Listing by keyword "Information Security"
1 - 5 of 5
- Journal article: Insider Threats – Der Feind in den eigenen Reihen [Insider Threats: The Enemy Within Our Own Ranks] (HMD Praxis der Wirtschaftsinformatik: Vol. 57, No. 3, 2020)
  Weber, Kristin; Schütz, Andreas E.; Fertig, Tobias
  Employees that intentionally want to harm their organization pose a major threat to information security. Employees have access rights to sensitive information, and their organization trusts them. However, they can substantially harm their organization if they become Whistleblowers, Spies, Scammers, Saboteurs, Malicious Enablers, or Data Thieves due to different personal motives or external circumstances. This paper analyzes motives of so-called Malicious Insiders. It introduces the six types of Malicious Insiders by showing real cases from the recent past. The paper lays out which recognizing, preventive, and reactive measures organizations can take in order to minimize the risks associated with insider threats. The focus is on recognizing potential Malicious Insiders, because through early intervention, employees might not become malicious first. A combination of personal predispositions (e.g., introversion, greed, inability to accept criticism), stressors (e.g., frustration, dissatisfaction), and concerning behavior (e.g., unusual working hours or travel destinations) often points towards potential offenders.
- Journal article: Ok, gegen Cupids Pfeil hilft keine Firewall – Sichere(s) Daten durch ganzheitlichen Kompetenzaufbau [OK, No Firewall Helps Against Cupid's Arrow: Secure Data / Safe Dating Through Holistic Competence Building] (HMD Praxis der Wirtschaftsinformatik: Vol. 61, No. 1, 2024)
  Finster, Rebecca; Kronschläger, Thomas; Grogorick, Linda; Robra-Bissantz, Susanne
  In an ever-present digital environment that revolves around technology, online dating is gaining significant popularity. A large portion of the younger population has experience in this area. However, this trend brings with it new data privacy and information security challenges. Online dating platforms (e.g. OKCupid) and apps (e.g. Tinder) contribute to the emergence of cyber intimacy and introduce risks such as social engineering, where individuals are manipulated to gain confidential information. These threats can affect not only personal lives, but also the security of businesses. Victims of social engineering may inadvertently reveal sensitive information in supposedly private online dating situations, putting corporate networks at risk. As a result, it is critical to improve digital skills in competence areas such as information security awareness and communication, while adopting a critical approach to information shared online. A study explores the nexus between information security and online dating through an interdisciplinary hermeneutic analysis. Special emphasis is placed on the role of language, data protection, and other digital competences in the context of information security and social engineering and emphasizes the importance of information security beyond professional life.
- Conference paper: On the possible impact of security technology design on policy adherent user behavior - Results from a controlled empirical experiment (SICHERHEIT 2018, 2018)
  Kurowski, Sebastian; Fähnrich, Nicolas; Roßnagel, Heiko
  This contribution provides results from a controlled experiment on policy compliance in work environments with restrictive security technologies. The experimental setting involved subjects forming groups and required them to solve complex and creative tasks for virtual customers under increasing time pressure, while frustration and work impediment of the used security technology were measured. All subjects were briefed regarding existing security policies in the experiment setting, and the consequences of violating these policies, as well as the consequences for late delivery or failure to meet the quality criteria of the virtual customer. Policy breaches were observed late in the experiment, when time pressure was peaking. Subjects not only indicated maximum frustration, but also a strong and significant correlation (.765, p<.01) with work impediment caused by the security technology. This could indicate that user-centred design does not only contribute to the acceptance of a security technology, but may also be able to positively influence practical information security as a whole.
- Text document: Response and Cultural Biases in Information Security Policy Compliance Research (Open Identity Summit 2017, 2017)
  Kurowski, Sebastian; Dietrich, Fabina
  This contribution tries to shed light on whether current information security policy compliance research is affected by response (such as social desirability) or cultural biases. Based upon the hypothesis that response biases may be subject to information processing of the questionnaire item by the respondent, a classification of questionnaire items of 17 surveys is provided. Furthermore, the Individualism and Power Distance indices are gathered for the survey samples. Correlation analysis reveals that the Power Distance index correlates negatively, while Individualism correlates positively with the mean self-reported policy compliance. These findings support previous findings on the role of Power Distance and contradict the influence of response and social desirability biases on self-reported information security policy compliance.
- Conference paper: Risk variance: Towards a definition of varying outcomes of IT security risk assessment (Open Identity Summit 2022, 2022)
  Kurowski, Sebastian; Schunck, Christian H.
  Assessing IT-security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research however suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size in light of varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.