“The Insider Threat” Comparing malicious and non-malicious information security behaviours using a rational choice model
In the modern networked world, replete with massive amounts of data, one of the greatest threats facing organisations is information loss inflicted by actors within or trusted by the organisation. This research is thus aimed at understanding the cognitive elements influencing an insider’s decision to intentionally violate information security policies. The use of the word ‘intentionally’ in this context is important because it excludes any exploration of accidental or unintentional abuse. There have been disparate findings in many prior studies, which have tended to concentrate on Deterrence Theory, and consequently the current work adopts Rational Choice Theory as a lens to study behaviours that can have both positive and negative implications for the person engaged in the behaviour. Equally, the study embraces the ideal of contextual relevance and draws on practitioner-led opinion to determine the operationalisation of the dependent variable. Recognising that rational choices do not take place in a vacuum, the study also examines a series of antecedent cognitive and affective factors, with a view to determining if there are differences in the way that insiders arrive at a decision to violate policies through malicious versus non-malicious acts, what benefits they take into account, and what other factors impact on getting them to the point of making that decision. An initial mixed-method study was conducted to determine valid content for measuring the dependent variable, and subsequently a larger scale quantitative study was conducted, using a hypothetical scenario method. Usable complete responses were received from 458 professional people, which were used to test a Structural Equation Model (SEM). The results of the study provide contributions in several key areas: theoretical and methodological.
Additionally, all of the findings from the structural model constructed for this study have implications for practice, including where some hypothesised relationships were found to be insignificant. Overall, the empirical findings from the study suggest the following conclusions. Firstly, differences exist in the elements of the rational choice process that pertain to malicious versus non-malicious acts. Secondly, benefits from offending need to be conceptualised as multi-dimensional in nature, and the construct developed during this study offers a way forward for other studies to follow. Thirdly, sanctions are subservient to benefits in the rational choice process, and finally, there are several antecedent factors (neutralisation techniques, moral beliefs, impulsivity and emotional state) that have an impact on that process.