Abstract
The ubiquitous digitization of information and the pervasive connectivity of work systems have inevitably facilitated cyber-enabled industrial espionage. Security failures explain most cyber industrial espionage incidents, and insider threats represent a significant pattern in many case examples. Insiders can inadvertently or purposefully pose serious threats to organisations by facilitating access to, or misuse of, proprietary sensitive data. This paper argues that technical security solutions have rather limited scope to tackle this problem, and that a socio-technical approach has the potential to provide a better means of preventing and responding to insider threats. Such an approach could bridge the gap between the design and implementation of security solutions and the creation of a security-aware organisational culture.
Cite this article
Sadok, M., Welch, C. & Bednar, P. A socio-technical perspective to counter cyber-enabled industrial espionage. Secur J 33, 27–42 (2020). https://doi.org/10.1057/s41284-019-00198-2