
Confronting Information Security’s Elephant, the Unintentional Insider Threat

Part of the Lecture Notes in Computer Science book series (LNAI, volume 12197)

Abstract

It is well recognized that individuals within organizations represent a significant threat to information security as they are both common targets of external attackers and can be sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of unintentional human error. Such lack of emphasis is surprising given relatively recent reports that highlight error’s central role in being the root cause for numerous security breaches. Unfortunately, efforts that recognize human error’s influence suffer from not employing a commonly accepted error framework and lexicon. We thus take this opportunity to review what the data show regarding error-based breaches across various types of organizations and create a nomenclature and taxonomy rooted in the rich history of safety research that can be applied to the information security domain. Our efforts represent a significant step in an effort to classify, monitor, and compare the myriad aspects of human error in information security in the hopes that more effective security education, training, and awareness (SETA) programs can be devised. Further, we believe our efforts underscore the importance of revisiting the daily demands placed on organizational insiders in the workplace.

Keywords

  • Unintentional insider threat
  • Human error
  • Information security

Fig. 1. (figure not reproduced; adapted from [1])

Fig. 2. (figure not reproduced)

Notes

  1. Most information security reports focus on breaches of confidentiality rather than integrity and availability; thus, we have focused our efforts on these types of attacks in this section.

  2. While beyond the scope of this paper to provide a tutorial on writing learning or training objectives, most experts in these fields agree that these objectives must at least declare an expectation of observable participant/learner behavior that demonstrates measurable change under a given condition (often time framed) [cf. Mayer 38].

References

  1. Reason, J.: Human Error. Cambridge University Press, Cambridge (1990)


  2. Goldberg, M.: 10 of the biggest data breaches over the last decade (2019). https://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#slide=1. Accessed 30 Jan 2020

  3. Bissell, K., LaSalle, R., Dal Cin, P.: The Cost of Cybercrime: Ninth Annual Cost of Cybercrime Study. Accenture (2019)


  4. Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: the enduring problem of human error. Database Adv. Inf. Syst. 36(4), 68–79 (2005)


  5. Verizon: Data Breach Investigations Report (2019)


  6. Baskerville, R.: A taxonomy for analyzing hazards to information systems. In: Katsikas, S.K., Gritzalis, D. (eds.) SEC 1996. IAICT, pp. 167–176. Springer, Boston, MA (1996). https://doi.org/10.1007/978-1-5041-2919-0_14


  7. Reilly, R.B.: 95% of successful security attacks are the result of human error (2014). https://venturebeat.com/2014/06/19/95-of-successful-security-attacks-are-the-result-of-human-error/. Accessed 30 Jan 2020

  8. Targett, E.: Revealed: human error, not hackers, to blame for vast majority of data breaches (2018). https://www.cbronline.com/news/kroll-foi-ico. Accessed 30 Jan 2020

  9. Metinko, C.: Cybersecurity training sees flood of M&A (2018). https://www.forbes.com/sites/mergermarket/2018/08/17/cybersecurity-training-sees-flood-of-ma/#5d8e709d2266. Accessed 30 Jan 2020

  10. Statista: Spending on cybersecurity in the United States from 2010 to 2018 (2019). https://www.statista.com/statistics/615450/cybersecurity-spending-in-the-us/. Accessed 30 Jan 2020

  11. Carpenter, P.: Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. Wiley, Indianapolis (2019)


  12. Cram, W.A., D’Arcy, J., Proudfoot, J.G.: Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q. 43(2), 525–554 (2019)


  13. von Solms, B., von Solms, R.: Cybersecurity and information security–what goes where? Inf. Comput. Secur. 26(1), 2–9 (2018)


  14. Conrad, E., Misenar, S., Feldman, J.: CISSP Study Guide, 2nd edn. Syngress, Waltham (2012)


  15. Debenedetti, G.: The email headache that won’t go away (2016). https://www.politico.com/story/2016/07/hillary-clinton-email-fbi-fallout-225113. Accessed 30 Jan 2020

  16. Response, S.S.: W32.Duqu: the precursor to the next Stuxnet (2011). https://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet. Accessed 30 Jan 2020

  17. Graff, G.M.: How a dorm room minecraft scam brought down the Internet (2017). https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/. Accessed 30 Jan 2020

  18. Spadafora, A.: 90 percent of data breaches are caused by human error (2019). https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-human-error. Accessed 30 Jan 2020

  19. IBM: X-Force Threat Intelligence Index (2019)


  20. Targett, E.: Personal Communication with M. Canham (2020)


  21. Justice, C.D.O.: California Data Breach Report, 2012–2015 (2016)


  22. Chubb: Chubb cyber index: providing data driven insight on cyber threat trends (2020). https://chubbcyberindex.com/#/incident-growth. Accessed 30 Jan 2020

