Confronting Information Security's Elephant, the Unintentional Insider Threat

It is well recognized that individuals within organizations represent a significant threat to information security: they are both common targets of external attackers and potential sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of unintentional human error. This lack of emphasis is surprising given relatively recent reports that identify error as the root cause of numerous security breaches. Unfortunately, the efforts that do recognize human error’s influence suffer from the absence of a commonly accepted error framework and lexicon. We therefore take this opportunity to review what the data show regarding error-based breaches across various types of organizations, and to create a nomenclature and taxonomy, rooted in the rich history of safety research, that can be applied to the information security domain. Our work represents a significant step toward classifying, monitoring, and comparing the myriad aspects of human error in information security, in the hope that more effective security education, training, and awareness (SETA) programs can be devised. Further, we believe our findings underscore the importance of revisiting the daily demands placed on organizational insiders in the workplace.