“Typologies” Sound Boring – But They Could Save Your Business Millions

3 Key Takeaways:

  1. Typologies aren’t just academic – they’re essential to stop fraud, insider threats, and trade secret theft before they happen.
  2. They help businesses understand how bad actors exploit systems, people, and processes – often using your own supply chain or research team.
  3. Typologies link real-world risks to detection models, enabling proactive IP protection and smarter investment in technology.

Why You Should Care About Typologies (Even If You’d Rather Not)

If you’ve ever had to explain to your board how a former employee walked out with your research, your IP, or your customer list – and no one caught it until too late – then you’ve already lived the cost of ignoring typologies.

I’ve worked with governments, banks, and startups, and here’s what I’ve seen time and again: organisations throw money at tech or tools without understanding how threats actually unfold. That’s where typologies come in. They’re not just theory. They’re your cheat sheet to understanding how people commit fraud, steal trade secrets, or sabotage your commercialisation efforts.

In short, a typology shows you the playbook of a bad actor. And if you understand the playbook, you can stop the play.


But Wait – What Even Is a Typology?

A typology is basically a pattern. It’s a recipe for how bad things happen – who’s involved, how they do it, what systems they exploit, and what clues they leave behind. Think of it as a detective’s casefile – but for your data scientist.

The term ‘typology’ is used in the sciences and social sciences. According to Solomon (1977), “a criminal typology offers a means of developing general summary statements concerning observed facts about a particular class of criminals who are sufficiently homogenous to be treated as a type”.

Use of the term ‘typology’ in this way apparently dates back to Italian criminologist Cesare Lombroso (1835–1909). Here’s my analogy: if you’re baking a cake, the recipe tells you the ingredients, the method, and the tools. A typology does the same for detecting threats – helping teams build analytics models that actually spot trouble before it hits the balance sheet.

As we see the convergence of financial crime, cybersecurity and physical threat detection in domains such as insider threats or fraud, we need to have an end-to-end understanding of the path and actions that ‘bad actors’ must take to realise their objective, as well as other factors such as offender attributes / characteristics, motive, and overall threat posed.


Let’s Break Down the Buzzwords: Typologies vs MO vs TTPs

You’ve probably heard terms like Modus Operandi (MO) or TTPs (Tactics, Techniques, and Procedures). Don’t panic – they all describe the how of a crime or attack.

  • MO is a criminal law term.
  • TTPs come from military and cyber land.
  • Both describe how something bad is done – like sending trade secrets to a personal Gmail account, or siphoning supplier data through a compromised third-party tool.

I lump them under the umbrella of “bad actor behaviour”. What matters is that these behavioural clues often exist – but your systems can’t see them if you don’t know what to look for. That’s why you need detailed typologies.

Why Typologies Matter to Your Business (Yes, Yours)

Whether you’re running an eCommerce business, commercialising a research breakthrough, or protecting IP in a complex supply chain, typologies help you see how fraud and insider threats could happen before they become front-page news.

For example:

  • Scenario A: Salesperson sends brochures to a potential customer = normal.
  • Scenario B: Researcher sends sensitive experimental data to a private email address = alarm bells.

The context is everything. That’s why good typologies are tied to 4th-level risks – meaning they’re specific to a product, process, or team in your business. Generic threats don’t cut it anymore.


Anatomy of a Good Typology

Writing good typologies is like writing a great detective novel – detailed, layered, and grounded in reality. Here’s what every solid typology needs:

  • A clear name tied to a business risk
  • Who the threat actor is (e.g. employee, vendor, nation-state)
  • What they’re targeting (IP, systems, customer data)
  • A step-by-step attack description (ideally with a visual)
  • Specific indicators (the digital “fingerprints” of wrongdoing)
  • The data sources needed to detect those indicators
  • Guidance for analysts and investigators

Tip: Don’t hand over vague notes to your data scientist and expect magic. The typology should be ready-to-use – or you’ll waste time (and salaries) getting lost in translation.

Public examples of typologies include those written for Anti-Money Laundering or Counter-Terrorist Financing by bodies such as FATF, FinCEN and AUSTRAC. But be warned, substantial effort is often required to take these more generic typologies and implement them in your business!

In my experience, a typology is ‘finished’ when it can be readily understood and converted to an analytics-based detection model by a data scientist, with minimal rework or clarification required.
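To make the hand-off concrete, here is an added example (not from the original article) that writes Scenario B as a typology record using the fields listed above, turns its indicators into a rule, and checks which indicators cannot be seen with the data sources currently monitored. All field names, indicator names, data source names, the personal-domain list and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Typology:
    """One typology, with the fields from the anatomy list (names are assumed)."""
    name: str
    actor: str
    target: str
    steps: list
    indicators: dict          # indicator name -> data source needed to observe it
    analyst_guidance: str

EXFIL = Typology(
    name="Research data sent to a private email address",
    actor="employee (researcher)",
    target="sensitive experimental data",
    steps=["access research data", "attach it to an email", "send to private mailbox"],
    indicators={"personal_recipient": "mail_gateway",
                "sensitive_attachment": "dlp_labels",
                "sender_in_research": "hr_directory"},
    analyst_guidance="Check whether an approved collaboration covers the recipient.",
)

PERSONAL_DOMAINS = {"gmail.com", "outlook.com"}   # assumed list, tune per business

def observe(event):
    """Return the set of indicators present in one mail event."""
    found = set()
    if event["recipient"].rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
        found.add("personal_recipient")
    if event.get("label") == "sensitive":
        found.add("sensitive_attachment")
    if event.get("dept") == "research":
        found.add("sender_in_research")
    return found

def matches(typology, event):
    """Alert only when every indicator is present: the context decides."""
    return set(typology.indicators) <= observe(event)

def coverage_gaps(typology, monitored_sources):
    """Indicators that cannot fire because their data source is not collected."""
    return sorted(i for i, src in typology.indicators.items()
                  if src not in monitored_sources)

# Constructed sample events for Scenario A and Scenario B.
SCENARIO_A = {"sender": "sales1@example.com", "dept": "sales",
              "recipient": "buyer@customer.example", "label": "public"}
SCENARIO_B = {"sender": "res7@example.com", "dept": "research",
              "recipient": "res7.private@gmail.com", "label": "sensitive"}
```
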


Why This Matters Now

Let’s not kid ourselves. Technology is moving fast, but bad actors are faster. With the rise of AI-assisted digital fraud, cross-border IP theft, and dodgy supply chain partners, businesses need more than gut instinct. They need systems that understand the threat – and that starts with typologies.

Plus, the more lucrative or competitive your sector (banking, biotech, medtech), the more likely someone wants your secrets. Whether for financial gain or strategic advantage, fraud is real – and increasing.


So What Should You Do Next?

  1. Start identifying your risks, in detail. We’re after the who, what, why, when, where and how level of detail. Typologies demand specificity.
  2. Align your detection efforts with specific risks. Ditch the one-size-fits-all dashboards. They’re not helping. Remember, the more granular the better.
  3. Build typologies that actually work. If you don’t have them, start writing them – or call someone who can.
  4. Design your continuous monitoring program. Build detection models (rules and/or AI/ML) to detect bad behaviour in your data. Then check your program – does it monitor those known typologies? If not, you’ve got gaps.
  5. Don’t go it alone. Security, fraud, research, and IT teams need to collaborate – threats don’t respect silos, and neither should you.

Want help building typologies that actually protect your business? Let’s talk. Because protecting your revenue, product and IP is just smart business.


DISCLAIMER: All information presented on paulcurwell.com is intended for general information purposes only. The content of paulcurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon paulcurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers.