Professor Rona S. Beattie and Dr David BaMaung, Glasgow Caledonian University (email for corresponding author)


CONCLUSIONS, ONGOING AND FUTURE RESEARCH
This paper has established the context, the complexity, and the case for the HRM and HRD functions, as well as senior managers, line managers, organisations and policy makers, to take the subject of people security more seriously. As indicated above, the consequences of not doing so can be grave for individuals, organisations and ultimately even nation states.
This paper has: provided the business case for people security; defined the field of people security and what we mean by insider threat; explored the role of people security, with particular emphasis on the complexity of this field; examined the types, risks and consequences of different insider threats and attacks, in particular comparing examples of unwitting and malicious insiders; and considered the role of HRM and HRD within people security. We hope that the discussion above has raised the awareness of academics, politicians, policy makers, and professionals from a range of disciplines about the need for further research, policy development and improved practice in this increasingly important field.
As this is part of an ongoing study, the researchers are currently focusing on exploring strategies for mitigating insider threat and for managing the consequences of such attacks and ‘near-misses’. This current empirical work, across sectors, examines the whole employee life cycle as described above, including: pre-employment screening (often where most people security practices stop); induction; ongoing training; ongoing performance management; and managing exit.
Future phases of our empirical and conceptual work will also explore a range of key ethical and strategic debates and issues, including: duty of care versus control/compliance; whistleblowing versus information leakage; the intergenerational use of social media and mobile technology and its implications for people security, e.g. BYOD policies; the impact of globalisation and international trade on business and HRM practices, which presents particular challenges for people security; and the potential interaction with other fields, e.g. the parallels with Health & Safety culture, strategies and practices, including risk assessment and post-incident/near-miss reviews.
Finally, the authors, along with colleagues in other institutions and agencies, are developing practical tools to help organisations address their people security needs more effectively, whilst at a strategic level they are currently developing education and training programmes for HR managers and professionals; senior managers; line managers; and related professions such as business continuity and risk managers, finance managers, security managers, and cyber/IT managers. These programmes will have the potential to be adapted to meet the needs of key infrastructure sectors, e.g. finance, energy, defence, health, and central government, as well as individual organisations. The findings of the ongoing and future research, as well as details of the applied outcomes, will be presented in future papers and publications.

REFERENCES
ACFE (2014) ACFE Report to the Nations on Occupational Fraud and Abuse. ACFE

Arnulf, J. K. and Gottschalk, P. (2013) Heroic Leaders as White-Collar Criminals: An Empirical Study. Journal of Investigative Psychology and Offender Profiling 10: 96-113.

Associated Press in Washington (2014) US charges security check firm that vetted Edward Snowden with fraud. In The Guardian, 23 January 2014 http://www.theguardian.com/world/2014/jan/23/us-charges-security-check-firm-vetted-edward-snowden-fraud

BBC News (2015) ‘Germanwings crash: Co-pilot Lubitz “practised rapid descent”’ 6 May 2015 http://www.bbc.co.uk/news/world-europe-32604552 (accessed 06/05/15 at 18.16)

Beattie, R. S. (2006) “Line managers and workplace learning: learning from the voluntary Sector”, Human Resource Development International Vol. 9 (1): 99-119

Beattie, R. (2015) ‘Most of what you know about insider fraud is wrong’ in ‘Get a sneak preview of 2015’, People Management, January (pp 40-45) http://www.cipd.co.uk/pm/peoplemanagement/b/weblog/archive/2015/01/02/get-a-sneak-preview-of-2015.aspx

BaMaung, D. and Beattie, R. (2014) HRM the Missing Link: Is Personnel Security a Critical Gap in Organisational and National Security? A paper presented at The International Research Society for Public Management Conference XVIII, 9-11 April 2014, Carleton University, Ottawa, Canada

Beattie, R. and BaMaung, D. (2015a) Mind the gap: HRM/D’s role in keeping organisations safe. A paper presented at the 16th International Conference on Human Resource Development Research and Practice across Europe, Towards Evidence Based HRD Practice: Bridging the Gap, 3-5 June, University of Cork, Cork, Ireland. Forthcoming

Beattie, R. and BaMaung, D. (2015b) The Role of HRM in combating the ‘Insider Threat’: an organizational and global perspective. International Journal of Public Administration. Forthcoming

Analoui, F. (1995) Workplace sabotage: its styles, motives and management. Journal of Management Development Vol 14, No.7 1996 pp48-65 MCB University Press.

