Mitigating Insider Sabotage and Espionage: A Review of the United States Air Force\u27s Current Posture

The security threat from malicious insiders affects all organizations. Mitigating this problem is quite difficult due to the fact that (1) there is no definitive profile for malicious insiders, (2) organizations have placed trust in these individuals, and (3) insiders have a vast knowledge of their organization’s personnel, security policies, and information systems. The purpose of this research is to analyze to what extent the United States Air Force (USAF) security policies address the insider threat problem. The policies are reviewed in terms of how well they align with best practices published by the Carnegie Mellon University Computer Emergency Readiness Team and additional factors this research deems important, including motivations, organizational priorities, and social networks. Based on the findings of the policy review, this research offers actionable recommendations that the USAF could implement in order to better prevent, detect, and respond to malicious insider attacks. The most important course of action is to better utilize its workforce. All personnel should be trained on observable behaviors that can be precursors to malicious activity. Additionally, supervisors need to be empowered as the first line of defense, monitoring for stress, unmet expectations, and disgruntlement. In addition, this research proposes three new best practices regarding (1) screening for prior concerning behaviors, predispositions, and technical incidents, (2) issuing sanctions for inappropriate technical acts, and (3) requiring supervisors to take a proactive role

Enabling information security culture : influences and challenges for Australian SMEs

An effective information security culture is vital to the success of information systems governance, risk management and compliance. Small and medium size enterprises (SMEs) face special challenges developing an information security culture as they may lack the information security knowledge, skills and behaviours of large organisations. This paper reports the main findings from an interpretive study of key influences enabling an effective information security culture for Australian SMEs. The paper provides a framework depicting external and internal influences on SME information security culture and a set of key challenges in the Australian context. The findings highlight that SME owner attitudes and behaviour &ndash; in turn influenced by government involvement - strongly influence information security culture for Australian SMEs. A surprising finding is the potential influence of the Australian culture. Practical and theoretical implications are discussed.<br /

Risk, Human Behavior, and Theories inOrganizational Studies

The present paper regards risk, threats and organizational issues that are associated with human behavior;e.Business is no exception[2]. Organizational actors in e.Businessorganizations make security decisions with a wide variety of meanings[3]: information systems interactions, access to physical premises, behavior within the workplace, utilization of tools and work instruments, are just a few examples of the realm of security decisions that are made within all organizations, and e.Business organizations in particular. The way in which the risk is perceived greatly influences any decision. The aim of the present paper is to conjugate general risk theories in terms of human behavior and system security (as opposed to system risk) in order to identify a common baseline ofrisk and behavior, that will lead eventually lead to a structured framework that will contribute to the discipline of organizational studies

CYBER SECURITY @ HOME: The Effect of Home User Perceptions of Personal Security Performance on Household IoT Security Intentions

This study explored potential human factors predictors of home user security intentions through the lens of past performance, perceived self-efficacy, and locus of control. While perceived self-efficacy and locus of control are elements in several organizational and individual security models, past performance has been less frequently studied. The variable, past performance, which has been referred to in other studies as prior experience, knowledge, and information security awareness, is usually a single question self-assessment of familiarity or comfort with technology. This study explores user technical prowess in further depth, using formal technical education, informal technical education, employment in an IT/CS field, and self-reported email and internet security measures as a measurement of technical ability. Security intentions were determined by best practices in hardware security, network security, and IoT device protection. Studying IoT security in home users is important because there are 26.6 billion devices connected to the Internet already, with 127 devices are being added to the network every second, which creates a very large attack surface if left unsecured. Unlike organizations, with dedicated IT departments, home users must provide their own security within their network. Instead of building security around the user, this research attempts to determine what human factors variables effect intentions to use existing security technologies. Through an online survey, home users provided information on their background, device usage, perceived ability to perform security behaviors, level of control over their environment, current security intentions, and future security intentions. Hierarchical linear regression, path modeling, and structural equation modeling determined that past performance was consistently the strongest predictor of security intentions for home users. Self-efficacy and locus of control had varying results among the disparate methods. Additionally, exposure to security concepts through the survey had an effect on user security intentions, as measured at the end of the survey. This research contributed an initial model for the effects of past performance, self-efficacy, and locus of control on security intentions. It provided verification for existing self-efficacy and locus of control measurements, as well as comprehensive, modular security intentions survey questions. Additionally, this study provided insight into the effect of demographics on security intentions

Impact and key challenges of insider threats on organizations and critical businesses

The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those part of a nation’s critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as understanding the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed