Introduction
Findings from recent surveys reveal that 44% of data breaches are the result of insider threats (PwC, 2018) and that a further 90% of cybersecurity professionals feel vulnerable to insider attacks (CA Technologies, 2018). An insider is any individual who has legitimate access to an organization’s information technology infrastructure (Magklaras & Furnell, 2005), while an insider threat uses the authority granted to him/her for illegitimate gain (Schultz, 2002). Insider threats range from a disgruntled employee to a system developer who has in-depth knowledge of the system (Hunker & Probst, 2011).
The fraud triangle, which is based on three elements (motivation, opportunity and rationalization), is often used as a tool towards understanding insider threat crime (Farahmand & Spafford, 2013). Logically, organizations focus on reducing the insider’s motivation and opportunities for malfeasance (Farahmand & Spafford, 2013). However, it may be prudent to consider the rationalization for insider crime, which is arguably the most obscure element. Insiders tend “to undervalue their actions and to resort to rationalizations” (Padayachee, 2015, p. 55). Gonzalez and Kopp (2017) argue, from a fraud perspective, that motivation and opportunity are more based on fact, whereas rationalization is based on personality traits and must be examined from within the context of psychological factors; it is therefore the most challenging construct to assess. Several authors have acknowledged the value of understanding the techniques of neutralization (i.e. internalized techniques used by criminals to rationalize or justify crime) towards mitigating insider threats (Harrington, 1996; Siponen & Vance, 2010; Warkentin, Willison, & Johnston, 2011; Willison, Warkentin, & Johnston, 2018). While neutralization mitigation (i.e. strategies used to suppress the techniques used by criminals to justify or rationalize crime) plays an important role in minimizing insider threats, it is also imperative to understand the cogent cognitive processes, as some studies seem to suggest that this strategy may be rendered ineffective under some circumstances (Li & Cheng, 2013).
Willison and Warkentin (2010) call for more research into discovering the moderators that influence the rationalizations (i.e. neutralization techniques) of insider threats. It may be argued that personality traits could be a factor in influencing neutralization techniques (Fagade & Tryfonas, 2017). Greitzer, Kangas, Noonan, Dalton, and Hohimer (2012) argue that personality traits are not enough to identify an insider threat; however, they may assist in building a nuanced picture of other indicators which may help to understand the insider threat. Schultz (2002) suggests that personality traits could be useful predictors for insider threats. Barlow, Warkentin, Ormond, and Dennis (2018) have called for more research on anti-neutralization statements (i.e. communication that prevents rationalizations, a neutralization mitigation strategy). They suggest that individuals experience anti-neutralizations uniquely according to personality traits. Greitzer et al. (2012) suggest that certain psychological tendencies can be used as “leads” for security specialists to identify high-risk insiders. Cheng, Li, Zhai, and Smyth (2014) also suggest that personality factors should be considered in conjunction with employee maleficence in cyberspace.