Competitive intelligence, corporate security and the virtual organization.

ABSTRACT

This paper seeks to document a variety of competitive intelligence (CI) vulnerabilities which (1) are common to most organizations; and (2) have a unique and adverse effect on virtual firms due to their reliance on subcontracting and information technologies. A 7 stage competitive counterintelligence program (identified by the FOG-PACT acronym) is developed in order to remedy many of these CI problems.

INTRODUCTION

Competitive Intelligence (CI) represents a systematic process initiated by organizations in order to gather and analyze information about competitors, suppliers, customers and the general socio-political/economic environment of the firm (Kahaner, 1996; Wright and Roy, 1999; Fitzpatrick, 2000). The purpose of CI programs is to harness disparate information resources in order to enhance the competitiveness of the firm while eroding the competitive advantage of its rivals (Helms, Ettkin and Morris, 2000). This information is often acquired through legitimate/ethical means and covert methodologies involving economic espionage [e.g., theft and/or unauthorized duplication/possesstion of trade secrets, proprietary technologies, etc.] (Fuld, 1985; Winkler, 1997; Wright and Roy, 1999; Gallagher, 1998). Organizations in a variety of industries (i.e.: aerospace, biotechnology, electronic, petrochemicals, and information technologies) or those possessing significant intellectual properties have been identified as having an increased risk for becoming the target of CI activities (Wright and Roy, 1999). The lure of enhancing competitiveness through the appropriation of proprietary technologies, business plans or intellectual properties, has driven many organizations and at least 23 nations to initiate hostile CI penetrations of American firms (Freeh, 1998). Financial losses from these CI intrusions have steadily increased. In 1996, the American Society for Industrial Security (ASIS) reported that CI losses among American firms were valued at approximately $63 billion (Gallagher, 1998). More recently, the FBI has estimated that the financial consequences of competitive intelligence leakages to U.S. firms may amount to $250 billion annually (Shanley and Crabb, 1998). A survey of Fortune 1000 firms by ASIS indicated that the four most significant outcomes of CI leakages include losses in competitive advantage, lost market share, increased R&D costs and higher insurance premiums (ASIS/PricewaterhouseCoopers, 1999).

Given the financial and adverse competitive consequences which may derive from CI and economic espionage activities, this paper seeks to: (1) identify CI vulnerabilities/threats common to many organizations; (2) discuss some of the unique CI vulnerabilities experienced by virtual organizations because of their extensive reliance on outsourcing and information technologies; and (3) outline a 7-stage competitive counterintelligence program that can assist virtual organizations in enhancing their corporate security and minimizing the competitive/financial losses attributable to the CI activities of other firms/governments.

COMPETITIVE INTELLIGENCE VULNERABILITIES OF TRADITIONAL AND VIRTUAL ORGANIZATIONS

Characteristics of Virtual Organizations

Virtual organizations constitute the antithesis of traditional vertical integration strategies. Rather than seeking to control value chain activities through direct ownership of businesses, virtual organizations acquire resources or strategic capabilities by creating "a temporary network of independent companies, suppliers, customers, even erstwhile rivals--linked by information technology to share skills, cost and access to one another's markets" (Byrne, 1993: 99). A common feature associated with virtual firms is an organizational artifact known as a HUB. Dickerson (1998) proposes that the HUB is the irreducible core of the virtual firm. This core contains all the basic organizational functions or infrastructure needed to supervise the allocation, management and coordination of subcontractors or strategic partners as work progresses through the value chain (Dickerson, 1998). HUBS generally retain only those organizational functions that are critical to their distinctive competencies and/or cannot be more efficiently/effectively performed by subcontractors. Furthermore, to enhance strategic flexibility and competitiveness, virtual organizations may be expected to frequently change subcontraCtors or outsourcers in order to leverage their unique situational capabilities and competitive advantages (Galbraith, 1995; Fitzpatrick and Burke, 2000a). The leveraging of these capabilities among members of this virtual network requires both HUBs and their partner cadre to develop open communication systems and high levels of mutual trust. This is essential in order to facilitate the transfers of information, intellectual properties/technologies and to provide an interorganizational climate promoting competitive synergies (Rackham, Freidman and Ruff, 1996). Once the competitive objectives of the HUB and its network partners have been accomplished, this adhocracy of organizational and subcontracted relationships is dissolved (Christie and Levary, 1998; Galbraith, 1995).

Competitive Intelligence Vulnerabilities of Virtual Organizations

Competitive intelligence practitioners have estimated that approximately 95 percent of the intelligence on targeted firms may be derived from publicly available sources of information (Barndt, 1994; Kahaner, 1996). For both virtual and non-virtual companies, these sources include government filings, competitive data bases and information obtained from the print media (Fuld, 1985; Kahaner, 1996; Fitzpatrick, 2000). Of these sources, routine corporate filings mandated by government authorities constitute a wealth of competitive information. This information is readily available or easily accessible by filing a Freedom of Information Request with the government agency that is the repository for the required document. Data mining of these government filings/documents permit companies to acquire a range of CI on targeted firms including: (a) equipment purchases with borrowed money; (b) R & D expenditures, innovations and patent activity; (e) proposed expansions or changes in operations; (d) process technologies, product improvements, sources/uses of raw material and equipment used in specific facilities; (e) corporate revenues, tax base, asset value, depreciation and other expenses; and (f) plant/facility layout & numbers of employees/shifts (Fuld, 1985; Fitzpatrick, 2000; Kahaner, 1996).

