A Multi-dimensional Model for Determining Susceptibility to Unintentional Insider Threats: the Case of Social Engineering Through Phishing
Abstract
Many of the information security incidents that make headlines around the
world are perpetrated by authorized users of the information systems. These users are
commonly referred to as insiders. The Unintentional Insider Threat is posed by insiders
who inadvertently compromise information systems. Literature shows that the
Unintentional Insider Threat is under researched and should be the focus of current
insider threat research. One predominant case of Unintentional Insider Threat is social
engineering particularly through phishing. There is need for a unified multidimensional
theoretical model that facilitates an understanding of the Unintentional
Insider Threat phenomenon. This research is a response to this gap.
The presented multi-dimensional theoretical model is grounded on the
Elaboration Likelihood Model and Protection Motivation Theory. In addition, it is
developed after evaluating 62 research articles on the Unintentional Insider Threat. The
model presents: 1 dependent variable, 22 independent variables and 12 control
variables. This model is then validated using data from an empirical study that is guided
by the realist, positivist and objective ontological and epistemological views; using a
deductive research approach. Quantitative data is collected by staging a naturalistic
experiment which presents a real-life social engineering phishing attack. This is after
gaining approvals for the research from an institution’s research board (IRB) and its
administration. This allows study participants to be observed without alerting them on
the ongoing research, therefore, providing data with high ecological and external
validity. Participants are then requested to fill in a cross-sectional survey in order to
measure latent constructs and variables that were not directly observed. Data is
analyzed using Structural Equation Modeling (SEM) because the technique allows for
all the variables and relationships to be tested in their entirety; and accommodates latent
constructs in the model analysis. A total of 192 cases are analyzed from an effective
sample size of 241 persons who participated in the experiment giving a 79.67%
response rate. A total of 22 hypotheses are tested. Of these, 10 are supported while 12
are not supported by the provided model specification and sample dataset. The model
is able to explain 41.4% of the Elaboration variance, 43.1% of Threat Detection
variance, 19.1% of Threat Avoidance variance and more importantly 28.7% of
Unintentional Insider Threat outcome variance and performs better than models
presented in other studies.
This study makes several contributions to theory, knowledge, policy and
practice. It presents a unified theoretical model that gives a multi-dimensional
understanding of the Unintentional Insider Threat phenomenon from demographic,
organizational, insider and attack factors. This model can be used to provide a
theoretical grounding in the study of various unintentional insider threats and can also
be comparatively applied by other researches in different contexts. The body of
knowledge is extended in the testing and analysis of 22 hypotheses and discussion of
the findings. The various factors presented in the multi-dimensional model encourage
policy makers to address the Unintentional Insider Threat not only using technology
but also through addressing psychological and sociological imperatives.
Recommendations for policy and practice show that organizations should invest in
measures that equip users with the ability to detect threats; particularly through their
knowledge on detection cues and high determinants of trust. In addition, efforts must
be taken to increase cognitive elaboration so as to intentionally counter factors that try
to diminish insider’s ability to examine deceptive scenarios.
Publisher
University of Nairobi
Rights
Attribution-NonCommercial-NoDerivs 3.0 United StatesUsage Rights
http://creativecommons.org/licenses/by-nc-nd/3.0/us/Collections
The following license files are associated with this item: