INCREASING AWARENESS OF INSIDER INFORMATION SECURITY THREATS IN HUMAN RESOURCE DEPARTMENT

An insider threat to a company is a threat posed by a malicious user who is an employee of that company. In recent years a number of studies have examined insider threats in information security technologies, and they show that companies should take these threats increasingly seriously. Human factors in companies constitute one of the weakest links in information security technology and in the products used in human resource (HR) management departments. In the literature, insider threats are generally classified into two main categories: 1) intentional insider threats and 2) unintentional insider threats. In this work, we address the employees working in the HR departments of various companies from different sectors. Since HR departments are among the departments most critical with respect to insider threats, we focus on the scenario in which a malicious insider accesses critical, important and/or personal data. In this scenario, a malicious employee of the HR department may, intentionally or unintentionally, change or misuse data belonging to his/her company (product data, marketing data, strategy documents etc.) and/or data belonging to other employees (e-mails, ID numbers, birth dates, salaries, health data etc.). Taking into account the previous works in the literature, we prepared a new questionnaire for this work. The questionnaire was applied to HR managers and employees of various sectors. Our aim is to increase the awareness of HR managers and HR employees of insider information security threats.
