Researcher says internal security breaches pose a bigger threat than hackers

August 3, 2009

Periodic news accounts about computer hacking and deployment of worms and viruses strike fear in companies that now conduct much of their business online. But an Iowa State University information security researcher says their real fear should be corporate espionage.

"What our studies -- and many others by my colleagues in the field of information security -- have suggested is that internal computer fraud is a more significant issue than external hacking," said Qing Hu, a professor and chair of logistics, operations and management information systems at Iowa State. "External hacking gets headlines, but internal fraud -- employees actually altering data or stealing secrets and sending them to other companies -- is more prevalent than it is reported.

"The unfortunate thing is that companies don't want to report these types of things," he said. "It's only when you talk to individual companies that the manager will sometimes admit, 'Yes, we do have to discipline certain employees because they access commercial secrets that they weren't supposed to, and we had to fire some people because they sold some of our commercial secrets -- from product designs to marketing plans to pricing information -- to other companies.'"

Hu has spoken with such managers for research he's conducted on corporate information security management and user behavior toward protective technologies. Those studies -- which were part of a sponsored research program by the U.S. Department of Defense from 2005-07 -- were published within the last two years in information system journals. They took a different approach to addressing the security problem.

"When I look at a security issue, I do not focus on the technology," said Hu, who is a Microsoft Certified Systems Engineer and Solution Developer. "Information security technology is abundant -- hardware, software, etc. -- and organizations have invested millions of dollars purchasing that technology and installing it on their systems. But still, we hear horror stories about T.J. Maxx's system being broken into, 45 million credit card numbers being stolen, or something happening to this company or that company. So why do those things keep happening while we have invested so much money in terms of buying the security hardware and software?"

Hu contends it's because company employees aren't often educated well enough on information security policies and procedures. His research specifically examined how individual factors and an organization's culture affect its information security management effectiveness.

"The purpose of doing this research is first, to provide a better understanding of human behavior in organizations in the context of information security," Hu said. "Second, it's to provide some practical guidelines to businesses that say, 'OK, if you consider security to be a big issue, not only do you need to install the most sophisticated software and hardware, you also need to educate and set up those programs for employees -- and then enforce them.' So you have to have those processes in place to encourage good behavior and inhibit the potential bad behavior."

Hu is currently working with colleagues in the U.S., China and Finland on multiple research projects based on criminology theories and large-scale international surveys. The studies are designed to identify the individual factors -- such as moral beliefs and self-control -- that may affect a person's propensity to commit information security-related crimes.

"We want to understand why certain employees are more inclined to do bad things, while others are not," he said. "In the criminology research, there is a spectrum of theories and perspectives that explain why certain people are so inclined to commit crime, while others can inhibit that urge. So what I want to do in the immediate future is to explain that as it pertains to information security."

He hopes to have results from those surveys within the year. Hu also plans to collaborate with researchers from Iowa State's criminology and criminal justice program on future studies.

Provided by Iowa State University
