Background

Various forms of risk assessments in the context of the planning of social life have been given serious consideration for quite a long time already. The importance of environmental impact assessment has, thus, for a while been accepted as a phase of its own in any major infrastructure planning enterprise. Likewise, the obligation to consider also the economic aspects in the connection of even minor structural reforms has been stressed. In this respect, not only the impacts on public economy should be taken into account, but also those accrued to the business sector, to households and to entire economy. Examination of crime risks in this sense, on the other side – in order to weight their significance as an element both in any law drafting or public planning procedure and as an element in the life span of any potentially risky products – is as an idea construction a fairly recent one. In this context the concept “crime proofing” should perhaps be utilised as a common denominator.

The Approach

As a kind of basic analysis of the issue a two-year project, initiated and financed by the European Union, was launched in 2004 in order to study how crime risks could be taken into account earlier both in law reform work and in product development. The goals of the project are as follows:

1. to create a crime risk assessment mechanism to proof EU legislation against economic/financial/organised crime at a European Union level in order to reduce the probability that an economic/financial/organised crime occurs due to opportunities arising from legislation, and to provide a detailed plan of action to put it in place at an EU level (this would mean providing EU institutional – and EU national – policymakers with an mechanism to be used when drafting new legislation/regulations in order to minimise the risk of money laundering, fraud, corruption and, more in general, the infiltration of organised crime into the legitimate economy);

2. to create a crime risk assessment mechanism to proof electronic products against theft, thereby reducing the probability that a theft occurs due to the intrinsic attractiveness of products, and to provide a detailed plan of action to put it in place in the business environment (this means providing EU enterprises with a concrete mechanism that can be used when designing a new product to minimise the risk of theft).

The short term strategic impact of the project will be the definition of minimum common standards for legislative crime proofing in the EU decision making process and for theft proofing electronic products in the business planning process.

The long term strategic impact of the project will be the development of a crime proofing culture within the European Union and the implementation of minimum common standards for legislative crime proofing in the legislative process of European Union Member States, and product crime proofing in the business planning process for all product manufacturers.

The Project Setup: Proofing of Legislative Efforts

The project was carried out by a consortium of ten EU member state institutions in the field of crime policy. The work was coordinated by the Università Cattolica del Sacro Cuore, Milan, Italy. More detailed information about the project can be found on the web site of the consortium (marc.unicatt.it).

The work was initiated by charting existing source materials and research potentially relevant for the issue. Next step was to outline, on one side, theoretical models on how to assess the risks occasioned by law drafting or product design and, on the other, to analyse the current practice within following fields in the EU member states:

A. Licensing and supervision of branches calling for legal or financial expertise, e.g. lawyers and auditors;
B. Licensing and supervision of branches offering safeguarding services, e.g. private detectives, locksmiths, enterprises in the field of security business and insurance companies;
C. Licensing and supervision of offshore banking services;
D. The potential of organised crime to make use of loopholes in company legislation with the aim at business seizure or money laundering;
E. The potential of organised crime to make use of loopholes in the control systems of public administration, e.g. waste disposal, production of medicines, waterway transport, public procurement.

The end product of the outlined theoretical models, together with the analysis of practices resulted in the following action model, according to which the starting point in drafting both EU level regulations and national level measures should be a four –step procedure as follows:

Step 1. Initial screening. This activity scans the piece of regulation/legislation according to established criteria. The criteria are: a) legislation that introduces product disposal regulations or any other new or more burdensome fee or obligation; b) legislation that introduces a concession on a tax or a concession on any other fee or obligation; c) legislation that introduces a grant, subsidy, or compensation scheme or any other scheme that provides a benefit; d) legislation that introduces or increases the tax on legal goods or in any other way increases the costs of legal goods; e) legislation that prohibits or restricts a demanded product or service or in any other way decreases the availability of demanded goods or services; f) legislation that introduces or removes a law enforcement capacity, increases or decreases funding for enforcement activity or in any other way impacts the intensity of law enforcement activity; g) legislation that provides officials with regulatory power. When the act matches one or more of these criteria the activity goes to the second step. If it does not, the exercise stops here. Screening is conducted by policymakers involved in the law making process.