Andersen, D. et al (2004) Preliminary system dynamics maps of the insider cyber-threat problem. In Proceedings of the 22nd International Conference of the System Dynamics Society (pp. 25-29).

Anderson, J. C., et al. (1994). A theory of quality management underlying the Deming management method. Academy of Management Review, 19(3), 472-509.

BBC News (2012) Q&A: News of the World phone-hacking scandal, 4 August 2012 http://www.bbc.co.uk/news/uk-11195407 (accessed 06/05/2015 at 14.11)

BBC News (2013) Bradley Manning sentenced to 35 years in Wikileaks case. Published on BBC News site - http://www.bbc.co.uk/news/world-us-canada-23784288 (accessed 10 Feb 2014)

Bishop, M. et al. (2009) Case studies of an insider framework. In Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS’09), Hawaii, USA. IEEE, Jan 2009, pp 1-10

Blackwell, C. (2009) Combating the Insider Threat: What System Administrators need to know. UK Unix and Open Systems User Group, presentation to the UK UUG Spring 2009 Conference 24-26 Mar 2009, London

Blackwell, C. (2009a) A Security Architecture to Protect against the Insider Threat from Damage, Fraud and Theft. Published in the proceeding of the CSIIRW ’09 (proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies Article No. 45)

Bowen, B. M. et al. (2009) Baiting Inside Attackers Using Decoy Documents. In Security and Privacy in Communication Networks: 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009: Revised Selected Papers

Carney, J. (2013) The truth about why Jeff Skilling’s jail sentence got downsized. CNBC News (21 June 2003) http://www.cnbc.com/id/100835443

Chan, S. P. (2013) Timeline: how G4S's bungled Olympics security contract unfolded. The Telegraph, 21 May 2013 http://www.telegraph.co.uk/finance/newsbysector/supportservices/10070425/Timeline-how-G4Ss-bungled-Olympics-security-contract-unfolded.html (accessed 06/05/15 at 16.30)

Cappelli, D. et al (2008) Spotlight On: Programming Techniques Used as an Insider Attack Tool. CERT Research Paper December 2008, Published by Carnegie Mellon University.

Cappelli, D. et al (2009) Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition – Version 3.1. CERT Research paper published by Carnegie Mellon University January 2009

Cappelli, D. et al (2012) The CERT Guide to Insider Threats – How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Published by Pearson Education Inc.

Catrantzos, N. (2010) Tackling the Insider Threat. Crisp Report – Connecting Research in Security to Practice. Published by ASIS International,

Catrantzos, N. (2012) Managing the Insider Threat – No Dark Corners. Published by CRC Press, Taylor and Francis Group, Boca Raton, FL

Colwill, C. (2009) Human factors in information security: The insider threat – Who can you trust these days? Published in Information Security Technical Report, Volume 14, Issue 4, November 2009, Pages 186-196

CPNI (2013) CPNI Insider Threat Data Collection Study: Report of Main Findings.

Da Veiga, A., & Eloff, J. H. (2010). A framework and assessment instrument for information security culture. Computers and Security, 29(2), 196-207.

Deery, S. J., & Iverson, R. D. (2005). Labor-management cooperation: Antecedents and impact on organizational performance. Industrial and Labor Relations Review, 588-609.

Furnell, S. (2004) Enemies within: the problem of insider attacks. Computer Fraud and Security 2004 Vol 2004 PT 7 pp 6-11

Furnham, A. & Taylor, J. (2013) Bad Apples – Identify, Prevent & Manage Negative Behaviour at Work. Published by Palgrave MacMillan, Hampshire, England.

