Sage Journals: Discover world-class research

Abstract

Insider threats represent a latent risk to all organisations, whether they are large companies or Small or Medium-sized Enterprises (SMEs). Insiders, the individuals with privileged access to the assets of organisations, can compromise their proper functioning and cause serious consequences that can be direct—such as financial—or indirect—such as reputational. Insider incidents can have a negative impact on SMEs, as their resources are often limited, making it paramount to implement adequate cyber security measures. Despite its indisputable relevance, the empirical study of insider incidents from a criminological point of view has received little attention. This paper presents the results of an exploratory study that aims to understand the nature and extent of three types of insider incidents—malicious, negligent, and well-meaning—and how they are related to the adoption of cyber security measures. To that end, we administered a questionnaire among a panel of 496 Dutch SME entrepreneurs and managers and analysed the results quantitatively and qualitatively. The results show that although the prevalence of insider incidents is relatively low among Dutch SMEs, few organisations report a disproportionate number of incidents that often entail serious consequences. A regression model shows that there are cyber security measures related to both higher and lower incident likelihood. The implications of these findings for the cyber security policies of SMEs are discussed.

Keywords

Insider threats insider incidents insiders SMEs organisations cyber security

Get full access to this article

View all access options for this article.

References

Bada

Nurse

J. R. C.

(2019). Developing cybersecurity education and awareness programmes for small- and medium-sized enterprises (SMEs). Information & Computer Security, 27(3), 393–410. https://doi.org/10.1108/ICS-07-2018-0080

Bijleveld

C. C. J. H.

van de Weijer

S. G. A.

Ruiter

Van der Geest

(2018). Analysis techniques for non-experimental data: An introduction. Eleven International Publishing.

Buil-Gil

Lord

Barrett

(2021). The dynamics of business, cybersecurity and cyber-victimization: Foregrounding the internal guardian in prevention. Victims & Offenders, 16(3), 286–315. https://doi.org/10.1080/15564886.2020.1814468

Buil-Gil

Miró-Llinares

Moneva

Kemp

Díaz-Castaño

(2020). Cybercrime and shifts in opportunities during COVID-19: A preliminary analysis in the UK. European Societies, 23(sup1), S47–S59. https://doi.org/10.1080/14616696.2020.1804973

CERT National Insider Threat Center. (2019). Common sense guide to mitigating insider threats (CMU/SEI-2018-TR-010; 6th ed.., pp. 1–168). Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=540644

Commission Recommendation of 6 May 2003 Concerning the Definition of Micro, Small and Medium-Sized Enterprises (2003). Pub. L. No. 2003/361/EC, 124/36 Legislation 1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2003.124.01.0036.01.ENG&toc=OJ:L:2003:124:TOC

Cornish

D. B.

Clarke

R. V.

(2003). Opportunities, precipitators and criminal decisions: A reply to Wortley’s critique of situational crime prevention. In Smith

M. J.

Cornish

D. B.

(Eds.), Theory for practice in situational crime prevention (pp. 41–96). Criminal Justice.

Costa

D. L.

(2017). CERT Definition of ‘Insider Threat’—Updated. Insider Threat Blog . https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat—updated.html

Cummings

Lewellen

McIntire

Moore

A. P.

Trzeciak

(2012). Insider threat study: Illicit cyber activity involving fraud in the U.S. Financial Services Sector (CMU/SEI-2012-SR-004; pp. 1–76). Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/SpecialReport/2012_003_001_28137.pdf

10.

Del-Real

Díaz-Fernández

A. M.

(2022). Understanding the plural landscape of cybersecurity governance in Spain: A matter of capital exchange. International Cybersecurity Law Review, 3(2), 313–343. https://doi.org/10.1365/s43439-022-00069-4

11.

Executive Order 13587, Presidential Documents, 198 76 1 (2011). https://www.dni.gov/files/NCSC/documents/nittf/EO_13587.pdf

12.

Ford

J. D.

(2017). Polyvictimization (pp. 9780195396607–0223) [Data set]. Oxford University Press. https://doi.org/10.1093/obo/9780195396607-0223

13.

Hartel

Junger

Wieringa

(2011). Cyber-crime science = Crime science + Information security .

14.

Hills

Anjali

(2017). A human factors contribution to countering insider threats: Practical prospects from a novel approach to warning and avoiding. Security Journal, 30(1), 142–152. https://doi.org/10.1057/sj.2015.36

15.

Johns

(2020). Cyber security breaches survey 2020: Statistical release (pp. 1–58). Department for Digital, Culture, Media and Sport. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/893399/Cyber_Security_Breaches_Survey_2020_Statistical_Release_180620.pdf

16.

Johns

(2021). Cyber security breaches survey 2021: Statistical release (pp. 1–66). Department for Digital, Culture, Media and Sport. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/972399/Cyber_Security_Breaches_Survey_2021_Statistical_Release.pdf

17.

Keeney

Kowalski

Cappelli

Moore

Shimeall

Rogers

(2005). Insider threat study: Computer system sabotage in critical infrastructure sectors (pp. 1–45). U.S. Secret Service & Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/SpecialReport/2005_003_001_51946.pdf

18.

Kemp

Buil-Gil

Moneva

Miró-Llinares

Díaz-Castaño

(2021). Empty streets, busy internet: a time-series analysis of cybercrime and fraud trends during COVID-19. Journal of Contemporary Criminal Justice, 37(4), 480–501. https://doi.org/10.1177/10439862211027986

19.

