DETERRING INTERNAL INFORMATION SYSTEMS MISUSE. EECS711 : Security Management and Audit, Spring 2010. Presenter : Amit Dandekar. Instructor : Dr. Hossein Saiedian
1

DETERRING INTERNAL INFORMATION SYSTEMS MISUSE

EECS711 : Security Management and Audit, Spring 2010

Presenter : Amit Dandekar
Instructor : Dr. Hossein Saiedian

2

Contents

• Information system misuse by insiders
• Countermeasures
• Measuring effectiveness of countermeasures
– Survey methodology
– Survey results
– Survey conclusions
• Conclusion

3

Information system misuse by insiders

• Misuse of information system (IS) resources
– Largely due to intentional actions of legitimate users
• 70% of breaches involving a loss of more than 100k are internal, per a study
– Results in financial loss and other negative consequences
– Misuse is likely to persist due to increasing user sophistication and the availability of tools

4

Countermeasures

• Countermeasures
– Procedural controls
• Security policy
• Security awareness programs
– Technical controls
• Computer monitoring software
• Preventive security software

5

Measuring effectiveness of countermeasures

• The survey studies the deterrent effect of these measures on IS misuse intentions
• Web-based survey
– 579 users from eight organizations in a variety of industries
– 44% of the companies have 10,000 or more employees
• Two parts of the survey
– Examine awareness of the countermeasures
– Examine the effect of that awareness on IS misuse intentions

6

Survey methodology

• Measure awareness of four security countermeasures
– Measured on seven-point scales
• one = strongly disagree, seven = strongly agree

7

Survey methodology

• Measure user intentions to misuse IS resources
– Measures the likelihood of engaging in misuse behavior

8

Survey results

• Respondents least aware of security awareness programs

9

Survey results

• Security awareness programs have the strongest deterrent effect

10

Survey results

• Security awareness programs
– Strongest deterrent effect on IS misuse
• Security policy
– Significant deterrent effect
• Preventive security software
– Significant deterrent effect
• Computer monitoring software
– No significant deterrent effect

11

Survey conclusion

• Security awareness programs need a larger budget than the other countermeasures
– Strongest deterrent effect, yet the least deployed security countermeasure
• Security policy statements and guidelines are an effective deterrent
– Introduce employees to policies as early as possible
– Display policies prominently

12

Survey conclusion

• Preventive security software is a significant deterrent
– Increases users' fear of detection
– The deterrent effect is above and beyond its core functionality
– Organizations should make a concerted effort to alert employees to the latest technological solutions protecting IS resources
• E.g. provide real-time feedback during password construction

13

Survey conclusion

• Computer monitoring software is an insignificant deterrent
– Users do not equate being monitored with being caught
– Users doubted whether audit logs were reviewed regularly
– Users doubt whether punishment will be severe

14

Conclusion

• The following three measures significantly deter users' IS misuse intentions
– Security awareness program
– Security policy
– Preventive security software
• Monitoring end-user activities has the least effect
• A combination of proactive and preventive approaches is most effective in deterring users from IS misuse

15

References

D'Arcy, J. and Hovav, A. 2007. Deterring internal information systems misuse. Commun. ACM 50, 10 (Oct. 2007), 113-117.