A survey of insider information security threats management in commercial Banks in Kenya

Abstract

The technological advances in information security have done a lot to contain and even prevent most of the remote or physical threats to information security. However, organizations now face a more subtle and greater information security threat; the insider. This research study is inspired by the emerging question of whether organizations have become more secure or more vulnerable by looking at the insider threat issue. Fraud, much of which includes insider attacks, has tripled in the last 3 years and continues to be a big concern for the banking industry in Kenya. This study seeks to fill the gaps in knowledge and approaches relating to Insider Information Security threats by analyzing the types of information security threats facing commercial banks in Kenya and the mitigation strategies to insider information security threats. The study made use of the survey research design model. Surveys are more flexible in the sense that a wider range of information is collected. Questionnaires were used to gather data from representatives of the various commercial banks. Statistical methods such as mean, standard deviation and factor analysis were utilized to analyze the data collected from the respondents. The findings indicate that since most of these mitigation strategies are utilized in many of the banks in various degrees, there is need for them to be fortified with proper training, awareness, motivation, and management of work place issues like workload pressures. While financial gain seems to be an obvious motivation for insiders, other motivations also drive these acts as the study reveals. Frustrated employees for instance may think of harming the organization as a result of their frustration. A key challenge for the banks is the associated cost of information security tools and mitigation strategies. However, the relatively high premium on information security as seen in the increasing reports of the number and magnitude of breaches has compelled organizations to put the matter for consideration in the highest management levels. Demographic details also points out the age bracket which is prune to the insider threat activities. Banks need to be on the lookout for the below 40 years of age. New recruitments for such staff would require thorough prescreening and as well refresh training on the essence of personal integrity. The insider threat challenges should be approached comprehensively and must also be viewed as a people problem, rather than the conventional technical approach. Owing to the disconcerting fact that the conventional technical approaches and mitigations will not in themselves secure the modern day organization, there is need for a deeper understanding of insider threats. This study is aimed at providing insights into the insider threats by looking at the banking industry, one of the most important and fastest growing industries in Kenya.