INCREASING AWARENESS OF INSIDER INFORMATION SECURITY THREATS IN HUMAN RESOURCE DEPARTMENT

Year 2012, Volume: 4 Issue: 1, 45 - 54, 01.06.2012

Burcin Cetin Karabat Cagatay Karabat

Abstract

An insider threat for companies is defined as a threat caused by malicious user
who is an employee company. In recent years, there are number of work on
insider threats in information security technologies. These works shows that
companies should increasingly and seriously should take into account these
threats. Human factors in companies constitute one of the weakest links in
information security technology and its products used in human resource (HR)
management departments. In the literature, insider threats are generally classified
into two main categories: 1) Intentional insider threats and 2) Unintentional
insider threats.
In this work, we address the employees working in HR departments of various
companies from different sectors. Since HR departments are one of the critical
departments for insider threats, we focus on the scenario that a malicious insider
accesses critical, important and/or personal data. In this scenario, a malicious
employee of HR department may change or misuse of the data belonging to
his/her company (product data, marketing data, strategy documents etc.) and/or
the data belonging to the other employees (e-mails, ID numbers, birth dates,
salaries, health data etc.) by intentionally or unintentionally.
By taking into account the previous works done in the literature, we prepare new
questionnaire for this work. The questionnaire is applied to HR managers and
employees of various sectors. Our aim is to increase HR managers and HR
employees awareness of insider information security threats.

Keywords

Information Security, Insider Threats, Human Resource Department

References

• Ball, Kirstie S. (2001), “The Use of Human Resource Information Systems: A Survey”, Personnel Review, Vol.30, No.6, pp.677-693.
• Cole, Eric and Ring, Sandra (2006) Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft, Canada: Syngress Publications.
• Deloitte Turkey, Basın Bülteni, “Kurumların bilgi güvenliğine yaklaşımı zayıflıyor”, http://www.deloitte.com, [Accessed 28.12.2011].
• Kavanagh, Michael J. and Thite, Mohan (2008), Human Resource Information Systems: Basics, Applications and Future Directions, Sage Publications.
• Kraemer, Sara; Carayon, Pascale (2007), Human Errors and Violations in Computer and Information Security: The Viewpoint of Network Administrators and Security Specialists, Applied Ergonomics, Vol.38, No:2, pp.143-154.
• Loch, Karen D., Carr Houston H. and Warkentin Merrill E. (1992), “Threats to Information Systems: Today's Reality, Yesterday's Understanding”, MIS Quarterly, Vol.16, No:2, pp.173–186.
• Richardson, Robert (2008), 2008 CSI/FBI Computer Crime & Security Survey, http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf, [Accessed 18.03.2012] Schultz, Eugene E. and Shumway, Russell (2001), Incident Response: A Strategic Guide to Handling for System and Network Security Breaches, Indianapolis: New Riders Publications. Schultz, Eugene E., (2002) “A Framework For Understanding and Predicting Insider Attacks” Computers and Security, Vol.21, No:6, pp. 526-531.
• Yayla, Ali (2011), Controlling Insider Threats with Information Security Politicies" ECIS 2011 Proceedings, http://is2.lse.ac.uk/asp/aspecis/20110246.pdf, [Accessed 27.03.2012].
• Cyber Security Watch Survey, magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.