The 1999 ASIS survey on proprietary information losses indicates that organizations are increasingly relying on two structural features of virtual organizations in order to enhance competitiveness. These structural characteristics are the use of subcontracting and information technology (IT). Irrespective of industry, the survey suggests that organizational reliance on both the internet and computers have created new threats and risk factors in the protection of proprietary information and technologies. The survey also reports that on-site contractors and original equipment manufacturers represent the greatest single threat to corporate security. As noted by the study, "The new on-line and increasingly outsource business environment is moving rapidly to global supply chains that involve tens or hundreds of companies working transparently to design, manufacture, and deliver goods and services around the world. Most respondents apparently believe that business partners are not doing as much to protect the company's information as they themselves do" (ASIS/PricewaterhouseCoopers, 1999:18). Thus, these two important characteristics (i.e.: subcontracting and IT) which serve to bolster the competitiveness of virtual organizations may also increase their competitive intelligence vulnerabilities.

Competitive Intelligence Vulnerabilities, Subcontractor Management And The Serial/Long-Linked Form

Virtual organizations typically create an infrastructure in order to coordinate and/or manage the activities of subcontractors. The two common infrastructures are those characterized by the use of either serial/long-linked or reciprocating linkages between HUBs and their subcontractor cadre (Fitzpatrick and Burke, 2000a). In the serial-long linked form, HUBs make extensive use of information technologies (IT) to coordinate work processes/semi-finished goods as they flow or are transferred from one subcontractor to another. Subcontractors generally perform the work at their own facilities using their own personnel, assets and resources. As the work or product reaches the final stage of subcontractor activity, it is either (1) distributed directly to the customer; or (2) transferred directly back to the HUB for distribution to the customer. When using this methodology, virtual organizations generally rely upon subcontractors to initiate their own security programs to safeguard the proprietary technologies or intellectual properties transferred to them by HUBs. Thus, the CI vulnerability of the HUB is directly proportional to the effectiveness of the corporate security program initiated by the subcontractor (Weld, 1998; Boni, 1999). This trust in subcontractors for administering corporate security programs has sometimes been misplaced. Subcontractors have been found to be very lax in developing/enforcing security policies, conducting security investigations and establishing security clearances for their own personnel (Winkler, 1997; Kahaner, 1996; ASIS/PricewaterhouseCoopers, 1999). The failure to develop appropriate security procedures and background investigations for personnel is astounding in light of employee attitudes toward theft and disclosure of proprietary information. A recent nationwide survey revealed that 13 percent of employees consider themselves to be basically dishonest and likely to attempt theft, while 66 percent would steal if other persons were observed to commit acts of theft without repercussions (Somerson, 1999). This employee proclivity toward dishonesty makes them highly susceptible to recruitment by CI operatives using the MICES principle.

MICES Principle of Agent Recruitment

The MICES principle represents an agent recruitment methodology whose origins evolve from espionage-related "tradecraft." The acronym stands for Money, Ideology, Compromise, Ego and Sexual Entrapment. The technique serves to directly target human weaknesses in order to secure access to proprietary information/technologies (Barron, 1985). In the first instance (i.e., money), an employee of the target company/organization is bribed by the CI operative in order to gain access to the desired information, intellectual property and/or proprietary technology. Targets for bribery are often identified by credit investigations on individuals known to have access to sensitive information (Schwartz and Abehouse, 1996). Barron (1985) notes that money is the most effective recruitment mechanism in encouraging U. S. citizens to betray their firms. When using Ideology as a recruitment technique, CI operatives attempt to manipulate the value or belief systems of individuals (Barton, 1985; Schweizer, 1993; Fitzpatrick, 2000). This is frequently accomplished by encouraging prospective informants to betray their organization due to philosophical disagreements over employer methods/practices and/or alternative loyalties to foreign nationalities. Schwartz and Abehouse (1996) report how an individual masquerading as an official of the Indian government attempted to use patriotic appeals and monetary incentives to encourage Indian nationals working for AMGEN to release proprietary technologies behind new product developments. Compromise represents an extortive technique whereby the threatened disclosure of personally or professionally damaging information about a potential informant is used to secure the individual's cooperation. Often, the personal expenditure patterns as revealed by credit reports can disclose unflattering information or behavioral patterns about targeted individuals (Schwartz and Abehouse, 1996). The Ego mechanism exploits the low self esteem and disgruntled attitudes of employees in order to yield proprietary information. This is often accomplished by allowing the targeted employee to fulfill his/her fantasies about living on the edge or to exploit perceived inequitable treatment by their organization (Barron, 1985; Fitzpatrick, 2000). The theft of designs for the "look-down" radar system that Grumman Aircraft Corporation installed in the F-14 fighter during the 1970s and 1980s exemplifies the latter technique. The KGB isolated a disgruntled Polish national employed by a Grumman subcontractor that produced the radar system. This employee felt that he had not been properly recognized for his organizational accomplishments. Seeking revenge, he turned over plans for the radar system to KGB operatives. The Soviets then copied and installed this innovative technology in their MIG 29 aircraft (Neely, 1993). Finally, Sexual entrapment has been used to recruit corporate agents/informants. This is often utilized when HUB or subcontractor representatives are engaged in business-related travel (Laffin, 1996).

