Mitigating Leakage of Organizational Information in the Hyper-Connected Era: From the Perspectives of Managers and Employees Dr. Nurul Nuha Abdul Molok, Ph.D., LA27001, CCDA Head Dept. of Information Systems Faculty of Information & Communication Technology (ICT) International Islamic University Malaysia Research Symposium 21 November 2019


Mitigating Leakage of Organizational Information in the Hyper-Connected Era:

From the Perspectives of Managers and Employees

Dr. Nurul Nuha Abdul Molok, Ph.D., LA27001, CCDA

Head

Dept. of Information Systems

Faculty of Information & Communication Technology (ICT)

International Islamic University Malaysia

Research Symposium

21 November 2019


Outline

From the News

Information leakage cases

Insider threats

Inadvertent information leakage

Organizational information to be protected

Mitigating inadvertent information leakage


From the News


What would happen when 5G comes?


Information Leakage

• “a breach of the confidentiality of information, typically originating from staff inside an organisation and usually resulting in internal information being disclosed into the public domain” (ISF, 2007, p.2) across organisational boundaries

• May be intentional and unintentional

• May be malicious and non-malicious (but inappropriate)


Impacts of Leakage

• loss of competitive advantage, reputation and revenue

• penalties from breaches of confidentiality agreements

• malicious hackers will identify pathways into organizations


Our Research Findings: What do employees disclose on social media?

• Communicating with colleagues

  • Generally, participants communicated with colleagues about meetings, tasks, celebrations, commiserations and frustrations.

  • Employees posted about frustrations at work, typically expressing their dissatisfaction with the boss, colleagues, workloads and clients


Our Research Findings: What do employees disclose on social media

• Types of organizational information disclosed on Facebook

  • Information about the organization

  • Information about bosses and supervisors

  • Information about colleagues

  • Information about job description, meetings or tasks

  • Information about company events

  • Information about clients

  • Information about other stakeholders


Our Research Findings: Feedback from the industry

• Risky OSN Behaviour

  • Posting information that might be sensitive to the organization

  • Having a social media profile that is not protected

  • Accepting friends’ requests from unknown people

  • Playing games and using third party applications

  • Clicking external links

• Security Impacts

  • Information or intelligence gathering

  • Reputational risk

  • Malware distribution

  • Identity theft

  • Network performance issue

  • Employees’ productivity level

Garden of Knowledge and Virtue


Strategies to mitigate information leakage


ICT Security Policies

• Information security policy (ISP)

  • clear classification of confidential and sensitive information

• Acceptable use policy of the Internet and social media

  • aligned with business processes and job requirement

• Must be designed, implemented, enforced and reviewed to ensure effectiveness (ISO/IEC, 2013)

• Communicated with and understood by employees

• Requires employees’ deep understanding and beliefs about the severity of security breaches


Security Education, Training & Awareness

• Improves employee security behaviour by:

  • (1) building in-depth knowledge to design, implement, or operate information security programs for organisations and systems through security education for employees with information security responsibilities;

  • (2) developing employees’ skills to perform their jobs while using IS more securely through security training; and

  • (3) improving employees’ awareness to protect IS resources against risks through security awareness programs.

• Tailored awareness programs in accordance with management levels


Technical Controls

• Data leakage/loss prevention/protection (DLP) systems

  • as the control mechanism for unintentional information leakage among employees that may happen through any leakage platforms including email and social media

• Web filtering systems

• Unified Threat Management (UTM)

  • all-in-one security appliances include firewall, IDS/IPS, DLP, antivirus, VPN capabilities, antispam, malicious web traffic filtering, antispyware, content filtering, traffic shaping


Our Research Findings: Mitigating inadvertent information leakage

• The strategy was influenced by

  • Management’s perception of security impacts of employees’ behaviour

    • The security managers’ perception of the security issue had a huge impact on what security strategy they chose

  • Management’s commitment to security initiatives

  • Assignment of security responsibility

  • Employees’ behaviour

• Maturity framework to mitigate sensitive information leakage through social media
