Category Archives: Product Risk

Product Serialisation – a tool to help counter diversion and illicit trade

Posted on by

Paul Curwell, CPP, CFE, CISSP

5 minutes

When was the last time you bought diverted product?

Illicit Trade and diversion is a problem which keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?

If you’re a regular online shopper the chancers are good that you’ve come across illicit product, possibly without knowing it.

men s gray crew neck shirt

I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.

Only the logo and product name was in english – everything else was in Indonesian.

My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.

To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.

Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.

Diversion of critical technology – a byproduct of global competition?

Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.

Serialisation can help improve supply chain integrity and counterdiversion

When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – to individual items or products in the supply chain.

In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.

Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”

European Union Agency for Network and information security (2015)

Serialisation offers benefits to Supply Chain Integrity:

  • Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
  • Provenance – Serialisation itself will not establish provenance (unless serialisation is uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
  • Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs
Supply chain integrity and security: what are the risks? (Part I)

Given the safety risks associated with illicit product, its no wonder the pharmaceutical industry is a leading adopter of serialisation:

  • The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
  • The 2019 European Union Falsified Medicines Directive (FMD) applies only to presciption medicines produced, imported or distributed in the EU.
  • The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
  • India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).

Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.

How does serialisation work?

Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:

  • Pallet
  • Consignment
  • Packaging (item and carton levels)
  • Labelling
  • Item

To maximise efficiency, Serialisation markings must be machine-readable and are typically applied via three techniques:

  • Barcodes
  • QR codes
  • Data Matrices

According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:

  • A large data carrying capacity
  • Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
  • The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.
deliveryman scanning the barcode
Photo by RDNE Stock project on Pexels.com

How can small-medium businesses access the benefits of serialisation?

It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.

As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.

    Further reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Returns Fraud – a risk for eCommerce companies

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    7 minutes

    What is Returns Fraud?

    Returns fraud is a deceptive practice where customers purchase a product from a retailer so as to either temporarily ‘borrow’ the item, or to obtain a refund or store credit. Returns Fraud involves deception on the part of customers, who seek to return a product under ‘false pretences’. Common returns fraud typologies include:

    • Online returns fraud – where customers make a false claim in order to obtain a refund or store credit. Typically, these customers claim that they did not make the purchase (when buying using a credit card), that the goods did not arrive, or that the goods which arrived were faulty, damaged or did not match the description when purchased. Many customers do not return these products whilst also claiming a refund, meaning they actually keep the goods and profit from the refund.
    • Product substitution with lower cost items – customers purchase a high-quality item from one store / brand, and a similar but low quality item from another store. They may remove product tags or labels, or place the substitute product in the high quality product’s packaging before returning. Often returned goods are not properly scrutinised, or may be returned to third party service providers, and by the time the fraud is detected it is too late.
    • Product substitution with counterfeit items – this typology is the same as with lower cost items above, except the substituted product is a counterfeit item. This creates issues for retailers if the counterfeit item is repackaged and released for resale without proper inspection, and can result in brand damage or create consumer safety issues.
    • Wardrobing – a common problem especially for online retailers, consumers purchase items of clothing for a specific event (such as a party), use the item of clothing, then return it for a refund or exchange without declaring this use to the retailer.
    • Use of fraudulent receipts – some consumers alter or forge sales receipts and use these along with often substituted or second hand goods to attempt a refund without having purchased the item. Physical retailers without robust returns processes, who do not verify information on receipts against their records, or who place returned items to one side to process in quiet periods, are particularly vulnerable.

    Returns Fraud can be perpetrated by external parties (i.e. opportunistic individuals and actual customers), employees (i.e. trusted insiders), and external parties in collusion with trusted insiders.

    elegant male outfits on dummies in modern boutique
    Photo by Andrea Piacquadio on Pexels.com

    How does Returns Fraud impact retailers?

