Examining the Past to Learn about the Future: Applying Secondary Data for the Qualitative Study of Internal Computer Abuse (ICA)
Forthcoming in ACIS 2016 JAIS Workshop Advances in Qualitative IS Research Methodologies, Sydney, Australia, November 30
5 Pages Posted: 31 Oct 2016
Date Written: 2016
Organizations and security practitioners expend considerable effort monitoring and preventing the potential external exploits of hackers and malware. However, they must also acknowledge the equally real threat posed by criminal internal computer abuse (ICA) by organizational insiders (e.g., data theft, insider trading, data poaching, access breaches, piracy of intellectual property, sabotage). Numerous industry reports cite ICA as one of the biggest threats that organizations face (Ernst and Young 2014; PwC 2015), and while IS security researchers are increasingly studying this form of behavior, they are faced with several research stumbling blocks. Gaining access to organizations is problematic for most management researchers; however, this is particularly challenging for organizational security researchers. Organizations are extremely sensitive about their security data, especially in terms of how any weaknesses in this area may produce adverse publicity, reputational damage, or further exploits. Consequently, IS Security researchers are often viewed as threats in their own right and rarely afforded such organizational access.
Moreover, it is not a feasible option for IS security researchers to interview individuals who have been prosecuted and incarcerated for their ICA, because most are never caught or punished. Given concerns over reputational and market damage, when security breaches occur, organizations will often deal with the matter "in house" to the exclusion of law enforcement agencies and subsequent prosecutions. Admittedly, some individuals are prosecuted for ICA and do receive custodial sentences, but gaining legal permission to talk to such individuals and to receive ethical approval for such a study is a huge hurdle. Few legal teams allow such access.
Given these data-collection barriers, it is not surprising to learn that the study of ICA has mostly been overlooked by security researchers in favor of subject areas with fewer hurdles and challenges. Indeed, the vast majority of IS sec studies examine intentions to comply with organizational information security policies. Although, insights into intentions can be helpful, what organizational security research needs for greater breakthroughs is insights into actual “black hat” security behaviors that are criminal and devastating to organizations - particularly ICA (Mahmood et al. 2010).
Despite calls for further research into ICA (Crossler et al. 2013; Lowry et al. 2015; Posey et al. 2013; Willison and Warkentin 2013), the obstacles associated with this task present something of an impasse when attempting to study this form of behavior. Therefore, in conjunction with these calls, which have suggested what to study, there is an equal need to ask how ICA can be studied. We assert that addressing this conundrum requires a degree of innovation and a willingness to consider new qualitative approaches in the face of a seemingly intractable data-collection barrier.
Consequently, we propose a possible solution to this issue by considering how secondary data can be innovatively used for qualitative ICA research. Specifically, our paper reviews the commercially and publically available sources of security breaches that can potentially be used for such an effort, and demonstrate some of the valuable information in these sources that have yet to be leveraged. This is followed by a consideration of how such data could be applied. For instance, a couple of preliminary ICA case studies have been developed through secondary sources - including court records, official reports and newspaper articles (Willison 2002; Baskerville et al. 2014). But this technique is rarely performed, and is an exciting approach that we can further explain and support, including with details on how to improve on what has been done. Support for this approach comes mostly from the ethnographic tradition (Geertz 1973; Hammersley and Atkinson 1995), in which archival material has proved an invaluable source of data. Indeed, in some instances, specific accounts of people in particular localities have been based solely on secondary documents (Denning 1980; Silverman and Gulliver 1992; Vincent 1984; Woods 1994).
Another more traditional qualitative use of secondary data that we also address involves qualitatively coding empirical data (e.g., breach incidents) and then analyzing these codings with various empirical methods. But again, this is rarely done with organizational security data. Notably, we have discovered several public sources of breach data that can be used for qualitative analysis, and are virtually overlooked by the IS security community. After discussing the different approaches in which secondary data can be applied, qualitative approaches to coding, and the benefits they offer over existing empirical approaches, we provide some concluding thoughts on future research opportunities in secondary qualitative use of organizational-level security data.
Rather than regard these qualitative approaches to secondary organizational security data as the poor cousins to traditional highly positivistic empirical approaches (e.g., surveys and experiments), we view the application and use of secondary sources as their equal, if not a potentially superior source. Again, unlike other IS areas of study, such as systems development, in which the associated behavior and practices can be studied in the organizational context, the nature of ICA makes it virtually impossible to examine this behavior in situ. Therefore, arguably the best way our understanding of such behavior can improve is through insights garnered through these secondary sources. Given the aforementioned difficulties associated with empirical ICA research, we believe the use of these sources is a promising step forward in understanding this form of criminal behavior.
Keywords: security, organizational security, qualitative methods
Suggested Citation: Suggested Citation