dc.contributor.advisor: Lang, Michael
dc.contributor.advisor: Golden, Willie
dc.contributor.author: Browne, Sean
dc.description.abstract: In the modern networked world, replete with massive amounts of data, one of the greatest threats facing organisations is information loss inflicted by actors within or trusted by the organisation. This research is thus aimed at understanding the cognitive elements influencing an insider’s decision to intentionally violate information security policies. The use of the word ‘intentionally’ in this context is important because it excludes any exploration of accidental or unintentional abuse. There have been disparate findings in many prior studies, which have tended to concentrate on Deterrence Theory, and consequently the current work adopts Rational Choice Theory as a lens to study behaviours that can have both positive and negative implications for the person engaged in the behaviour. Equally, the study embraces the ideal of contextual relevance and draws on practitioner-led opinion to determine the operationalisation of the dependent variable. Recognising that rational choices do not take place in a vacuum, the study also examines a series of antecedent cognitive and affective factors, with a view to determining if there are differences in the way that insiders arrive at a decision to violate policies through malicious versus non-malicious acts, what benefits they take into account, and what other factors impact on getting them to the point of making that decision. An initial mixed-method study was conducted to determine valid content for measuring the dependent variable, and subsequently a larger-scale quantitative study was conducted, using a hypothetical scenario method. Usable complete responses were received from 458 professional people, which were used to test a Structural Equation Model (SEM). The results of the study provide contributions in several key areas: theoretical and methodological.
Additionally, all of the findings from the structural model constructed for this study have implications for practice, including where some hypothesised relationships were found to be insignificant. Overall, the empirical findings from the study suggest the following conclusions. Firstly, differences exist in the elements of the rational choice process that pertain to malicious versus non-malicious acts. Secondly, benefits from offending need to be conceptualised as multi-dimensional in nature, and the construct developed during this study offers a way forward for other studies to follow. Thirdly, sanctions are subservient to benefits in the rational choice process, and finally, there are several antecedent factors (neutralisation techniques, moral beliefs, impulsivity and emotional state) that have an impact on that process. [en_IE]
dc.publisher: NUI Galway
dc.rights: Attribution-NonCommercial-NoDerivs 3.0 Ireland
dc.subject: Information Security [en_IE]
dc.subject: Behavioural Security [en_IE]
dc.subject: Malicious behaviour [en_IE]
dc.subject: Non-malicious behaviour [en_IE]
dc.subject: Business Information Systems [en_IE]
dc.subject: Business and economics [en_IE]
dc.title: “The Insider Threat” Comparing malicious and non-malicious information security behaviours using a rational choice model [en_IE]
dc.contributor.funder: National University of Ireland, Galway [en_IE]
dc.local.note: This study examines the cognitive elements influencing an insider’s decision to intentionally violate information security policies. Employing a Rational Choice model, an initial mixed-method study, followed by a larger-scale quantitative study, led to the development of a new research construct and additional findings with implications for theory, methodology, and practice. [en_IE]

Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivs 3.0 Ireland