Information Systems Frontiers, Volume 15, Issue 1, pp 5–15

Understanding insiders: An analysis of risk-taking behavior

  • Fariborz Farahmand
  • Eugene H. Spafford


There is considerable research being conducted on insider threats, much of it directed toward developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies meet their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to the insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to the conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between the risk and the benefit perceived by insiders, and that their behavior cannot be explained well by models based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating the model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit and of their risk-taking behavior, and how to frame insider decisions. Finally, we recommend understanding the risk of detection and creating a fair working environment to reduce the likelihood that insiders commit criminal acts.


Keywords: Behavior, Insider, Perception, Prospect theory, Risk



This material is based in part upon work supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College. Sponsors of the Center for Education and Research in Information Assurance and Security (CERIAS) also supported portions of this work. The authors would also like to acknowledge the contribution of Mr. William Keck to the literature review.



Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, USA
