Insider threats pose significant risk to an organisation’s digital assets that can severely impact business objectives. According to the 2015 Vormetric insider threat report, 89 per cent of organisations surveyed believe they are at risk from insider attacks, and 55 per cent suggest privileged users pose the greatest internal threat to security of corporate data. Information security researchers have been trying to investigate and respond to this challenge from both the technical and managerial perspectives.

Studies in behavioural information security have explored insiders’ psychological drives, including neutralisation, moral beliefs and reasoning, and disgruntlement, among others, that motivate offences, e.g., violating information systems policies. Often, those studies assume that opportunity for insiders to commit such offences are abundant, and miss to account for the variation in existence of criminal opportunities. It is unclear so far, how insider threats to digital assets eventuate from individual and community circumstances. An investigation in this regard is necessary for developing effective situational prevention mechanisms to mitigate insider threats, as opportunity is more tangible than motive.

This study examined how situational contexts amend insider behaviour by investigating employee behaviour of unauthorised access attempts on information systems applications in a financial institution. Taking the perspective of potential offenders, this study focuses on aspects of what is known in the practitioner world as user behaviour analytics, which involves the examination of historical user activity logs to identify anomalous patterns of behaviour by both legitimate and malicious users. A key aspect of enterprise control and risk management strategy is to manage a suspicious activity-monitoring program that tracks employees’ unauthorised access attempts on information system applications.

We collected application access log data from an enterprise single sign-on (ESSO) system at a US-based financial institution. The ESSO system integrates more than 30 applications within the organisation and allows employees to traverse through these applications without repeated sign-in. The ESSO system tracks users’ authentication and access activities on these applications. The dataset has a hierarchical structure in which an employee was observed over six months, and each employee belonged to a department. An employee’s behaviour observed at multiple time points may be correlated with and driven by the same individual characteristics as opposed to contextual variables. Similarly, the behaviour of employees from the same department may be driven by department characteristics.

For data analyses, we employed multilevel modelling as an effective way to examine the data with a hierarchical structure and better estimate the effects of variables at different levels as well as their cross-level interactions. The results indicate that individual-level contextual variables including the number and the confidentiality of accessible applications, access time, and access location play important roles in influencing unauthorised access attempts by an employee.  In addition, employees in a larger department are more likely to take advantage of the opportunities present in their environment. This study highlights the importance of contextual explanations of insider activities and sheds lights on the role of opportunity contexts in insider threats.

With the increasing trend of allowing employees to have a flexible schedule in organisations, more and more employees work after regular hours and/or from remote locations. Empowering workers with access to systems and data from anywhere and at any time is rapidly morphing the traditional threat landscape, suggesting the need for a major re-calibration of access management practices and strategy. Our study helps security managers better understand how employee activities may change along with their surroundings. Management can create a dynamic risk profile for employees, one that not only relies on static attributes of the users, but also considers the characteristics of where and when access is initiated. Our study also suggests that the risk profiles for adaptive authentication should consider time of user access, access location, the history of application access, and characteristics of the department the user is in. Those considerations could include fine-grained access and policy-based review of access logs. Finally, for security managers, our findings can inform the development of situational crime prevention techniques through changes in the conditions and circumstances that foster insider crimes.



Jingguo Wang is a professor in the department of information systems and operations management in the College of Business Administration at the University of Texas at Arlington. He holds a PhD in management science and systems and an MS in industrial engineering from the State University of New York at Buffalo, and a BS in computer science from Fudan University, China.


Jay Shan is an assistant professor in department of information systems and analytics at Miami University’s Farmer School of Business. He earned his PhD in business administration and operations research from Penn State University’s Smeal College of Business. His research interests include fintech innovation, blockchain, information security management, patient-centred healthcare and business process analytics.


Manish Gupta is senior audit manager at one of the 15 largest banks in the US, overseeing entire enterprise wide security and technology audit portfolios. Previously he has held senior management and leadership roles in the functions of cybersecurity and technology risk management. Spanning more than 15 years, his professional experience includes establishing, leading and governing effective programs for various cybersecurity capabilities including regulatory compliance, risk management and governance. He is also adjunct assistant professor at State University of New York at Buffalo, teaching graduate courses in IT auditing and IT risk management since 2012.

H. R. Rao is the AT&T Distinguished Chair in infrastructure assurance and security at the University of Texas at San Antonio’s College of Business. He also holds a courtesy appointment as full professor in the UTSA department of computer science. Prior to working at UTSA, he was the SUNY Buffalo Distinguished Service Professor. His interests are in the areas of management information systems, decision support systems, e-business, emergency response management systems and information assurance.