Human element of corporate espionage risk management : literature review on assessment and control of outsider and insider threats
Sandberg, Jarkko (2015)
Vakuutustiede - Insurance
Johtamiskorkeakoulu - School of Management
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Acceptance date
2015-05-12
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:uta-201505211467
Abstract
The primary purpose of this study is to determine how suitable human risk management controls are against corporate espionage. Information risks are a growing problem for corporations all over the world. Cyber attacks are commonplace, and the attackers are often trying to compromise valuable data assets. These malicious targeted attacks bypass traditional information security controls; therefore, organizations are endangered by these threats. Since traditional information security measures cannot effectively prevent trade secret thefts, companies must look for alternative remedies to mitigate the risks of corporate espionage. One viable solution is to focus on the human element of information risk management and thereby defeat malicious corporate spies.
This theoretical thesis aims to consolidate various sources of research literature in order to approach targeted threats from a human risk management perspective. The literature review incorporates research from various fields, such as cyber security, information risk management, corporate espionage, insider threat, and social engineering. The objective of the thesis is to merge these fields together and identify the most suitable risk management controls against corporate espionage activities. Corporate espionage activities often include exfiltrating valuable data via the Internet and information technology. Hence, the espionage activities are occurring in a challenging risk environment, which is introduced in this thesis.
A large part of this thesis focuses on the assessment of insider and outsider threats. These threat actors are analyzed and evaluated thoroughly, focusing on the motivation and opportunity of the perpetrators. The two main attack methods are social engineering and malicious insider activity. These attack methods are extremely dangerous to companies of all sizes, and risk management literature has largely ignored the subject. The legal remedies to these problems are inadequate as well, since corporate espionage attacks often emanate from states with weaker legislation on Internet crimes. However, companies can brace themselves against malicious insider activity and social engineering with careful assessment and risk management decisions. The research literature supports the view that the most effective ways to mitigate the risks of corporate espionage are to control the awareness and behavior of an organization's employees. The corporate espionage risks will not subside by themselves; hence, organizations must reinforce their policies and data management procedures.