Introduction
Various threats (potential dangers that exploit system vulnerabilities) militate against information assets as a result of vulnerabilities in information systems. Vulnerabilities are weaknesses in, or the absence of countermeasures in, the information systems themselves (Shon, 2013). Threats may be intentional or unintentional and can come from both internal and external sources. Internal (insider) threats to information security are critical issues for organizations (Baracaldo & Joshi, 2013; Wang, Gupta, & Rao, 2015). A global survey profiles the nature of data breaches reported by 19 organizations from 27 countries. The study covers more than 47,000 reported security incidents and 621 confirmed data breaches. The findings reveal that over 50% of the insiders who committed sabotage were former employees, 70% of Internet Protocol address (IP) theft cases were committed by internal people who intended to resign from their jobs, and 75% of attacks were opportunistic, financially motivated, and targeted no specific individual or organization (Data Breach Investigations Report [DBIR], 2013). This report heightens the need for organizations to ensure that essential security controls are put in place and that security policies are complied with.
Though several threats exist, including browser exploits, data interception, malware, network exploits, spamming, spoofing, and theft/loss (US GAO, 2012), technical (logical) controls are available to protect information systems. Technical controls such as firewalls, intrusion prevention and detection systems, antimalware, encryption, backup and restoration mechanisms, logging, monitoring, auditing, and identification and authentication mechanisms are implemented in software configurations, hardware devices, and procedures to protect information systems. Apart from technical controls, administrative controls (such as security policies and procedures) and physical controls (such as cable locks, fencing, closed-circuit TV, and lighting) play a major role in security systems (Shon, 2013). These controls provide functionalities intended to secure information systems.
These functionalities comprise deterrent (intended to discourage a potential attacker), preventive (intended to stop an incident from occurring), corrective (fixes components or systems after an incident has occurred), recovery (intended to bring the environment back to regular operations), and detective (identifies an incident’s activities and the potential intruder) controls (Shon, 2013). Despite these security measures, the major threat is the members of the organization themselves, who are entrusted to protect information systems (Willison & Warkentin, 2013) and are required to comply with the organization’s security measures and policies. A recent study found that insiders (current and former employees, and third parties) with trusted network access represent a major threat to information security, yet many organisations fail to implement processes and technologies to address internal incidents (PWC Report, 2015).
To ensure compliance with security objectives and with legal and regulatory requirements, organizations have established security policies to guide employees’ behaviour. The information security policy contains the intentions, principles, rules, and guidelines that management wants employees to adhere to (Sommestad et al., 2014). It provides management direction and support for information security (ISO/IEC, 2009). It generally describes the acceptable use of computer resources, information security roles and responsibilities, the type of training that employees should have, and the consequences of security policy violation (Sommestad et al., 2015). Providing adequate security for information systems requires that technical information systems security and management personnel comply with security measures. For instance, critical data may be put at risk when technical personnel fail to follow operational procedures, perform vulnerability assessments, check the security of third-party products and services, perform regular backups, properly manage user accounts, secure mobile devices that are attached to the organization’s production networks, effectively control malware activities, protect data transfers and network services, or monitor, log, and audit information systems regularly.