Gayathri, A. (2013) CIA Suspected Edward Snowden WAS Trying To Access Classified Information in 2009 But Supervisor’s warning Never Reached NSA: Report. International Business Times web site (accessed 23.2.14) http://www.ibtimes.com/cia-suspected-edward-snowden-was-trying-access-classified-information-2009-supervisors-warning-never

Hanley, M. et al (2009) Spotlight On: Malicious Insiders with Ties to the Internet Underground Community. CERT paper published by Carnegie Mellon University

Harding, L. (2014) The Snowden Files. The Inside Story of the World's Most Wanted Man. Published by Vintage.

Jackson, G (2012) Predicting Malicious Behaviour – Tools and Techniques for Ensuring Global Security. Published by John Wiley & Sons Inc., Indianapolis IN

Johnson, S. (2014) ‘Social engineering attacks: Is security focused on the wrong problem?’ TechTarget Search Security web site http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem

Lacey, D. (2009) Managing the Human Factor in Information Security. John Wiley & Sons Ltd., Chichester, England

Lok, P., & Crawford, J. (2004). The effect of organisational culture and leadership style on job satisfaction and organisational commitment: A cross-national comparison. Journal of Management Development, 23(4), 321-338.

Londono, E. (2014) Army Pvt. Chelsea Manning, formerly known as Bradley, to request legal name change. Washington Post web site (accessed 15 Feb 2014) http://www.washingtonpost.com/world/national-security/army-pvt-chelsea-manning-formerly-known-as-bradley-to-request-legal-name-change/2014/03/20/526a005e-b077-11e3-95e8-39bef8e9a48b_story.html

MacDonald, L. (undated) Responsibilities of the Line Managers in HR. Houston Chronicle web site http://smallbusiness.chron.com/responsibilities-line-managers-hr-35205.html (accessed 26.3.15)

Martins, E. C., & Terblanche, F. (2003) Building organisational culture that stimulates creativity and innovation. European Journal of Innovation Management, 6(1), 64-74.

Maxwell, E. (2013) ‘Why do we need a duty of candour?’ The Health Foundation 27 March 2013 http://www.health.org.uk/blog/why-do-we-need-a-duty-of-candour/ accessed 04/05/15 at 15.56

Melara, C. et al (2003) A system dynamics model of an insider attack on an information system. Proceedings of the 21st International Conference of the System Dynamics Society, New York, NY, July 20-24, 2003. Albany, NY: System Dynamics Society 2003

Moore, A. et al (2008) The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures. Technical Report May 2008, CERT Programme. Published by Carnegie Mellon University

Moore, A. et al (2009) Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model. In the Proceedings of the 1st International Workshop on Managing Insider Security Threats (MIST 2009), Purdue University, West Lafayette. June 15-19, 2009

Nissenbaum, D. (2014) US Gives New Contract To Firm That Vetted NSA Leaker Edward Snowden. The Wall Street Journal, July 2, 2014 http://www.wsj.com/articles/u-s-gives-new-contract-to-firm-that-cleared-nsa-leaker-1404344583

Nixon, W. & Kerr, K. (2008) Background Screening and Investigations – Managing Hiring Risk from the HR and security Perspectives. Elsevier Inc., Burlington MA, USA

Parker, R., & Bradley, L. (2000). Organisational culture in the public sector: evidence from six organisations. International Journal of Public Sector Management, 13(2), 125-141.