Work Process Security Issues

The use of the serial-long linked methodology has also been associated with losses of CI because HUBs are not able to effectively control subcontractor activities regarding the destruction of product over-runs and/or defective products (Boni, 1999). Frequently, product over-runs and defective products are simply disposed of through normal waste management procedures. However, Winkler (1997) and Edwards (2000) provide evidence that suggests that dumpster diving constitutes an important source of CI for competitors. Competitors or their agents often sift through garbage looking for discarded prototypes, partially assembled or even complete products in order to secure a sample upon which to base their reverse engineering activities. Garbage sifting can also be used to recover documents containing secretive communications, data or other working papers/correspondence that may be indicative of the virtual firm's technologies, intellectual properties and/or competitive strategy (Winkler, 1997; Nugent, 1992). Detection of this information before the virtual firm can implement its strategy or introduce new products permits competitors to enlarge their window for competitive response/countermeasures (Fitzpatrick, 2000). Dumpster diving has generally been considered to be legal provided that access to the garbage has not occurred as a result of trespass and the sifting garbage contents was accomplished in a public place (Sinton, 2000).

Nondiselosure/Noneompete Issues

As noted by William Boni, of PricewaterhouserCoopers Investigations," If your key component supplier also sells to one of your rivals, how well is that supplier protecting your information?"(Jesitus, 2000:10). This statement reflects a general tendency for virtual organizations to rely on their subcontractors to police their own workforce with respect to nondisclosure/noncompete agreements that they have negotiated with the Hub. In many instances, subcontractors have found the enforcement of these agreements to be difficult. For example, in 1997, the FBI arrested Steven L. Davis on five counts of wire fraud and theft of trade secrets. Davis had been working for Wright Industries, a principal subcontractor for Gillette. Despite having signed a confidentiality/nondisclosure agreement, Davis attempted to sell trade secrets behind the Gillette MACH 3 razor design to BIC Corporation (Gallagher, 1998). Employees have also been found to negligently disclose proprietary information to others because they fail to recognize its competitive significance or assume that it is common knowledge (Winkler, 1997; Jesitus, 2000; Helms, Ettkin and Morris, 2000). Typically, employees regard data on customer lists, pricing, promotional activities, and manufacturing operations to be public knowledge. However, for manufacturing firms, the ASIS survey found that the monetary cost associated with losses of this type of data is valued at three times the dollar cost of their CI losses of R & D information (ASIS/PricewaterhouseCoopers, 1999; Jesitus, 2000).

Where deliberate and/or negligent disclosure of proprietary information from subcontractors has not been achieved, competitors may attempt to get access to valuable CI through purchase of the subcontractor. For example, a consortium of French companies (allied with Airbus) attempted to purchase a Boeing subcontractor in order to learn trade secrets underlying the specialized machine tools and wing components used in Boeing's line of commercial aircraft. To thwart this CI penetration, Boeing was eventually forced to buy this targeted subcontractor (Schweizer, 1993).

In establishing virtual organizations, HUBs have often used relational partnering methodologies in order to network their subcontractor cadres. Relational partnering is premised on the notion that HUBs and their subcontractor cadre can develop long-term learning relationships, thereby achieving mutual and sustainable competitive benefits (Grover, 1995). From the subcontractor perspective, long-term commercial relationships with the HUB permit them to develop expertise, assets and strategic capabilities that will prove useful in (a) initially meeting contract requirements with the HUB; and (b) subsequent competitive activities with other organizations (Rackham, Freidman and Ruff, 1996). On the other hand, relational partnering also has the potential for creating a variety of CI risks/vulnerabilities for both HUBs and subcontractors. Such a risk was recognized by many Boeing employees during the development of the 777 aircraft. Boeing made use of selected partner expertise by inviting subcontractors, suppliers, and even potential customers to participate as members of "Design-Build" teams. As team members, these individuals had access to information regarding product design features and new technologies that would be included in the new aircraft. Many Boeing engineers felt that this policy could result in significant losses of proprietary information since Boeing would not be in a position to monitor how the information might be subsequently disseminated by "Design-Build" team participants (Sabbagh, 1993).

CI vulnerabilities also exist for subcontractors participating in serial-long linked forms of virtual organizations. To maximize efficiency and competitive advantage, many HUBs (e.g.: Motorola, Nissan, Toyota) have required their subcontractors to share information on their innovative work practices and technologies with other members of the partner cadre in order to improve their collective operations in service to the HUB. However, the exchange of this proprietary information can serve to erode the competitive advantages of these subcontractors when they compete against each other in subsequent business dealings (Dabholkar and Neeley, 1998; Fitzpatrick and Burke, 2000b).