    If not properly managed, Returns Fraud can have significant implications for retailers and may even send struggling businesses to the wall. Returns Fraud will impact profits, operating costs and brand in the market. Examples of the impact of Returns Fraud on retailers include:

    • Increased Operating Costs – Retailers may need to employ additional staff to manage and process returns, as well as spending more on loss prevention or fraud protection programs. In some cases, specialist expertise may be required, particularly for high value or complex disputes which retailers are not equipped to handle.
    • Card Scheme penalties – Card Schemes such as Visa and Mastercard apply financial penalties to retailers (merchants) where a customer disputes a transaction, such as in the case of ‘online returns fraud’ (above).
    • Customer Experience and Trust – Retailers who implement stringent policies risk frustrating or offending legitimate customers, resulting in complaints, negative ratings online, or refusal to deal with the brand again. Balancing customer experience with retail security is a huge challenge.
    • Returned Inventory Management – The ‘reverse supply chain’ is challenging for any retailer, but it needs proper attention to mitigate risks of substituted, damaged, soiled, or counterfeit product being accepted, repackaged, and resold as legitimate by a retailer with potentially disastrous results.
    • Financial losses – As mentioned in my previous post ‘Product Security is fundamental to Product Management‘ (see “Security and integrity risks need to factor in pricing decisions“, link below), once a product has been stolen or diverted a retailer needs to sell significantly more product units to recover those losses. Over time, these losses erode revenue and impact profit margins, potentially making the business unviable.
    Often overlooked, Product Security is fundamental to Product Management

    The challenge with Returns Fraud, as with any other security program, is the need to balance the inherent risk of Returns Fraud with customer service and customer experience. Some retailers have accepted a high incidence of Returns Fraud, only to find it has eventually sent the business bankrupt as word gets around the retailer is an easy target and the incidence of fraud increases.

    Three simple steps to mitigating Returns Fraud risk

    Recent media reporting indicates the incidence of Returns Fraud is increasing worldwide, particularly wardrobing and online returns fraud; however, there are three steps businesses can take to mitigate the risk:

    • Return policies – Policies must be clear, legal, compliant with card scheme rules (for credit card payments), and transparent to allow consumers to understand retailer expectations and conditions of sale. Policies should be displayed prominently on the website and in-store, and customers should acknowledge conditions of sale in writing prior to payment. Evidence that a customer has read and acknowledged these policies should be retained by retailer systems and processes in the event of a legal dispute.
    • Using data analytics for fraud detection – data is essential for detecting unusual patterns or behaviours indicative of returns fraud. Provided the required data is collected, typologies can be developed and dashboards built to quickly facilitate detection. Examples of indicators retailers might look for in their typologies include customers who frequently return items (analysed data should include customer name, address, phone number, or email address to identify common purchases using fictitious names); returns of specific products or product categories within 48-72 hours after purchase; and returns of ‘prestigious’ items which consumers might not be able to afford. Early detection, proper investigation, and collection of evidence is crucial to minimising a loss.
    • Build high levels of employee awareness and a strong security culture – Employees are one of the most important elements of any security or fraud program. Poor awareness of fraud and security creates ignorance of the risk, preventing staff from being able to recognise problems and respond in a timely manner. Staff should be trained both on commencement and periodically (at least annually) throughout their employment, with targeted training being undertaken in response to new trends or criminal tactics. Further information on improving security culture can be found below.
    6 steps to improving security and integrity culture in the workplace

    As you can see, the risk of Returns Fraud is real and must be properly understood, assessed and managed by retailers to mitigate unplanned losses and vulnerabilities. Failure to properly consider and plan for Returns Fraud in any retail business is likely to result in substantial financial loss, legal disputes, and brand damage, and may even send the business into insolvency.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Often overlooked, Product Security is fundamental to Product Management

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    7 minutes

    Products are core to modern business strategy

    If you read Ellen Merryweather’s (of Product School.com) post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

    • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
    • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

    Increasingly, physical products are incorporating connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services which are transactional, products have a finite lifespan both in terms of their operations (how many times they can be used, or will last) and from a market perspective before they are imitated by competitors, superseeded, or in the case of patented products when the patent expires. This means there is a target window in which to generate Return on Investment.

    vehicle headrest monitor
    Photo by Mike Bird on Pexels.com

    Product security and integrity risks are varied

    There are a range of fraud, security and integrity risks which impact products, many of which are specific to products and indusries. If not properly managed, product risks can have material implications on profitability and reputation, including:

    • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
    • Consumer safety / law issues including product safety and product recall
    • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
    • Commercial risks arising from brand damage, competition etc
    • Geopolitical risks – such as trade embargoes, disruptions and material shortages
    • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
    • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
    • After market risks – such as parallel imports, grey market products, resold products etc.

    Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in this. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such has tampering to mitigate these and other fraud and security threats.

    lake with mountain view
    Photo by Ian Beckley on Pexels.com

    Inherent risks mean security & integrity has a place in product development

    When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples here include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compounds financial loss with additional expenses such as staff handling time.

    Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

    To properly consider and mitigate these problems, I would argue that starting with a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? This is a 6-stage process that runs from concept to design, prototyping, and market, as illustrated below:

    The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

    • Confidentiality – has the ability to keep sensitive information secret
    • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
    • Availability – making sure the product servicable as and when expected

    When we think about integrity and products I almost find it easier to think about it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) may be compromised in order to make their products more attractive to buyers:

    Supply chain integrity and security: what are the risks? (Part I)

    Product Security and Integrity is more than cybersecurity

    In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

    Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

    Prototype product protection: a step by step guide

    Security and integrity risks need to factor in pricing decisions

    Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates total cost of inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

    Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to product but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

    So what sort of security and integrity programs might you need to cost?

    • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
    • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
    • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
    • Supply chain integrity and security including distribution frauds, product diversion and returns fraud. Whilst not product security per se, this add to the costs of goods sold
    • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues
    black dslr camera on white surface
    Photo by Pixabay on Pexels.com

    Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply demand factors in the market.

    If you didn’t appreciate the importance of managing security and integrity risks inherent in product development and product management, hopefully you will now. As you can see, product risk has brings material considerations that need to be a feature of any product management framework.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Prototype product protection: a step by step guide

    Posted on by

    Paul Curwell, CPP, CFE, CISSP

    What is prototyping?

    A prototype is a draft version of a product that allows you to explore your ideas and show the intention behind a feature or the overall design concept to users before investing time and money into development” (usability.gov). Prototyping is an essential step in product development as it provides an opportunity to qualify feedback from potential customers, size the market, inform investment and financial decisions, and support go/no-go decisions.

    Photo by Karol D on Pexels.com

    Not every product idea will be a commercial success, meaning innovators can spend a lot of money on new product development without financial return. Prototyping helps minimise this risk by regular and repeated feedback. The generic product development process begins with the idea (ideation), which leads to development of a Product Definition prior to prototyping. Usability.gov identifies two categories of prototype:

    • Low-fidelity prototypes are often paper-based and without user interactions. They are prepared quickly and are cheaper than high-fidelity prototypes whilst helping potential users understand the product concept and how it might benefit them. Feedback collected from user interviews (customer interviews) should be incorporated into the iterative new product development process to inform the Minimal Viable Product (MVP).
    • High-fidelity prototypes are effectively early models of the future product. They are as realistic as possible with working components, meaning they are often expensive to produce and may require support from the product developer’s supply chain to design and build custom components. The need for custom components may require suppliers to develop their own prototypes and perform custom R&D as a prerequisite for being able to produce their customer’s new product, adding to development timelines and commercial complexity. There may be multiple iterations of high-fidelity prototypes, with latter models being closer to the model which will go into production and on to a product launch for sale.
    Photo by Andrea Piacquadio on Pexels.com

    How are prototypes vulnerable? What are the risks?

