Insider Threat and Information Security Management

  • Lizzie Coles-Kemp
  • Marianthi Theoharidou
Part of the Advances in Information Security book series (ADIS, volume 49)


The notion of insider has multiple facets, and an organization needs to identify which ones to respond to. The selection, implementation and maintenance of information security countermeasures requires a complex combination of organisational policies, functions and processes, which together form Information Security Management. This chapter examines the role of current information security management practices in addressing the insider threat. Most approaches focus on frameworks for regulating insider behaviour and do not allow for the various cultural responses to the regulatory and compliance framework. Such responses are determined not only by enforcement of policies and awareness programs, but also by various psychological and organisational factors at an individual or group level. Crime theories offer techniques that focus on such cultural responses and can be used to enhance the design of information security management. The chapter examines the applicability of several crime theories and concludes that they can contribute additional controls and a redesign of information security management processes better suited to responding to the insider threat.





Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Information Security Group, Royal Holloway, United Kingdom
  2. Dept. of Informatics, Athens University of Economics and Business, Athens, Greece
