Comparative Case Analysis: A powerful tool for typology development

What is Comparative Case Analysis?

Comparative Case Analysis (‘CCA’), also known as ‘Similar Fact Analysis’, is a technique used in criminal intelligence analysis to identify similarities and support decision making (Sacha et al, 2017).

Cases can be linked in CCA through any of the following:

a) Modus Operandi (or tactics, techniques, procedures)
b) Signatures and patterns
c) Forensic evidence
d) Intelligence

College of Policing (2023), United Kingdom

CCA is useful when analysing process-based crime types where perpetrators need to follow a defined set of steps to effect the crime. Examples of such crime types include fraud and financial crime, cybercrime, money laundering and Intellectual Property Crime (e.g. counterfeiting networks).

I use CCA when developing typologies, which I then convert to analytics-based detection models which are run as part of a continuous monitoring or detection program over a dataset to detect suspect transactions, individuals/ legal entities, or behaviour.

a person pointing on to the photographs
Photo by RODNAE Productions on

Where can you collect cases to perform CCA?

So, you’ve worked out that CCA is appropriate to use in your situation. The next challenge is where to get your case study data from. Common sources include:

  • Indictments and statements of claim – depending on jurisdiction, these may be published by prosecutorial agencies such as the U.S. Department of Justice, or by the courts (for tips, see my article on searching Australian court records).
  • Media reports – media monitoring and other Open Source Intelligence (OSINT) capabilities are essential for any financial crime or corporate security function. For information on how to build one, look at my 101 post.
  • Industry information sharing sessions – industry groups such as the Pharmaceutical Security Institute and the Australian Financial Crimes Exchange exist for this purpose.
  • Prisoner interviews – may be performed by law enforcement, regulators, journalists or academics for publication.
  • Academic case studies, published papers and conferences
  • Examination of your own case files based on historical incidents or near-misses.

Unfortunately, it is all too common to find cases that are incomplete. If you don’t control your data (such as cases sourced from the media) your ability to improve data quality is limited – you may need to exclude incomplete cases from the CCA.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

If you are using your own case files, consider changing your internal processes, templates and SOPs to collect the data you need in the future. If you encounter resistance, obtain buy-in from stakeholders by helping them understand what you need and why you need it.

How do you undertake Comparative Case Analysis?

CCA is an invaluable but involved process which will take time to complete. CCA has its roots in academia, particularly the social sciences (see Goodrick et al 2014), so some literature on the topic is irrelevant or too academic to be useful for typology development or intelligence analysis.

photo of women laughing
Photo by on

CCA can be undertaken individually or within a group, although doing the work individually may lead to intelligence blindspots. My high level methodology is as follows:

1Define your scope, case criteria, and other considerations a) What are you attempting to achieve by performing this CCA? Is CCA the most appropriate method?
b) What risk are you seeking to mitigate and what type of case / crime type etc meets these criteria?
c) What timeframe, jurisdiction, industry / product / channel / customer type are in scope?
d) How might analytical bias arise in your methodology? How will you manage this?
2Collect your case information and prepare the data for analysisa) Refer to the ‘where can you collect cases to perform CCA?’ for suggestions
3Review each case for data quality and completenessa) Do you have sufficient information for each case?
b) Do your cases fit the criteria you defined in step 1?
c) Do you need to change your methodology?
d) Is the methodology viable with the avilable information?
e) What cases (if any) do you need to remove due to incomplete data?
4Develop a structured form or methodology to undertake the comparisona) How are you going to compare each case? I build a form or template as part of my approach which I populate with information from each case and use this for case comparison
b) What data elements do you want to compare? Details captured usually include entities (people, businesses, things such as vehicles or residences), locations and dates / times, activities (e.g. events, transactions), and attributes such as language in addition to Modus Operandi.
c) Comparison of this data enables the identification of patterns or attributes which can be used to link seemingly separate incidents together (remember criminals share with each other, a liked case doesn’t have to reflect the same individual).
5Determine where you will store your resultsa) Where will you store your captured data and analysis?
b) If dealing with large volumes of data, you may want to build a database or design a workbook in Microsoft Excel to collect the data for subsequent analysis.
6Read each case and identify each data elementa) Physically read the material for each case
b) Identify the data elements which you want to capture (step 4). One way to do this is using coloured pens or highlighters, with each colour representing a specific data element (e.g. entities).
c) Once identified, this information can be used to document your results (step 7)
7Document your resultsa) I tend to find Microsoft Word, PowerPoint or Excel is fine for this purpose, but ensure you store your CCA reports in a central location so they can be peridocially reviewed and updated.
b) An alternative is ‘visual CCA’, effectively using a visualisation tool such as Tableau or Microsoft PowerBI to analyse and present your findings (see Sacha et al 2017)
c) Ensure any assumptions, data gaps or hypotheses are clearly identified (ideally CCA is factual, so if there are information gaps you are better off leaving this blank than filling a gap with a hypothesis. The fact you have done this can get overlooked in future typology and detection model work and lead to erroneous results).
8Have an ‘independent party’ peer review or critique your worka) Having another party (e.g. team or peers, independent experts etc) not involved in original activity perform a review and challenge role.
b) This provides an opportunity to identify gaps, assumptions or conclusions in your analysis.
9Evaluate your results a) Are they complete?
b) How reliable do you think they are?
c) Are they sufficiently detailed and rigorous enough to use as a basis for typology development?
d) What if any rework do you need to do before finalising your CCA? Perform updates to your work as appropriate.
10Periodically refresh completed CCAsa) Threats such as fraud, financial crime and cybercrime are constantly changing in response to new processes, products, channels, internal controls and actions taken by fraud and security teams to mitigate these threats.
b) Implement a process to periodically reivew and update historical CCA, such as annually, and incorporate this into any detailed typologies.
Paul Curwell (2023). Comparative Case Analysis methodology,

A simplified example of a CCA data capture template (step 4) which has been populated with fictional case information (steps 6 and 7) is shown below:

A simplified example of a CCA data capture template (step 4) which has been populated with fictional case information (steps 6 and 7).

Typology development: the next step in operationalising detection

Whilst CCA is not a pre-requisite to developing a typology, it certainly helps. When designing your CCA approach, I recommend you consider the types of data you will need to build your typology and incorporate these into your methodology (see my previous article, ‘typologies demystified‘).

Analysing Modus Operandi or TTPs requires the application of a number of intelligence analysis methods and is too big to cover here. I will write about this separately in a future post.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.