Protecting intellectual property from insider threats. A management information security intelligence perspective

Pages: 181-202
DOI: https://doi.org/10.1108/JIC-05-2019-0096
Published date: 31 December 2019
Authors: Hyungjin Lukas Kim, Anat Hovav, Jinyoung Han
Subject Matter: Accounting & Finance, Behavioural accounting, Knowledge management, Information & knowledge management, HR & organizational behaviour
Hyungjin Lukas Kim
Korea University, Seoul, Republic of Korea
Anat Hovav
Center for Information Systems and Technology Claremont,
Claremont Graduate University, California, USA, and
Jinyoung Han
Chung-Ang University, Seoul, Republic of Korea
Abstract
Purpose: The purpose of this paper is to propose a theory of information security intelligence and examine
the effects of managers' information security intelligence (MISI) on employees' procedural countermeasure
awareness and information security policy (ISP) compliance intention.
Design/methodology/approach: A survey approach and structural equation modeling are utilized. Partial
least squares (WarpPLS 6.0) and a nonlinear algorithm are employed to analyze and examine the hypotheses.
In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a
professional survey service company.
Findings: MISI positively affects employees' awareness of information security procedural countermeasures;
information security knowledge and problem-solving skills have positive effects on procedural countermeasures
awareness; MISI increases employees' compliance intention through procedural countermeasure awareness; and
information security procedural countermeasures positively affect employees' ISP compliance intention.
Research limitations/implications: This study proposes a theory of information security intelligence
and examines its impacts on employees' compliance intentions. The study highlights the mediating role of
information security procedural countermeasures between information security intelligence and employees'
compliance intentions.
Practical implications: Managers should improve and explicitly demonstrate information security
knowledge and problem-solving skills to increase employees' ISP compliance intention. To protect the
organization's intellectual capital, managers should champion the development and promotion of PCM, rather
than leave these functions to the information security group.
Originality/value: This is the first empirical study to propose and validate MISI.
Keywords: Social competence, Intellectual capital, Compliance intention, Information security policy,
Information security intelligence, Information security procedural countermeasures,
Information security problem-solving skills, Information security knowledge
Paper type: Research paper
1. Introduction
Intellectual capital (IC) is defined as intellectual material, knowledge, experience, intellectual
property and information used by the organization to create value (Dumay, 2016).
Organizations are increasingly focusing on information management (La Torre et al., 2018) to
gain competitive advantage. However, the more data-driven the organization's competitive
strategy, the higher the risk of IC-related security incidents (Petty and Guthrie, 2000). In its
latest report, the Ponemon Institute (2019) recounted a significant rise in economic espionage
and theft of trade secrets and intellectual property. In addition to external attacks, IC is
exposed to risks from insider threats and inadvertent exposure (Clarke, 2016).
By default, employees possess some organizational proprietary information, and thus
pose a risk (Sheikh, 2014). For example, in 2018, the Samsung folding screen technology was
stolen and sold to two Chinese companies. As a result, Samsung lost six years and $130m of
research and development investment. To protect trade secrets, companies should educate
employees and foster organizational loyalty (Sheikh, 2014; La Torre et al., 2018).
Received 10 May 2019; revised 4 September 2019 and 29 October 2019; accepted 4 November 2019.
Journal of Intellectual Capital, Vol. 21 No. 2, 2020, pp. 181-202. © Emerald Publishing Limited, 1469-1930. DOI 10.1108/JIC-05-2019-0096.
Yet, despite the extensive research on the topic of insiders' risk (e.g. Lebek et al., 2014;
Siponen and Vance, 2014; Hovav and Putri, 2016; Soomro et al., 2016; Cram et al., 2017),
organizations still struggle with internal security incidents (PWC, 2016; Ponemon
Institute, 2018, 2019). Procedural information security countermeasures (PCM), such as
information security policies (ISP) and security, education, training and awareness
(SETA) programs, have become key components of security management (D'Arcy et al.,
2009; Bulgurcu et al., 2010; Hovav and D'Arcy, 2012; Haeussinger and Kranz, 2013).
Employees' awareness of PCM has been found to directly or indirectly increase ISP
compliance (Herath and Rao, 2009; Siponen et al., 2009; Bulgurcu et al., 2010; Haeussinger
and Kranz, 2013; Hovav and Putri, 2016; Han et al., 2017) and decrease IS misuse
(D'Arcy et al., 2009; Hovav and D'Arcy, 2012). However, PCM could also hinder work
performance (Hu et al., 2011), reduce work efficiency (Wall, 2011) and increase users'
reactance (Lowry et al., 2015; Hovav and Putri, 2016; Jeon et al., 2018).
Furthermore, to date, there is limited research that aims to understand the contextual
factors that influence misuse and compliance behaviors (Willison and Warkentin, 2013).
Specifically, while the extant literature has examined the influence of managers' support
and commitment toward security on users, it has not examined the influence of managers'
capabilities on employees' compliance intention. Research in information security suggests
that managers' support influences employees' attitude and intentions toward security
(Kankanhalli et al., 2003; Chan et al., 2005; Knapp et al., 2006). Managers can provide
legitimacy to employees' ISP-compliant behavior by shaping their beliefs, norms, and
attitudes toward new programs, initiatives or policies (Hu et al., 2012).
In the context of safety management, employees' perceptions of managers' capabilities were
found to affect employees' behavior (Fruhen et al., 2014). For example, managers' knowledge
of safety was found to have a positive influence on employees' acceptance of safety-related
policies (Elangovan and Xie, 2000). Similarly, managers' crisis response capabilities influence
employees' post-crisis behaviors (Mumford et al., 2000; Carmeli et al., 2013). While the above
studies examined the relationships between managers' capabilities and employees' behavior
in a tangible, physical context, this paper extends these relationships to information security,
as suggested by Line and Albrechtsen (2016). Specifically, the paper proposes that perceived
management capabilities influence users' PCM awareness and compliance intention. To that
end, this work introduces a theory of information security intelligence, which is derived from
prior work on safety intelligence (SI) (Kirwan, 2008; Fruhen et al., 2014).
SI is a relatively new concept, which was initially developed for the air traffic
management (ATM) industry in 2014. SI comprises three main constructs: managers'
traits (i.e. personality and regulatory commitment), managers' skills (i.e. problem-solving
and social competence) and safety knowledge (Fruhen et al., 2014). However, the salience
of these constructs varies depending on industry characteristics (Harvey et al., 2015).
To date, SI has been applied only to physical risk (i.e. air traffic and construction). In this
paper, we apply SI to cyber risk, which is a fundamentally different context. We propose
the concept of managers' information security intelligence (MISI), which refers to an
employee's perception of their senior managers' ability to understand security issues, and
knowledge relevant to the managers' ISP-making. For brevity, in the remainder of this
paper, the term "managers" is used to denote senior managers of a company. MISI
includes three of the original SI sub-dimensions: perceived information security
knowledge (PISK), perceived social competence (PSC) and perceived information
security problem-solving skills. We chose to omit managers' traits because this paper
focuses on managers' capabilities rather than managers' personality.