Insider Threats in a Financial Institution: Analysis of Attack-Proneness of Information Systems Applications

This study investigates the risk of insider threats associated with different applications within a financial institution. Routine activity theory (RAT) from the criminology literature is extended to information systems security, and hypotheses are developed regarding how application characteristics, namely value, inertia, visibility, accessibility, and guardians, cause applications to be exposed to insider threats. Routine activity theory is synthesized with survival modeling, specifically a Weibull hazard model, and users' system access behavior is investigated using seven months of field data from the institution. The inter-arrival time between two successive unauthorized access attempts on an application is employed as the measurement of risk. As a robustness check, the daily number of unauthorized attempts experienced by an application is introduced as an alternative measurement of risk, and a zero-inflated Poisson-Gamma model is developed for it. The Markov chain Monte Carlo (MCMC) method is used for model estimation. The results support the empirical application of routine activity theory to understanding insider threats, and provide a picture of how different applications have different levels of exposure to such threats. Theoretical and practical implications for risk management regarding insider threats are discussed. This study is among the first to use behavioral logs to investigate victimization risk and attack proneness associated with information assets.
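The following is an added illustration, not code from the paper or its authors, of how the two risk measurements named in the abstract are derived from raw access logs: the inter-arrival times between successive unauthorized attempts on each application, and the per-day attempt counts (including the zero days that motivate a zero-inflated model). It then fits a Weibull distribution to the inter-arrival times by maximum likelihood, a simpler stand-in for the paper's MCMC estimation of the Weibull hazard model. The log line format (`timestamp user application outcome`) and the sample events are constructed for the example; the field data behind the study is not reproduced.

```python
"""Derive insider-threat risk measurements from access logs (added example).

Assumed log format (constructed, not the institution's real format):
    <ISO-8601 timestamp> <user id> <application> <GRANTED|DENIED>
A DENIED record is treated as one unauthorized access attempt.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample log covering four days for two applications.
SAMPLE_LOG = """\
2014-03-01T08:00:00 u17 payroll DENIED
2014-03-01T09:30:00 u03 payroll GRANTED
2014-03-01T11:00:00 u17 payroll DENIED
2014-03-01T23:00:00 u22 ledger DENIED
2014-03-02T05:00:00 u17 payroll DENIED
2014-03-02T23:00:00 u22 ledger DENIED
2014-03-03T17:00:00 u09 payroll DENIED
2014-03-04T23:00:00 u22 ledger DENIED
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, app, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, app, outcome))
    return events


def unauthorized_by_app(events):
    """Group the timestamps of DENIED attempts by application, sorted in time."""
    per_app = defaultdict(list)
    for ts, _user, app, outcome in events:
        if outcome == "DENIED":
            per_app[app].append(ts)
    return {app: sorted(ts_list) for app, ts_list in per_app.items()}


def interarrival_hours(timestamps):
    """Hours between each pair of successive unauthorized attempts (the survival-model data)."""
    return [(b - a).total_seconds() / 3600.0 for a, b in zip(timestamps, timestamps[1:])]


def daily_counts(timestamps, first_day, last_day):
    """Attempts per calendar day over [first_day, last_day], zeros included
    (zero-heavy count series are what a zero-inflated count model is built for)."""
    counts = defaultdict(int)
    for ts in timestamps:
        counts[ts.date()] += 1
    day, series = first_day, []
    while day <= last_day:
        series.append(counts.get(day, 0))
        day += timedelta(days=1)
    return series


def weibull_score(x, k):
    """Profile-likelihood score equation for the Weibull shape k; zero at the MLE."""
    logs = [math.log(v) for v in x]
    xk = [v ** k for v in x]
    return sum(a * b for a, b in zip(xk, logs)) / sum(xk) - 1.0 / k - sum(logs) / len(x)


def weibull_mle(x, lo=1e-3, hi=100.0, iters=200):
    """Return (shape k, scale lam) by MLE. The score is increasing in k, so bisection suffices."""
    if len(x) < 2 or any(v <= 0 for v in x):
        raise ValueError("need at least two positive inter-arrival times")
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if weibull_score(x, mid) > 0:
            hi = mid
        else:
            lo = mid
    k = (lo + hi) / 2.0
    lam = (sum(v ** k for v in x) / len(x)) ** (1.0 / k)
    return k, lam


if __name__ == "__main__":
    per_app = unauthorized_by_app(parse_log(SAMPLE_LOG))
    start, end = datetime(2014, 3, 1).date(), datetime(2014, 3, 4).date()
    for app, stamps in per_app.items():
        gaps = interarrival_hours(stamps)
        k, lam = weibull_mle(gaps)
        print(app, "gaps(h):", gaps, "daily:", daily_counts(stamps, start, end),
              "weibull shape=%.2f scale=%.1f" % (k, lam))
```

A Weibull shape below 1 means the hazard of the next unauthorized attempt falls as time since the last one grows (attempts cluster), a shape above 1 means it rises; comparing the fitted parameters across applications is the descriptive counterpart of the paper's comparison of attack-proneness.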
