Introduction
Insiders continue to pose a great threat to the security of an organization’s sensitive and critical information resources (Liang et al., 2016). Insider threats are actions perpetrated by employees or contractors that can put an organization or its resources at risk (Predd et al., 2008). Employees are given legitimate rights and privileges to access the organization’s information resources (Bishop et al., 2008). Because they have enough knowledge of and access to organizational information resources, malicious employees pose a more severe threat to information assets than outsiders do (Liang et al., 2016). Threats emanating from employees and contractors have always been difficult for organizations to detect (Ahmad et al., 2014). However, detecting the threats before a catastrophic event occurs is important (Branker et al., 2016). In an attempt to mitigate the threats, concerns are being raised regarding how these malicious individuals come to be employed by organizations, how they are managed during their period of employment and how employment termination processes are managed (Ford et al., 2015; Hu et al., 2012; Sarode and Deore, 2017). Organizations ought to employ human resource security measures to protect information resources. Human resource security measures encompass safeguards involved in hiring and maintaining employees:
background checks, terms and conditions of employment (pre-employment processes);
management responsibilities, training and disciplinary process (during-employment processes); and
termination of employment (post-employment processes) (ISO/IEC 27002, 2013).
Attention is currently being focused on managing the human aspects of information security (Singh et al., 2014). Human resource security management is a system of policies and procedures which seek to mitigate the risk of employees and contractors exploiting their legitimate access to an organization’s information resources for unauthorized purposes (CPNI, 2017). The objective of human resource security management is to ensure that:
employees and contractors are suitable for the roles for which they are considered for employment;
employees and contractors are aware of and comply with their information security responsibilities; and
the organization puts processes in place to protect its interests during the change or termination of employees’ employment contracts (ISO/IEC 27002, 2013).
Human resource security measures reduce the risks that are inherent in human interactions with the organizational information resources by using security controls such as screening employees, defining their roles and...