Deterrence and prevention-based model to mitigate information security insider threats in organisations

Safa, Nader Sohrabi; Maple, Carsten; Furnell, Steven; Azad, Muhammad Ajmal; Perera, Charith; Dabbagh, Mohammad; Sookhak, Mehdi

doi:10.1016/j.future.2019.03.024

Cited by 73 publications

(45 citation statements)

References 52 publications

(78 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on the foregoing, it would be most correct to consider "combating crime" as a term that unites all the activities. Prevention should become relevant when it comes to a potential but not yet conceived crime (prevention) [7][8][9]; about a crime conceived and prepared but not yet committed at the stage of preparation (prevention) [10,11]; about a crime started but still unfinished at the stage of attempt (suppression) [12]. If a crime is over, then it is time to carry out measures to combat (identification, disclosure, investigation, etc.)…”

Section: Resultsmentioning

confidence: 99%

Prevention of crime by criminal law and operational-search means

et al. 2021

View full text Add to dashboard Cite

In the early 2000s, the Russian legislator massively introduced the term “preventing crime” into regulations thus replacing the concept of “fighting against crime”. Thus, the changes influenced federal law No. 130-FZ “Combating Terrorism” dated 25 July 1998 and many other laws. The very concept of the state’s response to violation of the established prohibitions has changed. If in the old version of the laws, punishment for committing a crime was the main preventive measure, then in the new understanding the key efforts of the state should have been focused on preventing the very event of a crime. On the one hand, this is an absolutely correct step, since it is much more profitable for the state (in socio-economic, political and other respects) to keep the population from violating the established rules than to be forced to launch a complex and expensive criminal procedural mechanism (to identify, disclose, investigate crimes, consider them in court, execute punishment, etc.). On the other hand, in the new laws, the term “prevention” is used ambiguously, to both characterise “crime prevention” activities and characterise “crime control” activities. The research objective is to find the most optimal ways to eliminate theoretical and practical contradictions arising from the law enforcement in connection with the tautology of the texts of federal laws in the field of combating crime. In the course of the research, the dialectical method of cognition was used, as well as general scientific (analysis and synthesis, induction and deduction, logical, systemic and structural methods) and specific scientific methods of cognition (historical, statistical and formal-legal). It is proposed to unify the definition of “combating crime” by introducing the same definitions into the federal law “Operational Investigative Activity”, “Countering Terrorism”, and other regulatory documents related to “combating crime”.

show abstract

Section: Resultsmentioning

confidence: 99%

Prevention of crime by criminal law and operational-search means

et al. 2021

View full text Add to dashboard Cite

show abstract

“…In the same way, they have argued that security managers are more interested in actual behaviors than intention. Reference [93] presented a TPB, GDT (i.e., sanction severity, sanction certainty), and SCPT based framework to mitigate insiders' information security misbehavior. This framework was tested upon a total of 444 employees from different organizations.…”

Section: Authorsmentioning

confidence: 99%

“…The intention is not the only predictor of actual behavior [93] Quantitative study design SEM used for results analysis 444 correct responses considered SCPT and GDT have significant effects on the insider's negative attitude towards misbehavior…”

Section: Computer Users Participated Via a Web-based Surveymentioning

confidence: 99%

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

et al. 2021

View full text Add to dashboard Cite

A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

show abstract

“…Adopting an IS does not mean that it can work autonomously until every stake holder of that system is involved and motivated about its importance and criticality [48] and requires a dynamic system to control the threats occurring at run time with a changing system's functional requirements [49]. Studies [7,32,42,44,46,50] have shown that people using the ERP are a major threat to its security, which intentionally or un-intentionally damages the security. These damages can be reduced by explaining the criticality of the security, by educating the populace, by setting accountability, or by deterrence.…”

Section: Security Standards and Security Requirements Frameworkmentioning

confidence: 99%

Security Requirements Engineering Framework with BPMN 2.0.2 Extension Model for Development of Information Systems

2020

View full text Add to dashboard Cite

With recent advancements of technologies such as Internet of Things and cloud computing, security of information systems has emerged as a critical issue. This has created a need for elicitation and analysis of the security requirements at an early stage of system development. These requirements should also be expressed using visual notations that can encapsulate the vision of different stakeholders related to security. While business process management notation (version 2.0.2) is a widely used graphical representation for business requirements and makes it easier to define and communicate business processes between different stakeholders of the system. Moreover, extension mechanisms are available to model the specific needs of an organization. Due to its flexible structure for defining new extensions, it can be adapted to model security requirements in the information system (IS). Towards this, we propose a threat profile security framework to define the security requirements of manufacturing systems for businesses, which are at a stage of infancy to adapt or evolve the IS with the changing needs of a business environment. In particular, the framework is modeled by extending Business Process Management Notation and is applied in a manufacturing industry process at the shop floor level. We show through a case study example that the threat goal-based framework is broader and, hence, covers a majority of security concerns of organizations.

show abstract

Deterrence and prevention-based model to mitigate information security insider threats in organisations

Cited by 73 publications

References 52 publications

Prevention of crime by criminal law and operational-search means

Prevention of crime by criminal law and operational-search means

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

Security Requirements Engineering Framework with BPMN 2.0.2 Extension Model for Development of Information Systems

Contact Info

Product

Resources

About