The Norwegian Downsizing Approach in Terms of the Insider Threat - An interpretive study

Benjaminsen, Terje

Benjaminsen, Terje

Master thesis

View/Open

17974_FULLTEXT.pdf (851.9Kb)

17974_COVER.pdf (1.639Mb)

URI

http://hdl.handle.net/11250/2448947

Date

2017

Metadata

Show full item record

Collections

Institutt for informasjonssikkerhet og kommunikasjonsteknologi [1646]

Abstract

This research examined how the Norwegian organizations approach a downsizing in terms of the insider threat. Ten subject matter experts in large Norwegian enterprises were interviewed. These subject matter experts serve in various industry sectors such as; petroleum and energy, climate and environment, agriculture and food, defense, finance, and maritime. The size of the organizations varies from around 400 to more than 10,000 employees. The results of these interviews have been discussed and partially compared with international practice. Then, authorities within the field of security management have commented on the findings and the suggested improvements. This is a qualitative study that describes and interprets the Norwegian approach, which provides strong rights for the employees, and does not examine cause and effect relationships.

The analysis has identified management as a key element to mitigate the insider threat in downsizing processes. Starting with top management in the planning phase, then transferring more responsibility on the middle management in the execution phase. Managers might not be aware of having such responsibility concerning the insider threat. The managers are additionally key players in building a healthy security culture. Given this important role, there seem to be a surprisingly low level of education and training aimed at personnel security management. Additionally, one must consider both the dismissed and the remaining employees. As a foundation, enterprises should have established policies, procedures, and holistic risk management, including the insider threat. Further, some enterprises could transform their approach from reactive towards proactive, and mitigate the insider threat by combined social and technical controls throughout the employment life-cycle. However, with adherence to rules and regulations, such as the EU General Data Protection Regulation (GDPR) concerning privacy.

Neither the Norwegian National Security Authority (NSM), the Norwegian Center for Information Security (NorSIS), or the Norwegian Business and Industry Security Council (NSR), with their background and expertise, question the findings.

To the authors knowledge, there have not been similar previous research, on how Norwegian organizations approach a downsizing in terms of the insider threat.

Publisher

NTNU