By: Jeanine Haenel
Technological progress is like an ax in the hands of a pathological criminal. -Albert Einstein
Corporate hacking is much more prevalent today than it was 10 years ago. The abilities of even the "average" person have increased, and such people can now get information that they may not have had access to before. Companies are cautious about whom they hire and trust. They now have to hire not only on the skills and experience of the potential employee; they must also consider the candidate's psychological and criminal history. But how do they get this information easily and ethically?
The 2011 article "Methods for evaluating and effectively managing the security behavior of employees" by Hu, Xu, Dinev, and Ling states, "The 2008 CSI Computer Crime and Security Survey shows that 44% of respondents reported insider abuse of computer systems, making it the second most frequent form of security breach, only slightly behind virus incidents (49%), but well above the 29% of respondents who reported unauthorized access from external sources." By taking extra precautions about who is allowed to access their confidential information, corporations can certainly control some of the potential abuse they would otherwise have to rectify later on.
In a survey of IT managers of global companies, 60% of the respondents said employee misconduct involving information systems is a top concern. Employee information security policy violations vary widely because the motives, forms, and targets are different with each employee. An information security policy violation is defined as any act by an employee using computers that is against the established rules and policies of an organization for personal gain. Individuals with low self-control are more likely to give in to the temptation. This is because low self-control leads to higher levels of perceived extrinsic benefits and perceived intrinsic benefits, which in turn strongly influence the intention to commit policy violations.
Employers previously thought that deterrence would be effective; however, the results of this study suggest it may not be enough. So, what can an employer do? There are two options they may follow: lowering the perceived benefits of committing the violations, and screening applicants for sensitive positions for a high level of self-control and strong moral beliefs. To lower the perceived benefits, companies can take a number of proactive actions to reduce the perceived value of the data assets in the corporate information systems. To screen applicants, employers can use psychometric instruments to ensure that only those who are strong on self-control and have high morals are assigned to sensitive positions.
Employers must use caution when using the results of this study. The findings are based on a data sample from a population with a unique Eastern culture, where the concept of following rules and policies may be very different from that in Western cultures. Finally, the small number of organizations where the surveys were administered could bias the data as well. A follow-up would be to replicate this study in multiple countries with various cultures, using random samples that cover a large number of organizations.
References
Technology Quotes. (n.d.). Quoteland.com - Quotations on Every Topic, by Every Author, and in Every Fashion Possible. Retrieved February 10, 2012, from http://www.quoteland.com/topic/Technology-Quotes/141/
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Methods for evaluating and effectively managing the security behavior of employees. Communications of the ACM, 54(6), 54-60. doi: 10.1145/1953122.195314