Security by Compliance? A Study of Insider Threat Implications for Nigerian Banks

  • Tesleem Fagade
  • Theo Tryfonas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9750)

Abstract

This work explores the behavioural dimension of compliance with information security standards. We review past literature, building on different models of human behaviour based on relevant theories such as deterrence theory and the theory of planned behaviour. We conduct a survey of IT professionals, managers and employees of selected banks in Nigeria as part of a sector case study focused on this region. Our findings suggest that security by compliance, as a campaign to secure information assets in Nigerian financial institutions, is a far-fetched approach. In addition to standards, banking regulators should promote a holistic change of security culture across the sector. Based on an established model of an Information Security Governance Framework, we propose how information security may be embedded into organisational security culture in that context.

Keywords

Information security · Compliance · Insider threats · Standards · Information security culture

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Cryptography Group, University of Bristol, Bristol, UK