INFORMATION SECURITY : THREAT FROM EMPLOYEES

Information security inside organizations has become a major issue in a global, networked world, and user behaviour plays an important role in both the accessibility and the security of information. The behaviour of users is an increasing threat to their organization's information security. As organizations invest in and implement information security systems, the behaviour of employees has become correspondingly important. This paper examines how workers treat information security, the so called "people problem". The personal information security behaviour of health care professionals and of workers in a Croatian production company was surveyed. Results show that the overall behaviour of respondents from the production company is more responsible, and that security awareness and proper use of passwords are associated with knowledge about the importance of applying security in one's work. Further research is recommended.


INTRODUCTION
Information security involves people and technology. Up to 90% of companies and organizations encounter at least one information security incident during the business year [1]. In the last several years there has been significantly rising concern about information security and the behaviour of people, summarized by Schneier [2, p. 256], who writes that he tells "prospective clients that the mathematics are impeccable, the computers are vincible, the networks are lousy, and the people are abysmal. I have learned a lot about the problems of securing computers and networks, but none that really helps solve the people problem." Stanton et al. [3] stated that although organizations tend to be concerned about external threats, a substantial part of incidents comes from inside the organization. Many today believe that promoting good end-user behaviour is an important component of effective information security policies inside organizations. End users and their information security related behaviour influence the organization's overall information security, so understanding that behaviour is of great benefit to managers, information technologists and others responsible for assessing and/or influencing it.
In this paper, the so called "people problem" will be examined: how employees treat potential information risks by sharing their passwords, making (or not making) backups, etc., and how this influences the organization's information security. The paper is divided into several parts. The first part gives a literature overview. The second presents the methodology, followed by data analysis and a discussion section where the findings are shown. The last part contains a brief conclusion and implications for further research.

INFORMATION SECURITY
Information is the most valuable asset an organization (private, public, government, non-government) can have. It is therefore of utmost importance to develop a combination of systems, operations and internal procedures for ensuring the integrity and secrecy of data and of operational procedures in the organization [4]. The benefits of computerization are numerous, both in health care and in the business sector. The development of global communication networks has undermined the classic protection systems for information and communication, from protection against so-called "viruses" to protection against unauthorized access to information. Information security is influenced by the environment in which information is exchanged and communicated, and the rapid development of information and communication technology has further increased the complexity of the security environment over the past two decades [5]. Information security is the protection of information systems and information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction; it has thus become part of everyday life. It is shaped by the people who use information systems and by the technologies that enable the processes in which information is handled. The growing attention paid to information security policies indicates the breadth and complexity of what they must cover. Information security can be defined as a state of confidentiality, integrity and availability of data, achieved by applying certain standards and measures, with organizational support for planning, implementing, verifying and updating those standards and measures [6]. The aim of information security activities is the detection and prevention of unauthorized activities by information technology users [7]. Chang and Lin [8, p. 7] stated that information security is a social and organizational problem, since technical systems must be operated and used by people.
Users of information and communication technologies can significantly affect information system security [9] and are still considered the weakest link of information security [8], [10]. Additional factors that have so far received little consideration, such as the structure of the organization and its culture, significantly influence the development of information security policies [5]. Kaushal and Khan [10] proposed an information security life cycle (Fig. 1). The life cycle consists of several important phases and is necessary for the successful management of information security programmes; every phase shows the importance of a systematic approach to information security. It is of utmost significance for the organization to recognize that this process is never-ending and that the organization needs to improve its behaviour during every cycle.
Information security is needed because the technology applied to information creates risks. Once an information security risk has been recognized and is stable, a policy for information security must be created. Such policies can be divided into four categories: protection measures, detection measures, response measures for the consequences of an incident, and measures to ensure the effectiveness of that response.

LITERATURE OVERVIEW
Research in the field of security technology has increased over the previous ten years. Most of these studies focused on the impact of human factors and questioned the usefulness of security mechanisms in information and communication technologies. Previous studies [11], [12] investigated the impact of human behaviour on information security in companies. Their results pointed out, among other things, the everyday behaviour of employees in relation to the use of information and communication technologies and the possibility of preventive behaviours to avoid problems. Research conducted in Germany [13] indicated that security measures aimed at information security are necessary and should be designed to address the key risks and their consequences. While organizations today rely heavily on information technology and information security receives increasing attention, there are still only a few strategies available to information security practitioners [4].
Due to the increasing need for data protection, most developed in the banking and financial sector, company management increasingly regards information security management as its direct responsibility, since ignorance of information security can bring significant personal, financial and legal liability. Gaunt [14] proposed information security awareness programmes for improving information security behaviour in health care contexts. The role of the user, whose risky behaviour can affect the level of system security, should therefore not be neglected [9]; statistical data show that most security breaches in business organizations are caused unintentionally [15]. Information security and its management have thus become an important business responsibility of top-level management boards [16]. Almost 75% of big corporations have suffered security breaches because of staff-related activities, and 50% of the worst breaches were caused by human error [17]; those breaches were the result of unwitting security compromises.
The most common form of business communication is e-mail, and the recommendation is to use a business address controlled by the institution, where all security requirements are met. According to a cyber security survey in 2017, more than 70% of security breaches were the result of staff receiving fraudulent e-mail, yet only 20% of staff had attended information security training [18].
In addition to e-mail communication security, it is necessary to reduce medical data security vulnerabilities, which may have a negative impact on health care data protection [19]. Research on the role of users in information security is still rare, and previous studies usually focus on the password as the first line of defence in most information systems. Studies have shown that, despite recommendations on password selection, users still tend to choose passwords that are simple and easy to remember or that are derived from their personal data [20]. Despite training, users still share their passwords with colleagues, write them down in visible places, or leave them unchanged for a long time, which confirms that user behaviour is a very common problem in the field of security and that education is still necessary [21]. Different techniques for estimating users' risk behaviour have been developed; one of the latest is an evidential reasoning algorithm used to assess and compare the status of multiple systems [9].
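Checking whether a password is derived from the user's personal data, or is otherwise weak in the ways described above, can be automated, which is what a password-quality assessment of the kind the Results section mentions would do with the collected passwords. The following Python block is an added example, not code from the paper or from the UISAQ instrument; the length and entropy thresholds, the tiny common-password list, the leet-speak substitution table and the respondent profile are all assumptions constructed for illustration.

```python
import math
import re
import unicodedata
from datetime import date

# Constructed, deliberately tiny list of very common passwords. A real deployment
# would screen against a breached-password corpus (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "lozinka", "111111", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "098765")
MIN_LENGTH = 12          # assumed policy minimum, not a value from the paper
MIN_ENTROPY_BITS = 50.0  # assumed policy threshold, not a value from the paper
# Digit/symbol-for-letter substitutions users apply to "disguise" a word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text):
    """Lower-case and strip accents so 'Opća' matches 'opca'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def estimated_entropy_bits(password):
    """Brute-force entropy: length * log2(size of the character classes used)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def personal_data_tokens(profile):
    """Substrings an attacker who knows the user would try first."""
    tokens = set()
    for key in ("first_name", "last_name", "username", "employer", "town"):
        value = profile.get(key)
        if value:
            tokens.add(_normalize(value))
            tokens.update(_normalize(value).split())
    birth = profile.get("birth_date")
    if birth:
        tokens.update({str(birth.year), birth.strftime("%d%m"), birth.strftime("%d%m%Y")})
    # Very short tokens would match almost anything, so keep three characters or more.
    return {t for t in tokens if len(t) >= 3}


def assess_password(password, profile):
    """Return a list of findings; an empty list means the password passed every check."""
    findings = []
    lower = _normalize(password)
    deleeted = lower.translate(LEET)

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # Strip trailing digits so 'password1' is still caught by the list.
    if re.sub(r"\d+$", "", lower) in COMMON_PASSWORDS or lower in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if any(run in lower for run in KEYBOARD_RUNS):
        findings.append("contains a keyboard sequence")
    if re.search(r"(.)\1\1", lower):
        findings.append("contains a run of three or more identical characters")
    # Check both forms: de-leeting exposes 'M@rk0', while the plain form keeps
    # digit tokens such as a birth year intact.
    for token in sorted(personal_data_tokens(profile)):
        if token in lower or token in deleeted:
            findings.append(f"contains personal data: {token!r}")
    bits = estimated_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy {bits:.1f} bits is below {MIN_ENTROPY_BITS:.0f}")
    return findings


# Constructed respondent profile of the kind a questionnaire could collect
# alongside the password (assumed, not the paper's data).
EXAMPLE_PROFILE = {
    "first_name": "Marko", "last_name": "Horvat", "username": "mhorvat",
    "employer": "Opća bolnica", "town": "Osijek", "birth_date": date(1985, 3, 14),
}

if __name__ == "__main__":
    for candidate in ("Marko1985!", "M@rk0-2023", "password1", "Tramvaj-pada-u-more-27!"):
        problems = assess_password(candidate, EXAMPLE_PROFILE)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Running the block prints each constructed candidate with its findings: the two name-based passwords are flagged for personal data (the second only because the leet-speak substitutions are undone before matching), the dictionary word is caught despite its trailing digit, and only the long passphrase passes. The entropy figure is an upper bound that assumes a blind brute-force attacker; the personal-data and dictionary checks exist precisely because real attackers do not guess blindly.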
It seems, however, that awareness of the importance of information security among users in the health care system (which in Croatia is a public service) may be lower than among average users in the business sector. Although financial damage can be large, security incidents involving data from the electronic health record can cause far greater long-term, even material, damage to the individual person. Previous research on the security awareness and behaviour of ICT users is very scarce, particularly for health care professionals.
Several researchers have developed concepts and theories on the influence of user behaviour on organizational information security. Among them, Stanton et al. [3] catalogued and analysed a range of end-user security behaviours in organizations (Fig. 2); their taxonomy arranges the categories of possible user security behaviour along two dimensions and can help in examining and controlling user information security behaviour in organizations. Siponen et al. [22] confirm that careless employees are a major threat to information security and that employees must not only be aware of information security policies and procedures but also comply with them. To influence security-related behaviour, top management and information security staff should clearly state the importance of complying with the organization's information security policy. Ajzen [23] found that the intention to comply with information security policies significantly affects behaviour: the stronger the intention to engage in a behaviour, the more likely it is to be performed.

MATERIAL AND METHODS
The aim of this research was to determine whether there were differences in user information security behaviour among health care workers and workers in the private company situated in the same Croatian town.
The research used the Users' Information Security Awareness Questionnaire (UISAQ), a validated survey of risk behaviour that measures the level of information system users' awareness of security matters, as generally as possible. The UISAQ has two main scales, Potentially Risky Behaviour and Knowledge and Awareness, each with three subscales: Usual Behaviour, Personal Computer Maintenance and Borrowing Accessing Data for the former; Security in Communications, Secured Data and Backup Quality for the latter. These subscales describe users' behaviour, knowledge and awareness [24].
UISAQ allows IT professionals to analyse information system users more thoroughly and helps them identify where the security level is low. It also helps researchers categorize users by their security awareness. The tool can thus support conclusions about users' risky behaviour, correlations with the level of security awareness, and identification of potentially insecure users.
The survey was used to determine the users' impact on overall system security in a hospital and in a private company. The study was conducted on 152 respondents, of whom 88 (57.9%) were health care professionals (nurses/technicians, physicians) employed in a health care institution (hospital respondents) and 64 (42.1%) were employed in a Croatian production company (private company respondents).

RESULTS AND DISCUSSION
The average age of hospital respondents was 40 (IQR 30-48) years, with no significant difference from production company respondents, whose average age was 43 (IQR 37-47) years. Women are more represented in the hospital (Fisher's exact test, p = 0.003), and significantly more employees with university degrees are employed in the production company (χ² test, p < 0.001). A total of 66 (43.7%) respondents completed graduate study, more of them non-hospital employees (Fisher's exact test, p < 0.001). Although employees in both institutions sign the rules they need to comply with when they are given a username and password at the time of employment, only 82 (55%) of respondents recalled having signed the document, significantly more from the production company (Fisher's exact test, p < 0.001). When asked to write down their password for analysis and assessment of password quality, as many as 79 (52%) respondents did so, significantly more from the production company (Fisher's exact test, p < 0.001). Although production company employees wrote down their "passwords", it was impossible to check whether they were genuine (Tab. 1).
Respondents' behaviour was rated over 17 questions in three areas: lending, behaviour and confidence. Sometimes 15 (9.9%) respondents lend their official access data (username and password) to work colleagues who find themselves in need. Different passwords for different systems (one for Facebook, another for e-mail, a third for the business system, etc.) are always used by 35 (23.3%) respondents; 48 (32%) never used more than one e-mail address (i.e. private and official); and 97 (63.8%) never locked their business computer when briefly leaving the office, classroom or workplace. 90 (59.6%) respondents never install programs from unknown or little-known manufacturers that may be interesting but are not necessary for work (video players, multimedia accessories, web browsers). On social networks, 25 (16.4%) respondents rarely leave personal information (private address, mobile phone number, the message that they are on holiday, etc.) (Fig. 3).
Communication over social networks is considered totally insecure by 47 (30.9%) respondents, 64 (42.1%) consider mobile phone communication (calls and SMS) quite insecure, and 43 (28.3%) consider e-mail correspondence quite insecure (Fig. 4, the distribution of answers according to the security level).
By level of belief, most respondents, 59 (39.3%), are not convinced that someone will take money from their bank account, while 19 (12.6%) are convinced that someone will steal their identity on the internet (e-mail, e-banking, Facebook, etc.) (Fig. 5, the distribution of answers according to the belief level).
Unconditional safekeeping of their passwords is totally unimportant for 13 (8.6%) respondents and extremely important for 66 (43.7%). Periodically replacing passwords with new ones, at least for important systems, is quite important for 73 (48.3%) respondents, and 72 (47.7%) stated that it is extremely important to separate business from private computing resources (USB memory, e-mail, phone) (Fig. 6, the distribution of answers according to the importance level).
The behaviour scale mean score of 2 (interquartile range 1.8-2.2) is significantly worse for hospital respondents (Mann-Whitney test, p = 0.038). Differences on the behaviour subscale are significant, with respondents from the production company acting more responsibly (Mann-Whitney test, p = 0.011), with a scale mean score of 3 (interquartile range 2.3-3.6). On the security and importance scales there is no significant difference in mean score between the two groups. The belief scale mean score of 4 (3.3-4.4) is significantly higher for production company employees (Mann-Whitney test, p = 0.027) (Tab. 2).
Personal data security was determined by when the last backup of personal data and documents was made and by the number of people who know the respondent's password. Of the survey respondents, 28 (18.5%), of whom 10 (11.5%) from the hospital and 18 (28.1%) from the production company, never made a backup of their documents. 30 (20%) participants stated that two more people besides them knew their password, significantly more of them, 17 (26.6%), from the production company. 26 (30.2%) participants from the hospital stated that they were the only ones who knew their password, significantly fewer than among participants from the production company (Fisher's exact test, p = 0.020). Among respondents who wrote their password in the survey there are significantly more from the production company, 20 (44.4%), and at the same time they stated that they were the only ones who knew their password (Fisher's exact test, p = 0.046) (Tab. 3).
The research has shown that the overall behaviour of respondents from the production company (p = 0.011) is more responsible, which confirms previous research on the use of e-mail addresses according to which respondents from technical scientific fields use more secure official e-mail addresses than biomedical researchers. Different passwords for different systems are used by 23.3% of respondents, slightly fewer than in a study of 836 subjects [25], of whom 31% always use different passwords. The introduction of single sign-on (SSO), i.e. a single login to all systems, which institutions have begun to implement [26], would reduce the burden on employees of remembering multiple passwords, although it also concentrates access behind one credential, so the strength and protection of that credential matter all the more. Analyses [27] showed that users' awareness of information system security and proper use of passwords is associated with knowledge about the importance of applying security in their work. Responses on personal data security proved very weak: 18.5% of respondents had never made a backup of their data and 39.1% could not remember when they had last done so; the frequency of making backups among medical and electrical engineering students is likewise very low.

FINAL REMARKS AND CONCLUSION
Most research agrees that one of the greatest threats to an organization's information security comes from employees who do not follow established information security procedures. Employees must be aware of and follow information security policies and procedures. The entire organization (hospital, government, private company) plays an important role in presenting policies and procedures for user information security behaviour. Education of employees should be a major task in today's information era, where everything is available to everyone; information must also be treated as securely as necessary.
Although the research compared user information security behaviour in different sectors, there are similarities in user behaviour. In both examined organizations there are users who care about information security, but many do not think information security matters for the organization's efficiency. The results show that employees in the private company behave better with respect to information security: they are more responsible and security aware regarding password usage and have better knowledge about the importance of applying security in their work.
To conclude, further research on information security behaviour is proposed, comparing different production companies in Croatia and their approaches to solving the so called "people problem" in information security, since this research found that although employees had signed a statement about information security, few of them remembered it and some did not comply with it.

Figure 3 Respondents according to the behaviour scale
Table 1 Groups scale mean scores
Table 2 Groups scale mean scores
Table 3 Respondents according to answers about data security and groups