Abstract
The notion of insider has multiple facets, and an organization needs to identify which of them it must respond to. The selection, implementation and maintenance of information security countermeasures requires a complex combination of organisational policies, functions and processes, which together form Information Security Management. This chapter examines the role of current information security management practices in addressing the insider threat. Most approaches focus on frameworks for regulating insider behaviour and do not allow for the various cultural responses to the regulatory and compliance framework. Such responses are determined not only by enforcement of policies and awareness programs, but also by various psychological and organisational factors at the individual or group level. Crime theories offer techniques that focus on such cultural responses and can be used to enhance the design of information security management. The chapter examines the applicability of several crime theories and concludes that they can contribute additional controls and a redesign of information security management processes better suited to responding to the insider threat.
© 2010 Springer Science+Business Media, LLC
Cite this chapter
Coles-Kemp, L., Theoharidou, M. (2010). Insider Threat and Information Security Management. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds) Insider Threats in Cyber Security. Advances in Information Security, vol 49. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-7133-3_3
DOI: https://doi.org/10.1007/978-1-4419-7133-3_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-7132-6
Online ISBN: 978-1-4419-7133-3