Kowalski

Cappelli

Moore

(2008a). Insider threat study: Illicit cyber activity in the information technology and telecommunications sector (pp. 1–59). U.S. Secret Service & Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/WhitePaper/2008_019_001_52266.pdf

20.

Kowalski

Conway

Keverline

Williams

Cappelli

Willke

Moore

(2008b). Insider threat study: Illicit cyber activity in the government sector (pp. 1–36). U.S. Secret Service & Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/WhitePaper/2008_019_001_52247.pdf

21.

Mazzarolo

Fernández Casas

J. C.

Jurcut

A. D.

Le-Khac

N.-A.

(2021). Protect against unintentional insider threats: The risk of an employee’s cyber misconduct on a social media site. In Weulen Kranenbarg

Leukfeldt

E. R.

(Eds.), Cybercrime in context: Vol. I (pp. 79–101). Springer International Publishing. https://doi.org/10.1007/978-3-030-60527-8_6

22.

MSRC Team. (2020, January 22). Access misconfiguration for customer support database. Microsoft Security Response Center. https://msrc-blog.microsoft.com/2020/01/22/access-misconfiguration-for-customer-support-database/

23.

Newman

G. R.

Clarke

R. V.

(2003). Superhighway robbery: Preventing e-commerce crime. Willan.

24.

Notté

R. J.

Slot

L. K.

van ‘t Hoff-de Goede

Rutger

L. (2019). Nulmeting: Cybersecurity in het mkb (pp. 1–30). The Hague University of Applied Sciences. https://www.dehaagsehogeschool.nl/docs/default-source/documenten-onderzoek/lectoraten/cybersecurity-in-het-mkb/cybersecurity-in-het-mkb_nulmeting_notte_et_al_2019.pdf

25.

Overvest

Non

Dinkova

El-Dardiry

Windig

(2019). Cyber security risk assessment for the economy 2019 (pp. 1–38). CPB Netherlands Bureau for Economic Policy Analysis. https://www.cpb.nl/sites/default/files/omnidownload/CPB-Cyber-Security-Risk-Assessment-for-the-Economy-2019.pdf

26.

Randazzo

M. R.

Keeney

Kowalski

Cappelli

Moore

(2005). Insider threat study: Illicit cyber activity in the banking and finance sector (CMU/SEI-2004-TR-021; pp. 1–36). U.S. Secret Service & Carnegie Mellon University. https://resources.sei.cmu.edu/asset_files/SpecialReport/2004_003_001_50299.pdf

27.

Reveraert

Sauer

(2021). Redefining insider threats: A distinction between insider hazards and insider threats. Security Journal, 34(4), 755–775. https://doi.org/10.1057/s41284-020-00259-x

28.

Safa

N. S.

Maple

Furnell

Azad

M. A.

Perera

Dabbagh

Sookhak

(2019). Deterrence and prevention-based model to mitigate information security insider threats in organisations. Future Generation Computer Systems, 97, 587–597. https://doi.org/10.1016/j.future.2019.03.024

29.

Statistics Canada. (2020). About one-fifth of Canadian businesses were impacted by cyber security incidents in 2019 (pp. 1–4). Statistics Canada. https://www150.statcan.gc.ca/n1/en/daily-quotidien/201020/dq201020a-eng.pdf

30.

Theoharidou

Gritzalis

(2009). Situational crime prevention and insider threat: Countermeasures and ethical considerations. pp. 808–820.

31.

Twitter Inc. (2020, July 30). An update on our security incident. Twitter Blog . https://blog.twitter.com/en_us/topics/company/2018/enabling-further-research-of-information-operations-on-twitter.html

32.

U.S. Department of Justice. (2020, August 26). San Jose man pleads guilty to damaging Cisco’s network. U.S. Attorney’s Office Northern District of California. https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network

33.

van de Weijer

S. G. A.

Leukfeldt

E. R.

van der Zee

(2021). Cybercrime reporting behaviors among small- and medium-sized enterprises in the Netherlands. In Weulen Kranenbarg

Leukfeldt

E. R.

(Eds.), Cybercrime in context: Vol. I (pp. 303–325). Springer International Publishing. https://doi.org/10.1007/978-3-030-60527-8_17

34.

Veenstra

Zuurveen

Stol

(2015). Cybercrime onder bedrijven: Een onderzoek naar slachtofferschap van cybercrime onder het Midden- En Kleinbedrijf en Zelfstandigen Zonder Personeel in Nederland (pp. 1–242). NHL Stenden University of Applied Sciences. https://cybersciencecenter.nl/media/1054/2015-05-13-cybercrime-onder-bedrijven-def.pdf

35.

Wall

D. S.

(2013). Enemies within: Redefining the insider threat in organizational security policy. Security Journal, 26(2), 107–124. https://doi.org/10.1057/sj.2012.1

36.

Williams

M. L.

Levi

Burnap

Gundur

R. V.

(2019). Under the corporate radar: Examining insider business cybercrime victimization through an application of routine activities theory. Deviant Behavior, 40(9), 1119–1131. https://doi.org/10.1080/01639625.2018.1461786

37.

Willison

Siponen

(2009). Overcoming the insider: Reducing employee computer crime through situational crime prevention. Communications of the ACM, 52(9), 133–137. https://doi.org/10.1145/1562164.1562198

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.20 MB

Insider threats among Dutch SMEs: Nature and extent of incidents,and cyber security measures

Abstract

Keywords

Get full access to this article

References

Supplementary Material