COMPETITIVE INTELLIGENCE VULNERABILITIES, SUBCONTRACTOR MANAGEMENT AND THE RECIPROCATING FORM

There exist two methods by which HUBs can utilize reciprocating linkages to manage subcontractor activities. The first corresponds to traditional subcontracting where the HUB directly receives and then combines subcontractor work products prior to delivery to the customer. In this instance, HUBs make extensive use of information technologies to coordinate the sequencing and delivery of subcontractor outputs/activities. In the second form of this methodology, HUBs provide and manage a large central facility where subcontractors perform or provide their services (Fitzpatrick and Burke, 2000a). These subcontractors are granted extensive access to HUB facilities and resources while accomplishing their tasks. This freedom of access is analogous to an extended plant tour or opportunity for observational benchmarking. As such, it creates the potential risk of CI losses by affording subcontractor representatives the opportunity to visually observe proprietary production processes, technologies, job designs, plant layouts, product formulations, R & D activities and even confidential documents. As a result, observers possess enough data to begin reverse engineering of key business technologies and/or to be in a position to disclose confidential information about business plans to competitors. Xerox Corporation's loss of the technologies behind the computer mouse and the GUI (graphic user interface) to Apple Computer Corporation during the 1980s is one of the better known CI coups attributable to the use of this methodology (Cringely and Sen, 1996). More recently, a contract food services employee used his on-site status at MasterCard International to secure documentation of a confidential proposal for a business alliance between MasterCard and The Disney Corporation. He was later arrested by the FBI for attempting to sell trade secrets to a MasterCard competitor for $200,000 (Associated Press, 2001).

The use of temporary or contractor employees has been associated with both breaches in corporate security and significant losses of CI. These security breakdowns can often be traced to the fact that these employees are rarely subject to the extensive background investigations or security clearances required of permanent HUB employees. However, their lack of security clearances is not an impediment to having access to high security areas within HUB facilities (ASIS/PricewaterhouseCoopers, 1999; Winkler, 1997). Frequently, access to these facilities is during time periods where little work is being performed and security procedures are lax. This affords these temporary/contract employees ample opportunities to plant electronic monitoring devices, engage in computer hacking, peruse confidential files and dumpster diving (Winkler, 1997; Nugent, 1992). Hecht and Murphy (2000) describe an incident that suggests corporate security and other support personnel often fail to verify the credentials of subcontractors or their right to access corporate information/facilities. In a security penetration exercise, these authors were able to enter a high security facility during a shift change by masquerading as subcontractors. Without verifying their credentials, a cooperative librarian granted them guest privileges on the library's computer network. Within two hours, they planted password sniffing software and subsequently obtained accounts/passwords to all major corporate computer servers/data bases.

COMPETITIVE INTELLIGENCE VULNERABILITIES AND COMPUTER/TELECOMMUNICATIONS SECURITY ISSUES

For virtual organizations, the extensive use of information and telecommunications technologies permits them to manage their globally dispersed networks of partners and subcontractors (Warren and Hutchinson, 2000). These technologies have allowed virtual organizations to (1) replace inefficient and costly "paper based" processes (Warren and Hutchinson, 2000; Kerwin, Stapaneck and Welch, 2000); and (2) develop creative synergies through the more effective sharing of information and management of virtual teaming/tasking activities (Townsend, DeMarie and Hendrickson, 1998). Virtual teaming has been successfully used by a number of corporations including DEC (Digital Equipment Corporation--now part of COMPAQ), John Brown Engineers & Construction, Ltd., and Boeing. Each of these organizations created extensive IT infrastructures consisting of shared data bases, simulation and modeling systems, videoconferencing, and teleconferencing systems in order to permit the rapid exchange of ideas/information and bolster creative synergy (Grenier and Metes, 1995; Grimshaw and Kwok, 1998; Sabbagh, 1993).

Computer Security Issues

The reliance by virtual corporations on IT to support competitive activities serves to enhance their CI vulnerabilities through cyber attack mechanisms. Many of these attacks are designed to permit CI operatives or hackers to force system entry by exploiting known security failings of an organization's computer hardware/software configurations or discovering the account and password information of legitimate system users. In this first instance, port/network scanning is an important precursor to the cyber attack in that it permits hackers to determine the type of software or services running on remote computer systems. Spoofing, packet and password sniffers permit hackers to illegally enter computer systems/data bases, pirate information and/or sabotage these systems. Spoofing allows attackers to bypass system firewalls by masquerading as authorized internal users of the system. Packet and password sniffers respectively (a) collect system message traffic and data transfers; and (b) locate/retrieve information contained in password files (Schultz, 1999; Warren and Hutchinson, 2000). Hacking activities are often facilitated by ineffective organizational and individual computer password security policies/protocols (Schultz, 1999). While the methodologies and risks associated with these types of cyber attacks are well known within the IT community, relatively few attacks are detected and reported by computer system administrators. A study by the Defense Information Security Agency reported that typically only 4 percent of system intrusions are actually detected and of those detected, only 1.2 percent are actually reported as system violations (Graham, 1998).

Laffin (1996) documents the activity of criminal gangs in both the theft and subsequent ransom of corporate laptop computers. Recently, Qualcomm's CEO had his laptop computer stolen from a California hotel conference room. The computer contained information on proprietary technologies. Its theft is being treated as a potential economic espionage case by the FBI (Associated Press, 2000). Intellectual properties contained on individual computer systems have also been compromised through an electronic sensing technology entitled TEMPEST. This electronic intelligence technology (ELINT) enables CI operatives to reproduce the screen images of computer monitors by capturing the electro-magnetic or Van Eck radiation emitted by these devices at distances of up to one mile (Nugent, 1992; Winkler, 1997; Ward, 1993).

