Ali Yayla


Over the past decade, several studies, industry reports and surveys have shown that insider threats play a significant role in information security. Following the literature, we categorize insider threats as intentional and unintentional. Computer misuse and fraud are considered the two most common intentional threats, whereas user errors and negligence are considered the two most common unintentional threats. Building on the organizational behavior, psychology and criminology literatures, this paper introduces different socio-behavioral control mechanisms to mitigate insider threats to information security. These mechanisms include employees’ integration into and commitment to their job and organization, deterrence measures, management of work-related stress, awareness of security issues, and motivation of employees. These socio-behavioral mechanisms are accompanied by technical aspects such as the user interface of security tools and technology-based controls. Lastly, the integrative and reinforcing role of security policies within the proposed framework is discussed.