Organizational Vulnerability to Insider Threat - What Do Australian Experts Say?

Approaches to the study of organizational vulnerabilities to intentional insider threat have been narrow in focus. Cyber security research has dominated other forms of insider threat research [1]. However, within the scope of cyber security, the effort is predominantly focused on external threats or technological mitigation strategies. Deeper understanding of organizational vulnerabilities influencing insider threat, and of responses to insider threats beyond technological security, remains limited in Australia. Despite the increasing potential threat and impact of such risk to organizations, empirical studies remain rare. This paper presents an initial study related to identifying organizational vulnerabilities associated with intentional insider threat. A Delphi Method was employed as part of a broader mixed methods study. There was a strong consensus amongst Australian experts as to the primary organizational vulnerabilities to insider threat. These main risks extend across personnel, process, technological and strategic (resource allocation) domains. The organizational vulnerabilities identified by Australian experts are consistent with research, literature, and guidelines available from other countries. The results confirm the need to look beyond the narrow focus on individuals and technology in order to fully address the insider threat problem. Whilst only preliminary results are presented here, future analysis of data will focus on identifying best practice solutions for the Australian market.

[1] Carl Colwill, et al. Human factors in information security: The insider threat - Who can you trust these days?, 2009, Inf. Secur. Tech. Rep.

[2] Sadie Creese, et al. A Critical Reflection on the Threat from Human Insiders - Its Nature, Industry Perceptions, and Detection Approaches, 2014, HCI.

[3] Dawn M. Cappelli, et al. Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis, 2006.

[4] Frank L. Greitzer, et al. Psychosocial Modeling of Insider Threat Risk Based on Behavioral and Word Use Analysis, 2013.

[5] Kimmo Laakso, et al. Using the Delphi method, 2011, 2011 Proceedings of PICMET '11: Technology Management in the Energy Smart World (PICMET).

[6] Merrill Warkentin, et al. Beyond Deterrence: An Expanded View of Employee Computer Abuse, 2013, MIS Q.

[7] Suzanne D. Pawlowski, et al. The Delphi method as a research tool: an example, design considerations and applications, 2004, Inf. Manag.

[8] Dawn M. Cappelli, et al. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, 2012.

[9] James P Festa. New technologies and emerging threats: personnel security adjudicative guidelines in the age of social networking, 2012.

[10] Gregory J. Skulmoski, et al. The Delphi Method for Graduate Research, Journal of Information Technology Education, 2022.

[11] F. Hasson, et al. The Delphi Technique in Nursing and Health Research, 2011.

[12] Michele Maasberg, et al. The Dark Side of the Insider: Detecting the Insider Threat through Examination of Dark Triad Personality Traits, 2015, 2015 48th Hawaii International Conference on System Sciences.