Researcher says internal security breaches pose a bigger threat than hackers

Aug 03, 2009

(PhysOrg.com) -- Periodic news accounts about computer hacking and deployment of worms and viruses strike fear in companies that now conduct much of their business online. But an Iowa State University information security researcher says their real fear should be corporate espionage.

"What our studies -- and many others by my colleagues in the field of information security -- have suggested is that internal computer fraud is a more significant issue than external hacking," said Qing Hu, a professor and chair of logistics, operations and management information systems at Iowa State. "External hacking gets headlines, but internal fraud -- employees actually altering data or stealing secrets and sending them to other companies -- is more prevalent than it is reported.

"The unfortunate thing is that companies don't want to report these types of things," he said. "It's only when you talk to individual companies that the manager will sometimes admit, 'Yes, we do have to discipline certain employees because they access commercial secrets that they weren't supposed to, and we had to fire some people because they sold some of our commercial secrets -- from product designs to marketing plans to pricing information -- to other companies.'"

Hu has spoken with such managers for research he's conducted on corporate information security management and user behavior toward protective technologies. Those studies -- which were part of a sponsored research program by the U.S. Department of Defense from 2005-07 -- were published within the last two years in information system journals. They took a different approach to addressing the security problem.

"When I look at a security issue, I do not focus on the technology," said Hu, who is a Microsoft Certified Systems Engineer and Solution Developer. "Information security technology is abundant -- hardware, software, etc. -- and organizations have invested millions of dollars purchasing that technology and installing it on their systems. But still, we hear horror stories about T.J. Maxx's system being broken into, 45 million credit card numbers being stolen, or something happening to this company or that company. So why do those things keep happening while we have invested so much money in terms of buying the security hardware and software?"

Hu contends it's because company employees aren't often educated well enough on information security policies and procedures. His research specifically examined how individual factors and an organization's culture affect its information security management effectiveness.

"The purpose of doing this research is first, to provide a better understanding of human behavior in organizations in the context of information security," Hu said. "Second, it's to provide some practical guidelines to businesses that say, 'OK, if you consider security to be a big issue, not only do you need to install the most sophisticated software and hardware, you also need to educate and set up those programs for employees -- and then enforce them.' So you have to have those processes in place to encourage good behavior and inhibit the potential bad behavior."

Hu is currently working with colleagues in the U.S., China and Finland on multiple research projects based on criminology theories and large-scale international surveys. The studies are designed to identify the individual factors -- such as moral beliefs and self-control -- that may affect a person's propensity to commit information security-related crimes.

"We want to understand why certain employees are more inclined to do bad things, while others are not," he said. "In the criminology research, there is a spectrum of theories and perspectives that explain why certain people are so inclined to commit crime, while others can inhibit that urge. So what I want to do in the immediate future is to explain that as it pertains to information security."

He hopes to have results from those surveys within the year. Hu also plans to collaborate with researchers from Iowa State's criminology and criminal justice program on future studies.

Provided by Iowa State University
