Modeling Insider Threat Behavior
Data breaches in organizations are a serious concern that can generate economic and reputational losses. Ultimately, data breaches can impact organizations’ business continuity management. In the healthcare arena, according to (Higgins 2016), around 90% of organizations suffered at least one data breach between 2014-2016, and on average each organization spends $2.2 million per data breach incident. A survey by the Ponemon Institute found that 79% (138 out of 175) of healthcare organizations had more than two data breaches in the past two years. However, in most cases the number of healthcare records breached was small (fewer than 500 data records), and the breaches were neither reported to the US Department of Health and Human Services nor covered by the news media (Ponemon Institute 2016). These small data breaches may be perpetrated by insiders who work or have previously worked in the organization, or who had relationships with contractors who knew about the specific healthcare organization. A (Trend Micro 2015) report points out that 70.4% of data breaches are caused by internal reasons such as insider leaks, unintentional disclosure and device loss, while 25% of data breaches are caused by hacking attacks from outside organizations. Specifically, the healthcare industry experiences the most data breach incidents of any industry, followed by education, government, and retail, and also had more insider threat issues, including leakage of personally identifiable information (PII), health information, financial data, and payment card data, than other sectors (Peters 2015). In this research, we propose to focus on environmental and individual factors that can impact employees’ assessment of data breach risk. Employees of organizations are the ones actually handling all kinds of sensitive information, and they are the right people to provide insight into which data is vulnerable to breach.
Earlier research has focused on this topic in the context of financial institutions, and this effort will result in a comparison between financial and healthcare institutions. This proposal will contribute to the literature on securing data in the context of potential data breaches that can be caused by employees in the organizations (insiders). This will benefit the development of more concrete information assurance policies, specifically by studying actual employees’ environmental and individual perceptions regarding sensitive data. We propose to theorize a model in which assessed sensitive data risk is a function of organizational environment factors and individual factors, which in turn would influence appropriate sensitive data management. The study will be conducted among industry employees, including employees who work in information security in the organization.
Principal Investigator: Lee, Jae Ung -- Department of Computer Information Systems