An investigation into cyber security threats posed by insiders: a case of public organisations.

Chinyemba, Melissa Kaemby
The University of Zambia
Insider attacks are the most hazardous threats faced by most organisations today, and deterring them is an overwhelming task because employees require legitimate access privileges to organisational resources for their daily tasks. If they misuse this trust, accidentally or intentionally, it can compromise data security, thereby negatively impacting the corporation's reputation and revenue. Most Zambian public organisations have continuously been caught unaware of how their confidential information has ended up in the public domain. This is because most of these organisations have neither adopted nor fully implemented any of the security standards or frameworks such as Control Objective for Information and related Technology (COBIT) and/or International Standards Organisation (ISO) 27000. The study established a theoretical model from ISO 27001 controls literature that analysed the Information and Communication Technology (ICT)/Cyber gaps for organisational cyber readiness. Using Actor-Network Theory (ANT) and Theory of Planned Behaviour (TPB), the study established the types of vulnerabilities that can be exploited by insiders and evaluated the effectiveness of the current controls in public organisations. Further, the study carried out a gap analysis using ISO 27001:2013 to understand the security gaps that relate to insiders, so as to be able to propose an insider threat mitigation model with a core focus on user awareness and access control. The study used both quantitative and qualitative research approaches. Questionnaires and interviews were used as assessment tools for the empirical study. The targeted population was the ICT/Cybersecurity stakeholders in public organisations, which included Executive Management, ICT/Cyber Security, ICT, Human Resources (HR), Legal, Enterprise Risk Management (ERM) and Internal Audit staff, with a convenience sampling method applied for participant identification. Microsoft Excel and SPSS were used for statistical analysis.
All three objectives of this study were achieved. The findings showed that, out of a total of eight public organisations under study, only 25% had adopted international security standards and frameworks, though these were only partially implemented. Another 25% have adopted some security base practices, while 50% have no security measures in place. The findings also revealed that most public organisations lack key ICT/Cyber Security policies and procedures. Additionally, the current controls are not effective enough to deter cyber security threats from insiders exploiting their employers. Further, the findings yielded a useful model for mitigation of insider Cyber Security threats and highlighted relationships between management involvement, organisational Cyber Security values and the Cyber Security culture in public organisations. The significance of this study is to enforce cyber readiness in public organisations with the aim of enhancing insider data security mechanisms through the use of user awareness, access control, underground screening and non-disclosure agreements (NDAs).
Thesis of Master of Engineering in Information and Communications Technology (ICT) Security