Dang-Pham et al. (2014), "Towards a complete understanding of information security misbehaviours: a proposal for future research with social network approach" (ACIS 2014)

Post on 12-Jul-2015


Duy Dang-Pham, Siddhi Pittayachawan, Vince Bruno
School of Business IT and Logistics, RMIT University

Dang-Pham, D., Pittayachawan, S., and Bruno, V. (2014), "Towards a complete understanding of information security misbehaviours: a proposal for future research with social network analysis approach", presented at the 25th Australasian Conference on Information Systems (ACIS 2014), Auckland, New Zealand.

Towards a complete understanding of information security misbehaviours: a proposal for future research with social network analysis approach

Background

• Insiders' misbehaviours (both intentional and unintentional ones, the latter termed "shadow security") are one of the current research focuses (Crossler et al. 2013; Warkentin and Willison 2009; Willison and Warkentin 2013)
• 58% of the increased security incidents in 2013 were caused by current (31%) and former employees (27%) (PwC 2014)
• 14% of 47,000+ breaches in 2013 were due to insiders (Verizon 2013)

Background (cont.)

• Why would misbehaviours occur?
• Humans' cognitions react to stimuli and result in misbehaviours
• However, focusing on the individual's cognition alone is not enough

Literature review

Structured literature review (Webster and Watson 2002)
• Keywords: "antecedents AND information security misbehaviours"
• Journals: Computers & Security, Communications of the ACM, Decision Sciences, European Journal of Information Systems, Information Systems Research, Information & Management, Journal of Management Information Systems, Journal of Information Systems Security, MIS Quarterly
• The literature was gathered and analysed for common themes

Common themes

• Unit of analysis: the individual employing rational choice for decision-making (i.e. weighing the pros and cons of consequences)
• There is a set of predominantly adopted theories, e.g. General Deterrence Theory, Social Bonding Theory, Causal Reasoning Theory, General Strain Theory
• Next directions include investigating the relationship between the workplace environment and the individual's behavioural intention and actual behaviours (e.g. Willison and Backhouse 2006; Willison and Warkentin 2013; Baskerville et al. 2014)

Examining the common themes

• What could be missing by focusing on the individual and their rational choice process?
• How to characterise the relationship between the workplace environment and the individual?

paradigm assumption

Questioning the paradigm assumption

• Carefully examine one of the predominantly adopted theories, such as General Deterrence Theory:
  • What about organisations that do not have a formal information security policy; or
  • Employees who hardly read or refer to the information security policy (Wood 2000)

(Straub 1990 p. 258)

• Brass et al.'s (1998) argument regarding the cause of unethical organisational behaviours: whether they are due to the rotten apples that spoil the barrel, or the bad barrel that damages the apples within?
• Similarly, information security behavioural research has focused much on the bad apples (i.e. the individual) rather than the barrel
• In fact, security is a collective information practice of risk, trust and morality (Dourish and Anderson 2006), e.g. delegations of responsibility (Dourish et al. 2004), approvals of workarounds (Kirlappos et al. 2014)
• Shift focus to the interactions and exchanges among the individuals → social network research

Social network research

• By adopting the social network research approach, researchers shift their attention away from the individuals and aim at generating knowledge that is more relational, contextual and systemic (Borgatti and Foster 2003).
• SNA has been increasingly applied to investigate the beliefs and behaviours of people as interconnected beings that are influenced by the relationship patterns among them within the organisational and social systems (Zack 2000).

Research schemes (diagram)

• Social capital research: Network structure → Network application → Received benefits
• Network development research: Routine structure / Purposeful inducements → Network application and structure

• Borgatti et al.'s (2013) categories of network studies: basic and applied network research
  • Basic research aims at understanding the causal process between the predicting conditions and their subsequent outcomes
  • Applied research aims at calculating the metrics that reflect the networks' structure, which can be interpreted by network analysts so as to devise appropriate follow-up actions
• Basic social network research identifies the causal phenomena so that applied research can build on them to make effective decisions given the networks at hand.

Borgatti et al. (2013, p. 6)

SNA in information security behavioural research

• Basic research: understand the impacts of network attributes on individuals' awareness and behaviours. Examples:
  • actor's centrality and recognition of sanctions, norms, social bonding, extrinsic and intrinsic factors
  • actor's personal attributes/ties and delegations of responsibility

SNA in information security behavioural research (cont.)

• Applied research: understand the root cause and spread of misbehaviours/workarounds:
  • Build a sociogram of the advice network in relation to misbehaviours and workarounds
  • Trace back to the key informants of misbehaviours
  • Apply treatment/inducement and observe changes (i.e. quasi-experiment research)

Example of sociogram (adapted from Allen et al. 2007)
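The applied-research steps above (build the advice network, find the key informants, trace the spread of a workaround) carried through in code, as an added illustration that is not part of the slides or the authors' work. The survey answers, names and the password-sharing workaround are constructed; in-degree centrality is used as the "key informant" metric, and the trace-back follows each reported workaround user's advice ties.

```python
# Added example (not from the slides). Toy advice network built from constructed
# answers to the SNA question "whom do you ask when unsure about a security rule?",
# then in-degree centrality to find key informants and a trace-back from staff who
# reported a workaround to the advisers they cite. All data below is invented.
from collections import defaultdict, deque

# Constructed responses: respondent -> people they ask for security advice.
ADVICE_SURVEY = {
    "ann": ["bob", "cat"],
    "bob": ["cat"],
    "cat": [],
    "dan": ["bob"],
    "eve": ["dan", "bob"],
    "fay": ["eve"],
}
# Constructed: respondents who reported using a password-sharing workaround.
WORKAROUND_USERS = {"ann", "dan", "fay"}

def build_advice_network(survey):
    """Directed edges asker -> adviser; returns (out_edges, in_edges)."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for asker, advisers in survey.items():
        out_edges.setdefault(asker, set()); in_edges.setdefault(asker, set())
        for adviser in advisers:
            if adviser == asker:
                continue  # drop self-nominations (an attribution error)
            out_edges[asker].add(adviser); in_edges[adviser].add(asker)
            out_edges.setdefault(adviser, set())
    return out_edges, in_edges

def in_degree_centrality(in_edges):
    """Normalised in-degree: share of the other n-1 actors who cite this actor."""
    n = len(in_edges)
    return {v: len(src) / (n - 1) for v, src in in_edges.items()}

def key_informants(in_edges, top=2):
    """Most-cited advisers, ties broken alphabetically for a stable result."""
    cent = in_degree_centrality(in_edges)
    return sorted(cent, key=lambda v: (-cent[v], v))[:top]

def trace_advice_sources(out_edges, seeds):
    """BFS from each workaround user along asker -> adviser links; returns how
    many seeds each adviser is reachable from (candidate informants)."""
    hits = defaultdict(int)
    for seed in seeds:
        seen, queue = {seed}, deque([seed])
        while queue:
            for adviser in out_edges[queue.popleft()]:
                if adviser not in seen:
                    seen.add(adviser); queue.append(adviser); hits[adviser] += 1
    return dict(hits)
```

On this constructed data "bob" and "cat" come out as the key informants, and the trace-back shows both are reachable from all three workaround users, which is where a follow-up treatment (step three in the slide) would be aimed.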

Limitations

• Mostly in data collection
  • omission errors (e.g. missing links)
  • participants' burden when answering SNA questions (e.g. intrusive, exhaustive, prone to retrospective error)
  • edge/node attribution errors (e.g. assuming a connection from common attendance)

Conclusion

• Explore the vast number of SNA metrics (e.g. ties, nodes, cohesion etc.) to understand more about information security (mis)behaviours:
  • dissemination of information security policy, measuring the discrepancy between security goals and expectations, formation and transformation of security climates and sub-cultures …
• Basic research → applied research → basic research …

References

• Allen, J., James, A. D., and Gamlen, P. 2007. "Formal versus informal knowledge networks in R&D: a case study using social network analysis," R&D Management (37:3), pp. 179–196.
• Baskerville, R., Park, E., and Kim, J. 2014. "An emote opportunity model of computer abuse," Information Technology & People (27:2), pp. 1–31.
• Borgatti, S., and Foster, P. 2003. "The network paradigm in organizational research: A review and typology," Journal of Management (29:6), pp. 991–1013.
• Borgatti, S. P., Everett, M. G., and Johnson, J. C. 2013. Analyzing Social Networks, Sage Publications Ltd.
• Brass, D., Butterfield, K., and Skaggs, B. 1998. "Relationships and unethical behavior: A social network perspective," Academy of Management Review (23:1), pp. 14–31.
• Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., and Baskerville, R. 2013. "Future directions for behavioral information security research," Computers & Security (32), pp. 90–101.
• Dourish, P., and Anderson, K. 2006. "Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena," Human–Computer Interaction (21:3), pp. 319–342.
• Dourish, P., Grinter, R. E., Delgado de la Flor, J., and Joseph, M. 2004. "Security in the wild: user strategies for managing security as an everyday, practical problem," Personal and Ubiquitous Computing (8:6), pp. 391–401.
• Kirlappos, I., Parkin, S., and Sasse, M. A. 2014. "Learning from 'Shadow Security': Why understanding non-compliant behaviors provides the basis for effective security."
• Straub, D. W. 1990. "Effective IS Security: An Empirical Study," Information Systems Research (1:3), pp. 255–276.
• Warkentin, M., and Willison, R. 2009. "Behavioral and policy issues in information systems security: the insider threat," European Journal of Information Systems (18:2), pp. 101–105.
• Willison, R., and Backhouse, J. 2006. "Opportunities for computer crime: considering systems risk from a criminological perspective," European Journal of Information Systems (15:4), pp. 403–414.
• Willison, R., and Warkentin, M. 2013. "Beyond Deterrence: An Expanded View of Employee Computer Abuse," MIS Quarterly (37:1), pp. 1–20.
• Wood, C. C. 2000. "An unappreciated reason why information security policies fail," Computer Fraud & Security, pp. 13–14.
• Zack, M. 2000. "Researching organizational systems using social network analysis," in Proceedings of the 33rd Hawaii International Conference on System Sciences, pp. 1–7.
