Skip to main content
SpringerLink
Log in
Book cover

International Conference on Human-Computer Interaction

HCII 2020: Augmented Cognition. Human Cognition and Behavior pp 316–334Cite as

Confronting Information Security’s Elephant, the Unintentional Insider Threat

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 12197))

Abstract

It is well recognized that individuals within organizations represent a significant threat to information security as they are both common targets of external attackers and can be sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of unintentional human error. Such lack of emphasis is surprising given relatively recent reports that highlight error’s central role in being the root cause for numerous security breaches. Unfortunately, efforts that recognize human error’s influence suffer from not employing a commonly accepted error framework and lexicon. We thus take this opportunity to review what the data show regarding error-based breaches across various types of organizations and create a nomenclature and taxonomy rooted in the rich history of safety research that can be applied to the information security domain. Our efforts represent a significant step in an effort to classify, monitor, and compare the myriad aspects of human error in information security in the hopes that more effective security education, training, and awareness (SETA) programs can be devised. Further, we believe our efforts underscore the importance of revisiting the daily demands placed on organizational insiders in the workplace.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Most information security reports focus on breaches of confidentiality rather than integrity and availability; thus, we have focused our efforts on these types of attacks in this section.

  2. 2.

    While beyond the scope of this paper to provide a tutorial on writing learning or training objectives, most experts in these fields agree that these objectives must at least declare an expectation of observable participant/learner behavior that demonstrates measurable change under a given condition (often time framed) [cf. Mayer 38].

References

  1. Reason, J.: Human Error. Cambridge University Press, Cambridge (1990)

    Book  Google Scholar 

  2. Goldberg, M.: 10 of the biggest data breaches over the last decade (2019). https://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#slide=1. Accessed 30 Jan 2020

  3. Bissell, K., LaSalle, R., Dal Cin, P.: The Cost of Cybercrime: Ninth Annual Cost of Cybercrime Study. Accenture (2019)

    Google Scholar 

  4. Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: the enduring problem of human error. Database Adv. Inf. Syst. 36(4), 68–79 (2005)

    Article  Google Scholar 

  5. Verizon: Data Breach Investigations Report (2019)

    Google Scholar 

  6. Baskerville, R.: A taxonomy for analyzing hazards to information systems. In: Katsikas, S.K., Gritzalis, D. (eds.) SEC 1996. IAICT, pp. 167–176. Springer, Boston, MA (1996). https://doi.org/10.1007/978-1-5041-2919-0_14

    Chapter  Google Scholar 

  7. Reilly, R.B.: 95% of successful security attacks are the result of human error (2014). https://venturebeat.com/2014/06/19/95-of-successful-security-attacks-are-the-result-of-human-error/. Accessed 30 Jan 2020

  8. Targett, E.: Revealed: human error, not hackers, to blame for vast majority of data breaches (2018). https://www.cbronline.com/news/kroll-foi-ico. Accessed 30 Jan 2020

  9. Metinko, C.: Cybersecurity training sees flood of M&A (2018). https://www.forbes.com/sites/mergermarket/2018/08/17/cybersecurity-training-sees-flood-of-ma/#5d8e709d2266. Accessed 30 Jan 2020

  10. Statista: Spending on cybersecurity in the United States from 2010 to 2018 (2019). https://www.statista.com/statistics/615450/cybersecurity-spending-in-the-us/. Accessed 30 Jan 2020

  11. Carpenter, P.: Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. Wiley, Indianapolis (2019)

    Google Scholar 

  12. Cram, W.A., D’Arcy, J., Proudfoot, J.G.: Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS Q. 43(2), 525–554 (2019)

    Article  Google Scholar 

  13. von Solms, B., von Solms, R.: Cybersecurity and information security–what goes where? Inf. Comput. Secur. 26(1), 2–9 (2018)

    Article  Google Scholar 

  14. Conrad, E., Misenar, S., Feldman, J.: CISSP Study Guide, 2nd edn. Syngress, Waltham (2012)

    Google Scholar 

  15. Debenedetti, G. The email headache that won’t go away (2016). https://www.politico.com/story/2016/07/hillary-clinton-email-fbi-fallout-225113. Accessed 30 Jan 2020

  16. Response, S.S.: W32.Duqu: the precursor to the next Stuxnet (2011). https://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet. Accessed 30 Jan 2020

  17. Graff, G.M.: How a dorm room minecraft scam brought down the Internet (2017). https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/. Accessed 30 Jan 2020

  18. Spadafora, A.: 90 percent of data breaches are caused by human error (2019). https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-human-error. Accessed 30 Jan 2020

  19. IBM: X-Force Threat Intelligence Index (2019)

    Google Scholar 

  20. Targett, E.: Personal Communication with M. Canham (2020)

    Google Scholar 

  21. Justice, C.D.O.: California Data Breach Report, 2012–2015 (2016)

    Google Scholar 

  22. Chubb: Chubb cyber index: providing data driven insight on cyber threat trends (2020). https://chubbcyberindex.com/#/incident-growth. Accessed 30 Jan 2020

  23. Willison, R., Warkentin, M.: Beyond deterrence: an expanded view of employee computer abuse. MIS Q. 37(1), 1–20 (2013)

    Article  Google Scholar 

  24. Norman, D.: The Design of Everyday Things, Revised and Expanded edn. Basic Books, New York (2013)

    Google Scholar 

  25. Perrow, C.: Normal Accidents: Living with High Risk Technologies, Updated edn. Princeton University Press, Princeton (2011)

    Google Scholar 

  26. Rasmussen, J.: Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Trans. Syst. Man Cybern. SMC-13(3), 257–266 (1983)

