Prof. Tejay (Nova Southeastern University)
- Date: 02.05.2012
Location: Kaulbachstr. 45, Room E04
Selected Topics in Information Security
A Theory Explaining How an Organization Can Live Up to the Letter, But Not the Spirit, of an Information Security Initiative
Co-author: Allen Lee
In all walks of life, there are people who say one thing, but do another. In our case study of a government organization that has set out to implement an information security initiative, we see people who say (and actually believe) one thing, but do something else entirely, where the result is a thwarted security initiative. For an overall perspective, we adopt Pettigrew’s (1987) contextualist theory of strategic change, first, to provide categories to guide and organize observations at our case-study site and, second, to serve as a foundation upon which to build a specific theory explaining the phenomenon of how members of an organization can live up to the letter, but not the spirit, of the organization’s information security initiative, thereby undermining and defeating it. Such superficial security can result from the beliefs and actions of individuals rather than be the fault of technology. We offer a theory of action that diagnoses the mechanism by which this is possible, and that consequently prescribes how fundamental information security actions need to be coordinated with people’s underlying security values for desired information security objectives to be achieved.
Identifying Factors Influencing Insider Attacks within an Organization
Co-author: Gary Doss
There are numerous accounts of successful malicious activities conducted by employees and internal users of organizations. To understand this phenomenon, studies have been conducted that include researching individual sociological and psychological traits, financial impacts to organizations, specific log analysis tools, and theoretical models to monitor user activity. The majority of these studies have focused on a technical approach to defending against the insider threat. However, there have been limited attempts to focus on the targets the insider might want to obtain or achieve. From a target perspective, an organization might be able to better control the outcome of a malicious insider attack. As an organizational policy violation is, or resembles, a criminal activity, it is conceivable to apply a criminology lens to this problem. This study uses Routine Activities Theory to develop a research model capturing key factors that influence malicious insider activity. Data was collected using a scenario-based survey and analyzed using Structural Equation Modeling techniques, which were used to evaluate the fit of the model in explaining information security policy violations.