I've been on the lookout for Corporate Fraud: Case Studies in Detection and Prevention by John D. O'Gara. I thought it might contain insights useful for intrusion detection. Looking at the sample excerpt (.pdf), it seems more suited to corporate types. However, I found this statement fascinating:
"Effective prevention depends on the probability of detection and prosecution more than on any other single factor, because management fraud typically involves override rather than taking advantage of control weaknesses."
This ties in with my idea that prevention eventually fails, for whatever reason. I also found the emphasis on recognizing indicators to be completely in line with my thinking:
"All competent professional internal auditors should have the ability to recognize the red flags and symptoms that indicate the possible existence of management fraud, and they should also be able to perform diagnostic procedures to assess the probability of occurrence. Investigation of cases of more complex management fraud beyond determining whether fraud probably occurred normally requires specialized experience and skills. Nevertheless, we cannot overemphasize the importance of recognition. Simply put, recognition must occur before investigation can start.
According to the Institute of Internal Auditors (IIA), 'The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.' Furthermore, the IIA maintains that '[d]etection of fraud consists of identifying indicators of fraud sufficient to warrant recommending an investigation.'"
That's similar to my description of Network Security Monitoring:
"NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM tools are used more for network audit and specialized applications than traditional alert-centric 'intrusion
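To make the parallel concrete, here is an added example in Python that is not from this post, the book, or any NSM tool. It models the IIA view and the NSM definition above: collection has already produced session records, analysis matches them against a small set of indicators, and escalation recommends a host for investigation once the accumulated indicator score crosses a threshold, passing along the evidence that drove it. The session records, indicator definitions, weights and threshold are all constructed assumptions.

```python
"""Indicator recognition and escalation over constructed session records.

Added example (not from the original post or from any NSM tool).
Detection here means identifying indicators sufficient to warrant an
investigation; the investigation itself is a separate, later step.
All records, indicator weights and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed session records: (src_host, dst_ip, dst_port, bytes_out, duration_s)
SESSIONS = [
    ("ws-01", "10.0.0.5", 443, 12_000, 30),
    ("ws-01", "10.0.0.5", 443, 9_000, 25),
    ("ws-02", "203.0.113.9", 6667, 1_500, 7_200),        # long-lived session on an uncommon port
    ("ws-02", "203.0.113.9", 6667, 800_000_000, 3_600),  # very large outbound transfer
    ("ws-02", "203.0.113.9", 22, 200, 5),
    ("ws-03", "10.0.0.7", 80, 4_000, 10),
    ("ws-03", "10.0.0.7", 80, 5_000, 12),
]

# Indicator definitions (assumed): name -> (predicate on a record, weight).
INDICATORS = {
    "uncommon_port": (lambda r: r[2] not in {80, 443, 22, 53}, 1),
    "long_session": (lambda r: r[4] >= 3600, 2),
    "large_outbound": (lambda r: r[3] >= 100_000_000, 3),
    "external_dst": (lambda r: not r[1].startswith("10."), 1),
}

ESCALATION_THRESHOLD = 4  # assumed: a score at or above this warrants investigation


@dataclass
class HostFindings:
    score: int = 0
    indicators: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def analyze(sessions):
    """Analysis step: match each collected record against the indicators.

    Returns per-host findings: accumulated score, which indicators fired,
    and the records that triggered them, so an escalation carries evidence.
    Hosts with no indicator at all never appear in the result."""
    findings = defaultdict(HostFindings)
    for rec in sessions:
        host = rec[0]
        for name, (pred, weight) in INDICATORS.items():
            if pred(rec):
                f = findings[host]
                f.score += weight
                f.indicators.add(name)
                f.evidence.append((name, rec))
    return dict(findings)


def escalate(findings, threshold=ESCALATION_THRESHOLD):
    """Escalation step: hosts whose indicator score meets the threshold are
    recommended for investigation. Investigation itself is out of scope."""
    return {
        host: {"score": f.score,
               "indicators": sorted(f.indicators),
               "evidence": f.evidence}
        for host, f in findings.items() if f.score >= threshold
    }


if __name__ == "__main__":
    for host, detail in escalate(analyze(SESSIONS)).items():
        print(f"{host}: score={detail['score']} indicators={detail['indicators']}")
        for name, rec in detail["evidence"]:
            print(f"  {name}: {rec}")
```

Only ws-02 crosses the threshold here; the point of keeping the evidence list attached to the escalation is that the recommendation to investigate arrives with the specific records that justified it, rather than a bare alert.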