Telecommunications Security Issues

The coordination of business relationships between HUBs, and virtual teams of subcontractors and other business/project partners often involves extensive foreign business travel, telecommunications, data and fax transmissions. A number of authors have documented how the internationalization of these virtual relationships serves to create CI vulnerabilities stemming from the actions of foreign intelligence agencies, hotel staffs, and telecommunication ministry personnel. These personnel may deploy a variety of electronic technologies to intercept, monitor and transcribe all relevant telecommunications, teleconferencing, fax or data transmissions of targeted HUB employees during their stay in a foreign country. Transcriptions and/or analysis of this message and data traffic are then distributed to the country's domestic competitors in order to negate the competitive activities/advantages of the HUB organization (Nugent, 1992; Winkler, 1997; Schweizer, 1993; Laffin, 1996). Additionally, Winkler (1997) reports that business travelers often convey confidential information/data through cellular or public telephones. These conversations are frequently monitored using commercially available radio interception equipment or over heard by agents of intelligence services/competitors in close proximity to the caller. The planting of surveillance devices by competitor/intelligence agents in hotel rooms, conference rooms, and even in the first/business class areas of airliners has also been widely documented (Nugent, 1992; Winkler, 1997; Helms, Ettkin and Morris, 2000).

FOG-PACT: A SEVEN STAGE COMPETITIVE COUNTER INTELLIGENCE PROGRAM

The magnitude of the financial costs and competitive threats deriving from the previously described CI leakages has focused the attention of many organizations on the development of corrective security measures. These corrective measures are typified by the organizational development of competitive counter intelligence programs. Competitive counter intelligence (CCI) is an organizational process designed to protect the firm's plans, actions, resources, intellectual properties, and proprietary technologies from the CI activities of other organizations (Barndt, 1994). An effective counter intelligence program must attempt to mitigate the deleterious effects of leakages of proprietary information due to (1) mandatory government filings by corporations; and (2) lapses in personnel, computer, and telecommunications security attributable to HUB/subcontractor relationships. For virtual organizations, mitigation of these security weaknesses requires utilization of a series of diverse CCI techniques that can be conceptually discussed, organized and implemented through an acronym entitled FOG-PACT.

F: FBI And The ANSIR Program--An Early Warning Network Of Economic Espionage

The FBI's Awareness of National Security Issues and Response Program (ANSIR) may constitute a potential early Warning mechanism in the fight against economic espionage. The ANSIR program actively monitors and disseminates information on (1) the economic espionage activities of foreign intelligence agencies/corporations; and (2) emergent threats to U.S. corporate computer and physical infrastructures (Federal Bureau of Investigation, 2001). The FBI issues advisories on these threats and will also notify specific companies when they appear to have become targets of foreign intelligence agencies or terrorist activities (Waguespack, 2001). Additionally, ANSIR coordinators from local FBI field offices meet regularly with industry leaders and security directors to communicate updates on security issues and espionage techniques (Federal Bureau of Investigation, 2001). Thus, maintaining frequent contact with these coordinators is useful in proactively anticipating emerging security threats (Winkler, 1997).

O: Outsourcer Security Issues

In developing effective CCI programs, virtual organizations must focus on security issues that derive from their extensive use of subcontractors and other strategic partners. A central component of these CCI programs for virtual companies is the nondisclosure agreement and security auditing procedures governing the partnering relationships (Weld, 1998; Winkler,1997; Boni, 1999). Organizational-level contracts and nondisclosure agreements among the HUB and its partners should delineate "how the vendor will act with regards to sensitive proprietary information to which they are granted access in the course of business" (Boni, 1999:477). These documents should provide procedural guidelines for subcontractor organizations or other business partners concerning (1) the receipt, storage and handling of materials or data obtained from either the HUB or its virtual partner network; (2) security provisions governing work-in-process and the distribution of finished goods; (3) destruction of overruns or products which have failed quality control inspections; (4) incident reporting systems for security breaches/violations; (5) the routine auditing of subcontractor/partner security programs; and (6) disclosures of proprietary information in subsequent competitive activities/alliances (Boni, 1999; Weld, 1998). It should be noted that this last recommendation may conflict with some of the objectives inherent to relational partnering philosophies. Relational partnering activities are often viewed by subcontractors as an opportunity to develop unique skills that will assist them in subsequent competitive affiliations (Rackman, Friedman and Ruff, 1996). While this partnering philosophy may serve to build truly collaborative alliances, it can also constitute a barrier to the establishment of effective counter intelligence programs. With respect to these programs, subcontractors or members of the partner cadre should also be required to institute personnel policies commensurate with the HUBs' corporate security doctrines or procedures. (See section P: Personnel Security Issues for additional discussion).

G: Minimizing CI Losses Attributable To Government Filings

As noted previously, corporations are required to submit a variety of local, state, and federal filings indicative of their intellectual properties, proprietary technologies, manufacturing processes, expansion plans, financial and marketing operations, and even elements of their business strategy. However, when compiling these documents, Winkler (1997) notes that most corporations provide more competitive information than is required by law. Thus, CI operatives mining data from government filings are often the beneficiaries of this corporate oversight. To counter this unnecessary leakage of corporate information, Winkler (1997) recommends that the firm's legal and security staffs review and verify that all filings contain the minimum amount of documentation required by specific governmental agencies. Additionally, firms should also attempt to lobby legislative bodies to lengthen the time period from when filings are submitted and when they are available for public perusal. Delaying the release of information contained in these firings may better enable firms to benefit from the "time value of information" and further exploit their competitive advantages (Fitzpatrick, 2000).

