Published in: Information Systems Frontiers 1/2013

01.03.2013

Understanding insiders: An analysis of risk-taking behavior

Written by: Fariborz Farahmand, Eugene H. Spafford


Abstract

Considerable research on insider threats is being conducted, directed toward developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies meet their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to the insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to the conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between the risk and the benefit perceived by insiders, and that their behavior cannot be explained well by models based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders' perceptions of risk and benefit and of their risk-taking behavior, and how to frame insider decisions. Finally, we recommend understanding the risk of detection and creating a fair working environment to reduce the likelihood that insiders commit criminal acts.


References

Albrechtsen, E., & Hovden, J. (2009). Improving information security awareness and behavior through dialogue, participation and collective reflection: An intervention study. Computers & Security, XXX, 1–14.
Bishop, M., & Gates, C. (2008). Defining the insider threat. Proceedings of the Cyber Security and Information Intelligence Research Workshop, article 15.
Bloom, B. S., & Krathwohl, D. R. (1956). Taxonomy of educational objectives: The classification of educational goals, by a committee of college and university examiners. Handbook 1: Cognitive domain. New York: Longmans.
Brackney, R. C., & Anderson, R. H. (2004). Understanding the insider threat. Proceedings of a March 2004 Workshop, RAND Corporation.
Camerer, C. F. (2000). Prospect theory in the wild. In D. Kahneman & A. Tversky (Eds.), Choices, values, and frames (Chap. 16). Cambridge: Cambridge University Press.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for cyber security training and awareness. Computers & Security, 26, 63–72.
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98.
Deloitte (2009). Protecting what matters: The 6th annual global security survey. Deloitte Touche Tohmatsu.
DeMillo, R. A., & Spafford, E. H. (2004). Four grand challenges in trustworthy computing. Computing Research Association.
Diamond, L. (1988). The impact of information form on the perception of risk. International Conference on Information Systems, 91–97.
Dillon, R. L., & Tinsley, C. H. (2008). How near-misses influence decision making under risk: A missed opportunity for learning. Management Science, 54(8), 1425–1440.
Farahmand, F., Atallah, M., & Konsynski, B. (2008). Incentives and perceptions of information security risks. Proceedings of the Twenty-Ninth International Conference on Information Systems, Paris.
Finucane, M. L., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13, 1–17.
Fischhoff, B., et al. (1978). How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences, 9(2), 127–152.
Gefen, D. P., & Pavlou, P. A. (2006). The moderating role of perceived regulatory effectiveness of online marketplaces on the role of trust and risk on transaction intentions. International Conference on Information Systems, WI.
Goodhue, D. L., & Straub, D. W. (1991). Security concerns of systems users: A study of perceptions of the adequacy of security. Information & Management, 20, 13–27.
Greitzer, F. L., et al. (2008). Combating the insider cyber threat. IEEE Security and Privacy, 61–64.
Hammond, K. R. (1993). Naturalistic decision making from a Brunswikian viewpoint: Its past, present, future. In G. A. Klein, J. Orasanu, R. Calderwood, & E. Zsambok (Eds.), Decision making in action: Models and methods (pp. 205–227). Norwood: Ablex.
Heath, L., et al. (1994). Applications of heuristics and biases to social issues. Plenum.
Hu, X., Lin, Z., Whinston, A., & Zhang, H. (2001). Perceived risk and escrow adoption. International Conference on Information Systems (pp. 271–274).
Jennex, M. E., & Zyngier, S. (2007). Security as a contributor to knowledge management success. Information Systems Frontiers, 9, 493–504.
Johnson, E. J., & Tversky, A. (1984). Representations of perceptions of risk. Journal of Experimental Psychology: General, 113, 55–70.
Kahneman, D., & Lovallo, D. (1993). Timid choices and bold forecasts: A cognitive perspective on risk taking. Management Science, 39(1), 17–31.
Kahneman, D., Slovic, P., & Tversky, A. (1982). Judgment under uncertainty: Heuristics and biases. Cambridge University Press.
Keeney, R. L., & Raiffa, H. (1976). Decisions with multiple objectives: Preferences and value tradeoffs. Wiley.
Kim, K., & Prabhakar, P. (2000). Initial trust, perceived risk, and the adoption of internet banking. International Conference on Information Systems (pp. 537–543).
Knight, F. H. (1921). Risk, uncertainty and profit. Dodo.
Lehto, M. R., & Buck, J. R. (2008). Introduction to human factors and ergonomics for engineers. CRC.
Levy, M., & Levy, H. (2002). Prospect theory: Much ado about nothing. Management Science, 48(10), 1334–1349.
Lichtenstein, S., & Slovic, P. (1971). Reversals of preference between bids and choices in gambling decisions. Journal of Experimental Psychology, 89(1), 46–55.
MacGregor, D. G., et al. (1999). Perception of financial risk: A survey study of advisors and planners. Journal of Financial Planning, 12(8), 68–86.
Maloof, M. A., & Stephens, G. D. (2007). ELICIT: A system for detecting insiders who violate need-to-know. Lecture Notes in Computer Science, 4637, 146–166.
Masterson, S. S., et al. (2000). Integrating justice and social exchange: The differing effects of fair procedures and treatment on work relationships. Academy of Management Journal, 43(4), 738–748.
Moores, T. T., & Dhillon, G. (2003). Do privacy seals in e-commerce really work? Communications of the ACM, 46(12), 265–271.
Odean, T. (1998). Are investors reluctant to realize their losses? Journal of Finance, 53, 1775–1798.
Paese, P. W., Bieser, M., & Tubbs, M. E. (1993). Framing effects and choice shifts in group decision making. Organizational Behavior and Human Decision Processes, 56, 149–165.
Savage, L. J. (1954). The foundations of statistics. Wiley.
Schroeder, N. J. (2005). Using prospect theory to investigate decision-making bias within an information security context. Department of the Air Force, Air University, Air Force Institute of Technology.
Slovic, P., et al. (2007). The affect heuristic. European Journal of Operational Research, 177, 1333–1352.
Stamper, C. L., & Masterson, S. (2002). Insider or outsider? How employee perceptions of insider status affect their work behavior. Journal of Organizational Behavior, 23, 875–894.
Starr, C. (1969). Social benefits versus technological risks. Science, 165(3899), 1232–1238.
Stolfo, S. J., et al. (2008). Insider attack and cyber security. Advances in Information Security. Springer.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST SP 800-30.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
Sveen, F. O., Rich, E., & Jager, M. (2007). Overcoming organizational challenges to secure knowledge management. Information Systems Frontiers, 9, 481–492.
Taylor, R. G. (2006). Management perception of unintentional information security risks. International Conference on Information Systems (pp. 1581–1597).
Trepel, C., Fox, C. R., & Poldrack, R. A. (2005). Prospect theory on the brain? Toward a cognitive neuroscience of decision under risk. Cognitive Brain Research, 23(1), 34–50.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: Heuristics and biases. Science, 185, 1124–1131.
Tversky, A., & Kahneman, D. (1979). Prospect theory: An analysis of decision under risk. Econometrica, 47(2), 263–291.
von Neumann, J., & Morgenstern, O. (1947). Theory of games and economic behavior. Princeton University Press.
Wells, J. T. (2005). Principles of fraud examination. Wiley.
Willison, R., & Siponen, M. (2009). Overcoming the insider: Reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9), 133–137.
Wood, B. (2000). An insider threat model for adversary simulation. SRI International, Research on Mitigating the Insider Threat to Information Systems, #2: Proceedings of a Workshop Held by RAND.
Zajonc, R. B. (1980). Feeling and thinking: Preferences need no inferences. American Psychologist, 35, 151–175.
Metadata

Title: Understanding insiders: An analysis of risk-taking behavior
Written by: Fariborz Farahmand, Eugene H. Spafford
Publication date: 01.03.2013
Publisher: Springer US
Published in: Information Systems Frontiers / Issue 1/2013
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-010-9265-x
