detection of thefts below which detection has little or no impact on others thinking of stealing, and above which detection does have a deterrent effect?
QUESTION: If there is a "tipping point", how might this be discovered, even if only in approximate terms?
RATIONALE: If there is a "tipping point", and if we can say, for instance, that a 20% detection rate has a much greater deterrent effect than, say, a 15% detection rate, we can strongly rationalize to management the need for just those resources necessary to achieve 20% or greater detection rates. In other words, the ROI on the entire investment changes completely.
The company spends, perhaps, $100,000 per year to achieve 15% detection and, aside from the recovery aspects, sees little deterrent benefit from that investment. Perhaps, under this "tipping point" theory, it would only be necessary to spend another $20,000 to achieve 20% detection rates and, as a result, achieve a much greater deterrent benefit from the detection program that "the first 15%" does not achieve.
An analogy to this idea might be the "killing level" of an antibiotic. You have to have a certain level of the antibiotic in your system to do any good, and if you take less than the amount needed to achieve a "killing level", you might as well not take any at all. So, 4 pills a day will kill the bug you've got, but 3 pills a day does little or nothing. It's that one additional pill that makes all the pills effective, and without it none of the pills do you any good.
Incidentally, I have not been able to find any documentation of the notion of a "tipping point" in the first place, but I have a strong suspicion that it exists. It would be different in each venue, of course, and it might only be discoverable empirically, and perhaps only as a rough approximation. It's just my gut feeling that there's "some point" at which detection has a deterrent impact, below which detection doesn't much "phase" other people thinking about stealing. In fact, I'm not even sure that very low detection rates don't actually reinforce the calculation that "I won't get caught". But that's a question for another day.
If there is a "tipping point", security managers would have a target to shoot at that is much more do-able than "trying to catch whoever we can", and certainly more do-able than thinking, even in vague terms, that you're going to "catch them all". And, we would know that perhaps we don't need to do a lot more than we're doing now, but perhaps just a little more would make a big difference - and it's usually easier to convince management to give you a little more resources, especially when you can show that it changes the ROI on the money they're already spending.
PREMISE:
1. A low likelihood of detection is part of the calculation made by the typical dishonest employee when deciding to steal or commit fraud.
2. The knowledge that some other thefts have been detected can have an impact on others who are making the calculation described in #1.
QUESTION: Is there a "tipping point" in terms of the rate of detection of thefts below which detection has little or no impact on others thinking of stealing, and above which detection does have a deterrent effect?
QUESTION: If there is a "tipping point", how might this be discovered, even if only in approximate terms?
RATIONALE: If there is a "tipping point", and if we can say, for instance, that a 20% detection rate has a much greater deterrent effect than, say, a 15% detection rate, we can strongly rationalize to management the need for just those resources necessary to achieve 20% or greater detection rates. In other words, the ROI on the entire investment changes completely.
The company spends, perhaps, $100,000 per year to achieve 15% detection and, aside from the recovery aspects, sees little deterrent benefit from that investment. Perhaps, under this "tipping point" theory, it would only be necessary to spend another $20,000 to achieve 20% detection rates and, as a result, achieve a much greater deterrent benefit from the detection program that "the first 15%" does not achieve.
An analogy to this idea might be the "killing level" of an antibiotic. You have to have a certain level of the antibiotic in your system to do any good, and if you take less than the amount needed to achieve a "killing level", you might as well not take any at all. So, 4 pills a day will kill the bug you've got, but 3 pills a day does little or nothing. It's that one additional pill that makes all the pills effective, and without it none of the pills do you any good.
Incidentally, I have not been able to find any documentation of the notion of a "tipping point" in the first place, but I have a strong suspicion that it exists. It would be different in each venue, of course, and it might only be discoverable empirically, and perhaps only as a rough approximation. It's just my gut feeling that there's "some point" at which detection has a deterrent impact, below which detection doesn't much "phase" other people thinking about stealing. In fact, I'm not even sure that very low detection rates don't actually reinforce the calculation that "I won't get caught". But that's a question for another day.
If there is a "tipping point", security managers would have a target to shoot at that is much more do-able than "trying to catch whoever we can", and certainly more do-able than thinking, even in vague terms, that you're going to "catch them all". And, we would know that perhaps we don't need to do a lot more than we're doing now, but perhaps just a little more would make a big difference - and it's usually easier to convince management to give you a little more resources, especially when you can show that it changes the ROI on the money they're already spending.
Comment