Towards a framework for mitigating information security insider threats in public institutions: case study office of the auditor general
Abstract
Public institutions need to understand the vulnerabilities and risks associated with insider threats and implement sound information security practices to defend against them. Effective management of insider threats requires a risk-based, organization-wide approach that involves a range of stakeholders rather than the IT function alone.
The research revealed several information security weaknesses that insiders are likely to exploit in public institutions. The underlying cause of these weaknesses is public institutions' failure to fully or effectively implement information security programs, which involve assessing and managing risk, implementing both technical and non-technical controls, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of security controls, and implementing appropriate remedial actions.
The proposed framework is drawn from existing information security best practices and standards, as well as from the research findings, to provide guidance for public institutions to improve their position against insider threats. It provides an enterprise-wide solution to insider threats and consists of four security layers: Information Security Governance, Insider Risk Management, Defense-in-Depth Strategy, and Continuous Information Security Improvement. Public institutions should deploy and enforce controls at each layer to address the insider problem. The four layers do not operate independently of each other; rather, the implementation of controls across all four layers forms the core of this approach.