Leaking confidential information by non-malicious user behavior in Enterprise Systems - an empirical study

Information assets of enterprises are vulnerable to theft and need to be protected to avoid information leakage to unauthorized parties. Technical countermeasures to protect confidential information fall short, as information leaks can emerge from the non-malicious behavior of users while they execute a business process in an Enterprise System. Our study investigates the characteristics of security incidents in which users are authorized to access information in a secure domain but cause information to flow into an unsecure domain without any malicious objective. We use a qualitative research method to explore the context, activities, and behaviors that lead to the leakage of confidential information. We will collect empirical data through interviews in three sequential phases: in the first phase the informants will be security consultants for Enterprise Systems, in the second phase companies' security managers will be interviewed, and in the final phase narratives will be collected from end users. We employ the grounded theory approach to analyze the data and formulate the theoretical framework. The findings are expected to provide insights into the sources of confidential information leakage caused by non-malicious user behavior in Enterprise Systems.
