Understanding the Perspectives of Information Security Managers on Insider Threat
Preprints are manuscripts made publicly available before they have been submitted for formal peer review and publication. They might contain new research findings or data. Preprints can be a draft or final version of an author's research but must not have been accepted for publication at the time of submission.
Insider threat is one of the main issues faced by organizations as information systems become inherent to the success and competitiveness of businesses in contemporary environments. However, there is insufficient understanding of the phenomenon of insider threat by information security managers responsible for ensuring the availability, confidentiality, and integrity of data and information systems. Therefore, it is crucial to address issues related to insider threat. The focus of this phenomenological qualitative research was on the lived experiences of information security managers’ perceptions, understanding, and how they employ mechanisms to reduce cyber-crimes perpetrated in U.S. East Coast organizations. The research questions examined how information technology (IT) managers experienced and understood insider threats and how their experiences and understanding shaped their behavior to curb insider threat. The social control theory was useful for the purpose of explaining the reasons why individuals with legitimate access could decide to exploit vulnerabilities in the critical assets of businesses. Twelve participants, all IT security managers, selected through purposive sampling for semi-structured one-to-one interview, took part in the study. Findings from the study indicated that malicious insider threats pose a growing risk to organizations and inadvertent insider threats were more common but less damaging than malicious insider threats. Further, insider threats were associated with disgruntled employees who committed sabotage or theft to meet financial needs and revenge. Experience and understanding of insider threats influenced IT managers to advocate for the implementation of training to raise awareness of security policies to deter insider threats. Based on the findings, IT security managers should use technical and administrative approaches to prevent, detect, and monitor systems to control insider threats.