Introduction
In the present day, information security has become a crucial aspect of multiple organizations’ performance. According to Fagade and Tryfonas (2017), “modern economies, the dynamics of how organizations create, process and distribute information; and the increased reliance on large-scale interconnected information systems also lead to increased cyber-risk exposure” (p. 31). Although there are multiple ways in which cyberattacks may be executed, insider misuse of IT resources may be found among the most serious. In general, this type of cybersecurity-related risk refers to the use of the Internet and the organization’s computers by employees for purposes not connected with work responsibilities.
Insider misuse has already become a substantial threat to multiple business and governmental organizations. Alruban et al. (2017) state that this problem is more complex and challenging for identification and prevention due to the fact that “insiders have a significant knowledge about the internal resources and information compared to outsiders” (p. 1). In addition, while the use of the company’s hardware and software is presupposed by organizational performance, it becomes difficult to define whether an employee misuses IT resources or completes his tasks. That is why a considerable number of insider misuse-related cases remain unreported.
Types of Insider Misuse
At the same time, insider misuse is a broad term that has multiple aspects depending on its types, methods, motivation, and attack indicators. Al-Mhiqani et al. (2018) created a highly comprehensive classification of insider misuse in order to provide an opportunity to choose the most efficient response and prevention techniques in accordance with this event’s type. Thus, first of all, the main category of insider misuse is its access, which may be intentional or unintentional. Intentional, or malicious, insider misuse may be regarded as the most dangerous cyber-risk activity. It involves the intentional misuse of data systems through authorized access that allows “to copy documents to a CD or any other removable media to sabotage the data systems, steal intellectual property, or use the identifiable information stored in the organization system to commit fraud” (Al-Mhiqani et al., 2018, p. 348). The intentional misuse of a company’s IT resources inevitably leads to data leakage and the provision of access to confidential information for third parties that may use it for their own benefit. In the case of governmental organizations, malicious misuse is more dangerous as data leakage may impact national well-being.
In turn, unintentional insider misuse presupposes the use of IT resources without an intention to steal data or provide access to it to third parties. While intentional misuse may be initiated by the intention to threaten or harm a company by former workers or competitors, fraud, vandalism, and other personal motives, unintentional insider misuse is performed by non-malicious employees “who unintentionally misuse or abuse computer systems and the organization’s information” (Al-Mhiqani et al., 2018, p. 350). Without stealing data, these pure insiders utilize the organization’s hardware and software for various activities unrelated to their job duties. For instance, they may send personal letters, accept freelance work, use peer-to-peer file-sharing programs, or download files from public websites.
Impact and Factors of Misuse
In general, unintentional insider misuse is traditionally regarded as a less serious threat in comparison with intentional data leakage. Nevertheless, even if an employee has no intention to harm his company, the misuse of its IT resources may have devastating consequences for its cybersecurity and data confidentiality. They include confidential information loss, the corruption of systems by malware, and security breaches that inevitably impact an organization’s productivity and its real or potential customers.
At the same time, the detection of the unintentional misusers of IT resources is challenging as they have no motives for offense. According to Al-Mhiqani et al. (2018), depending on his purpose, an attacker may demonstrate particular behavioral patterns. For instance, a seemingly offended worker may verbally express his dissatisfaction with a company and his intention to misuse its IT resources. However, in the case of unintentional insider misuse, factors are less obvious as they are predominantly connected with the psychological features of individuals.
Several studies dedicated to the investigation of digital devices’ use demonstrate the existence of a privacy paradox. According to Barth et al. (2019), it means that people’s “self-reported concerns about their online privacy appear to be in contradiction with their often careless online behaviors” (p. 55). In other words, a considerable number of individuals express serious concerns related to their privacy and personal data safety; however, they do nothing to protect it. Using smartphones, tablets, and computers, they download unverified applications, share confidential information, and misuse permissions, contributing to data leakage. At the same time, this paradoxical behavior is determined by the psychological processes involved in decision-making. First of all, guided by rationality, a user may perform a calculation in order to assess risks outweighed by benefits (Barth et al., 2019). In addition, their concerns may be overridden by the application’s desirability, promised gratification, and time constraints (Barth et al., 2019). Finally, people may act on the basis of their intuition, ignoring risk assessment. In relation to governmental organizations, the misuse of IT resources is more likely to be caused by negligence when people do not pay attention to potential risks, guided by the benefits of these resources’ use for their own benefit.
