
    The Role of Individual Characteristics on Insider Abuse Intentions

    Insiders represent a major threat to the security of an organization’s information resources (Warkentin & Willison, 2009; Stanton et al., 2005). Previous research has explored the role of protection motivation or of deterrence in promoting compliant behavior, but these factors have not been studied together. Furthermore, other individual differences, such as the Big Five personality factors, may serve as critical influences on cybersecurity compliance. In this study we use a factorial survey approach to identify key components of secure insider behavior. We obtained 201 observations from a diverse sample of employees. The results of this effort will enable us to develop psychological profiles of individual employees so that we may create personalized cybersecurity training protocols that meet the unique needs of each employee profile, appealing to the proper set of motivations for each. Findings of the present study are presented, and the long-term project goal is discussed.

    Behavioural Evidence Analysis Applied to Digital Forensics: An Empirical Analysis of Child Pornography Cases using P2P Networks

    The utility of Behavioural Evidence Analysis (BEA) has gained attention in the field of Digital Forensics in recent years. It has been recognized that, along with technical examination of digital evidence, it is important to learn as much as possible about the individuals behind an offence, the victim(s) and the dynamics of a crime. This can assist the investigator in producing a more accurate and complete reconstruction of the crime, in interpreting associated digital evidence, and in describing investigative findings. Despite these potential benefits, the literature shows limited use of BEA for the investigation of cases of the possession and dissemination of Sexually Exploitative Imagery of Children (SEIC). This paper represents a step towards filling this gap. It reports on the forensic analysis of 15 SEIC cases involving P2P file-sharing networks, obtained from the Dubai Police. Results confirmed the predicted benefits and indicate that BEA can assist digital forensic practitioners and prosecutors.

    Why Individual Employees Commit Malicious Computer Abuse: A Routine Activity Theory Perspective

    Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead employees to commit deliberate and malicious acts against organizational digital assets. Drawing on routine activity theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuse (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, as well as the organizational aspects of deterrence, based on the routine activity framework of crime. We tested this research model using research participants holding a wide range of corporate positions and possessing varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations.

    A Tale of Two Deterrents: Considering the Role of Absolute and Restrictive Deterrence to Inspire New Directions in Behavioral and Organizational Security Research

    This research-perspective article reviews and contributes to the literature that explains how to deter internal computer abuse (ICA), which is criminal computer behavior committed by organizational insiders. ICA accounts for a large portion of insider trading, fraud, embezzlement, the selling of trade secrets, customer privacy violations, and other criminal behaviors, all of which are highly damaging to organizations. Although ICA represents a momentous threat for organizations, and despite numerous calls to examine this behavior, the academic response has thus far been lukewarm. Nonetheless, a few security researchers have examined ICA’s influence in an organizational context and addressed potential means of deterring it. However, the results of these studies have been mixed, leading to a debate on the applicability of deterrence theory (DT) to ICA. We argue that more compelling opportunities will arise in DT research if security researchers study its assumptions more deeply and recontextualize it more carefully. The purpose of this article is to advance a deterrence research agenda that is grounded in the pivotal criminological deterrence literature. Drawing on the distinction between absolute and restrictive deterrence and aligning them with rational choice theory (RCT), this paper shows how deterrence can be used to mitigate both participation in and the frequency of ICA. We thus propose that future research on the deterrent effects of ICA should be anchored in a more general RCT, rather than in examinations of deterrence as an isolated construct. We then explain how adopting RCT with DT opens up new avenues of research. Consequently, we propose three areas for future research, which cover not only the implications for the study of ICA deterrence, but also the potential motivations for these types of offenses and the skills required to undertake them.

    A unified classification model to insider threats to information security

    Prior work on insider threat classification has adopted a range of definitions, constructs, and terminology, making it challenging to compare studies. We address this issue by introducing a unified insider threat classification model built through a comprehensive and systematic review of prior work. An insider threat can be challenging to predict, as insiders may utilise motivation, creativity, and ingenuity. Understanding the different types of threats to information security (and cybersecurity) is crucial as it helps organisations develop the right preventive strategies. This paper presents a thematic analysis of the literature on the types of insider threats to cybersecurity to provide cohesive definitions and consistent terminology for insider threats. We demonstrate that the insider threat exists on a continuum of accidental, negligent, mischievous, and malicious behaviour. The proposed insider threat classification can help organisations to identify, implement, and contribute towards improving their cybersecurity strategies.

    Exploring Employees’ Computer Fraud Behaviors using the Fraud Triangle Theory

    Background: Employee computer fraud is a costly and significant problem for firms. Using the fraud triangle theory, this study explores the extent to which an employee’s perception of opportunity, rationalization, and work pressure contributes to their likelihood of committing computer fraud (i.e., information systems (IS) security policy non-compliance that is intentional, malicious, or motivated by self-interested gain). Method: A model is proposed and empirically validated through survey data collected from 213 computer-using employees with financial responsibilities within their organizations, across various industries in the U.S. Results: This study’s findings suggest that when individual employees experience high levels of work pressure, they may be more likely to commit computer fraud. Organizations can guard against this behavior by monitoring their employees’ assigned workload and performance expectations. This study demonstrates a need for future research to investigate further the motivations employees may have, besides financial greed, when committing different types of computer abuse behaviors. Conclusion: This study, based upon the fraud triangle theory, empirically reveals the importance of monitoring general work pressure to guard against employees committing computer fraud. Computer fraud behaviors should be considered a distinct type of information security violation behavior.

    Assessing and mitigating the impact of organisational change on counterproductive work behaviour: An operational (dis)trust based framework.:Full Report

    This report comprises the findings of CREST-funded research into organisational change and insider threat. It outlines the individual, social and organisational factors that, over time, can contribute to negative employee perceptions and experiences. These factors can produce a reduction in an employee’s psychological attachment to, and trust in, their employing organisation, which then allows them to undertake Counterproductive Work Behaviour (CWB). CWB concerns action which threatens the effectiveness, or harms the safety, of an employer and its stakeholders. It can develop from small-scale indiscretions (e.g., time wasting, or knowledge hiding) into serious insider threat activities (e.g., destroying systems or exchanging confidential information with malicious others). Following past research linking CWB to both organisational change and trust breach, the aim of the study was to produce a (dis)trust-based framework for predicting, identifying and mitigating counterproductive work behaviour and insider threat within the context of organisational change. We posed the following research questions:
    1. What effect does organisational change have in relation to counterproductive work behaviour (CWB) and insider threat acts?
    2. What role does (dis)trust play in CWB during organisational change?
    3. What preventative measures can be taken by organisations to help mitigate CWB and insider threat in organisational change initiatives?
    To address these questions, we collected empirical data from a case study organisation undergoing change: i.) interviews with selected managers and staff outlining the key changes in the organisation; ii.) interviews with a range of stakeholders involved in, or privy to, one of three insider threat case studies in two different departments; iii.) a review of HR and security paperwork on the insider threat cases; and iv.) anonymous surveys of the workforce in the same two departments in which our case studies occurred. Using these methods, we explored individuals’ cognitions and emotions to understand why, while some employees remain engaged, loyal and trusting during change, others become disengaged, distrusting and behave in deviant ways.

    High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

    Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrent effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career-ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company’s accounting information system: modifying working papers to hide irregularities, which jeopardizes data integrity and security, violates their professional standards, and could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees’ intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions, for example by arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research.