An Investigation into Information Security Threats from Insiders and how to Mitigate them: A Case Study of Zambian Public Sector

Abstract

Insider attacks are security breaches posed by an existing or former organizational stakeholder with unrestricted access rights to the resources who, with or without intent, compromises the confidentiality, integrity and availability of organizational data. Zambian public organizations are vulnerable to insider attacks due to a number of factors that include; technology complexity, understaffing, financial gains, lack of security policies and procedures, lack of adoption and implementation of international security frameworks and standards such as ISO 27000 and COBIT. Insider threats can be categorized into three dimensions namely; Information Technology (IT) Sabotage, Financial Fraud and Intellectual Property (IP) theft. This paper reports the results from three targeted public organizations in Zambia. These are among the few that seem to recognised cyber threats and have partially adopted some parts of security base practices and international information security standards such as COBIT 5.0 and ISO 27001 standard. The study aimed at assessing the security GAPs using ISO 27001:2013 Information Security Management System (ISMS) standard. The study approach used was quantitative and qualitative with survey questionnaires and interviews as assessment tools for empirical data collection. The study shows that Zambian public sector has related challenges in mitigation of insider attacks that calls for considered efforts in developing measures for mitigation of these challenges in order to ensure national cyber security readiness and enhancing data privacy. The study reviewed that majority of the organizations assessed lack insider security deterring policies such as access control, non-disclosure agreements (NDA), pre-employment screening and unacceptable use. Additionally, the findings indicated that majority of public organizations have not made any efforts towards cyber security readiness, while only about 33% have adopted some security base practices. Further, using Actor Network Theory (ANT) and Theory of Planned Behavior (TPB), the study proposed an expedient insider mitigation model with an emphasis on user awareness and access control considering that it is difficult to model human behavior.