Power, R. & Forte, D. (2006) Thwart the insider threat: a proactive approach to personnel security. Computer Fraud and Security, July 2006 pp 10-14

Randazzo, M. et al (2004) Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. CERT paper published by Carnegie Mellon University

Richards, J. (2000) The Insider Espionage Threat. Contained within Appendix F, pp 89-95, Conference Proceedings ‘Research on Mitigating the Insider Threat to Information Systems - #2 ed’, Anderson et al, National Defense Research Institute, RAND, Santa Monica

Ring, T. (2014) Cyber gang behind £1.12m ‘KVM’ bank fraud convicted. SC Magazine 14 March 2014 http://www.scmagazineuk.com/cyber-gang-behind-125m-kvm-bank-fraud-convicted/article/338272/

Ruppert, B. (2009) Protecting Against Insider Attacks. Published by SANS Institute April 2009

Sawer, P. (2014) Hospital admits Duchess of Cambridge prank call nurse needed ‘more support’. The Telegraph, 12 Sept 2014 http://www.telegraph.co.uk/news/uknews/kate-middleton/11091952/Hospital-admits-Duchess-of-Cambridge-prank-call-nurse-needed-more-support.html

Schmitt, E. (2013) C.I.A. Warning on Snowden in ’09 Said to Slip Through the Cracks. Published 10 October 2013 on NY Times web site (accessed 23.2.14) http://www.nytimes.com/2013/10/11/us/cia-warning-on-snowden-in-09-said-to-slip-through-the-cracks.html?pagewanted=all&_r=0

Schneier, B. (2000) Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons.

Schultz, E. (2002), A framework for understanding and predicting insider attacks. Computers and Security 21 (6): 526-531

Shaw, E. et al (1998) Insider Threats to Critical Information Systems. Technical Report 2; Characteristics of the Vulnerable Critical Information Technology Insider (CITI) Political Psychology Associates Ltd., June 1998.

Simms, J. (2013) Do you really know who you’re hiring? People Management, Dec 2013 pp. 33 - 36

Singleton, T.W. & Singleton, A.J. (2010) Fraud Auditing and Forensic Accounting, 4th Edition. John Wiley & Sons, New Jersey

Spitzner, L. (2003) Honeypots: Catching the Insider Threat. Published in 19th Annual Computer Security Applications Conference 2003, Proceedings (8-12 Dec 2003) pp 170-179

Spooner, D. et al (2009) Spotlight On: Insider Theft of Intellectual Property inside the U.S. Involving Foreign Governments or Organizations. CERT Research Paper June 2009. Carnegie Mellon University.

Stephens, M. & Mortell, N. (2010) Screen Test. Workplace Law, May 4, 2010

Stephens, M. and Mortell, N. (2013) Recruitment Agencies: How well do they screen our staff (re-visited)? Workplace Law, July 2013

Tarver, P. (2005) Anatomy of an Insider Attack. Published Jan 16, 2005. A Global Information Assurance Certification Paper, Copyright SANS Institute

The Chronicle of Higher Education (2014) Data Breaches Put a Dent in Colleges’ Finances as Well as Reputations. March 17 http://chronicle.com/article/Data-Breaches-Put-a-Dent-in/145341/ (accessed 06/05/15 at 16.19)

The Stationery Office (2013) Report of the Mid-Staffordshire NHS Foundation Trust Public Inquiry. The Stationery Office: London.

Udoeyop, A. et al (2009) Heuristic Identification and Tracking of Insider Threat Prospectus. August 14, 2009

Willison, R. & Warkentin, M. (2009) Motivations for Employee Computer Crime: Understanding and Addressing Workplace Disgruntlement through the Application of Organisational Justice. IFIP TC 8 International Workshop on Information Systems Security Research, 2009 pp 127-144.

Winnett, R. & Mason, R. (2012) Fred Goodwin is shredded: former RBS boss stripped of knighthood. The Telegraph (31 Jan 2012) http://www.telegraph.co.uk/finance/financialcrisis/9053010/Fred-Goodwin-is-shredded-former-RBS-boss-stripped-of-knighthood.html

1 Given the nature of the subject the case studies’ identities have been anonymised and limited detail provided.

2 The authors are currently engaged with other agencies, such as the CIPD, around this topic.

3 CPNI is the leading body in the provision of protective security advice to the UK Critical Infrastructure.

4 URL: http://www.cpni.gov.uk/advice/personnel-security1/insider-threats/
