Prompts and alerts
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Why this countermeasure matters
A lack of automatic prompts and alerts can lead to:
- fraudsters feeling more confident their actions will not be detected
- individuals deliberately or accidently not disclosing information that would affect entitlements
- individuals deliberately or accidently providing false information or evidence to support a request or claim
- insiders deliberately or accidently accessing information or systems they should not be accessing.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- informing users or claimants up front about their obligations
- alerting the user when the cheapest available fare is not selected
- prompting the applicant to provide the correct information
- staff warnings if inconsistent or erroneous information is recorded
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- review the type of prompts and alerts that exist
- confirm that prompts and alerts are consistently applied
- undertake pressure testing or a process walk-through to confirm that prompts and alerts exist
- review reports to identify the number of incorrect actions completed despite prompts and alerts
- analyse behavioural changes caused by prompts and alerts, such as claims or requests abandoned following the prompt or alert
- review historical data to measure if the introduction of prompts and alerts improved compliance
- consult system users about the prompts or alerts to discover if they notice them
- consult behavioural insights experts on the prompts and alerts to find out if they influence behaviour and deter fraud
- review approvals process and make sure there is a separation of duties, if required.
This type of countermeasure is supported by:
Make sure requests or claims use a specific form, process or system for consistency.
Clear eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.
Make sure forms or system controls require mandatory information to support claims or requests.
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Make sure sensitive or official information cannot leave your entity's network without authority or detection. The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information. Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.