Potential Solutions
It goes without saying that the issue of insider misuse requires an efficient response. Thus, Böse et al. (2017) suggest the application of streaming analytics for anomaly detection in heterogeneous data streams to prevent insider threats. Subsequently, according to Clarke et al. (2017), the use of transparent biometrics may be regarded as a solution for its prevention. This robust approach implies the application of physiological and behavioral transparent biometrics that may capture biometric signals non-intrusively and covertly for “the identification of the individuals who are misusing systems and information” (Clarke et al., 2017, p. 4031). In general, this approach may be applied to unintentional misusers as well, especially to those who do not demonstrate a commitment to organizational standards and ethical principles. In this case, the process should be updated for the identification of activities not related to organizational performance.
At the same time, while unintentional misuse is associated with negligence and the intention to harm an organization deliberately is absent, another efficient approach may be the spread of awareness concerning data security among employees. In other words, training dedicated to cybersecurity may be organized for employees in order to explain that any activities that are not related to work may threaten an organization’s data confidentiality. However, in the case of misuse, subsequent strategies may be either employee-oriented or punitive. For instance, workers may be provided with a comfortable environment through the creation of computer spaces for personal usage that offer a potential solution, especially if the problem of unintentional misuse is inevitable. In turn, on the basis of an opposite approach, a system of financial punishment may be introduced for employees who violate an organization’s regulations and misuse its IT resources.
Organizational Theories and Their Impact on Organizational Performance
However, the choice of approaches and other responsive techniques is considerably determined by an organizational structure. In turn, organizations’ structures, designs, and employees’ behavioral patterns are incorporated into organizational theories. In general, organizational theories play a crucial role in organizational performance as, with their help, multiple issues in organizational performance may be identified and solved. They are studied in order to receive a meaningful insight into an organization’s structure, goals, and members to elaborate on strategies for successful development in the future. First of all, organizational theories are based on people’s cultural peculiarities, value systems, organizational dynamics, and learning styles that define organizational dimensions, such as the Power Distance Index (PDI), Individualism versus Collectivism (IDV), and the Masculinity versus Femininity (MAS) (Abi-Raad, 2019). In this case, organizational performance may be adapted in accordance with a suitable theory to boost its efficiency.
Conclusion
Moreover, organizational theories suggest a multidimensional approach to an organization’s difficulties. According to Birken et al. (2017), “organizational theories offer implementation researchers a host of existing, highly relevant, and heretofore largely untapped explanations of the complex interaction between organizations and their environment” (p. 2). In other words, an applied theory assesses the political, cultural, and legal impact of external factors of the business environment on inner strategies for its efficient improvement. In this case, organizational theories help a company prepare for changes, especially unexpected ones, enhance all operational processes, and maximize productivity. Thus, with an improvement in organizational performance, organizational theories positively contribute to the nation’s overall economic potential.
References
Abi-Raad, M. (2019). Western organizational theories: Middle Eastern style: How much do you know about the culture. The Journal of Organizational Management Studies, 2019, 1-16.
Al-Mhiqani, M. N., Ahmad, R., Abidin, Z. Z., Yassin, W. M., Hassan, A., Mohammad, A. N., & Clarke, N. L. (2018). A new taxonomy of insider threats: an initial step in understanding authorised attack. International Journal of Information Systems and Management, 1(4), 343-359.
Alruban, A., Clarke, N., Li, F., & Furnell, S. (2017). Insider misuse attribution using biometrics. ARES ’17, 1-7.
Barth, S., de Jong, M. D., Junger, M., Hartel, P. H., & Roppelt, J. C. (2019). Putting the privacy paradox to the test: Online privacy and security behaviors among users with technical knowledge, privacy awareness, and financial resources. Telematics and Informatics, 41, 55-69.
Birken, S. A., Bunger, A. C., Powell, B. J., Turner, K., Clary, A. S., Klaman, S. L., Yu, Y., Whitaker, D. J., Self, S. R., Rostad, W. L., Chatham, J. R. S., Kirk, M. A., Shea, C. M., Haines, E., & Weiner, B. J. (2017). Organizational theory for dissemination and implementation research. Implementation Science, 12(1), 1-15.
Böse, B., Avasarala, B., Tirthapura, S., Chung, Y. Y., & Steiner, D. (2017). Detecting insider threats using RADISH: A system for real-time anomaly detection in heterogeneous data streams. IEEE Systems Journal, 11(2), 471-482.
Clarke, N., Li, F., Alruban, A., & Furnell, S. (2017). Insider misuse identification using transparent biometrics. Proceedings of the 50th Hawaii International Conference on System Sciences, 4031-4040.
Fagade, T., & Tryfonas, T. (2017). Malicious insider threat detection: A conceptual model. Security and Protection of Information 2017, 31-44.