AMES, Iowa -- Periodic news accounts about computer hacking and deployment of worms and viruses strike fear in companies that now conduct much of their business online. But an Iowa State University information security researcher says their real fear should be corporate espionage.
"What our studies -- and many others by my colleagues in the field of information security -- have suggested is that internal computer fraud is a more significant issue than external hacking," said Qing Hu, a professor and chair of logistics, operations and management information systems at Iowa State. "External hacking gets headlines, but internal fraud -- employees actually altering data or stealing secrets and sending them to other companies -- is more prevalent than it is reported.
"The unfortunate thing is that companies don't want to report these types of things," he said. "It's only when you talk to individual companies that the manager will sometimes admit, 'Yes, we do have to discipline certain employees because they access commercial secrets that they weren't supposed to, and we had to fire some people because they sold some of our commercial secrets -- from product designs to marketing plans to pricing information -- to other companies.'"
Hu has spoken with such managers for research he's conducted on corporate information security management and user behavior toward protective technologies. Those studies -- which were part of a sponsored research program by the U.S. Department of Defense from 2005-07 -- were published within the last two years in information system journals. They took a different approach to addressing the security problem.
"When I look at a security issue, I do not focus on the technology," said Hu, who is a Microsoft Certified Systems Engineer and Solution Developer. "Information security technology is abundant -- hardware, software, etc. -- and organizations have invested millions of dollars purchasing that technology and installing it on their systems. But still, we hear horror stories about T.J. Maxx's system being broken into, 45 million credit card numbers being stolen, or something happening to this company or that company. So why do those things keep happening while we have invested so much money in terms of buying the security hardware and software?"
Hu contends it's because company employees aren't often educated well enough on information security policies and procedures. His research specifically examined how individual factors and an organization's culture affect its information security management effectiveness.
"The purpose of doing this research is first, to provide a better understanding of human behavior in organizations in the context of information security," Hu said. "Second, it's to provide some practical guidelines to businesses that say, 'OK, if you consider security to be a big issue, not only do you need to install the most sophisticated software and hardware, you also need to educate and set up those programs for employees -- and then enforce them.' So you have to have those processes in place to encourage good behavior and inhibit the potential bad behavior."
Hu is currently working with colleagues in the U.S., China and Finland on multiple research projects based on criminology theories and large-scale international surveys. The studies are designed to identify the individual factors -- such as moral beliefs and self-control -- that may affect a person's propensity to commit information security-related crimes.
"We want to understand why certain employees are more inclined to do bad things, while others are not," he said. "In the criminology research, there is a spectrum of theories and perspectives that explain why certain people are so inclined to commit crime, while others can inhibit that urge. So what I want to do in the immediate future is to explain that as it pertains to information security."
He hopes to have results from those surveys within the year. Hu also plans to collaborate with researchers from Iowa State's criminology and criminal justice program on future studies.