  23. Willison, R., Warkentin, M.: Beyond deterrence: an expanded view of employee computer abuse. MIS Q. 37(1), 1–20 (2013)


  24. Norman, D.: The Design of Everyday Things, Revised and Expanded edn. Basic Books, New York (2013)


  25. Perrow, C.: Normal Accidents: Living with High Risk Technologies, Updated edn. Princeton University Press, Princeton (2011)


  26. Rasmussen, J.: Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Trans. Syst. Man Cybern. SMC-13(3), 257–266 (1983)


  27. SKYbrary: Human error types (2016). https://www.skybrary.aero/index.php/Human_Error_Types. Accessed 30 Jan 2020

  28. Rader, E., Munasinghe, A.: “Wait, do I know this person?” Understanding misdirected Email. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, Glasgow, Scotland (2019)


  29. Posey, C., et al.: Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Inf. Manag. 51(5), 551–567 (2014)


  30. Chubb: Chubb Cyber Library (2020). https://chubbcyberindex.com/#/cyber-library. Accessed 30 Jan 2020

  31. Robinson, S.L., Bennett, R.J.: A typology of deviant workplace behaviors: a multidimensional scaling study. Acad. Manag. J. 38(2), 555–572 (1995)


  32. Silic, M., Back, A.: Shadow IT–a view from behind the curtain. Comput. Secur. 45, 274–283 (2014)


  33. Posey, C., Canham, M.: A computational social science approach to examine the duality between productivity and cybersecurity policy compliance within organizations. In: International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS), Washington D.C. (2018)


  34. Wilson, M., Hash, J.: SP 800-50: Building an Information Technology Security Awareness and Training Program, NIST, Gaithersburg (2003)


  35. Aldawood, H., Skinner, G.: Educating and raising awareness on cyber security social engineering: a literature review. In: 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE), Wollongong, NSW, Australia. IEEE (2018)


  36. Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)


  37. Cannon, H.M., Feinstein, A.H.: Bloom beyond Bloom: Using the revised taxonomy to develop experiential learning strategies. In: Developments in Business Simulation and Experiential Learning: Proceedings of the Annual ABSEL Conference, Orlando, FL (2005)


  38. Mayer, R.E.: Applying the Science of Learning. Pearson/Allyn & Bacon, Boston (2011)


  39. Burns, A., et al.: Intentions to comply versus intentions to protect: a VIE theory approach to understanding the influence of insiders’ awareness of organizational SETA efforts. Decis. Sci. 49(6), 1187–1228 (2018)


  40. Kennedy, D.: Writing and Using Learning Outcomes: A Practical Guide. University College Cork (2006)


  41. Kerr, S.: On the folly of rewarding A, while hoping for B. Acad. Manag. J. 18(4), 769–783 (1975)


  42. MITRE: Common vulnerabilities and exposures (2020). https://cve.mitre.org/. Accessed 30 Jan 2020

  43. Weick, K.E., Sutcliffe, K.M.: Managing the unexpected: sustained performance in a complex world. Wiley, Hoboken (2015)


  44. Weick, K.E.: Organizational culture as a source of high reliability. Calif. Manag. Rev. 29(2), 112–127 (1987)


  45. Roberts, K.H.: Some characteristics of one type of high reliability organization. Org. Sci. 1(2), 160–176 (1990)


  46. Field, T.: Insider threat: ‘you can’t stop stupid’ (2010). https://www.bankinfosecurity.com/insider-threat-you-cant-stop-stupid-a-2789. Accessed 30 Jan 2020

  47. Matyszczyk, C.: IT and security professionals think normal people are just the worst (2019). https://www.zdnet.com/article/it-professionals-think-normal-people-are-stupid/. Accessed 31 Jan 2020

  48. Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009)


  49. Safa, N.S., Von Solms, R., Furnell, S.: Information security policy compliance model in organizations. Comput. Secur. 56(February), 70–82 (2016)


  50. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)


  51. Norman, D.A.: The way I see it when security gets in the way. Interactions 16(6), 60–63 (2009)



Acknowledgement

This research was in part sponsored by the U.S. Army CCDC Soldier Center and was accomplished under Cooperative Agreement Number W911NF-15-2-0100. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of U.S. Army CCDC Soldier Center or the U.S. Government.

Author information

Corresponding author: Clay Posey


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Canham, M., Posey, C., Bockelman, P.S. (2020). Confronting Information Security’s Elephant, the Unintentional Insider Threat. In: Schmorrow, D., Fidopiastis, C. (eds) Augmented Cognition. Human Cognition and Behavior. HCII 2020. Lecture Notes in Computer Science, vol 12197. Springer, Cham. https://doi.org/10.1007/978-3-030-50439-7_22


  • DOI: https://doi.org/10.1007/978-3-030-50439-7_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50438-0

  • Online ISBN: 978-3-030-50439-7
