Insider threats among Dutch SMEs: Nature and extent of incidents, and cyber security measures
| Published date | 01 December 2023 |
| DOI | http://doi.org/10.1177/26338076231161842 |
| Author | Asier Moneva,Rutger Leukfeldt |
| Date | 01 December 2023 |
| Subject Matter | Articles |
Insider threats among Dutch
SMEs: Nature and extent of
incidents, and cyber security
measures
Asier Moneva and Rutger Leukfeldt
Netherlands Institute for the Study of Crime and Law Enforcement
(NSCR), Amsterdam, Netherlands; Centre of Expertise Cyber Security,
The Hague University of Applied Sciences, The Hague, Netherlands
Abstract
Insider threats represent a latent risk to all organisations, whether they are large companies or
Small or Medium-sized Enterprises (SMEs). Insiders, the individuals with privileged access to the
assets of organisations, can compromisetheir proper functioningand cause serious consequences
that can be direct—suchas financia l—or indirect—such as reputational. Insiderincidents can have
a negativeimpact on SMEs, as their resources are oftenlimited, making it paramountto implement
adequatecyber security measures.Despite its indisputablerelevance,the empirical study ofinsider
incidents froma criminological point of view has received little attention.This paper presents the
results of an exploratory study that aims to understand the nature and extent of three types of
insider incidents—malicious,negligent, and well-meaning—andhow they are related to the adop-
tion of cybersecurity measures.Tothat end, we administereda questionnaire amonga panelof 496
Dutch SME entrepreneurs and managers and analysed the results quantitatively and qualitatively.
The results show that although the prevalence of insider incidents is relatively low among
Dutch SMEs,few organisationsreport a disproportionatenumber of incidentsthat often entail ser-
ious consequences. A regression model shows that thereare cyber security measures related to
both higher andlower incident likelihood.The implications of these findingsfor the cyber security
policies of SMEs are discussed.
Keywords
Insider threats, insider incidents, insiders, SMEs, organisations, cyber security
Date received: 2 August 2022; accepted: 15 February 2023
Corresponding author:
Asier Moneva, Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), De Boelelaan 1077, 1081
HV Amsterdam, Netherlands.
Email: amoneva@nscr.nl
Article
Journal of Criminology
2023, Vol. 56(4) 416–440
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/26338076231161842
journals.sagepub.com/home/anj
Introduction
The increasing digitisation of business means that organisations and among them, especially
Small and Medium-sized Enterprises (SMEs), must face cyber security challenges that often
overwhelm them. Cyber threats can be external, when they originate outside the organisation,
or internal, when they originate inside. Due to privileged access to information, the latter are
arguably the most dangerous (e.g., CERT National Insider Threat Center, 2019). To protect
against insider threats, SME managers must consider a myriad of cyber security solutions to
develop a strong cyber security culture that is tailored to the organisation’s needs and resources
and encourages secure behavior among its employees (Bada & Nurse, 2019). However, little is
known about how the adoption of these cyber security measures in SMEs relates to insider vic-
timisation, as few criminological studies have addressed this issue (Williams et al., 2019), espe-
cially outside the Anglosphere. This paper presents an exploratory study using a survey design
about the nature and extent of insider threats affecting Dutch SMEs and how these threats relate
to the adoption of cyber security measures.
1
Some international figures illustrate the complex cyber security landscape faced by organi-
sations. In the 2021 edition of the United Kingdom (U.K.) Cyber Security Breaches Survey,
39% of businesses reported cyber security incidents in the past year (Johns, 2021), down
7% on the previous year (Johns, 2020)—probably due to the pandemic (Buil-Gil et al.,
2020; Kemp et al., 2021). These incidents had a mean cost of £8,460 per business. Data
from the Canadian Survey of Cyber Security and Cybercrime indicates that, in 2019, 21%
of all businesses reported being impacted by cyber security incidents (Statistics Canada,
2020). This affected 18% of the small businesses and 29% of medium-sized businesses. In
the Netherlands, a report by the CPB Netherlands Bureau for Economic Policy Analysis, indi-
cates that 48% of Dutch companies experienced a cyber security incident in 2018 (Overvest
et al., 2019). According to two reports based on two different online surveys, in the case of
Dutch SMEs, this figure was 29% in 2013 (Veenstra et al., 2015) and 19% between 2016
and 2017 (Notté et al., 2019). Although it seems that, in general, larger companies report
more incidents (Johns, 2021), they also have more resources and therefore probably better
detection tools and reporting mechanisms (Buil-Gil et al., 2021). One of the reasons why esti-
mates of cyber victimisation in companies may differ is that the definitions of cybercrime,
cyber-attack, or cyber security incident are neither clear nor consistent across studies and
may include different crime measures. Such differences may also be masked by a large dark
figure among SMEs (Statistics Canada, 2020; van de Weijer et al., 2021; Veenstra et al., 2015).
A Delphi study involving 129 cyber security experts in Spain suggests that government,
large enterprises, and public cyber security institutions are aware that SMEs are not prepared
to defend against cyber security threats (Del-Real & Díaz-Fernández, 2022). These findings
align with survey data from other countries. Although most SMEs in the United Kingdom,
Canada, and the Netherlands adopt basic cyber security measures such as having up-to-date
antivirus software and firewalls, it appears that they are still unprepared to respond adequately
to many cyber security incidents. In fact, only 13% of small and 36% of medium-sized com-
panies in the United Kingdom train their employees in cyber security, and 19% and 42%
respectively have evaluated their response to such situations (Johns, 2020, 2021). In
Canada, less than half of the businesses that reported using Internet of Things devices assessed
their security (Statistics Canada, 2020). Although Dutch companies are increasingly adopting
cyber security measures, such as two-factor authentication and log file creation, SMEs have yet
Moneva and Leukfeldt 417
To continue reading
Request your trial