Week 13 – Wang et al. 2015 – Joe
Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1).
Insider threats to information security are considered a critical issue for organizations, yet research quantifying the risk that insider threats pose to information assets is sparse. Extending routine activity theory (RAT) from its original context of explaining predatory crime in the physical environment, this paper synthesizes RAT with survival modeling and makes the following main contributions. To understand what causes applications to be exposed to insider threats, the study conceptualizes and operationalizes the main constructs of RAT (value, inertia, visibility, accessibility (VIVA), and absence of guardians) in the domain of information systems security.
To quantify the risk that an application will experience unauthorized access attempts, the authors apply survival modeling. Using log data from an enterprise single sign-on (ESSO) system and information about the integrated IS applications of a regional financial institution, the authors then investigate the main constructs of RAT. The survival analysis results show that 1) the business value of an application (BVM) increases the risk of an application experiencing unauthorized attempts; 2) control strength (CSTR) decreases that risk; 3) access prevalence level (log(APL)) increases it; 4) OLIM increases it; and 5) data protection level (DPL) decreases it. All five hypotheses are thus supported by the empirical results.
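The survival-modeling step, as an added illustration that is not the paper's own code or data: a Kaplan-Meier estimate of how long applications "survive" before their first unauthorized access attempt, built from constructed ESSO-style events and compared across a hypothetical control-strength (CSTR) label, mirroring hypothesis 2.

```python
"""Time until an application first sees an unauthorized access attempt, estimated
with Kaplan-Meier from ESSO-style log events and split by a guardianship proxy."""

# Constructed ESSO-style events (day, application, user, outcome); not real data.
ESSO_LOG = [
    (1, "payroll", "u1", "ok"),   (2, "payroll", "u2", "denied"),
    (1, "crm", "u3", "ok"),       (5, "crm", "u3", "denied"),
    (1, "wiki", "u4", "ok"),      (3, "wiki", "u5", "ok"),
    (2, "ledger", "u1", "ok"),    (8, "ledger", "u6", "denied"),
    (1, "hr", "u7", "ok"),        (4, "hr", "u2", "denied"),
    (3, "intranet", "u8", "ok"),  (7, "intranet", "u9", "ok"),
]
WINDOW_END = 10  # last observed day; apps with no attempt are right-censored
# Hypothetical control-strength (CSTR) label per application.
CSTR = {"wiki": "high", "intranet": "high", "ledger": "high",
        "payroll": "low", "crm": "low", "hr": "low"}

def time_to_first_attempt(log, window_end):
    """Map each application to (duration, event): days from its first log entry
    to its first 'denied' attempt (event=1), or to the end of the window if
    none was seen (event=0, right-censored)."""
    first_seen, first_denied = {}, {}
    for day, app, _user, outcome in sorted(log):
        first_seen.setdefault(app, day)
        if outcome == "denied":
            first_denied.setdefault(app, day)
    return {app: (first_denied[app] - start, 1) if app in first_denied
            else (window_end - start, 0)
            for app, start in first_seen.items()}

def kaplan_meier(subjects):
    """Product-limit estimate of S(t) over (duration, event) pairs;
    returns [(t, S(t))] at each distinct event time."""
    pairs = list(subjects.values())
    survival, curve = 1.0, []
    for t in sorted({d for d, e in pairs if e}):
        at_risk = sum(1 for d, _ in pairs if d >= t)
        events = sum(1 for d, e in pairs if e and d == t)
        survival *= 1 - events / at_risk
        curve.append((t, survival))
    return curve

def survival_by_group(log, window_end, labels):
    """One KM curve per covariate level, e.g. high vs low control strength."""
    groups = {}
    for app, pair in time_to_first_attempt(log, window_end).items():
        groups.setdefault(labels[app], {})[app] = pair
    return {level: kaplan_meier(subj) for level, subj in groups.items()}
```

Calling `survival_by_group(ESSO_LOG, WINDOW_END, CSTR)` on the constructed sample gives the low-CSTR group a survival curve that drops to zero while the high-CSTR group stays at two thirds, the pattern hypothesis 2 predicts; the paper itself fits a regression-style survival model with all five covariates rather than a per-group estimate.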
Theoretically, this paper introduces measurements for managing the risk of insider threats within an organization. The authors conceptualize and operationalize the risk of insider threats associated with information assets, providing a foundation for future research on risk management of digital assets. Practically, the study suggests that the practice of risk management for IS applications should be adapted to the organizational context and account for users' behavioral patterns.