Step 2. Preliminary crime risk assessment. This is a descriptive/qualitative activity, which aims at identifying and describing which crime risks can be envisaged (if any) and for which types of crime. Three criteria should be observed: a) estimating the formal aspects of the act, i.e. – does the act make more chaotic the whole legislative framework addressing the sector/market? – does the act contain ambiguous or unclear language? – is the act easily applicable and enforceable in the Member States?; b) estimating the vulnerability of the regulated sector/market, in order to explore if it is per se vulnerable to crime, i.e. – do legitimate operators of the sector/market have interest in committing crime? – is the market/sector infiltrated by external criminals (organized or not)? – are the unlawful behaviours identified in the sector/market a law enforcement priority?; c) estimating the possible crime risks arising from specific provisions, i.e. does any provision produce unintended opportunities for crime? – if so, for which crimes? – is it a low, medium or high crime risk? If the act is determined as a medium/high crime risk, it will go to the next phase. If it does not, the exercise stops here. This step is conducted by policymakers involved in the law making process.

Step 3. Extended crime risk assessment. This is an analytical/quantitative activity, which aims at quantifying the risk envisaged in step 2, by calculating a Legislative Crime Risk (LCR) index. This is conceived as a function of two elements: (i) the threat, i.e. the likelihood that a crime occurs because of legislation and (ii) its seriousness, i.e. the harm caused by a given crime on the society. (LCRc is constructed as follows: a) using a series of indicators* two indexes – a textual deficiencies index (TD) – and a market vulnerability index, related to a specific crime type (MVc ) are calculated, followed by b) a fixation of a weighting system (α and β values), c) resulting in a Legislative Crime Threat index, related to a specific crime type (LCTc), according to the formula LCT = α·TD + β·MVc. LCTc is then linked to the seriousness value related to a specific crime type (Sc), resulting in the formula LCRc = (LCTc; Sc). This step is conducted by a group of experts, providing for different expertise in the relevant fields.

Step 4. Conclusions and recommendations. Here the conclusions from Steps 2 and 3 are evaluated, resulting in recommendations on how the crime risk could be addressed and legislation proofed. Recommendations on how the crime risk should be addressed and, consequently, legislation crime-proofed will be made to policymakers by a group of experts (see previous step), by suggesting those textual changes likely to reduce the crime risk (either by reducing opportunities for crime or by introducing security measures that may mitigate the risk).

The crime risk assessment mechanism, built to proof legislation against crime, could now be implemented at different levels. Even if tuned to European legislation, the mechanism could be easily applied to different types of legislation: it could take into account either soft or hard law at international, national, and local levels.

The Project Setup: Proofing of Electronic Products

A similar kind of exercise was conducted in respect of proofing products against crime. At this pilot stage the scope was narrowed to cover the proofing electronic products against theft, making the exercise an early step towards the incorporation of crime consequences into product and service design and development. The process of developing the crime risk assessment mechanism in this field took as its basis the Secured Goods by Design model presented by Clarke and Newman in 2002. The model is based upon two quantitative checklists, one which assesses a product’s vulnerability to theft in terms of how concealable, removable, available, valuable, enjoyable and disposable (CRAVED) a product is. The second assesses the product’s security features – for example, does it contain technology to negate its financial value if stolen, can it be tracked and has it been field-tested for theft? Vulnerability to theft is indexed by the relationship between scores on the two indices. Products which have high vulnerability/low security will be particularly prone to theft; products which have low vulnerability/high security will be less likely to be targeted.

A decision was made to retain the principles contained within the Secured Goods by Design mechanism – that risk should be commensurate with protection – but to use an extensive consultation process to develop a different framework for measurement. The consultation process involved interviews with representatives from the insurance industry, law enforcement, manufacturers of electronic products and consumer groups from ten European countries (six original EU and four accession states). The extreme difficulty of recruiting respondents may itself be indicative of the fact that the notion of crime-reductive design of electronic products in not yet something which engages the interest and attention of many of those whose involvement would be necessary to successful implementation of a risk-based assessment of electronic products.

