Towards a complete understanding of information security misbehaviours: a proposal for future research with social network approach

Insiders' intentional misbehaviours that carry no malicious intent to harm, together with security workarounds, are emerging issues in the information security behavioural field. To mitigate these insider threats, prior research has identified many contributing factors of misbehaviour, focusing largely on the cognition of employees as individuals. Consequently, the practical value of these studies is inevitably limited by their individual-level assumptions, which overlook the dynamic exchanges between organisational entities and collectives. By reviewing prior information security behavioural research and identifying its limitations, this paper introduces and proposes social network research as a new approach that would complement the current body of knowledge. We then discuss potential directions for social network research and outline research ideas that could be investigated using social network analysis techniques.
