Project


Reducing Insider Computer Abuse: Influence Of Contextual Events

English title Reducing Insider Computer Abuse: Influence Of Contextual Events
Applicant Back Andrea
Number 165598
Funding scheme Project funding (Div. I-III)
Research institution Institut für Wirtschaftsinformatik Universität St. Gallen
Institution of higher education University of St.Gallen - SG
Main discipline Science of management
Start/End 01.04.2017 - 31.03.2020
Approved amount 261'206.00

Keywords (4)

Insider computer abuse; Employee compliance; information security; organisational IT security

Lay Summary (translated from French)

Lead
Malicious acts perpetrated by insiders are identified as one of the biggest problems for companies. Despite the growing importance of employee compliance with security policy, and in light of the digitization of the workplace (for example, bring your own device, social media use, etc.), important research gaps remain in our understanding of how to effectively reduce employees' non-compliant behaviour.
Lay summary

Although information security research has examined several different theories, methods and techniques for persuading employees to behave securely in organisations, employees continue to violate security policies. In order to reduce malicious insider acts more effectively, it is necessary to better understand the contextual events (for example, employee greed, ego-satisfaction, ignorance of communication, emotions) that precede the security policy violation and lead to non-compliant behaviour.

With this project, we wish to propose new theoretical insights on how to influence employee behaviour through the contextual events that temporally precede malicious insider acts.

We propose three contextual events, whose importance has been highlighted by earlier studies, to be investigated: 1) ignorance of warning communication; 2) the emotions that lead to malicious insider acts; and 3) frustration as a consequence of organisational injustice.

With this project we will extend the theoretical perspective of the current understanding of malicious insider acts, which should ultimately lead to a reduction in behaviour that does not comply with security policies.

Last update: 25.12.2016

Responsible applicant and co-applicants

Employees

Publications

Publication
The effects of a gamified human resource management system on job satisfaction and engagement
Silic Mario, Marzi Giacomo, Caputo Andrea, Bal P. Matthijs (2020), The effects of a gamified human resource management system on job satisfaction and engagement, in Human Resource Management Journal, 30(2), 260-277.
Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance
Silic Mario, Lowry Paul Benjamin (2020), Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance, in Journal of Management Information Systems, 37(1), 129-161.
Improving warning messages adherence: can Maya Security Bot advisor help?
Silic Mario (2019), Improving warning messages adherence: can Maya Security Bot advisor help?, in Security Journal, 0.
Breaking Bad in Cyberspace: Understanding Why and How Black Hat Hackers Manage their Nerves to Commit Their Virtual Crimes
Silic Mario, Lowry Paul Benjamin (2019), Breaking Bad in Cyberspace: Understanding Why and How Black Hat Hackers Manage their Nerves to Commit Their Virtual Crimes, in Information Systems Frontiers, 1-26.

Collaboration

Group / person Country Types of collaboration
Google United States of America (North America) - Research Infrastructure

Abstract

Insider computer abuse, the volitional and non-volitional security violation, is identified as one of the greatest concerns for companies. Moreover, various studies have confirmed that the individual user within an organization is the least secured link in the entire organizational IT security ecosystem. It is estimated that a single employee policy violation, installing malicious software, costs businesses over $178 billion annually (InfoWorld 2015). Not only does this type of computer abuse impact employees' productivity, it also creates possible security loopholes, as employees can access potentially dangerous websites and install malicious software that can be exploited by cybercriminals to gain access to organizational assets. A recent security breach at the large US bank JP Morgan, caused by malware installed by an employee and compromising the accounts of over 83 million customers, resulted in significant financial, privacy and reputational damages. As a consequence, JP Morgan announced that it would spend $250 million on digital security annually. However, the majority of employee-related security incidents remain unreported because of the reputational risks organizations seek to avoid.

Despite the increasing relevance of the employee IS security policy compliance phenomenon, and in light of the digitization of the workplace (e.g. bring your own device, social media use, etc.), important research gaps remain in our understanding of how to effectively reduce employee non-compliant behavior. While information security research has examined several different theories, methods and techniques for persuading employees to behave securely in organizations, employees still continue to violate IS security policies. Although prominent scholars have called for research on this topic and have noted the importance of studying the events that precede insider computer abuse, little has been done to address these calls. This can be explained by the complexity and difficulty of measuring and identifying the psychological factors that lead to the formation of motivations and actual behaviors to conduct these negative acts. However, without a better understanding of what drives employee non-compliant behaviors, all the technological countermeasures and deterrent safeguards will be hamstrung and often inefficient.

Based on the quantitative research conducted in 2015, sponsored by the Basic Research Fund of the University of St. Gallen, one of the project outcomes set out the research gaps that remain in our understanding of insider computer abuse. Specifically, we found that in order to reduce insider computer abuse more efficiently, it is necessary to better understand the contextual events (e.g. employee greed, disgruntlement, ego-satisfaction, ignorance of warning communication, emotions) that precede the IT security policy violation and lead to employee non-compliant behavior. With this research proposal, we wish to advance our understanding of this phenomenon through systematic theory development that can be published in high-ranking international journals, by developing new theoretical insights about how to influence employee behavior through the contextual events that temporally precede insider computer abuse.

We pose two main research questions: 1) How do contextual events moderate the threat of sanctions created by IS security deterrent safeguards? And 2) What aspects of contextual events, based on communication and persuasion, are most powerful in keeping individuals from performing potentially insecure IT behavior?

We propose three contextual events, whose importance was stressed by past studies, to be empirically investigated, which set the boundaries of this research proposal: 1) Ignorance of warning communication; 2) Emotions that drive insider computer abuse; and 3) Disgruntlement as a consequence of organizational injustice. With this theoretical and empirical work, we show how our proposal can make multiple contributions to theory, and how important implications for practitioners can be derived.