A Longitudinal Study of Unauthorized Access Attempts on Information Systems: The Role of Opportunity Contexts
Friday, March 30, 2018
10:30 AM – noon
Speakman Hall Suite 200
This study investigates employees’ unauthorized access attempts on information systems (IS) applications in a financial institution and how opportunity contexts impact such attempts. By contextualizing multilevel criminal opportunity theory, we develop a model that considers both employee- and department-level opportunity contexts. At the employee level, we hypothesize that the number of IS apps an employee has legitimately accessed and the level of confidentiality of those apps, together with the time when and the location where the employee initiated the access, affect the likelihood of unauthorized attempts. At the department level, we hypothesize that department size moderates the impact of employee-level contextual variables on the likelihood of unauthorized attempts occurring. To test the hypotheses, we collected six months of access log data from an enterprise single sign-on system of a financial institution. We find the hypothesized main effects of all employee-level contextual variables are supported. In addition, department size reinforces the effects of off-hour access, off-site access, and their interaction term. Robustness analyses indicate that the results do not align with employees who do not know the systems well enough and may be making mistakes. We also discuss the theoretical and practical implications of the study.