Duy Dang-Pham, Siddhi Pittayachawan, Vince Bruno
School of Business IT and Logistics
RMIT University
Dang-Pham, D., Pittayachawan, S., and Bruno, V. (2014), "Towards a complete understanding of information
security misbehaviours: a proposal for future research with social network analysis approach", presented at
25th Australasian Conference on Information Systems (ACIS 2014), Auckland, New Zealand.
Towards a complete understanding of
information security misbehaviours:
a proposal for future research with
social network analysis approach
Background
• insiders’ misbehaviours (both intentional and
unintentional ones – “shadow security”) are one of the current
focuses (Crossler et al. 2013; Warkentin and Willison 2009;
Willison and Warkentin 2013)
• 58% of the increased security incidents in 2013 were
caused by current (31%) and former employees (27%)
(PwC 2014)
• 14% of 47,000+ breaches in 2013 were due to insiders
(Verizon 2013)
Background (cont.)
• Why would misbehaviours occur?
• Human cognitions that react to stimuli and result in
misbehaviours
• However, focusing on the individual’s cognition is not
enough
Literature review
Structured literature review (Webster and Watson 2002)
• Keywords: “antecedents AND information security
misbehaviours”
• Journals: Computers & Security, Communications of ACM,
Decision Sciences, European Journal of Information Systems,
Information Systems Research, Information & Management,
Journal of Management Information Systems, Journal of
Information Systems Security, MIS Quarterly
• Literature was gathered and analysed for common themes
Common themes
• Unit of analysis: individual employing rational choice for
decision-making (i.e. weighs pros & cons of
consequences)
• There is a set of predominantly adopted theories e.g.
General Deterrence Theory, Social Bonding Theory,
Causal Reasoning Theory, General Strains Theory
• Next directions include investigating the relationship
between the workplace environment and the individual’s
behavioural intention and actual behaviours (e.g. Willison
and Backhouse 2006; Willison and Warkentin 2013;
Baskerville et al. 2014)
Examining the common themes
• What could be missing by focusing on the individual and
their rational choice process?
• How to characterise the relationship between workplace
environment and the individual?
Questioning the paradigm assumption
• Carefully examine one of the predominantly adopted
theories such as General Deterrence Theory:
• What about organisations that do not have a formal
information security policy; or
• The employees hardly read or refer to information security
policy (Wood 2000)
(Straub 1990, p. 258)
• Brass et al.’s (1998) argument regarding the cause of
unethical organisational behaviours – whether they are due
to the rotten apples that spoil the barrel, or the bad barrel
that damages the apples within?
• Similarly, information security behavioural research has
been focusing much on the bad apples (i.e. individual)
rather than the barrel
• In fact, security is a collective information practice of
risk, trust and morality (Dourish and Anderson 2006), e.g.
delegations of responsibility (Dourish et al. 2004),
approvals of workarounds (Kirlappos et al. 2014)
• Shift focus to the interactions and exchanges among the
individuals → social network research
Social network research
• By adopting the social network research approach,
researchers shift their attention away from the
individuals and aim at generating knowledge that is
more relational, contextual and systemic (Borgatti and
Foster 2003).
• SNA has been increasingly applied to investigate the
beliefs and behaviours of people as interconnected
beings that are influenced by the relationship patterns
among them within the organisational and social systems
(Zack 2000).
Research schemes
• Social capital research: [diagram; labels: Network structure, Network application, Received benefits]
• Network development research: [diagram; labels: Routine structure, Purposeful inducements, Network application and structure]
• Borgatti et al.’s (2013) category of network studies: basic
and applied network research
• Basic research aims at understanding the causal
process between the predicting conditions and their
subsequent outcomes
• Applied research aims at calculating the metrics that
reflect the networks’ structure, which can be interpreted
by network analysts so as to devise appropriate follow-up
actions
• Basic social network research identifies the causal
phenomena so that applied research can build on them to
make effective decisions given the networks at hand.
Borgatti et al. (2013, p. 6)
SNA in information security
behavioural research
• Basic research: understand the impacts of network
attributes on individual’s awareness and behaviours.
Examples:
• actor’s centrality and recognition of sanctions, norms,
social bonding, extrinsic and intrinsic factors
• actor’s personal attributes/ties and delegations of
responsibility
SNA in information security
behavioural research (cont.)
• Applied research: understand the root cause and spread
of misbehaviours/workarounds:
• Build sociogram of advice network in relation to
misbehaviours and workarounds
• Trace back to the key informants of misbehaviours
• Apply treatment/inducement and observe changes (i.e.
quasi-experiment research)
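The applied-research steps listed above (build the advice network, compute its structural metrics, trace back to the key informants of a workaround) as an added worked example. This is illustrative code written for this page, not the authors' own; the employees, their advice nominations and the workaround are constructed data, betweenness is computed with Brandes' algorithm, and the "key informant" and "source" definitions are this example's own operationalisation rather than definitions taken from the slides.

```python
"""Added example (not from the presentation): applied SNA on a constructed
security-advice network, following the slide's steps: build the advice network,
compute structural metrics (in-degree, betweenness, density) and trace adopters
of a workaround back to its key informants. All data below is constructed."""
from collections import deque

# Constructed nominations to "Who do you ask for advice on security matters?"
# ego -> set of advisors, i.e. a directed arc ego -> advisor.
ADVICE = {
    "ana": {"ben", "cho"},
    "ben": {"cho"},
    "cho": {"dan"},
    "dan": set(),
    "eve": {"ben"},
    "fay": {"eve", "ben"},
    "gus": {"fay"},
}
# Constructed self-reports of using workaround W (e.g. sharing a login to
# finish a task when the approved route is too slow).
USES_WORKAROUND = {"ana", "ben", "eve", "fay", "gus"}


def all_nodes(adj):
    """Every actor appearing as an ego or as a nominated alter."""
    return set(adj).union(*adj.values())

def in_degree(adj):
    """How many colleagues nominate each actor as an advisor (who is listened to)."""
    deg = dict.fromkeys(all_nodes(adj), 0)
    for alters in adj.values():
        for a in alters:
            deg[a] += 1
    return deg

def density(adj):
    """Cohesion: share of possible directed ties that exist, arcs / n(n-1)."""
    n = len(all_nodes(adj))
    arcs = sum(len(alters) for alters in adj.values())
    return arcs / (n * (n - 1)) if n > 1 else 0.0

def betweenness(adj):
    """Unnormalised directed betweenness (Brandes): how often an actor lies on
    shortest advice paths between other pairs, i.e. who brokers advice."""
    nodes = all_nodes(adj)
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        stack, pred = [], {v: [] for v in nodes}
        sigma, dist = dict.fromkeys(nodes, 0), dict.fromkeys(nodes, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj.get(v, ()):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while stack:  # back-propagate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc

def key_informants(adj, adopters):
    """Advisors who use the workaround and are consulted by other users of it,
    ranked by how many adopters seek their advice (ties broken by name)."""
    score = {}
    for ego in adopters:
        for advisor in adj.get(ego, ()):
            if advisor in adopters and advisor != ego:
                score[advisor] = score.get(advisor, 0) + 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

def trace_to_sources(adj, adopters, start):
    """Follow advice ties upstream from one adopter through adopting advisors;
    adopters with no adopting advisor are the likely origins (empty if cyclic)."""
    seen, sources, queue = {start}, set(), deque([start])
    while queue:
        ego = queue.popleft()
        upstream = [a for a in adj.get(ego, ()) if a in adopters and a != ego]
        if not upstream:
            sources.add(ego)
        for a in upstream:
            if a not in seen:
                seen.add(a)
                queue.append(a)
    return sources

if __name__ == "__main__":
    print("density", round(density(ADVICE), 3), "in-degree", in_degree(ADVICE))
    print("key informants", key_informants(ADVICE, USES_WORKAROUND))
    print("sources for gus", trace_to_sources(ADVICE, USES_WORKAROUND, "gus"))
```

On the constructed data the actor with the highest in-degree and betweenness ("ben") is also the only source every adopter traces back to, which is the situation in which an inducement applied to one person and then re-measured (the quasi-experiment the slide mentions) is most informative; in real data the brokers and the sources need not coincide, which is why both metrics are computed.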
Example of sociogram (adapted from Allen et al. 2007)
Limitations
• Mostly in data collection
• omission errors (e.g. missing links)
• participant’s burden when answering SNA questions
(e.g. intrusive, exhaustive, prone to retrospective
error)
• edge/node attribution errors (e.g. assume
connection from common attendance)
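An added example (not from the presentation) of checking collected data for the omission errors named above: when the instrument asks both sides of each advice tie, the two reports can be reconciled and the share of ties only one side mentioned used as a rough indicator of error. The names, the answers and the "both"/"either" confirmation rules are this example's own constructions.

```python
"""Added example (not from the presentation): reconciling the two sides of each
advice tie to surface candidate omission (or attribution) errors in SNA survey
data. Every respondent answered "Who do you ask for security advice?" (seeking)
and "Who asks you for security advice?" (giving). All answers are constructed."""

# Constructed answers to "Who do you ask?": ego -> advisors.
SEEKING = {
    "ana": {"ben", "cho"},
    "ben": {"cho"},
    "cho": {"dan"},
    "dan": set(),
    "eve": {"ben"},
}
# Constructed answers to "Who asks you?": advisor -> askers.
GIVING = {
    "ana": set(),
    "ben": {"ana", "eve"},
    "cho": {"ana"},
    "dan": set(),
    "eve": {"ben"},  # eve says ben asks her; ben did not report that
}


def reconcile(seeking, giving):
    """Split reported arcs (asker, advisor) into those confirmed by both
    parties and those reported by only one side."""
    from_seekers = {(ego, adv) for ego, advs in seeking.items() for adv in advs}
    from_givers = {(asker, adv) for adv, askers in giving.items() for asker in askers}
    return {
        "confirmed": from_seekers & from_givers,
        "seeker_only": from_seekers - from_givers,
        "giver_only": from_givers - from_seekers,
    }

def unconfirmed_share(seeking, giving):
    """Fraction of all reported arcs mentioned by only one side: a rough
    indicator of how much omission error the instrument is producing."""
    r = reconcile(seeking, giving)
    one_sided = len(r["seeker_only"]) + len(r["giver_only"])
    reported = len(r["confirmed"]) + one_sided
    return one_sided / reported if reported else 0.0

def edges_under_rule(seeking, giving, rule):
    """Arc set to analyse under an explicit confirmation rule: 'both' keeps only
    confirmed arcs (conservative), 'either' keeps every reported arc (guards
    against omission at the cost of possible false ties)."""
    r = reconcile(seeking, giving)
    if rule == "both":
        return set(r["confirmed"])
    if rule == "either":
        return r["confirmed"] | r["seeker_only"] | r["giver_only"]
    raise ValueError("rule must be 'both' or 'either'")

if __name__ == "__main__":
    r = reconcile(SEEKING, GIVING)
    print("confirmed:", sorted(r["confirmed"]))
    print("seeker only:", sorted(r["seeker_only"]))
    print("giver only:", sorted(r["giver_only"]))
    print("unconfirmed share:", unconfirmed_share(SEEKING, GIVING))
```

Reporting which rule was used matters because the two arc sets can differ substantially (here three arcs versus six), and centrality rankings computed on them will differ accordingly; asking both sides also halves the per-question recall burden on each respondent, which is the second limitation the slide lists.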
Conclusion
• Explore the vast number of SNA metrics (e.g. ties, nodes,
cohesion etc.) to understand more about information
security (mis)behaviours:
• dissemination of information security policy, measuring
discrepancy of security goals and expectations,
formation and transformation of security climates and
sub-cultures …
• Basic research → applied research → basic research …
References
• Allen, J., James, A. D., and Gamlen, P. 2007. “Formal versus informal knowledge networks in
R&D: a case study using social network analysis,” R&D Management (37:3), pp. 179–196.
• Baskerville, R., Park, E., and Kim, J. 2014. “An emote opportunity model of computer abuse,”
Information Technology & People (27:2), pp. 1–31.
• Borgatti, S., and Foster, P. 2003. “The network paradigm in organizational research: A review
and typology,” Journal of management (29:6), pp. 991–1013.
• Borgatti, S. P., Everett, M. G., and Johnson, J. C. 2013. Analyzing Social Networks, Sage
Publications Ltd.
• Brass, D., Butterfield, K., and Skaggs, B. 1998. “Relationships and unethical behavior: A social
network perspective,” Academy of Management Review (23:1), pp. 14–31.
• Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., and Baskerville, R. 2013.
“Future directions for behavioral information security research,” Computers & Security
(32), pp. 90–101.
• Dourish, P., and Anderson, K. 2006. “Collective Information Practice: Exploring Privacy and
Security as Social and Cultural Phenomena,” Human–Computer Interaction (21:3), pp. 319–
342.
• Dourish, P., Grinter, R. E., Delgado de la Flor, J., and Joseph, M. 2004. “Security in the wild:
user strategies for managing security as an everyday, practical problem,” Personal and
Ubiquitous Computing (8:6), pp. 391–401.
References (cont.)
• Kirlappos, I., Parkin, S., and Sasse, M. A. 2014. “Learning from ‘Shadow Security’: Why
understanding non-compliant behaviors provides the basis for effective security.”
• Straub, D. W. 1990. “Effective IS Security: An Empirical Study,” Information Systems Research
(1:3), pp. 255–276.
• Warkentin, M., and Willison, R. 2009. “Behavioral and policy issues in information systems
security: the insider threat,” European Journal of Information Systems (18:2), pp. 101–105.
• Willison, R., and Backhouse, J. 2006. “Opportunities for computer crime: considering systems
risk from a criminological perspective,” European Journal of Information Systems (15:4), pp.
403–414.
• Willison, R., and Warkentin, M. 2013. “Beyond Deterrence: An Expanded View of Employee
Computer Abuse,” MIS Quarterly (37:1), pp. 1–20.
• Wood, C. C. 2000. “An unappreciated reason why information security policies fail,” Computer
Fraud & Security, pp. 13–14.
• Zack, M. 2000. “Researching organizational systems using social network analysis,” in
Proceedings of the 33rd Hawaii Conference on System Sciences (Vol. 00), pp. 1–7.