P: Personnel Security Issues--The Weakest Link!

Both researchers and practitioners have identified human beings as one of the weakest links in corporate security programs (Winkler, 1997; Hecht and Murphy, 2000; Fitzpatrick, 2000). In dealing with personnel issues, corporate security programs should begin with extensive background investigations and security clearances on all HUB and subcontractor personnel having access to sensitive information, technologies and/or facilities (Winkler, 1997). HUB and subcontractor employees should be required to sign and adhere to the provisions of nondisclosure agreements. These agreements should specify what trade secrets are to safeguarded and the compliance methodology to be used in protecting them (Carr, Furniss and Morton, 2000). Advocates of virtual teaming/tasking methodologies have often advocated unfettered access to corporate information/data as a way to stimulate creative synergy (Townsend, DeMarie, and Hendrickson, 1998). However, this often serves to create avenues for CI leakages within companies. Therefore, at the risk of reducing potential synergies, corporate security programs should restrict access to and distribution of sensitive information to those employees with a "need to know" (Winkler, 1997; Fitzpatrick, 2000). Virtual organizations also need to develop training programs that bolster security awareness and diligence among HUB and subcontractor employees. These programs should cover topics ranging from agent recruitment by CI operatives (e.g., MICES principle) to fundamental elements of data and computer/telecommunications security (Carr, Furniss and Morton, 2000; Winkler, 1997; Fitzpatrick, 2000). For instance, training employees in the techniques that CI operatives use to compile disparate sources of information (e.g., customer lists, price lists, product promotional data, supplier lists and raw material prices, etc.) into detailed competitive assessments, can often serve to increase their sensitivity to information security issues. Finally, these organizations need to develop incident reporting programs and rapid response teams to stop or limit the damage associated with employee lapses in corporate security (Winkler, 1997).

A: Auditing Corporate Security

As discussed earlier, many corporate personnel are oblivious to CI penetrations and breaches in corporate security. Furthermore, they exhibit a reluctance to report its occurrence (Graham, 1998). Therefore, it is imperative for organizations to routinely mount corporate security penetration exercises using outside experts (Winkler, 1997; Hecht and Murphy, 2000). The use of external consultants with a level of expertise equal to that of CI operatives should expose potential weaknesses common in most corporate security programs (Winkler, 1997). After concluding the audit, non-punitive feedback should be given directly to "targets" of the exercise. Security consultants should then work with these employees to develop recommendations and procedures to reduce the potential for future security breakdowns. Both the employees and security consultants should then jointly present the recommendations to top management. This participatory process may serve to (a) provide an important validation of conclusions reached by the consultants; (b) build an employee coalition supportive of the new security recommendations; and (c) create a corporate culture which recognizes that corporate security requires a multilevel system of empowerment in order to be effective.

C: Computer Security And T: Telecommunications Security

In reviewing Security Magazine's 1999 survey of corporate security executives, Somerson (1999) reports that computer security has been protected through the use of document shredders, lockdown devices, system alarms and password protection software. He also reports that approximately 10 percent of these executives planned to bolster computer security through the installation of biometric reading/scanning technologies as authentication hurdles. These devices authorize computer system/data access based upon matching a potential user' s physiological characteristics against the known characteristics of valid users. These scanning technologies range from fingerprint identification to retinal/iris and voice pattern recognition (Desmarais, 2000; Richards, 1999). For example, the U-Match Mouse (BioLink Technologies) uses a patented fingerprint scanning technology that is incorporated into a conventional 2-button mouse. As individuals attempt to activate a computer system, their fingerprints are scanned and compared against a 5000 byte template that determines whether they are among the authorized user cadre (Businesswire, 2000).

Security management hardware/software (e.g.: COBRA, DCOM, TINA), as well as the installation of updated virus protection and firewalls, have often been used to hinder cyber attacks stemming from port/network scanning and spoofing (Gritzalis, Lladis and Oikonomopoulos, 2000). Encryption technologies can provide defenses against password/packet sniffing and data theft (Schultz, 1999). Additional password security may be instituted through single-use passwords and eliminating passwords subject to compromise through "dictionary programs" (Schultz, 1999; Hecht and Murphy, 2000).

Technological solutions have also been suggested to mitigate CI problems attributable to the electronic monitoring of computer screen emissions and telecommunications systems. The monitoring and reproduction of computer screen emissions can be countered by "hardening" computer systems through use of copper shielding and performing sensitive activities in windowless lead-lined rooms (Ward, 1993; Winkler, 1997; Fitzpatrick, 2000). Finally, the monitoring of corporate telecommunications can be made more cumbersome by (1) routinely sweeping corporate facilities for "bugs"; and (2) requiring sensitive message traffic to be conducted at random time intervals and over telephone exchanges not identified with the targeted firm (Winkler, 1997; Fitzpatrick, 2000). In addressing the first of these recommendations, corporate security experts find that CI operatives often use shift changes to physically penetrate corporate offices/facilities in order to plant surveillance devices. Therefore, the sweeping of offices/facilities should be performed shortly after the organization experiences major influxes and/or departures of personnel (Winkler, 1997; Hecht and Murphy, 2000). Additionally, organizational personnel conducting sensitive message traffic should have their communications restricted to telephone lines not possessing the same 3 digit prefix shared by the majority of the firm's offices/personnel. This creates uncertainty for CI operatives concerning the how, when and where issues associated with bugging and surveillance operations (Winkler, 1997; Fitzpatrick, 2000).