The questionnaire which participants were asked to complete focused upon the two principles, vulnerability and security. For 15 electronic products, participants were asked to rate the product in terms of its vulnerability and security and then to give three qualitative reasons for that rating** . A few of the main results:

• Overall, the vulnerability scores awarded to the 15 products were much higher than the security scores;
• There was little difference between product types for the scores awarded for vulnerability. The products considered to be the most vulnerable were mobile phones, while the products considered to be the least vulnerable were Personal Digital Aids (PDAs);
• The average security scores showed greater variation with the most secure product type being the laptop computer and the least secure product type being the PDA.

Scrutiny of the spontaneous reasons for product vulnerability cited by the domain experts consulted suggest that they could all be incorporated into the CRAVED classification. The weighting of the CRAVED factors in vulnerability assessment should be the subject of further research, but as a defensible first cut at vulnerability measurement, equal weighting would suffice. Scores of high, medium and low vulnerability would thus be calculated for each product at the earliest commercially practicable stage of their development. Assessment of security, on the other hand, should be carried out on a product by product basis rather than based upon a simple scoring system. A simple security scoring system would lead product security to become formulaic, to be designed down to a standard rather than ingeniously to maximise security.

Final remarks

Apparently, the crime risk mechanism, constructed to proof legislation against crime and to make products less vulnerable against crime (theft), could now be implemented at different levels. It could also be extended to larger typologies of crime than those considered by this project. Some parts of the mechanism deserve further research. Indicators should be tuned and extended. The Seriousness Index, now build on a simplified indicator, could be developed through harm indexes. As to the product vulnerability aspect, the development of an assessment to measure the risk of theft is worthless unless manufacturers implement it and consumers accept it. The aim of the proposed system is not to encourage manufacturers and designers to develop products which will not be attractive to customers; rather it is to ensure that the products which are highly desirable are equally secure.

As regards the overall implementation procedure in this field, it is necessary that regulators further develop the impact assessment procedures paying more attention to the implications on crime.

___________________________________________________________

*)The textual deficiencies (TD) indicators are as follows: (i) External consistency, which concerns the impact of the normative act on the existing legislative framework (a too large volume of laws addressing the same field makes the whole legislative framework complex and chaotic, producing risk of overlaps and of law’s misuses); (ii) Internal consistency, which concerns the internal organization of the normative act (the assumption is that a legislative act should have a logical and consistent structure, to avoid internal overlaps and to make the regulation clear); (iii) Clarity of content, which concerns the language used in the text (the assumption is that generic terms, too broad concepts or ambiguous norms may lead to misinterpretation, which produces the risk of asymmetries in the application, exploitable for illicit purposes); (iv) Enforceability, which concerns the capability of the normative act to be effective, by providing for enforcement and implementation mechanisms (this means that a law should establish the consequences of possible non-compliant behaviours, as well as mechanisms to guarantee an effective implementation by Member States). To carry out the TD assessment, each indicator has been divided into a sub-indicator and each sub-indicator has been translated into a question; each question is linked to a set of possible answers: YES/NO/NOT APPLICABLE (NA).
The market vulnerability (MV) index indicators are as follows: (i) Attractiveness (it can be expressed as the profitability of a market for criminals minus the risk for criminals of being detected and, consequently, punished); (ii) Accessibility (this concerns the capacity of criminals to infiltrate a given market and takes account of the obstacles and barriers raised by legislation against illicit behaviour; the main assumption is that the more the obstacles raised against entry into the market, the less it will be vulnerable to criminals). As for TD assessment, each MV sub-indicator has been translated into a question and each question has been linked to the following possible answers: YES/NO/NOT APPLICABLE (NA).

**)The factors found out having an impact on vulnerability are as follows: (a) attractive design, (b) carried openly, (c) commonly used, (d) desirable, (e) distinctive – can be identified from a distance, (f) expensive, (g) fashionable, (h) good brand name, (j) high quality specifications, (k) looks expensive, (l) marketable/easy to re-sell, (m) no association to a specific person, (n) popular, (o) popular amongst young people, (p) small/light. The factors found out having an impact on security are as follows: (a) BIOS password, (b) cable lock, (c) password protection, (d) serial number, (e) requires installation, (f) PIN code, (g) phone/card locking. The three most frequently mentioned vulnerability factors were: (i) small/light, (ii) expensive, (iii) popular; whilst the three most frequently mentioned security factors were: (i) password protection, (ii) phone/card locking, (iii) cable lock.;/;