Introduction
Information systems are pervasive throughout the spectrum of modern international organizations including the education, military, government and commercial sectors. Worldwide spending on information technologies and services by the year 2014 is estimated to be $4 trillion (Hardcastle et al., 2012). Unfortunately, with the increased reliance of the U.S. economy on information and information systems come increased information security threats and associated costs. Information security concerns are not isolated to the U.S.; information security compromises occur internationally on a daily basis with losses potentially in the range of hundreds of billions a year (United Nations, 2005).
Capturing the true cost and occurrence of information security incidents is a difficult task. It is estimated that organizations only discover a fraction of actual security incidents (Whitman, 2003). Additionally, many organizations are reluctant to admit security breaches for a variety of reasons, such as negative publicity or reputation damage (Richardson, 2011; Hoffer & Straub, 1989; Panko, 2009). This information dilemma is not limited to small organizations with limited information security resources. Since 2010, RSA Inc., Verisign Inc. (both companies at the forefront of digital encryption and security technology), and Google have been hacked by what are now being called Advanced Persistent Threats (APTs) (Andress, 2011; Reeder, 2012). An APT is defined as a technologically sophisticated entity engaged in information warfare (the use of IT to gain an advantage over an adversary) in support of long-term goals (Cloppert, 2009). While the damage done to RSA and Google was primarily carried out by complex computer software remotely operated via computer networks, it was human error that opened the organizations to attack. Specifically, the recent successful APT attacks against RSA Inc. and Internet giant Google both started with spear-phishing attacks that successfully tricked employees into opening email attachments that exploited previously unknown software vulnerabilities (Andress, 2012).
The importance of employees to information security. There are numerous threats to the confidentiality, integrity, and availability of organizational information and information systems (Panko, 2009). While there are many security mechanisms designed to mitigate the information security risks from relevant threats, it is often incumbent upon users to apply the technologies and/or procedures faithfully and properly for them to be effective; information security depends on the effective behavior of humans (Siponen, 2005; Stanton et al., 2005; Vroom & von Solms, 2004; Workman, 2007; Panko, 2009). In a report by the U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC), the greatest potential threat to government information resources is said to come from “insiders with legitimate access to those systems” (NSTISSAM, 1999).
There is ample and important research on the information security dangers posed by organizational insiders. There are generally two types of insider security risk: those from malicious employees and those from non-malicious employees (NSTISSAM, 1999; Brackney & Anderson, 2004). In the well-respected 2010/2011 Computer Security Institute (CSI) Computer Crime and Security Survey, over 60% of respondents reported losses due to security compromises by non-malicious insiders, compared to 41% from malicious insiders (Richardson, 2011).