A socio-technical perspective to counter cyber-enabled industrial espionage

Abstract

The ubiquitous digitization of information and the pervasive connectivity of work systems have inevitably facilitated cyber-enabled industrial espionage. Security failures explain most cyber industrial espionage incidents, and insider threats represent a significant pattern in many case examples. Insiders can inadvertently or purposefully pose serious threats to organisations by facilitating access to, or misuse of, proprietary sensitive data. This paper argues that technical security solutions have rather limited scope to tackle this problem, and that a socio-technical approach has the potential to provide a better means of addressing the challenge of preventing and responding to insider threats. Such an approach could bridge the gap between the design and implementation of security solutions and the creation of an organisational culture that is security-aware.

Author information

Corresponding author

Correspondence to Moufida Sadok.

Cite this article

Sadok, M., Welch, C. & Bednar, P. A socio-technical perspective to counter cyber-enabled industrial espionage. Secur J 33, 27–42 (2020). https://doi.org/10.1057/s41284-019-00198-2

Keywords

  • Cyber-security
  • Socio-technical
  • Industrial espionage
  • Work system
  • Insider threat