Need a 15 page APA paper in next 2 days
The paper should contain subheadings: 1.) Literature Review on Gamification for security training. 2.) Literature Review on Information Security Compliance. 3.) Literature review on flow theory (https://en.wikipedia.org/wiki/Flow_(psychology)).
Discuss how gamification will lead to flow theory and finally lead to information security compliance.
Need updated research model with hypothesis (refer: https://core.ac.uk/reader/196661264 ,
RESEARCH ARTICLE
A LONGITUDINAL STUDY OF UNAUTHORIZED ACCESS ATTEMPTS ON INFORMATION SYSTEMS: THE ROLE OF OPPORTUNITY CONTEXTS[1]
Jingguo Wang
Department of Information Systems and Operations Management, College of Business, University of Texas at Arlington, Arlington, TX 76019 U.S.A.
Zhe Shan
Department of Information Systems and Analytics, Farmer School of Business, Miami University, Oxford, OH 45056 U.S.A.
Manish Gupta
Department of Management Science and Systems, School of Management, State University of New York at Buffalo, Amherst, NY 14260 U.S.A.
H. Raghav Rao
Department of Information Systems and Cyber Security, College of Business, University of Texas at San Antonio, San Antonio, TX 78249 U.S.A.
This study investigates employee behavior of unauthorized access attempts on information systems (IS) applications in a financial institution and examines how opportunity contexts facilitate such behavior. By contextualizing multilevel criminal opportunity theory, we develop a model that considers both employee- and department-level opportunity contexts. At the employee level, we hypothesize that the scope and data value of the applications that an employee has legitimately accessed, together with the time when and location where the employee initiates access, affect the likelihood of the employee making unauthorized access attempts. At the department level, we hypothesize that department size moderates the impact of employee-level contextual variables on the likelihood of an employee making unauthorized attempts. To test these hypotheses, we collected six months of access log data from an enterprise single sign-on system of a financial institution. We find the hypothesized main effects of all employee-level contextual variables and department size are supported. In addition, department size reinforces the effects of data value, off-hour access, off-site access, and their interaction term, except for that of scope, on the outcome variable. Robustness analyses indicate that the proposed model does not align with those employees who might not know the systems well enough or who might make honest mistakes. We also discuss the theoretical and practical implications of the study.
Keywords: Information security, insider threats, multilevel criminal opportunity theory, contextualization,
multilevel analysis, longitudinal data, user behavior analytics
[1] Indranil Bardhan was the accepting senior editor for this paper. Michael Chau served as the associate editor.
The appendices for this paper are located in the Online Supplements section of MIS Quarterly's website (https://misq.org).
DOI: 10.25300/MISQ/2019/14751. MIS Quarterly Vol. 43 No. 2, pp. 601-622/June 2019
Wang et al./Unauthorized Access Attempts on Information Systems
Introduction
Insider threats pose significant risk to an organization's digital assets. According to the 2015 Vormetric insider threat report (Vormetric 2015), 89% of organizations surveyed believe they are at risk from insider attacks, and 55% suggest privileged users pose the greatest internal threat to corporate data. Studies in behavioral information security have explored insiders' psychological drives, including neutralization (Siponen and Vance 2010; Willison and Warkentin 2013), moral beliefs and reasoning (Myyry et al. 2009), and disgruntlement (Willison and Warkentin 2013), among others, that motivate offenses, for example, violating information systems policies or abusing IT resources (Cram et al. 2018). However, it is unclear how insider threats to digital assets eventuate from individual, unique circumstances.[2] An investigation in this regard is necessary for developing effective situational prevention mechanisms to mitigate insider threats as opportunity is more tangible than motive (Padayachee 2016; Willison and Siponen 2009).
Criminal opportunity is a function of the amount of convergence between a motivated offender and a suitable target (Cohen and Felson 1979; Wilcox et al. 2003). The opportunity that arises in an environment is often assumed to be a necessary (if not sufficient) condition for a motivated offender (i.e., someone primed to offend) to commit an offense or crime (Cohen and Felson 1979; Hindelang et al. 1978; Wilcox et al. 2003). The absence or presence of opportunity leads to when and where a crime takes place. Understanding opportunity and its structure is critical to designing effective crime prevention mechanisms. Criminal opportunity contexts refer to the social, physical, individual, and environmental conditions that facilitate criminal opportunity by influencing the supply of suitable targets, ineffective guardianship, and their possible overlap, given a potential offender with criminal inclinations or motives (Wilcox et al. 2003). Adapting the opportunity structure for crime (Clarke 1995), Willison (2002) describes a conceptual model for computer input fraud, referred to as crime-specific opportunity structure. The model provides a holistic conceptualization and urges consideration of the relationships between offender, organizational contexts, requisite safeguards, and the departments responsible for them.
Recognizing the importance of opportunity in offense occurrence and the interdependence between the activities and behavior patterns of victims and the decisions and behaviors of offenders (Wilcox et al. 2003), some studies have examined how environmental settings (or opportunity contexts) influence the victimization risk of targets (Miethe and Meier 1990). In investigating the causes of cybercrime victimization, prior studies suggest that an individual's online lifestyle patterns, indicated by daily online activities or choices that provide or inhibit criminal opportunity, affect one's likelihood of becoming a victim of cybercrime (Holt and Bossler 2008). In investigating the attack proneness of information systems[3] in a financial institution, Wang, Gupta, and Rao (2015)[4] suggest that IS applications' victimization risks are significantly influenced by application characteristics reflecting target suitability and the absence or presence of guardians in surroundings.
Through a victim perspective, those studies quantify the risks for a potential target. Their findings enable the development of effective mitigation strategies that largely rely on modifying the characteristics or behavioral patterns of a target to reduce suitability for potential attacks. However, such strategies could be difficult to implement when the characteristics and/or behavioral patterns of the target, such as an IS application, are difficult to change. Furthermore, such a perspective does not provide useful direct insights regarding potential offenders' behaviors and how opportunity contexts can foster illegitimate acts. A systematic theorization and empirical validation of how opportunity contexts drive malicious acts with regard to digital assets could guide organizations on how to develop pragmatic intervention strategies to alter the behaviors of potential offenders (Padayachee 2016; Willison and Siponen 2009).
Taking the perspective of potential offenders, this study focuses on aspects of what is known in the practitioner world as user behavior analytics.[5] User behavior analytics involves the examination of historical data logs to identify anomalous patterns of behavior both by legitimate and malicious users. It is a means for organizations to counter likely digital crimes that pose risk to systems in organizations. In a corporate environment, it involves monitoring of the network, the employees, and the assets.[6] In particular, this paper investigates employee behavior of making unauthorized attempts to access applications or web resources without appropriate privileges (e.g., read, write/modify, and execution). As employees could gain access to certain organizational data that they probably should not have, unauthorized access attempts may point to the loopholes in an organization where there is a lack of adequate policies and safeguards, and the potentially damaging consequences (Shaw et al. 1999). Thus, both the industry and academic researchers consider unauthorized access attempts as a key risk indicator of insider threats. A key aspect of corporate control and risk management strategies is to execute suspicious activity monitoring that tracks unauthorized access attempts employees make on information system applications (Davis 2010, 2011).
[2] See Appendix A for a review of relevant literature.
[3] We use the terms information systems and information systems applications interchangeably to refer to software programs designed to perform a function or suite of related functions.
[4] See Appendix B for a detailed comparison of Wang, Gupta, and Rao and the current study.
[5] http://searchsecurity.techtarget.com/definition/user-behavior-analytics-UBA
[6] https://www.securityondemand.com/news-posts/exactly-behavioral-analytics/
This study contextualizes multilevel criminal opportunity theory (Wilcox et al. 2003) to the domain of insider threats and expounds on opportunity contexts. It carries out multilevel analyses that incorporate contextual variables at both the employee and department levels to explain employees' unauthorized access attempts. Multilevel models provide a convenient analytical framework with concordance between theoretical approaches and statistical analyses for data with a hierarchical structure. At the employee level, we hypothesize that the scope and data value of the applications that an employee has legitimately accessed, together with the time when, and the location where, the employee initiated the access, affect the likelihood of unauthorized attempts occurring. At the department level, we hypothesize that department size moderates the impact of the employee-level contextual variables on the likelihood of unauthorized attempts occurring.
For hypothesis testing, we gathered application access logs spanning six months (February–July 2014) from an enterprise single sign-on system (ESSO) in a financial institution in the northeast United States. According to the results, the effects of all employee-level contextual variables and department size on the likelihood of employees having unauthorized access attempts are significant. In addition, department size moderates the effects of data value, access time, access location, and their interaction, except for the effect of scope. Robustness analyses show that the variables do not well explain unauthorized attempt behavior of employees who are new to the systems (i.e., in their first one or two months of using the system). The analyses suggest that the proposed model may be a better fit for the behavior of those employees familiar with the systems who are more likely to make rational, intentional choices in their system access rather than unintentional mistakes.
Based on a natural setting in a financial organization, this study is one of the first to systematically explore how opportunity contexts drive employee behavior toward information systems. It provides empirical evidence for the important role of opportunity contexts in understanding insider threats. While most studies of insider threats focus either on the impact of individual characteristics and organizational factors on insider behavior (Cram et al. 2018; Teodor et al. 2014) or conceptually discuss the use of situational prevention techniques in mitigating insider threats (Padayachee 2016; Willison and Siponen 2009), this study bridges the literature gap by empirically illustrating the effects of opportunity contexts on insider behavior. From a practical point of view, our study will enable security managers to understand how employee behaviors change across access contexts so that management can create a dynamic risk profile of employees without relying solely on static attributes, such as demographics and personality.[7] Moreover, nowadays more and more organizations offer employees flexible work arrangements. Therefore, as the contexts within which employees access information systems vary, such a trend brings new challenges to information security management. A study that can offer insights on how insider threats have shifted due to this workspace change can inform the design and implementation of more effective security management practices at organizations.
Theory and Hypothesis Development
Multilevel Criminal Opportunity Theory
Stemming from rational choice assumptions, multilevel criminal opportunity theory (Cohen and Felson 1979; Hindelang et al. 1978; Wilcox et al. 2003) integrates routine activity and social disorganization theories. The theory is concerned not with criminals per se (for example, their asocial tendencies) but with how criminal opportunity contexts affect the occurrence of crime. Its fundamental premise is that opportunity contexts at both the individual and community level need to be more or less favorable for offenses to occur (Wilcox et al. 2003).[8]
Criminal opportunity exists at the intersection of motivated offenders, suitable targets, and ineffective guardianship (Cohen and Felson 1979; Hindelang et al. 1978; Wilcox et al. 2003). Figure 1 illustrates varying degrees of criminal opportunity given a potential offender (referred to as situations in the figure). In situations with a larger size of suitable targets (Situation 2) or ineffective guardianship (Situation 3), there is a larger convergence (compared with Situation 1). Even with the same potential offender, suitable targets, and ineffective guardianship, the amount of convergence (i.e., opportunity) may vary in different occasions (Situation 4 versus Situation 5). For instance, the larger overlap in Situation 5 versus Situation 4 could be a result of inadequate social control at the community level (Kornhauser 1978). Along these lines, multilevel criminal opportunity theory seeks to explain the likelihood of criminal acts as a function of circumstantial determinants at different levels that influence suitable targets, ineffective guardianship, and their likelihood of convergence for a given offender (Wilcox et al. 2003).
[Figure 1. Varying Criminal Opportunity for a Potential Offender (Adapted from Wilcox et al. 2003). Each situation panel shows criminal opportunity as the overlap of suitable targets, ineffective guardianship, and the criminal inclinations of a potential offender.]
[7] We thank a Vice President and Manager of Information Security at the financial institution for these comments.
[8] Multilevel criminal opportunity theory assumes criminal inclination as a given and downplays individual motivations for crimes (i.e., what drives some individuals to offend). There are no defining characteristics that distinguish those who are highly motivated and those who are not (Wilcox et al. 2003). In this paper, we do not assume criminal inclinations to be universal and constant among all insiders. As reflected in our regression models, we acknowledge there may be individual differences among potential offenders.
At the individual level, from the perspective of potential offenders, opportunity contexts are the factors defining their awareness of suitable targets and realization of ineffective guardianship (Wilcox et al. 2003). Individuals carry out regular activities in the environment, referred to as action space, with which they are familiar (Horton and Reynolds 1971). Through their movements and gleaning of knowledge in the action space, potential offenders develop an awareness space via a process of cognitive mapping in which they classify and code the information gathered (Bernard-Butcher 1991). The awareness space includes the surrounding areas that potential offenders are aware of but are not as familiar with as the action space (Bernard-Butcher 1991). As they move in their awareness space, offenders make conscious or unconscious mental notes on the desirability of certain targets (Bernard-Butcher 1991). They search their awareness space to identify criminal opportunity and look for suitable targets (Brantingham and Brantingham 1991). With more knowledge of the environment, offenders can better estimate and minimize their risk, find where the most suitable targets are, and improve their chances of success (Van Daele and Beken 2011). In fact, offenders commit a majority of crimes in areas they visit during their routine activities (Brantingham and Brantingham 1991; Van Daele and Beken 2011). An offender's awareness space may change based on new information and as a result of searching (Andresen et al. 2016). With a larger awareness space, potential offenders have a broader target search area and are more likely to find targets in more places (Canter and Youngs 2008).
At the community level, opportunity contexts refer to the set of ambient characteristics of a community and include such constructs as aggregated target suitability (e.g., student enrollment in a school context) and aggregated capable guardianship (e.g., frequency of police patrols in a neighborhood context) (Wilcox et al. 2003). As cyberspace is a different environment (Yar 2005), the opportunity for insider threats on digital assets resides in the virtual space generated by insiders' interconnection of information system applications and the traditional organizational environment consisting of the social situations in groups or departments (Willison 2006b).
Regarding the effects of community contexts, multilevel criminal opportunity theory largely draws upon social disorganization theory; it argues that the ecological characteristics of community produce social disorganization, which then gives rise to criminal acts (Kornhauser 1978; Wilcox et al. 2003). Linked to the effectiveness of social control in a community, characteristics such as size are often used to understand crime rate (Wilcox Rountree and Land 1996). Moreover, community-level factors can moderate the relationship between individual-level factors and crime (Wilcox et al. 2003). Multiple-level analyses of criminal opportunity usually emerge from the interaction among factors at individual and community levels. As opportunity contexts at different levels operate either individually or interactively, the relationship between individual-level factors and crimes is not uniform across communities. Also, the effect of individual-level target attractiveness and guardianship on victimization risk may be correlated with neighborhood socioeconomic status (Kennedy and Forde 1990).
Research Model and Hypotheses
Multilevel criminal opportunity theory provides a theoretical lens to investigate how opportunity contexts may affect employees' behavior of making unauthorized access attempts on IS applications. Following this lens, we consider opportunity contexts for unauthorized access attempts at both the employee and department levels (Table 1). Figure 2 presents the research model and hypotheses.
Employees' Behavior of Unauthorized Access Attempts
Indicators of a potential insider threat can be separated into four categories: recruitment, information collection, information transmittal, and general suspicious behavior (Center for Development of Security Excellence 2018). For the purposes of this paper, we focus on the categories of information collection and general suspicious behavior. Indicators of information collection include acquiring access to automated information systems without authorization and seeking to obtain access to critical assets inconsistent with present duty requirements. Indicators regarding general suspicious behavior include attempting to expand access to critical assets by repeatedly volunteering for assignments or duties beyond the normal scope of responsibilities and performing repeated or unrequired work outside of normal duty hours, especially unaccompanied. Recruitment is a human resources issue and information transmission is in the context of exfiltration of information from inside the organization to outside; both are beyond the scope of this paper.
Thus, being able to track insiders to understand their levels of individual risk would help in risk assessment across each insider's activities. The solution is user activity monitoring (Velez 2015), which looks at behavior and spots trends. This allows an analyst to cut through the large number of alerts, determine the situation, and take action to stop an insider threat. In this study, we track employees' unauthorized attempts to access applications or web resources without the appropriate privileges (e.g., read, write/modify, and execution). These are captured by the management consoles of the security logs that watch for failed use of privileges, failed attempts to access and modify files that an employee should not have access to, unauthorized attempts to upload files to a directory containing executable files, etc.[9] For an insider, unauthorized computer access is usually a process of trial and error (Dunne 1994).
We consider insiders' behavior of repeated attempts to access information for which they do not have authorization as the outcome variable. This behavior has been seen to be inherently destructive and wasteful (Dunne 1994). Information security managers often hope that effective deterrents for such behavior are in place. We anticipate that the results will help to develop antidotal deterrent mechanisms that can be used by information security managers in the context of discouraging unauthorized access of information assets as well as assisting them with designing response mechanisms to mitigate risks from such attempts. The findings could be used to develop effective ways of reducing unauthorized access to critical digital assets.
While unauthorized access attempts cannot be labeled as offenses or crimes in a rigorous sense, in the words of the IT security manager of the financial institution, they are symptoms of noncompliance with rules and signals of potential crimes. We believe such behavior is consistent with the assumptions needed for the theory. First, employees in organizations such as financial institutions rely on information systems to carry out tasks on a daily basis. In other words, accessing information systems is part of their daily routine activities. Second, like traditional crimes and offenses that deviate from one's normal activities, unauthorized access attempts deviate from one's daily job routines in which only authorized applications are needed to execute job tasks (Cummings et al. 2012). Because unauthorized access attempts pose significant threats to information security, they are regarded as red flags and prohibited by organizational policies (Davis 2010, 2011). Third, while unintentional attempts may not be a result of rational choices, intentional attempts, whether malicious or not, are based on an insider's rational consideration of the tradeoff between risks and benefits (Loch et al. 1992; Willison and Warkentin 2013); that is, being caught may lead to serious consequences and/or punishment, yet successful access could be rewarded with immediate gratification (e.g., satisfying one's curiosity) or potential long-term benefits (e.g., financial gains or competitive advantages) (Shaw et al. 1999).
Figure 2. Research Model and Hypotheses
[9] http://www.nsi.bg/nrnm/Help/iisHelp/iis/htm/core/iidetsc.htm
In other words, intentional unauthorized access attempts could be the result of insiders' rational choices, as multilevel criminal opportunity theory assumes offenses or crimes to be. In fact, Silowash et al. (2012) define a malicious insider as someone who
has or had authorized access to an organization's network, system, or data [and] has intentionally exceeded or intentionally used that access in a manner that negatively affected the organization's information or information systems (p. 3; emphasis added).
Further, Costa et al. (2016, p. 1) have pointed out that once suspected malicious activity has been identified, organizations perform forensic investigations of affected assets.[10] We reached out to an IT security manager in the financial institution who confirmed that when there is suspicion of nefarious activity, the application access logs are examined and unauthorized access attempts are given close attention. Employees' system access logs are retained for an extensive time period for the purposes of regulation compliance, forensics examination, and internal investigations. In addition, such logs are used by a centralized log management system as a major data source for investigation of potential malicious activities.
From Opportunity Contexts to Unauthorized Access Attempts
As suggested by criminal opportunity theory, at the employee level, we focus on the opportunity contexts that capture employees' awareness of targets and their realization of ineffective guardianship. We capture employees' knowledge and awareness space of the existence and whereabouts of applications in terms of two dimensions: scope and data value of accessed applications. Scope of accessed applications refers to the range of IS applications that are legitimately executed by an employee. Data value of accessed applications refers to the worth of the data possessed by the IS applications that are legitimately executed by an employee. Given that the basic access control policy is on a need-to-know basis, these two dimensions characterize an employee's legitimate systems behavior confined within his or her daily tasks (that may change from time to time). As discussed in detail in the following subsection, we hypothesize that when employees have broader accesses to information applications, it is more likely for them to make unauthorized access attempts (H1); and that when employees have accesses to more valuable data, it is more likely for them to make unauthorized access attempts (H2).
[10] We thank an anonymous referee for alerting us to this citation.
Table 1. An Extension of Multilevel Criminal Opportunity Theory to Insider Threats
Theoretical Framework | Construct | Definition
Offenses (DV) | Unauthorized access attempts | The likelihood of an employee making repeated access attempts on an application for which he or she has no privileges.
Employee Level
Awareness of Targets | Scope of accessed applications | The range of information systems applications that are legitimately executed by an employee.
Awareness of Targets | Data value of accessed applications | The worth of the data possessed by the information systems applications that are legitimately executed by an employee.
Realization of Ineffective Guardianship | Temporal realization | The likelihood of having ineffective guardianship at the times when an employee initiates access.
Realization of Ineffective Guardianship | Spatial realization | The likelihood of having ineffective guardianship at the locations where an employee initiates access.
Department Level
Community Context | Department size | The size of the department that an employee belongs to.
We capture employees' realization of the absence or presence of effective guardianship via two key aspects of access contexts: the temporal characteristic of when (termed as temporal realization) and the spatial characteristic of where (termed as spatial realization) an employee has initiated his or her application access. Temporal realization of ineffective guardianship refers to the likelihood of having ineffective guardianship at the times when an employee initiates access. Spatial realization of ineffective guardianship refers to the likelihood of having ineffective guardianship at the locations where an employee initiates access. We hypothesize that (1) when employees access at a time when there is more likely to be ineffective guardianship, they are more likely to make unauthorized attempts (H3); (2) when employees access from locations where there is more likely to be ineffective guardianship, they are more likely to make unauthorized attempts (H4); (3) temporal and spatial realization of ineffective guardianship reinforces each other's impact on unauthorized access attempts (H5).
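The employee-level constructs of Table 1 can be computed directly from access records. The following Python example is an added illustration, not code or measures from the study: the five-field record layout, the weekday 08:00-18:00 business window, the 1-5 data-value ratings, and the threshold of two denials for a "repeated" attempt are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not real data). Assumed layout per line:
# ISO timestamp, employee id, application, session origin, access decision.
SAMPLE_LOG = """\
2014-02-03T09:15:00 e101 payroll onsite allow
2014-02-03T09:40:00 e101 crm onsite allow
2014-02-03T21:05:00 e101 wire_transfer offsite deny
2014-02-03T21:06:00 e101 wire_transfer offsite deny
2014-02-04T10:00:00 e102 crm onsite allow
2014-02-04T10:30:00 e102 payroll onsite deny
2014-02-08T14:00:00 e102 crm offsite allow
"""

# Assumptions of this example, not values from the study.
DATA_VALUE = {"crm": 2, "payroll": 4, "wire_transfer": 5}  # hypothetical 1-5 rating
BUSINESS_START, BUSINESS_END = 8, 18   # weekday business window, local hours
REPEAT_THRESHOLD = 2                   # denials on one application that count as "repeated"


@dataclass(frozen=True)
class Access:
    when: datetime
    employee: str
    app: str
    offsite: bool
    allowed: bool


def parse_log(text):
    """Parse the assumed five-field layout; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if (len(parts) != 5 or parts[3] not in ("onsite", "offsite")
                or parts[4] not in ("allow", "deny")):
            raise ValueError(f"line {lineno}: malformed record: {line!r}")
        records.append(Access(datetime.fromisoformat(parts[0]), parts[1],
                              parts[2], parts[3] == "offsite", parts[4] == "allow"))
    return records


def is_off_hour(when):
    """Weekend, or outside the assumed business window on a weekday."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.hour < BUSINESS_END)


def employee_context(records):
    """Return, per employee, the Table 1 employee-level variables and the outcome."""
    by_employee = defaultdict(list)
    for rec in records:
        by_employee[rec.employee].append(rec)

    result = {}
    for employee, events in by_employee.items():
        # Awareness of targets is built only from legitimately executed applications.
        legit_apps = {e.app for e in events if e.allowed}
        denials = defaultdict(int)
        for e in events:
            if not e.allowed:
                denials[e.app] += 1
        total = len(events)
        # Unrated applications default to the lowest rating (assumption).
        ratings = [DATA_VALUE.get(app, 1) for app in legit_apps]
        result[employee] = {
            "scope": len(legit_apps),
            "data_value": sum(ratings) / len(ratings) if ratings else 0.0,
            "off_hour_share": sum(is_off_hour(e.when) for e in events) / total,
            "off_site_share": sum(e.offsite for e in events) / total,
            # Interaction of temporal and spatial realization (H5).
            "off_hour_and_off_site_share":
                sum(is_off_hour(e.when) and e.offsite for e in events) / total,
            # Outcome: repeated denied attempts on one application; a single
            # denial is not counted, since it may be an honest mistake.
            "repeated_unauthorized":
                any(count >= REPEAT_THRESHOLD for count in denials.values()),
        }
    return result


if __name__ == "__main__":
    for employee, ctx in sorted(employee_context(parse_log(SAMPLE_LOG)).items()):
        print(employee, ctx)
```

In the constructed sample, e101 is flagged because both denials target the same application in one off-hour, off-site session, while e102's single denial stays below the assumed threshold.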
At the community level, we focus on the effect of department size. In the pursuit of IS security, departments typically develop and implement plans, policies, etc., to ensure the security of information resources, along with user training programs and governance structures to promote compliance (Warkentin and Johnston 2008). As each department has unique characteristics beyond individual characteristics of group members, group characteristics need to be examined independently (Suleiman and Watson 2008). In particular, group size has been used to explain different social phenomena in technology (Alnuaimi et al. 2010; Suleiman and Watson 2008), for example, social loafing in technology-supported teams. Similarly, in the management and psychology literature, unit size has been one of the most studied group characteristics (Thomas and Fink 1963). Larger unit size has been found to be associated with lower levels of job satisfaction and group cohesiveness (Muchinsky and Tuttle 1979; Shaw 1981). However, this attribute has been measured in different ways, such as the number of employees, sales, market cap, and the number of installed IT platforms (Kotulic and Clark 2004), among which the number of employees, as operationalized in this paper, is the most popular (Raymond 1990; Thomas and Fink 1963). We hypothesize that department size is positively correlated to unauthorized access attempts (H6a). Moreover, it reinforces the effects of employee-level contextual variables (H6b–H6f).
Awareness of Target: Scope and Data Value of Accessed Applications
While knowledge about applications could be beneficial to performing daily duties, it may also enable potential offenders to become aware of the existence and whereabouts of potential targets (Willison 2000, 2002). Indeed, through legitimate system activities, potential offenders develop an awareness space that they can explore and examine to gather information about risk factors as well as which applications may possibly be exploited (Willison 2006b). According to a CERT report on insider theft in the United States (Spooner et al. 2013), those who committed insider theft crimes often had some level of authorized access to the information they stole.
Most applications connect with each other in various ways. When employees have greater scope of access to several applications, they may have more knowledge about the systems as a whole. In other words, insiders would develop a larger awareness space and cognitive map with broader access to applications within the organization. A larger awareness space and cognitive map facilitates a broader search that may help identify more suitable application targets for unauthorize