Multiple Case Study Approach to Identify Aggravating Variables of Insider Threats in Information Systems

Malicious insiders present a serious threat to information systems because of their privileged access, their knowledge of internal computing resources, and the risk posed by disgruntled employees or by insiders collaborating with external cybercriminals. Researchers have extensively studied insiders' motivation to attack from the broader perspective of deterrence theory, and have explored why employees disregard or overlook security policies from the perspective of neutralization theory. This research takes a step further: we explore the aggravating variables of insider threat using a multiple case study approach. Empirical research using black hat analysis of three case studies of insider threats suggests that, while neutralization plays an important role in insider attacks, it takes a cumulative set of aggravating factors to trigger an actual data breach. By identifying and aggregating these variables, this study presents a predictive model that can guide IS managers in proactively mitigating insider threats. Given the economic and legal ramifications of insider threats, this research has implications for both academics and security practitioners.
