A Multi-dimensional Model for Determining Susceptibility to Unintentional Insider Threats: the Case of Social Engineering Through Phishing

Abstract

Many of the information security incidents that make headlines around the world are perpetrated by authorized users of the information systems. These users are commonly referred to as insiders. The Unintentional Insider Threat is posed by insiders who inadvertently compromise information systems. Literature shows that the Unintentional Insider Threat is under researched and should be the focus of current insider threat research. One predominant case of Unintentional Insider Threat is social engineering particularly through phishing. There is need for a unified multidimensional theoretical model that facilitates an understanding of the Unintentional Insider Threat phenomenon. This research is a response to this gap. The presented multi-dimensional theoretical model is grounded on the Elaboration Likelihood Model and Protection Motivation Theory. In addition, it is developed after evaluating 62 research articles on the Unintentional Insider Threat. The model presents: 1 dependent variable, 22 independent variables and 12 control variables. This model is then validated using data from an empirical study that is guided by the realist, positivist and objective ontological and epistemological views; using a deductive research approach. Quantitative data is collected by staging a naturalistic experiment which presents a real-life social engineering phishing attack. This is after gaining approvals for the research from an institution’s research board (IRB) and its administration. This allows study participants to be observed without alerting them on the ongoing research, therefore, providing data with high ecological and external validity. Participants are then requested to fill in a cross-sectional survey in order to measure latent constructs and variables that were not directly observed. Data is analyzed using Structural Equation Modeling (SEM) because the technique allows for all the variables and relationships to be tested in their entirety; and accommodates latent constructs in the model analysis. A total of 192 cases are analyzed from an effective sample size of 241 persons who participated in the experiment giving a 79.67% response rate. A total of 22 hypotheses are tested. Of these, 10 are supported while 12 are not supported by the provided model specification and sample dataset. The model is able to explain 41.4% of the Elaboration variance, 43.1% of Threat Detection variance, 19.1% of Threat Avoidance variance and more importantly 28.7% of Unintentional Insider Threat outcome variance and performs better than models presented in other studies. This study makes several contributions to theory, knowledge, policy and practice. It presents a unified theoretical model that gives a multi-dimensional understanding of the Unintentional Insider Threat phenomenon from demographic, organizational, insider and attack factors. This model can be used to provide a theoretical grounding in the study of various unintentional insider threats and can also be comparatively applied by other researches in different contexts. The body of knowledge is extended in the testing and analysis of 22 hypotheses and discussion of the findings. The various factors presented in the multi-dimensional model encourage policy makers to address the Unintentional Insider Threat not only using technology but also through addressing psychological and sociological imperatives. Recommendations for policy and practice show that organizations should invest in measures that equip users with the ability to detect threats; particularly through their knowledge on detection cues and high determinants of trust. In addition, efforts must be taken to increase cognitive elaboration so as to intentionally counter factors that try to diminish insider’s ability to examine deceptive scenarios.