A confirmatory analysis of the prevention insider threat in organization information system
DOI:
https://doi.org/10.53797/jthkkss.v2i1.3.2021
Keywords:
Insider threat, Insider attack, Protection Motivation Theory, Confirmatory Factor Analysis, Information System
Abstract
Issues related to insider threat in organizations have long been debated. Although insider attacks may not occur as frequently as external attacks, they have a higher rate of success, go undetected, and pose a much greater risk than external adversaries. Many mechanisms have been proposed to protect data from outside attacks. However, those mechanisms cannot protect data from authorized users who may misuse their privileges. Under those circumstances, the development of mechanisms that protect sensitive data from insiders has come into demand as a method to prevent harm caused by malicious insiders. This research uses a quantitative method based on a questionnaire. The findings have contributed to developing a framework that will be used to prevent insider threat in an organization in the future.
License
Copyright (c) 2021 Rahimah Abu Bakar, Bahbibi Rahmatullah, Erni Munastiwi, Omar Dheyab
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.