    Part of the challenge with protecting prototypes is the need to balance secrecy with feedback. Failure to provide adquate secrecy or protection could mean innovators lose commercial advantage or are usurped by competitors who are faster, more agile and better resourced. However, the flip side of any product is that it needs to be tested and product developers need as much real life feedback as possible, both from customers on whether the product meets their needs and also real-life applications on whether the product solves the problem as intended under realistic conditions.

    The inherent risks associated with a prototype are a reflection of how advanced the prototyping activity actually is. At the early stages, risks are primarily associated with information security and personnel security, where leaks or compromises can occur which tip-off the market to what is under development. As prototypes are produced and tested, these risks remain but new risks including physical theft or loss and third party or supplier risks also come into play. The spectrum of risks is illustrating in the following figure and overlaid on the reseach and development process:

    (c) Paul Curwell (2022). Prototype Product Protection illustrated: Security risks aligned to the R&D process

    Taking steps to ensure legal protections for your Intellectual Property, such as Patents, Copyright or Design Rights are addressed is an important step in prototype protection, but these legal protections are not the sole actions required. Litigation cases can turn into a ‘war of attrition’ with the winner having the deepest pockets, so reliance on a purely legal strategy may not be prudent. Selected security and fraud risks which also need consideration include:

    • Physical theft of the prototype – which can occur during storage, production, transport and field trials.
    • Theft of test data, plans or designs – arising through virtual (cyber) and physical (e.g. paper, human) vectors.
    • Theft or disclosure of pricing and commercial data – this is likely of particular interest to competitors and ‘fast followers’, but potentially also to industry media and investors.
    • Contract Manufacturer agreements – outsourcing may confer less control over your information and who has acess to it. Additionally, there are many examples of contract manufacturers with undeclared conflicts of interest or a lack of integrity who disclose this information to third parties or competitors irrespective of any legal agreements in place.
    • Theft or unauthorised use of tooling, molds etc for production – parts of your supply chain, including contract manufacturers, may use your custom tooling or manufacturing molds intended for developing the prototype for unauthorised manufacturing activities during periods of factory downtime. Tooling agreements which specify ownership of IP, and access control associated with tooling, are essential to manage product diversion risk.
    • Third Parties – many businesses will need to involve their suppliers in prototyping and new product development. This requires providing information, access to designs or prototypes, and go to market plans and timelines, all of which are commercially valuable and potentially market sensitive if the company is publicly listed. Use of external experts including product development specialists, product engineers, graphic or industrial designers, product quality consultants, computer-aided design (CAD) specialists can increase the chance of success. However, the more people ‘in the know’ the greater the opportunity for compromise.
    • Data Management and Information Protection – ideally, much of your product development information will be online rather than paper-based to provider greater control over access, versions, and dissemination. A data management plan incorporating risk-based data security and information protection is essential, and being able to evidence appropriate security and protections can give greater confidence to business angel, venture capital and private equity investors to fund product development.

    In addition to these inherent risks, two contextual factors influence your risk exposure, being time and the number of people who are in the know. As with anything you want to keep under wraps, the longer the time you need to keep something secret the more effort required. The quicker you go from ideation to commercialisation, the less the chance of compromise or accidental disclosure. Related to time is the number of people ‘in the know’. Typically, longer product development timeframes mean more people in the know. There is presumably a relationship between the number of people who know and the likelihood of intentional or unintential compromise.

    Photo by Senne Hoekman on Pexels.com

    Most importantly with prototype protection is that it’s not just the prototype itself which needs protecting: it’s also information pertaining to it, as well as any externally-facing indicators of what you are doing that can tip off competitors which need to be carefully managed.

    The prototype threat and risk assessment

    Some industries are much more competitive and cut-throat than others, with competition arising not just from business competitors but also nation states. Innovators, research managers and commercialisation teams are often reluctant to talk about security, but according to ‘The report of the Commission on the theft of American Intellectual Property’ (2013), the cost of IP theft in the USA alone is likely to exceed US$300 billion.

