A socio-technical perspective to counter cyber-enabled industrial espionage

  • Moufida Sadok
  • Christine Welch
  • Peter Bednar
Original Article

Abstract

The ubiquitous digitization of information and the pervasive connectivity of work systems have inevitably facilitated cyber-enabled industrial espionage. Security failures explain most cyber industrial espionage incidents, and insider threats represent a significant pattern in many case examples. Insiders can inadvertently or purposefully pose serious threats to organisations by facilitating access to or misuse of proprietary sensitive data. This paper argues that technical security solutions have rather limited scope to tackle this problem, and that a socio-technical approach has the potential to provide a better means to address the challenge of preventing and responding to insider threats. Such an approach could bridge the gap between the design and implementation of security solutions and the creation of an organisational culture that is security-aware.

Keywords

Cyber-security; Socio-technical; Industrial espionage; Work system; Insider threat

Copyright information

© Springer Nature Limited 2019

Authors and Affiliations

  1. Institute of Criminal Justice Studies, University of Portsmouth, Portsmouth, UK
  2. Portsmouth Business School, University of Portsmouth, Portsmouth, UK
  3. School of Computing, University of Portsmouth, Portsmouth, UK
  4. Department of Informatics, Lund University, Lund, Sweden