CONCLUSION

Virtual organizations represent a new form of organizational structure designed to enhance competitiveness and strategic flexibility through the extensive use of subcontracting, business partnering, and information technologies. Many of these strategic advantages derive from the ability of the virtual organization to freely exchange information, resources, technologies and ideas across organizational boundaries. On the other hand, the unique features of this organizational form that serve to enhance competitiveness can also result in significant intelligence vulnerabilities and the subsequent loss of strategic advantage. Aggressive counter intelligence programs, such as the FOG-PACT system outlined in this paper, have the potential for reducing competitive intelligence vulnerabilities through (a) heightened personnel security; (b) restrictions in both the access to and use of information technologies; (c) the construction of contracts which restrict the manner in which subcontractors or business partners utilize proprietary information and intellectual properties derived from their association with virtual firms; and (d) the hardening computer/telecommunications systems from hostile penetration and monitoring. However, the techniques designed to enhance corporate security may also pose a significant competitive predicament for virtual firms by restricting their ability to rapidly disseminate information/ideas while benefiting from the creative synergies/capabilities of their business partners. Indeed, one of the key dilemmas facing virtual companies may be balancing this need for openness and creative synergy with basic principles of corporate security.

REFERENCES

American Society for Industrial Security and PricewaterhouseCoopers. (1999). Trends in proprietary information loss. Alexandria, VA: American Society for Industrial Security.

Associated Press. (2000, September 19). O. C. business plus; FBI probing Irvine theft of Qualcomm CEO's laptop. The Los Angeles Times, p. 3.

Associated Press. (2001, March 22). Food worker arrested on corporate espionage charges. Retrieved May 23, 2001, Online: http://www.cnn.com/2001/us/03/22/credit.card.espionage.ap/index.html

Barndt, W. D., Jr. (1994). User-directed competitive intelligence. Westport, CN: Quorum Books.

Barron, J. (1985). KGB today: The hidden hand. New York: Berkley Books.

Boni, W. C. (1999). Protecting high tech trade secrets. In M. Krause and H. Tipton (Eds.), Handbook of Information Security Management 1999 (pp. 465-479). Boca Rato n, FL: Auerbach.

Businesswire. (2000, October 11). New software offering for biometrically enhanced security provides unmatched level of privacy. Retrieved October 11, 2000 from the World Wide Web: http://www.businesswire.com.

Byrne, J. (1993, February 8). The virtual corporation. Business Week, 98-102.

Carr, C., Furniss, J. and Morton, J. (2000, March). Complying with the economic espionage act. Risk Management,47(3), 21-24.

Christie, P. M. J., and Levary, R. R. (1998, July/August). Virtual corporations: Recipe for success. Industrial Management, 40(4), 7-11.

Cringely, B.(Writer) and Sen, P. (Director). (1996). Triumph of the Nerds. New York: Ambrose Video Publishing, Inc.

Dabholkar, P. A. and Neeley, S. M. (1998). Managing interdependency: A taxonomy for business-to-business relationships. Journal of Business and Industrial Marketing, 13(6), 439-460.

Demarais, N. (2000). Body language, security and e-commerce. Library HiTech, 18(1), 61-74.

Dickerson; C. M. (1998, January). Virtual organizations: From dominance to opportunism. New Zealand Journal of Industrial Relations, 35-46.

Edwards, C. (2000, July 2). Corporate spying becomes standard: More companies use hacking, bribery to stay ahead of competitors. Detroit News, p. 2.

Federal Bureau of Investigation. (2001). FBI--Awareness of National Security Issues and Response (ANSIR) Program. Retrieved May 23, 2001, Online: http://www.fbi.gov/hq/nsd/ansir/ansir.htm

Fitzpatrick, W. M. (2000). Strategic management and decision making: Creating and maintaining competitive advantage (3rd edition). New York: McGraw-Hill, Primis.

Fitzpatrick, W. M. and Burke, D. R. (2000a, Summer). Form, functions and financial performance realities for the virtual organization. SAM Advanced Management Journal 65(3), 13-20.

Fitzpatrick, W. M. and Burke, D. R. (2000b). Virtual partnering for transactional and relational competitive advantage. Journal of Global Competitiveness 8(1), 1-20.

Freeh, L. J. (1998, Janruary 28). Threats to U. S. national security. Testimony before the Senate Select Committee on Intelligence, Washington, D.C.: Author. Retrieved May 23, 2001, Online: http//www.fbi.gov/congress/congress98/threats.htm

Fuld, L. M. (1985). Competitive intelligence: how to get it--ho w to use it. New York: John S. Wiley and Sons.

