Acta Informatica Pragensia 2014, 3(3), 222-238 | DOI: 10.18267/j.aip.43

When Sentry Goes Stealing: An Information Systems Security Case Study in Behavioural Context

Syed Irfan Nabi¹, Zaheeruddin Asif¹, Abdulrahman A. Mirza²
¹ Faculty of Computer Science, Institute of Business Administration, Main Campus, University Road, Karachi, Pakistan
² Information Systems Department, College of Computer and Information Sciences, King Saud University, 2099, Building 31, Riyadh 11543, Saudi Arabia

In this paper we describe a case where the top management of a small holding company is involved in a love-hate relationship with its own IT department. The top management firmly believes that the IT staff is involved in leaking the company's secrets. However, having no expertise in IT and even less grasp of the complexity of the IT architecture resulting from recent mergers and acquisitions, the top management finds itself crucially dependent on its IT systems, yet unable to trust them fully. The theories of deterrence and reasoned action are used to explain the otherwise objectionable behaviour of the perpetrator.

Keywords: Insider Threat, Human Behaviour, Information Security, Information Systems, Theory of Deterrence

Received: October 19, 2014; Revised: December 4, 2014; Accepted: December 12, 2014; Published: December 31, 2014

Nabi, S.I., Asif, Z., & Mirza, A.A. (2014). When Sentry Goes Stealing: An Information Systems Security Case Study in Behavioural Context. Acta Informatica Pragensia, 3(3), 222-238. doi: 10.18267/j.aip.43

This is an open access article distributed under the terms of the Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, distribution, and reproduction in any medium, provided the original publication is properly cited. No use, distribution or reproduction is permitted which does not comply with these terms.