Predicting insider’s malicious security behaviours: a General Strain Theory-based conceptual model
Duy Dang
RMIT University
School of Business IT & [email protected]
Dang, D. (2014), “Predicting Insider’s Malicious Security Behaviours: A General Strain Theory-Based Conceptual Model”, presented at 2014 International Conference on Information Resources Management (Conf-IRM 2014), Ho Chi Minh City, Vietnam.
Problem identification
– PwC (2014):
• 25% increase of security incidents in 2013
• 58% were believed to be caused by former or current employees
• 51% were believed to be caused by trusted partners and services providers
– Verizon (2013):
• 10% increase of security incidents (47,000 approx.)
• 15% of 47,000 were due to insiders
Insider’s malicious information security behaviours are persistent and growing
Define insiders
• Employees who have knowledge and access to the organisation’s information systems
• Use the knowledge and access to exploit vulnerabilities & perform misbehaviours
– Intentional vs. unintentional (accidental)
– Malicious intent vs. non-malicious intent
– Organisation- vs. individual-targeted
E.g. sabotage database, hack and steal data etc.
Research question
• What makes employees perform intentional misbehaviours with malicious intent?
• What are the contributing factors of the intention to perform such misbehaviours?
• To what extent would the factors influence the intention?
Conceptual model
“Stressful employees perceive injustice in workplace, invoke negative emotions and perform intentional misbehaviours with malicious intent.”
General Strain Theory
• Revised and developed by Robert Agnew (1992, 2001, 2009)
• “Strains” are undesirable and disliked events
– Mismatching expectations
– Job dissatisfaction
– Sanction pressure
– Abusive peers
• Information systems professionals are reported to be in constant stressful states (Thong and Yap 2000).
Organisational injustice
• Strains are perceived as injustice or unjust
• Distributive injustice
– Unfairness in outcomes
• Procedural injustice
– Unfairness in process
• Interactional injustice
– Unfairness in interaction
Negative emotions
• Disgruntlement or anger
– Commonly results from perceived organisational injustice
– Energise the perpetrator
– Make them disregard positive information
– Reduce cost of crimes
Future directions
• Qualitative approach to gain in-depth insights about the employees’ perceptions to refine conceptual model:
– Identify strains
– Gain in-depth insights about perceived organisational injustice and negative emotions
• Pilot study to assess validity and reliability of constructs
References
• Agnew, R. (2001), “Building on the Foundation of General Strain Theory: Specifying the Types of Strain Most Likely to Lead to Crime and Delinquency,” Journal of Research in Crime and Delinquency, vol. 38 no. 4, pp. 319–361.
• Agnew, R. (2009), “General Strain Theory,” in Krohn, M.D., Lizotte, A.J. and Hall, G.P. (Eds.), Handbook on Crime and Deviance, Springer, pp. 169–185.
• Agnew, R. and White, H.R. (1992), “An Empirical Test of General Strain Theory,” Criminology, vol. 30 no. 4, pp. 475–500.
• PwC (2014), Key findings from The Global State of Information Security® Survey 2014.
• Verizon (2013), 2013 Data Breach Investigations Report.
• Thong, J.Y. and Yap, C.-S. (2000), “Information systems and occupational stress: a theoretical framework,” Omega, vol. 28 no. 6, pp. 681–692.