Cyber Insider Threat in Virtual Organizations

Shuyuan Mary Ho (Florida State University, USA) and Jonathan M. Hollister (Florida State University, USA)
DOI: 10.4018/978-1-4666-5888-2.ch145

Chapter Preview



The concepts of information security and privacy have been discussed and researched in many disciplines. In the realm of political science - corporate ethics, sensitive information such as trade secrets, market competitive intelligence, and intellectual property are rigorously discussed. As a result, corporate security policies are initiated and established to govern the principles of protecting corporate assets against potential risks, threats, and attacks. Government surveillance of citizens for the sake of national security has been a critical issue discussed for decades. George Orwell identified this issue in the book Nineteen Eighty-Four: “In the past, no government had the power to keep its citizens under constant surveillance. The invention of print, however, made it easier to manipulate public opinion, and the film and the radio carried the process further. With the development of television, and the technical advance which made it possible to receive and transmit simultaneously on the same instrument, private life came to an end.” (Orwell, 1949). Although our televisions don’t provide two-way broadcast, the development of the Internet provides a similar dynamic. Real-world events surrounding the domestic surveillance scandal by the Bush Administration evolved as a result of redirecting surveillance of foreign terrorist activities into the lives of American citizens (Grey, 2005). The need for national security has begun to overshadow citizens’ right to privacy. The case of Edward Snowden leaking sensitive information about the National Security Administration spying on United States citizens is a controversial case that frames Snowden as both a traitor and a patriot. Snowden intentionally stole and leaked information on the government’s surveillance acts. This became a high-profile case of malicious intentional insider threat within the government (CNN Staff, 2013). But this phenomenon applies to corporate governance as well.
While government or corporate surveillance may have superseded the right to personal privacy, the emphasis on personal privacy has led to a black box of human interactions within a corporate domain and, as a result, threatens corporate, government, and national security. It becomes vitally important to balance individual privacy with surveillance interests governed by corporate security policies. How much security is necessary to protect corporate security interests, and how much does this impact individual privacy? These questions are indeed a challenge today.

While the paradox of security and privacy persists, the problem of cyber insider threats becomes more complex due to the mobility of storage, communication media, and technology enabled by distributed, grid, and cloud computing. By definition, the virtual organization refers to a group of individuals whose members and resources may be dispersed geographically, but function as a coherent unit through the use of cyber-infrastructure. This group of individuals is team-based and goal-oriented, where leaders and subordinates work together to achieve pre-determined goals (Ho, 2009). Without the luxury of physical interactions or facial expressions, people collaborate with each other dynamically in virtual organizations using cyber infrastructure. To better discuss the “black box” of human interactions as supported by computer-mediated technologies, we will first discuss the background information of organizations with regard to the availability of technology and the variety of security procedures. We will then raise the issue of user problems in organizations, and further analyze the challenges of user problems in the social and digital domains of virtual organizations. We will discuss the challenges and possible future research directions in analyzing users’ deceptive information behavior in computer-mediated communications within virtual organizations.

Key Terms in this Chapter

Behavioral Anomaly Detection: An approach or a mechanism that would establish a baseline model and profile normal user behavior for individuals who reside in organizations and have authorized access to organizational internal and external resources, which include accessibility to systems, networks, applications, and facilities; an approach or a mechanism that would detect and alert on individual deviational behavior that is uncommon, peculiar, irregular, and abnormal, and perceive, identify or suggest that a possible insider threat would come from specific perpetrator(s), a series of suspicious events or eccentric states.

Trustworthiness Attribution: A process of evaluating and documenting an inward moral value or an outward conduct of a person in whom we can rest assured that the trust is not betrayed, usually in measurable terms, knowledge, skills, attitudes and beliefs. Trustworthiness is demonstrated by the acts of a person who fulfills an assigned material-related or virtue-related responsibility.

Insider Threat: Situations where a critical member of an organization with authorized access, high social power and holding a critical job position, inflicts damage within an organization. In a way, this critical member behaves against the interests of the organization, generally in an illegal and/or unethical manner.

Virtual Organization: A virtual organization refers to a group of individuals whose members and resources may be dispersed geographically, but function as a coherent unit through the use of cyber-infrastructure. This group of individuals is typically team-based and goal-oriented, where leaders and subordinates work together to achieve pre-determined goals. A virtual organization is an equivalent term to cyber organization.

White Hat: An ethical hacker who focuses on securing information systems and is ethically opposed to the abuse of information systems.

Penetration Test: A method of evaluating the security of a computer system or network by simulating an attack from a malicious cracker. The process involves an active analysis of the system for any vulnerabilities and technical flaws. Any security vulnerability that is found is presented to the system owner with an assessment of their impact and often with a proposal for mitigation or a technical solution.
