Driven by the difficulty in achieving complete security with technical tools, business investigators are looking into organizational and behavioral issues that could help make systems more secure. This chapter looks at the security of systems from the organizational perspective. Specifically, this study attempts to identify if different organizations have different predisposition to particular type(s) of security threat sources. Using publicly available security breach data from a privacy rights clearinghouse to investigate which organizational characteristics predisposes an institution to an external or internal threat source, it was concluded that as size of organization and the number of its valuable documents increase by one unit, the organization's probability of suffering an internal attacks decrease. Furthermore, when executive members have a business degree rather than information-security-related degrees, the likelihood of suffering an internal attack increases. Also, the probability of an organization suffering an internal or external attack is not based on its industry type.
TopIntroduction
Acts that affect the integrity and availability of business information systems as well as the privacy of business data threatens the security of those information systems. To achieve a secured system, the information systems must be protected from unauthorized access, use, disclosure, disruption, modification or destruction. As organizations continue to depend on complex information systems, the identification of sources of threat to these systems are very important (Warkentin & Willison 2009). Organizations of different types and sizes have different information security threats that they need to be aware of to ensure their sensitive information and assets are protected. The 2010/2011 Computer Security Institute’s Computer Crime and Security Survey of 351 computer security practitioners revealed that most organizations experienced relatively less system security breaches over the years but the attacks are increasingly complex with some successful breaches resulting in huge financial loss (Warkentin & Willison 2009).
Prior studies on recent breaches have categorized potential sources of threats including cracking, malicious code, falsification and physical assault (Warkentin & Willison 2009). Another study developed a scoring system for vulnerabilities that pose threats to the systems. Some other studies which focused on the individuals within the organization, have suggested that individuals are the most important factor in protecting an information systems (Workman, Bommer, & Straub 2008).
Internal actors, according to findings by McAfee research, account for 43% of data loss and thus is a significant part of data loss. In the same study, they found that 68% of these incidents were significant enough to have a financially negative impact on the enterprise or firm (McAfee 2017). This means that insider threat and its financial consequences are issues that must be addressed and prevented for a company to succeed.
The threat of a data breach from an insider can come in multiple forms and have varying levels of dangers. A study by the Ponemon Institute in 2017 found in a survey of 874 incidents that the money lost from and the frequency of each type of insider breach. The data in the table adapted from a Ponemon Institute Infographic shows a comparison of insider breaches categorized under Malicious Insider, Negligent Insider, and Credential Theft. See Table 1.
Table 1. Adapted from Ponemon Institute 2016 infographic report: DTEX, 2017
| Breach Type | % of Incidents | Cost to Contain | Annualized Cost |
| Malicious Insider | 22% | $347,130 | $1,227,812 |
| Negligent Insider | 68% | $206,933 | $2,291,591 |
| Credential Thief | 10% | $493,093 | $776,165 |