Predicting insider’s malicious security behaviours: a General Strain Theory-based conceptual model

Duy Dang
RMIT University, School of Business IT & Logistics

Dang, D. (2014), “Predicting Insider’s Malicious Security Behaviours: A General Strain Theory-Based Conceptual Model”, presented at 2014 International Conference on Information Resources Management (Conf-IRM 2014), Ho Chi Minh City, Vietnam.


Problem identification

– PwC (2014):

• 25% increase of security incidents in 2013

• 58% were believed to be caused by former or current employees

• 51% were believed to be caused by trusted partners and services providers

– Verizon (2013):

• 10% increase of security incidents (47,000 approx.)

• 15% of 47,000 were due to insiders

Insider’s malicious information security behaviours are persistent and growing

Define insiders

• Employees who have knowledge and access to the organisation’s information systems

• Use the knowledge and access to exploit vulnerabilities & perform misbehaviours

– Intentional vs. unintentional (accidental)

– Malicious intent vs. non-malicious intent

– Organisation- vs. individual-targeted

E.g. sabotage database, hack and steal data etc.

Research question

• What makes employees perform intentional misbehaviours with malicious intent?

• What are the contributing factors of the intention to perform such misbehaviours?

• To what extent do these factors influence the intention?

Conceptual model

“Stressful employees perceive injustice in the workplace, invoke negative emotions and perform intentional misbehaviours with malicious intent.”

General Strain Theory

• Revised and developed by Robert Agnew (1992, 2001, 2009)

• “Strains” are undesirable and disliked events

– Mismatching expectations

– Job dissatisfaction

– Sanction pressure

– Abusive peers

• Information systems professionals are reported to be in constant stressful states (Thong and Yap 2000).

Organisational injustice

• Strains are perceived as injustice or unjust

• Distributive injustice

– Unfairness in outcomes

• Procedural injustice

– Unfairness in process

• Interactional injustice

– Unfairness in interaction

Negative emotions

• Disgruntlement or anger

– Commonly results from perceived organisational injustice

– Energise the perpetrator

– Make them disregard positive information

– Reduce cost of crimes

Future directions

• Qualitative approach to gain in-depth insights about the employees’ perceptions to refine conceptual model:

– Identify strains

– Gain in-depth insights about perceived organisational injustice and negative emotions

• Pilot study to assess validity and reliability of constructs

References

• Agnew, R. (2001), “Building on the Foundation of General Strain Theory: Specifying the Types of Strain Most Likely to Lead to Crime and Delinquency,” Journal of Research in Crime and Delinquency, vol. 38 no. 4, pp. 319–361.

• Agnew, R. (2009), “General Strain Theory,” in Krohn, M.D., Lizotte, A.J. and Hall, G.P. (Eds.), Handbook on Crime and Deviance, Springer, pp. 169–185.

• Agnew, R. and White, H.R. (1992), “An Empirical Test of General Strain Theory,” Criminology, vol. 30 no. 4, pp. 475–500.

• PwC (2014), Key findings from The Global State of Information Security® Survey 2014.

• Verizon (2013), 2013 Data Breach Investigations Report.

• Thong, J.Y. and Yap, C.-S. (2000), “Information systems and occupational stress: a theoretical framework,” Omega, vol. 28 no. 6, pp. 681–692.