CCE Theses and Dissertations
Campus Access Only
All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.
Date of Award
2012
Document Type
Dissertation - NSU Access Only
Degree Name
Doctor of Philosophy in Information Systems (DISS)
Department
Graduate School of Computer and Information Sciences
Advisor
Gurvirender P. Tejay
Committee Member
Wei Li
Committee Member
Sumitra Mukherjee
Keywords
computer security, confirmatory factor analysis, Insider threat, organization security, routine activities theory, structural equation modeling
Abstract
The purpose of this research is to identify the factors that influence organizational insiders to violate information security policies. There are numerous accounts of successful malicious activities conducted by employees and internal users of organizations. Researchers and organizations have begun looking at methods to reduce or mitigate the insider threat problem. Few proposed methods and models to identify, deter, and prevent the insider threat are based on empirical data. Additionally, few studies have focused on the targets or goals of the insider with organizational control as a foundation. From a target perspective, an organization might be able to control the outcome of a malicious insider threat attack.
This research applied a criminology lens as an organization policy violation is, or resembles, a criminal activity. This research uses the Routine Activities Theory (RAT) as a guide to develop a theoretical model. The adoption of RAT was for its focus on the target and the protective controls, while still taking into account the motivated offender. The study identified the components of the model concerning insider threats, espionage, and illicit behavior related to information systems through literature. This led to the development of 10 hypotheses regarding the relationships of key factors that influence malicious insider activity. Data was collected using a scenario-based survey, which allowed for impartial responses from a third-person perspective. This technique has become popular in the field of criminology, as the effects of social desirability, acceptance, or repudiation will not be a concern. A pilot test verified the survey's ability to collect the appropriate data. The research employed Structural Equation Modeling (SEM) and Confirmatory Factor Analysis (CFA) techniques to analyze and evaluate the data. SEM and CFA techniques identified the fit of the model and the factors that influence information security policy violations. The result of the analysis provided criteria to accept the hypotheses and to identify key factors that influence insider Information System policy violations. This research identified the relationships and the level of influence between each factor.
NSUWorks Citation
Gary Doss. 2012. An Approach to Effectively Identify Insider Attacks within an Organization. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (138)
https://nsuworks.nova.edu/gscis_etd/138.