Literature Review Draft
Abstract
In the information era where almost all companies and individuals rely on the information systems and computers providing information security is even more important. Companies are in the environment where constant threats are present. External threats to the information security have in the past been more examined and also received more attention than the inside threats. The research of possible threats to the information security has shown that more focus must be given to the inside threats since they represent a slightly smaller number of all attacks and should not be overlooked. The theory and literature on the topic is becoming ever more important and much research still needs to be done to avoid economic, reputation, data and information loss. The information threats are similar to the ones showing in the early stages of information development and the past events and the development are a major part for better understanding of today similar methods. By addressing the internal threats of information security the overall information threats can be decreased.
Key words: information security, threats to information security
A brief literature review
The important and relevant literature will be examined on the topic of information security.
Whitman (2003) has defined 12 categories of threats to information security and examined the existence or nonexistence of the security policy inside the companies that is one of the most important layers in providing information security. In his work he classified the information treats into categories of importance based on the survey carried out within the numerous organizations. The work gives as the threat perception of companies.
Chekwa et al (2013) has indicated the need for further research in this area. The authors have identified the private and public sector based on the perceived importance of various information threats. Security problems in both sectors have not been overcome for both sectors are vulnerable to the same threats and yet they have different perceptions and both place external threats prior the internal ones.
Kessler (2012) continues to argue that information protection is nothing new since the threats to information security have not changed. The threats and concepts of threats are the same they only use different methods. The problems lie in the development stage of the internet that did not had the security as the main component in mind. Almost all shortcomings were known quickly after the ARPANET, intranet and internet development. The developing stages from 1960 onward were more focusing on providing user friendly, the easier and faster program that were functional where security has not been addressed since the design was not meant to be made for the whole world to participate in.
Roy Sarkar (2010) contends the inside threat is more perplexing and elusive and must be understood. With the introduction of data collected by The Computer Security Institute about the abuse of computer systems showed that inner threats are presenting the same level of threats as external. The insider threat is big when possible motivation of workers exists since they have insider knowledge, access to information and data and opportunity. He identified that breaches are the most possible among workers with the highest level of authorized access. The different reasons for breaches were also identified in his work.
Workman (2008) continues to point out that little empirical research has been done on the human carelessness and this insider threat will continue until the research has been completed. He pointed out that many researches have been so far made but the practice is way behind the knowledge. He examines in which cases and environment the people are more willing to share private and sensitive data.
Colwill (2009) continues to contend that more should be done to detect and protect an organization from these insider threats. Almost all companies have accepted the measures to protect them before external threats such as security policies, backups, scans for spyware, filters and other software techniques but not many have done anything to prevent insider threats. The correlation and statistics about the comparison between internal and external threats show that companies should do more than focus solely on the outside.
There are other variables that are considered in the insider threat mindset and Maasberg & Beebe (2014) imply that the mindset is of an addiction in nature. The authors pointed out the influence and factors that lead workers to become a potential threat to the company and the factor and relations that decrease that possibility.
All of the mentioned authors have given instructions how to overcome the problem of insufficient focus on internal information threats and expressed concerns of further vulnerabilities because of addressing only outside not the inside threats.
Method
Research question
Research question will focus on answering what are the major security threats to information security?
Theoretical framework
The dependent variable, threats to information security, can be better explained by the independent variables of, external and internal threats. As many organizations spend endless resources of time and money to detect, contain, or deter the external threats. Little if anything is actually done to curtail the biggest threat of all, the internal threat. While the organizational leaders have a tendency to employ resources towards identifying and neutralizing the external threat they are thus lulled into a false sense of security. This false sense of security is one of the root causes for the internal threat to continue to go unnoticed.
The biggest threat to an organizations information security is the insider. The organizations have to understand what makes the internal threat the biggest threat to their organization and their information security. By understanding the personality traits and characteristics that make up this type or individual the management and other individuals within the organization will have a better understanding when they see or identify some of these characteristics or behaviors. Once these characteristics or behaviors are identified an organization can better asses the risks and threats to their information security and create protective measures that are more effective in securing their information from loss.
The two independent variables will be better able to explain that the biggest threat to information security in an organization is the internal threat. The necessity of identifying the threat will allow an organization to better utilize their resources in the threat assessment to their information security.
Hypothesis
External and internal threats to information security has not been equally addressed by the companies which has resulted in demised security that makes companies more vulnerable to possible economic and reputation loss.
Reference
Chekwa, C., Ogungbure, A., Chukwuanu, M., & Thomas, E., Jr. (2013). Information security threats: What is public versus private sector's perception? International Journal of Business and Public Administration (IJBPA), 10(1), 87.
Colwill, C. (2009). Human factors in information security: The insider threat – who can you trust these days? Information Security Technical Report, 14(4), 186-196. doi:10.1016/j.istr.2010.04.004
Kessler, G. C. (2012). Information security: New threats or familiar problems? Computer, 45(2), 59-65. doi:10.1109/MC.2011.262
Maasberg, M., & Beebe, N. L. (2014). The enemy within the insider: Detecting the insider threat through addiction theory. Journal of Information Privacy & Security, 10(2), 59- 70. doi:10.1080/15536548.2014.924807
Roy Sarkar, K. (2010). Assessing insider threats to information security using technical, behavioral and organizational measures. Information Security Technical Report, 15(3), 112-133. doi:10.1016/j.istr.2010.11.002
Wall, D. S. (2013). Enemies within: Redefining the insider threat in organizational security policy. Security Journal, 26(2), 107. doi:10.1057/sj.2012.1
Whitman, M. (2003). Enemy at the gate: Threats to information security. New York: ACM. doi:10.1145/859670.859675
Whitman, M. E. (2004). In defense of the realm: Understanding the threats to information security. International Journal of Information Management, 24(1), 43-57. doi:10.1016/j.ijinfomgt.2003.12.003
Workman, M. (2008). Wisecrackers: A theory‐grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59(4), 662-674. doi:10.1002/asi.20779