certainty of sanctions would influence “computer abuse.” Other work in this area includes Loch and Conger (1996); Armstrong et al. (2000); Stanton (2002); and Morahan-Martin and Schumacher (2001). Interestingly, these projects and related work on the “insider threat” to information security (e.g., Anderson et al., 1999; Schultz, 2002; Shaw, Post, and Ruby, 2002) have all tended to focus primarily on the intentionally disruptive behavior enacted by a small proportion of the workers in any given organization. The few exceptions to this spotlight on troublesome actions have included some examinations of the importance of user awareness and training (e.g., Spurling, 1995; Thomson and von Solms, 1998), and analyses of the ethical guides that may influence security-related behavior (e.g., Siponen, 2001; Trompeter and Eloff, 2001). We believe that these latter projects hold substantial promise for helping to shift behavior-focused research away from the common assumption that workers are wrongdoers whose behavior must be carefully circumscribed. In contrast to that common assumption, our own research program, as described below, focuses on understanding the origins and contexts of both positive and negative security-related behaviors.
RESEARCH PHASE 1: FRAMING THE PROBLEM
Over a period of about a year, we conducted longitudinal research in four organizations: a hospital, a manufacturing facility, a mental health services provider, and a private university. In each case, the institution was undergoing a series of organizational changes related to the deployment of new information technology, in most cases an enterprise resource system (a large, modular software system that provides information services for several functional areas). As one facet of our project we interviewed information security professionals about information security issues that they faced. We also queried regular employees about their perspectives on information security. In total, we interviewed fifty-nine individuals, of whom approximately 30 percent had work responsibilities in information security. In keeping with the exploratory nature of the study, we used “bottom up” thematic coding to understand common ideas expressed in the interviews.
Early on, information security professionals taught us that their most worrisome concerns lay with the internal employees who comprised their “user population,” and not with technology issues per se. Although external attacks on computer systems were reportedly ubiquitous, technical controls existed in abundance to handle these problems (e.g., firewalls and antivirus protection). By contrast, internal employees often have extensive access to systems and data, along with specialized knowledge and expertise on the organizations' business practices, and these constitute important sources of vulnerability. A representative verbatim comment from an information security professional was:
“Well, you know most of the most dangerous attacks come from inside the organization, the most damage that is going to occur is not the people from outside the organization. It probably is going to be someone working for you . . .”
Following up on this concern, we began to ask information security professionals about the specific kinds of employee behaviors that they considered most important with respect to information security. Many respondents mentioned password management (i.e., choosing a good password and changing it frequently), as well as logging out of unused systems, performing backups of critical data, avoiding illegal software use, and updating security software (e.g., antivirus signatures). A representative quotation here was:
Interviewer: I am going to change the focus here again, and ask about things . . . that non-IT professionals do that affect information security.