Motivation and opportunity based model to reduce information security insider threats in organisations

Information technology has brought with it many advantages for organisations, but information security is still a major concern for organisations which rely on such technology. Users, whether with intent or through negligence, are a great source of potential of risk to information assets. A lack of awareness, negligence, resistance, disobedience, apathy and mischievousness are root causes of information security incidents in organisations. As such, insider threats have attracted the attention of a number of experts in this domain. Two particularly important considerations when exploring insider threats are motivation and opportunity. Two fundamental theories relating to these phenomena, and on which the research presented in this paper relies, are Social Bond Theory (SBT), which can be used to help undermine motivation to engage in misbehaviour, and Situational Crime Prevention Theory (SCPT), which can be used to reduce opportunities for misbehaviour. The results of our data analysis show that situational prevention factors such as increasing the effort and risk involved in a crime, reducing the rewards and removing excuses can significantly promotes the adoption of negative attitudes towards misbehaviour, though reducing provocations does not have any effect on attitudes. Further, social bond factors such as a commitment to organisational policies and procedures, involvement in information security activities and personal norms also significantly promotes the adoption of negative attitudes towards misbehaviour. However, attachment does not significantly promote an attitude of misbehaviour avoidance on the part of employees. Finally, our findings also show that a negative attitude towards misbehaviour influences the employees’ intentions towards engaging in misbehaviour positively, and this in turn reduces insider threat behaviour. The outputs of this study shed some light on factors which play a role in reducing misbehaviour in the domain of information security for academics and practitioners.