    The ongoing theft of IP is “the greatest transfer of wealth in history.”

    GENERAL KEITH ALEXANDER, Commander of the United States Cyber Command and Director of the National Security Agency

    Industries with commercially lucrative or national security applications at the cutting edge of science, technology, engineering and mathematics and some consumer sectors are most likely to be targeted, with targets ranging from applied research through to trade secrets, prototypes and commercial information. Understanding who might be interested in obtaining information about your prototype (‘threat actors’), such as competitors, competitive intelligence collectors, media, and foreign governments, is a crucial first step. A threat assessment can help identify these actors, understand their tactics and level of sophistication (their capability and intent), and provide insights on how they are most likely to target your R&D.

    A Risk Assessment complements the Threat Assessment. Risk Assessments look inward and focus on what can go wrong (risks) and what is present to prevent this (internal controls), whilst threat assessments focus on the outside looking in. The bottom line is that every material risk should have adequate control coverage, with the most critical assets (including people, information and physical items) having multiple redundant layers of protection. Threat and Risk Assessments provide a strong foundation for a Prototype Protection Plan.

    Photo by Pixabay on Pexels.com

    Developing the Prototype Protection Plan

    The Prototype Protection Plan (PPP) documents what steps a business will take to protect prototype versions associated with a given new product development project. This plan considers the threats and risks identified through the assessment process (above), and outlines the ‘who, what, when, where, why and how’ of each risk treatment option. The PPP should cover the full spectrum of risks – physical, cyber, information/ IP, personnel (insider threats) and supply chain.

    Better practice involves assigning a dedicated security manager for the duration of the project (either full or part-time), whose role includes not only coordinating the overall PPP program but is also able to assess, investigate, evaluate and respond to incidents and potential compromises. Industries where products have rapid product life and profit cycles may also undertake a variety of counterintelligence practices given the level of ongoing scruitiny performed by competitors.

    In summary, as outlined in this article protecting your prototype takes effort, however in many cases the benefits from doing so exceed the costs. Failure to properly identify, understand and manage these risks can lead to a loss of market share, future revenue, shareholder returns and brand damage, whilst being overzealous with security can mean your business never gets out of the starting blocks in its product development race. This balance must be carefully managed in prototype security.

    Further Reading

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

    Product security risk assessments for tangible goods

    Posted on by

    Author: Paul Curwell

    State of art – managing fraud and security risk in relation to products

    It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.

    Photo by Gabriel Freytez on Pexels.com

    I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.

    Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.

    To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.

    What satisifies a criminals cravings?

    In his research, Clarke found that products commonly targeted by shop lifters in a retail exhibited six attributes which spell the acronym CRAVED, as follows:

    • Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (eg watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
    • Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
    • Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
    • Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
    • Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e wants & needs) here. But if our COVID crisis has taught us anything about supply chains, its that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
    • Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.

    Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.

    How can we apply the CRAVED construct to manage product risk?

    Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.

    Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:

    Tip 1: Analyse your historical incidents

    Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.

    TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.

    As you start to analyse your historical incident data, ask yourself the following questions:

    • Which product(s) are most commonly targeted? Assuming the Pareto Principle (’80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
    • Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
    • Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
    • How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
    • Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (eg mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the groups specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs], such as a specific organised fraud ring.
    • Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?

    Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals

    Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.

    Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumer’s lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.

    In this case, the cost of the reputatation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.

    Tip 3: Understand where the product is most likely to be attacked or compromised

    For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.

    It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.

    Further reading:

    • Clark, Ronald V., and John E. Eck. 2016. Crime Analysis for Problem Solvers in 60 Small Steps. Washington, DC: Office of Community Oriented Policing Services. https://cops.usdoj.gov/RIC/Publications/cops-w0047-pub.pdf
    • Clarke, Ronald. 1999. Hot Products: Understanding, anticipating and reducing demand for stolen goods. No. 112 in Police Research Series. London: Home Office. www.popcenter.org

    DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.