    Google Scholar 

  27. SKYbrary: Human error types (2016). https://www.skybrary.aero/index.php/Human_Error_Types. Accessed 30 Jan 2020

  28. Rader, E., Munasinghe, A.: “Wait, do I know this person?” Understanding misdirected Email. In: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, Glasgow, Scotland (2019)

    Google Scholar 

  29. Posey, C., et al.: Bridging the divide: a qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Inf. Manag. 51(5), 551–567 (2014)

    Article  Google Scholar 

  30. Chubb: Chubb Cyber Library (2020). https://chubbcyberindex.com/#/cyber-library. Accessed 30 Jan 2020

  31. Robinson, S.L., Bennett, R.J.: A typology of deviant workplace behaviors: a multidimensional scaling study. Acad. Manag. J. 38(2), 555–572 (1995)

    Google Scholar 

  32. Silic, M., Back, A.: Shadow IT–a view from behind the curtain. Comput. Secur. 45, 274–283 (2014)

    Article  Google Scholar 

  33. Posey, C., Canham, M.: A computational social science approach to examine the duality between productivity and cybersecurity policy compliance within organizations. In: International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS), Washington D.C. (2018)

    Google Scholar 

  34. Wilson, M., Hash, J.: SP 800-50: Building an Information Technology Security Awareness and Training Program, NIST, Gaithersburg (2003)

    Google Scholar 

  35. Aldawood, H., Skinner, G.: Educating and raising awareness on cyber security social engineering: a literature review. In: 2018 IEEE International Conference on Teaching, Assessment, and Learning for Engineering (TALE), Wollongong, NSW, Australia. IEEE (2018)

    Google Scholar 

  36. Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)

    Article  Google Scholar 

  37. Cannon, H.M., Feinstein, A.H.: Bloom beyond Bloom: Using the revised taxonomy to develop experiential learning strategies. In: Developments in Business Simulation and Experiential Learning: Proceedings of the Annual ABSEL Conference, Orlando, FL (2005)

    Google Scholar 

  38. Mayer, R.E.: Applying the Science of Learning. Pearson/Allyn & Bacon, Boston (2011)

    Google Scholar 

  39. Burns, A., et al.: Intentions to comply versus intentions to protect: a VIE theory approach to understanding the influence of insiders’ awareness of organizational SETA efforts. Decis. Sci. 49(6), 1187–1228 (2018)

    Article  Google Scholar 

  40. Kennedy, D.: Writing and Using Learning Outcomes: A Practical Guide. University College Cork (2006)

    Google Scholar 

  41. Kerr, S.: On the folly of rewarding A, while hoping for B. Acad. Manag. J. 18(4), 769–783 (1975)

    Google Scholar 

  42. MITRE: Common vulnerabilities and exposures (2020). https://cve.mitre.org/. Accessed 30 Jan 2020

  43. Weick, K.E., Sutcliffe, K.M.: Managing the unexpected: sustained performance in a complex world. Wiley, Hoboken (2015)

    Book  Google Scholar 

  44. Weick, K.E.: Organizational culture as a source of high reliability. Calif. Manag. Rev. 29(2), 112–127 (1987)

    Article  Google Scholar 

  45. Roberts, K.H.: Some characteristics of one type of high reliability organization. Org. Sci. 1(2), 160–176 (1990)

    Article  Google Scholar 

  46. Field, T.: Insider threat: ‘you can’t stop stupid’ (2010). https://www.bankinfosecurity.com/insider-threat-you-cant-stop-stupid-a-2789. Accessed 30 Jan 2020

  47. Matyszczyk, C.: IT and security professionals think normal people are just the worst (2019). https://www.zdnet.com/article/it-professionals-think-normal-people-are-stupid/. Accessed 31 Jan 2020

  48. Kraemer, S., Carayon, P., Clem, J.: Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 28(7), 509–520 (2009)

    Article  Google Scholar 

  49. Safa, N.S., Von Solms, R., Furnell, S.: Information security policy compliance model in organizations. Comput. Secur. 56(February), 70–82 (2016)

    Article  Google Scholar 

  50. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999)

    Article  Google Scholar 

  51. Norman, D.A.: The way I see it when security gets in the way. Interactions 16(6), 60–63 (2009)

    Article  Google Scholar 

Download references

Acknowledgement

This research was in part sponsored by the U.S. Army CCDC Soldier Center and was accomplished under Cooperative Agreement Number W911NF-15-2-0100. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of U.S. Army CCDC Soldier Center or the U.S. Government.

Author information

Authors and Affiliations

  1. School of Modeling, Simulation, and Training, University of Central Florida, Orlando, FL, USA

    Matthew Canham & Patricia S. Bockelman

  2. College of Business, University of Central Florida, Orlando, FL, USA

    Clay Posey

Authors
  1. Matthew Canham
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Clay Posey
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Patricia S. Bockelman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Clay Posey .

Editor information

Editors and Affiliations

  1. Soar Technology Inc., Orlando, FL, USA

    Dylan D. Schmorrow

  2. Design Interactive, Inc., Orlando, FL, USA

    Cali M. Fidopiastis

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Canham, M., Posey, C., Bockelman, P.S. (2020). Confronting Information Security’s Elephant, the Unintentional Insider Threat. In: Schmorrow, D., Fidopiastis, C. (eds) Augmented Cognition. Human Cognition and Behavior. HCII 2020. Lecture Notes in Computer Science(), vol 12197. Springer, Cham. https://doi.org/10.1007/978-3-030-50439-7_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-50439-7_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50438-0

  • Online ISBN: 978-3-030-50439-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation