Abstract
There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to the conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between the risk and benefit perceived by insiders and that their behavior cannot be explained well by models based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit and their risk-taking behavior, and how to frame insider decisions. Finally, we recommend making the risk of detection understood and creating a fair working environment to reduce the likelihood of insiders committing criminal acts.
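The abstract contrasts prospect theory with expected utility and recommends that the risk of detection be understood. The block below is an added illustration, not code or data from the paper: it values one insider choice as a two-outcome prospect (a perceived benefit if undetected, a perceived loss if detected) under both a risk-neutral expected value and a prospect-theory valuation, and finds the perceived detection probability at which the prospect-theory value stops being positive. The functional forms and parameter values (alpha = beta = 0.88, lambda = 2.25, gamma = 0.61, delta = 0.69) are the estimates from Tversky and Kahneman's 1992 cumulative prospect theory paper, which this page does not cite; the gain and loss magnitudes are constructed sample values.

```python
"""Prospect-theory valuation of an insider's risky choice.

Added illustration, not from the paper.  Parameters are the Tversky & Kahneman
(1992) estimates, assumed here; gain/loss magnitudes are constructed samples.
"""
from dataclasses import dataclass

ALPHA = 0.88   # curvature of the value function for gains
BETA = 0.88    # curvature of the value function for losses
LAMBDA = 2.25  # loss aversion: a loss weighs ~2.25x a gain of equal size
GAMMA = 0.61   # probability-weighting curvature for gains
DELTA = 0.69   # probability-weighting curvature for losses


def value(x: float) -> float:
    """Subjective value of an outcome relative to the status quo (reference point)."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * ((-x) ** BETA)


def weight(p: float, param: float) -> float:
    """Probability-weighting function: overweights small p, underweights large p."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    return p ** param / ((p ** param + (1 - p) ** param) ** (1 / param))


@dataclass(frozen=True)
class Prospect:
    gain: float       # perceived benefit if the act goes undetected
    loss: float       # perceived loss (sanction, job, reputation) if detected
    p_detect: float   # perceived probability of detection

    def expected_value(self) -> float:
        """Risk-neutral valuation used by traditional engineering risk analysis."""
        return (1 - self.p_detect) * self.gain - self.p_detect * self.loss

    def prospect_value(self) -> float:
        """Prospect-theory valuation: decision weights plus loss aversion."""
        return (weight(1 - self.p_detect, GAMMA) * value(self.gain)
                + weight(self.p_detect, DELTA) * value(-self.loss))


def breakeven_detection_probability(gain: float, loss: float,
                                    tol: float = 1e-6) -> float:
    """Smallest perceived detection probability at which the prospect-theory
    value is no longer positive.  Found by bisection, since prospect_value is
    decreasing in p_detect for these monotone weighting parameters."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if Prospect(gain, loss, mid).prospect_value() > 0:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    gain, loss = 100.0, 100.0   # constructed sample magnitudes
    for p in (0.05, 0.1, 0.2, 0.3, 0.5):
        pr = Prospect(gain, loss, p)
        print(f"p_detect={p:.2f}  EV={pr.expected_value():7.2f}  "
              f"PT={pr.prospect_value():7.2f}")
    print("break-even p_detect (expected value):", gain / (gain + loss))
    print("break-even p_detect (prospect theory):",
          round(breakeven_detection_probability(gain, loss), 3))
```

With equal gain and loss, expected value is indifferent at a 50% perceived chance of detection, whereas the loss-averse prospect-theory valuation turns negative at a noticeably lower perceived probability. That gap is the defender's lever the abstract points to: what matters is the detection risk the insider perceives, not only the one the control actually provides.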
References
Albrechtsen, E., & Hovden, J. (2009). Improving information security awareness and behavior through dialogue, participation and collective reflection. An intervention study. Computers & Security, XXX, 1–14.
Bishop, M., & Gates, C. (2008). Defining the insider threat. Proceedings of the Cyber Security and Information Intelligence Research Workshop, article 15.
Bloom, B. S., & Krathwohl, D. R. (1956). Taxonomy of educational objectives: The classification of educational goals, by a committee of college and university examiners. Handbook 1: Cognitive domain, New York, Longmans.
Brackney, R. C., & Anderson, R. H. (2004). Understanding the Insider Threat. Proceedings of a March 2004 Workshop, RAND Corporation.
Camerer, C. F. (2000). Prospect theory in the wild. In D. Kahneman & A. Tversky (Eds.), Choices, values, and frames (Chap. 16). Cambridge: Cambridge University Press.
Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for cyber security training and awareness. Computers & Security, 26, 63–72.
D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research, 20(1), 79–98.
Deloitte (2009). Protecting what matters: The 6th annual global security survey. Deloitte Touche Tohmatsu.
DeMillo, R. A., & Spafford, E. H. (2004). Four grand challenges in trustworthy computing. Computing Research Association.
Diamond, L. (1988). The impact of information form on the perception of risk. International Conference on Information Systems, 91–97.
Dillon, R. L., & Tinsley, C. H. (2008). How near-misses influence decision making under risk: a missed opportunity for learning. Management Science, 54(8), 1425–1440.
Farahmand, F., Atallah, M., & Kensynski, B. (2008). Incentives and Perceptions of Information Security Risks. Proc. of the Twenty Ninth International Conference on Information Systems, Paris.
Finucane, M. L., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13, 1–17.
Fischhoff, B., et al. (1978). How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences, 9(2), 127–152.
Gefen, D. P., & Pavlou, P. A. (2006). The modeling role of perceived regulatory effectiveness of the online marketplaces on the role of trust and risk transaction intentions. WI: International Conference on Information Systems.
Goodhue, D. L., & Straub, D. W. (1991). Security concerns of systems users: a study of perceptions of the adequacy of security. Information & Management, 20, 13–27.
Greitzer, F. L., et al. (2008). Combating the insider cyber threat. IEEE Security and Privacy, 61–64.
Hammond, K. R. (1993). Naturalistic decision making from a Brunswikian viewpoint: Its past, present, future. In G. A. Klein, J. Orasanu, R. Calderwood, & E. Zsambok (Eds.), Decision making in action: Models and methods (pp. 205–227). Norwood: Ablex.
Heath, L., et al. (1994). Applications of heuristics and biases to social issues. Plenum.
Hu, X., Lin, Z., Whinston, A., & Zang, H. (2001). Perceived risk and escrow adoption. International Conference on Information Systems (pp. 271–274).
Jennex, M. E., & Zyngier, S. (2007). Security as a contributor to knowledge management success. Information Systems Frontiers, 9, 493–504.
Johnson, E. J., & Tversky, A. (1984). Representations of perceptions of risk. Journal of Experimental Psychology: General, 113, 55–70.
Kahneman, D., & Lovallo, D. (1993). Timid choices and bold forecasts: a cognitive perspective on risk taking. Management Science, 39(1), 17–31.
Kahneman, D., Slovic, P., & Tversky, A. (1982). Judgment under uncertainty: Heuristics and biases. Cambridge University Press.
Keeney, R. L., & Raiffa, H. (1976). Decisions with multiple objectives: Preferences and value tradeoffs. Wiley.
Kim, K., & Prabhakar, P. (2000). Initial trust, perceived risk, and the adoption of internet banking. International Conference on Information Systems (pp. 537–543).
Knight, F. H. (1921). Risk, uncertainty and profit. Dodo.
Lehto, M. R., & Buck, J. R. (2008). Introduction to human factors and ergonomics for engineers. CRC.
Levy, M., & Levy, H. (2002). Prospect theory: much ado about nothing. Management Science, 48(10), 1334–1349.
Lichtenstein, S., & Slovic, P. (1971). Reversals of preference between bids and choices in gamble decisions. Journal of Experimental Psychology, 89(1), 46–55.
MacGregor, D. G., et al. (1999). Perception of financial risk: a survey study of advisors and planners. Journal of Financial Planning, 12(8), 68–86.
Maloof, M. A., & Stephens, G. D. (2007). ELICIT: a system for detecting insiders who violate need-to-know. Lecture Notes in Computer Science, 4637, 146–166.
Masterson, S. S., et al. (2000). Integrating justice and social exchange: the differing effects of fair procedures and treatment on work relationships. Academy of Management Journal, 43(4), 738–748.
Moores, T. T., & Dhillon, G. (2003). Do privacy seals in e-commerce really work? Communications of the ACM, 46(12), 265–271.
Odean, T. (1998). Are investors reluctant to realize their losses? Journal of Finance, 53, 1775–1798.
Paese, P. W., Bieser, M., & Tubbs, M. E. (1993). Framing effects and choice shifts in group decision making. Organizational Behavior and Human Decision Processes, 56, 149–165.
Savage, L. J. (1954). The foundations of statistics. Wiley.
Schroeder, N. J. (2005). Using prospect theory to investigate decision-making bias within an information security context. Dept. of the Air Force Air University, Air Force Institute of Technology.
Slovic, P. (1987). Perceptions of risk. Science, 236, 280–285.
Slovic, P., et al. (2007). The affect heuristic. European Journal of Operational Research, 177, 1333–1352.
Stamper, C. L., & Masterson, S. (2002). Insider or outsider? How employee perception of insider status affects their work behavior. Journal of Organizational Behavior, 23, 875–894.
Starr, C. (1969). Social benefits versus technological risks. Science, 165(3899), 1232–1238.
Stolfo, S. J., et al. (2008). Insider attack and cyber security, advances in information security. Springer.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST SP 800-30.
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22(4), 441–469.
Sveen, F. O., Rich, E., & Jager, M. (2007). Overcoming organizational challenges to secure knowledge management. Information Systems Frontiers, 9, 481–492.
Taylor, R. G. (2006). Management perception of unintentional information security risks. International Conference on Information Systems (pp. 1581–1597).
Trepel, C., Fox, C. R., & Poldrack, R. A. (2005). Prospect theory on the brain? Toward a cognitive neuroscience of decision under risk. Cognitive Brain Research, 23(1), 34–50.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: heuristics and biases. Science, 185, 1124–1131.
Tversky, A., & Kahneman, D. (1979). Prospect theory: an analysis of decisions under risk. Econometrica, 47(2), 263–291.
von Neumann, J., & Morgenstern, O. (1947). Theory of games and economic behavior. Princeton University Press.
Wells, J. T. (2005). Principles of fraud examination. Wiley.
Willison, R., & Siponen, M. (2009). Overcoming the insider: reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9), 133–137.
Wood, B. (2000). An insider threat model for adversary simulation. SRI International, Research on Mitigating the Insider Threat to Information Systems—#2 Proceedings of a Workshop Held by RAND.
Zajonc, R. B. (1980). Feeling and thinking: preferences need no inferences. American Psychologist, 35, 151–175.
Acknowledgments
This material is based in part upon work supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) research program. The I3P is managed by Dartmouth College. The views and conclusions contained in this document should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, or Dartmouth College. Sponsors of the Center for Education and Research in Information Assurance and Security (CERIAS) also supported portions of this work. The authors would also like to acknowledge the contribution of Mr. William Keck to the literature review.
Additional information
This paper is an extension and expansion of the work presented as “Insider Behavior: An Analysis of Decision under Risk” at the First International Workshop on Managing Insider Security Threats, International Federation for Information Processing (IFIP) International Conference on Trust Management, June 2009, Purdue University.
Cite this article
Farahmand, F., Spafford, E.H. Understanding insiders: An analysis of risk-taking behavior. Inf Syst Front 15, 5–15 (2013). https://doi.org/10.1007/s10796-010-9265-x
DOI: https://doi.org/10.1007/s10796-010-9265-x