Information Technology Reference
In-Depth Information
Table 12.1
Behaviors Generating Greatest Disagreement
Category
SD Expertise
SD Intentionality
Behavior Description
Detrimental
1.60
1.10
She mailed an encryption software CD to a
Misuse
foreign country in violation of international or
regional export control laws.
Aware
1.49
.65
She did a training program to become familiar
Assurance
with indicators of virus infection and to learn
how to report operational anomalies to
resource administrators.
Aware
1.44
.86
He participated in advanced security training
Assurance
designated by the organization.
Basic Hygiene
1.42
.47
He did a training program to learn about the
sensitivity/criticality of special company files
so that he could apply appropriate protective
measures when handling the information.
Basic Hygiene
1.38
1.17
She constructively criticized organizational
security policies to her boss.
Detrimental
1.29
1.42
He found and saved trade secret information
Misuse
about other companies using the Internet.
Detrimental
.84
1.34
To assess how well the network was running,
Misuse
he set up a network monitoring device that
intercepted data not intended for his system.
Intentional
1.03
1.33
He used an intrusion detection program on
Destruction
the company's network, even though that was
not part of his job.
Detrimental
1.11
1.28
He used unsolicited e-mail to advertise a
Misuse
service offered by the organization.
Intentional
1.20
1.21
She deleted a colleague's account information
Destruction
so that he would not be able to access his files.
Note:
SD refers to standard deviation, used here as an index of disagreement among raters. Values in boldface
indicate which variable served as the sorting key. The first five behaviors were the most disagreed upon for the
expertise variable, while the last five were the most disagreed upon for the intentionality variable.
consistent with the classification scheme. We expect that most security-related behaviors that
occur in organizations could be positioned on this two-dimensional taxonomy.
From a practical perspective, this work simplifies the task of developing criterion measures
that assess security-related behavior in organizations. Such criterion measures must attempt to
capture, through observations, self-ratings, or other ratings, the occurrence of behaviors that require
high and low expertise and the occurrence of behaviors whose apparent intentionality spans the
malicious-benevolent spectrum. Another important characteristic of this two-dimensional taxon-
omy is that it provides clear indications of paths that organizations can take toward improving
their security status. In general, any interventions that shift intentionality toward the benevolent
end of the continuum ought to improve the organization's security status. Likewise, with the excep-
tion of those employees who may have malicious intentions toward the organization, providing
training and other forms of expertise development appear to have the potential to benefit the orga-
nization's information security.
Search WWH ::
Custom Search