Deterrence and prevention-based model to mitigate information security insider threats in organisations

Nader Sohrabi Safa; Carsten Maple; Steve Furnell; Muhammad Ajmal  Azad; Charith  Perera; Mohammad Dabbagh; Mehdi Sookhak

doi:10.1016/j.future.2019.03.024

Deterrence and prevention-based model to mitigate information security insider threats in organisations

Nader Sohrabi Safa, Carsten Maple, Steve Furnell, Muhammad Ajmal Azad, Charith Perera, Mohammad Dabbagh, Mehdi Sookhak

Research output: Contribution to journal › Article › peer-review

40 Citations (Scopus)

89 Downloads (Pure)

Abstract

Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Original language	English
Pages (from-to)	587-597
Number of pages	11
Journal	Future Generation Computer Systems
Volume	97
Early online date	12 Mar 2019
DOIs	https://doi.org/10.1016/j.future.2019.03.024
Publication status	Published - Aug 2019

Bibliographical note

NOTICE: this is the author’s version of a work that was accepted for publication in Future Generation Computer Systems. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Future Generation Computer Systems, [97], (2019) DOI: 10.1016/j.future.2019.03.024

© 2019, Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International http://creativecommons.org/licenses/by-nc-nd/4.0/

Keywords

Deterrence
Employee
Information security
Insider
Motivation
Organisation
Risk

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Networks and Communications

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1016/j.future.2019.03.024

Post-PrintAccepted author manuscript, 849 KBLicence: CC BY-NC-ND

Cite this

@article{e3d342e3ee7b4919a4a87a2326072a34,

title = "Deterrence and prevention-based model to mitigate information security insider threats in organisations",

abstract = "Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals{\textquoteright} attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees{\textquoteright} attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals{\textquoteright} attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals{\textquoteright} intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour. ",

keywords = "Deterrence, Employee, Information security, Insider, Motivation, Organisation, Risk",

author = "{Sohrabi Safa}, Nader and Carsten Maple and Steve Furnell and Azad, {Muhammad Ajmal} and Charith Perera and Mohammad Dabbagh and Mehdi Sookhak",

note = "NOTICE: this is the author{\textquoteright}s version of a work that was accepted for publication in Future Generation Computer Systems. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Future Generation Computer Systems, [97], (2019) DOI: 10.1016/j.future.2019.03.024 {\textcopyright} 2019, Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International http://creativecommons.org/licenses/by-nc-nd/4.0/ ",

year = "2019",

month = aug,

doi = "10.1016/j.future.2019.03.024",

language = "English",

volume = "97",

pages = "587--597",

journal = "Future Generation Computer Systems",

issn = "0167-739X",

publisher = "Elsevier",

}

TY - JOUR

T1 - Deterrence and prevention-based model to mitigate information security insider threats in organisations

AU - Sohrabi Safa, Nader

AU - Maple, Carsten

AU - Furnell, Steve

AU - Azad, Muhammad Ajmal

AU - Perera, Charith

AU - Dabbagh, Mohammad

AU - Sookhak, Mehdi

N1 - NOTICE: this is the author’s version of a work that was accepted for publication in Future Generation Computer Systems. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Future Generation Computer Systems, [97], (2019) DOI: 10.1016/j.future.2019.03.024 © 2019, Elsevier. Licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International http://creativecommons.org/licenses/by-nc-nd/4.0/

PY - 2019/8

Y1 - 2019/8

N2 - Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

AB - Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

KW - Deterrence

KW - Employee

KW - Information security

KW - Insider

KW - Motivation

KW - Organisation

KW - Risk

UR - http://www.scopus.com/inward/record.url?scp=85063230221&partnerID=8YFLogxK

U2 - 10.1016/j.future.2019.03.024

DO - 10.1016/j.future.2019.03.024

M3 - Article

SN - 0167-739X

VL - 97

SP - 587

EP - 597

JO - Future Generation Computer Systems

JF - Future Generation Computer Systems

ER -

Deterrence and prevention-based model to mitigate information security insider threats in organisations

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this