Galbraith, J. R. (1995). Designing organizations. San Francisco, CA: Jossey-Bass.

Gallagher, N. J. (1998, March 24). Cybercrime, transnational crime and intellectual property. Testimony before the Congressional Joint

Economic Committee, Washington, D.C.: Author. Retrieved March 23, 2001, Online: www.fbi.gov/congress/congress98/gallagher.htm

Graham, B. (1998, Feb. 28). Lack of disclosure impedes development safeguards. The Washington Post, p. A6.

Greiner, R. and Metes, G. (1995). Going virtual: Moving your organization into the 21st century. Upper Saddle River, NJ: Prentice Hall PTR.

Grimshaw, D. J. and Kwok, F. T. S. (1998). The business benefits of the virtual organization. In M. Igbaria and M. Tan (Eds.), The virtual workplace (pp. 45-70). Hershey, PA: Idea Group Publishing.

Gritzalis, S., Lliadis, J. and Oikonomopoulos, S. (2000). Distributed component software security issues on deploying a secure electronic marketplace. Information Management & Computer Security, 8(1), 5-13.

Grover, R. (1995). Theory and simulation of market-focused management. Fort Worth, TX: The Dryden Press.

Hecht, K. and Murphy, C. (2000, Feb. 11-12). Current computer security threats to American business: A high level review. DIA/FBI/NSA Joint Commission on Technology Protection, Plenary Incident Response Meeting, Santa Clara, CA.

Helms, M. M., Ettkin, L. P. and Morris, D. J. (2000). Shielding your company against information compromise. Information Management and Computer Security, 8(3), 117-130.

Jesitus, J. (2000). Keeping secrets. Industry Week, 249(4), 9-10.

Kahaner, L. (1996). Competitive intelligence. New York: Simon and Schuster.

Kerwin K., Stepanek, M. and Welch, D. (2000, Feb. 28). At Ford, e-commerce is job 1. Business Week 74-78.

Laffin, J. (1996). Brassey's book of espionage. London: Brassey's.

Neely, H, M. (Producer). (1993). Air combat II: MIG versus America. New York: U.S. News and Perpetual Motion Films.

Nugent, J. M. (1992). Foreign competitive intelligence: A personal view. Proceedings of the 7th International Conference of the Society of Competitve Intelligence Professionals, 297-312.

Rackham, N., Freidman, L. and Ruff, R. (1996). Getting partnering right: How market leaders are creating long-term competitive advantage. New York: McGraw-Hill.

Richards, D. R. (1999). Biometric identification. In M. Krause and H. Tipton (Eds.), Handbook of Information Security Management 1999 (pp. 526). Boca Raton, FL: Auerbach.

Sabbagh, K. (Producer and Director). (1993). 21st century jet. Seattle, WA: KCTS/Channel 9.

Schultz, E. E. (1999). Assessing and combating the sniffer threat. In M.

Krause and H. Tipton (Eds.), Handbook of Information Security Management 1999 (pp. 167-181). Boca Raton, FL: Auerbach.

Schwartz, R. (Producer). and Abehouse, B. (Producer). (1996, January 17). The new spies. New York: ABC News/Prime Time Live.

Schweizer, P. (1993). Friendly spies: How America's allies are using economic espionage to steal our secrets. New York: Atlantic Monthly Press.

Shanley, A. & Crabb, C. (1998, December). Corporate espionage no longer a hidden threat. Chemical Engineering, 105(13), 82.

Sinton, P. (2000, July 5). Private eyes/detective work is big business in cutthroat corporate world. San Francisco Chronicle, B2.

Somerson, I. (1999, September 27-29). Security @ the millennium. A white paper presentation from Security Magazine and The Security Group (Cahners Business Information), ASIS International Seminar. Retrieved October 12, 2000, from the World Wide Web: http//www.securitymagazine.com/whitepaper.htm

Townsend, A. N., DeMarie, S. M. and Hendrickson, A. R. (1998). Virtual teams: Technology and the workplace of the future. Academy of Management Executive, 12(3), 17-29.

Waguespack, M. J. (2001, April 3). The FBI's ANSIR Program. Testimony before the House Committee on Government Reform, Subcommittee on National Security, Veterans Affairs and International Relations. Washington, D.C. : Author. Retrieved May 23, 2001, from the World Wide Web: http//www.fbi.gov/congress/congress01/ansir040301.htm Ward, G. (1993). Tempest in a teapot. Retrieved October 16, 2000, Online: http://www.austinlinks.com/Crypto/tempest.html, 1-7.

Warren, M. and Hutchinson, W. (2000). Cyber attacks against supply chain management systems: A short note. International Journal of Physical Distribution and Logistics Management, 30(7/8), 710-716.

Weld, R. (1998, November 2). Too much trust: Are trade secrets safe with suppliers? Industry Week, 247(20), 28-30.

Winkler, I. (1997). Corporate espionage. Rocklin, CA: Prima Publishing.

Wright, P. C. and Roy, G. (1999). Industrial espionage and competitive intelligence: one you do; one you do not. Journal of Workplace Learning, 11 (2) 53-5 9.

William M. Fitzpatrick and Donald R. Burke are management professors at Villanova University. Their teaching, consulting and publishing activities are in the areas of strategic planning and decision making, competitive intelligence systems and general management.