Perhaps it's a result of the advances made in security technologies, or just our understanding of the risks, but the ‘insider threat’ has become a part of the security landscape on par with massive DDoS and state-driven Advanced Persistent Attacks. The insider threat is the risk of an employee acting against the interests of the organization and becoming a threat to its systems or the data therein. The investigation of wrongdoing often involves motive and opportunity, as do studies of crime and justice and most detective movies and courtroom dramas. How does our understanding of motive and opportunity help us to reduce the insider threat to the systems and data of organizations?
The team of Nader Sohrabi Safa, Carsten Maple, Tim Watson, and Rossouw Von Solms from the Cyber Security Centre at the University of Warwick in the United Kingdom and the Centre for Research in Information and Cyber Security at Nelson Mandela Metropolitan University in South Africa wanted to provide some insight into this question.
Situational Crime Prevention Theory is based around the concept of reducing the opportunity for wrongdoing. Working from this basis, the team developed some ideas about how changes to an organization might affect the decisions of those considering mischief. Through a survey they tested their ideas about the impact of increased effort, increased risk, reduced rewards, reduced provocation and the removal of excuses on the intention for wrongdoing. Perhaps because of the focus on organizations, they also drew from Social Bond Theory, which describes employees' activities within an organization through their attachment to an organization, commitment to its goals, involvement in an activity and their personal norms. These theories, along with attitude and intention, were combined into a survey that was successfully completed by about 500 professionals in South Africa. The results showed that making wrongdoing harder, more risky, less rewarding and harder to excuse can reduce misbehaviour and consequently insider threats. The research adds to the growing weight of evidence of the importance of the human and psychological aspects of information security. Paying attention to how opportunities for bad behaviour are perceived by employees, and to what might cause them to become an insider threat, is a way towards creating better security through the prevention of incidents.
I quite enjoyed this piece and it is presented in a way that is very valuable to other academics studying security in the context of the organization.
Safa, N. S., Maple, C., Watson, T., & Von Solms, R. (2018). Motivation and opportunity based model to reduce information security insider threats in organisations. Journal of Information Security and Applications.