Insider threats among Dutch SMEs: Nature and extent of incidents, and cyber security measures

Abstract

Insider threats represent a latent risk to all organisations, whether they are large companies or Small or Medium-sized Enterprises (SMEs). Insiders, the individuals with privileged access to the assets of organisations, can compromise their proper functioning and cause serious consequences that can be direct—such as financial—or indirect—such as reputational. Insider incidents can have a negative impact on SMEs, as their resources are often limited, making it paramount to implement adequate cyber security measures. Despite its indisputable relevance, the empirical study of insider incidents from a criminological point of view has received little attention. This paper presents the results of an exploratory study that aims to understand the nature and extent of three types of insider incidents—malicious, negligent, and well-meaning—and how they are related to the adoption of cyber security measures. To that end, we administered a questionnaire among a panel of 496 Dutch SME entrepreneurs and managers and analysed the results quantitatively and qualitatively. The results show that although the prevalence of insider incidents is relatively low among Dutch SMEs, few organisations report a disproportionate number of incidents that often entail serious consequences. A regression model shows that there are cyber security measures related to both higher and lower incident likelihood. The implications of these findings for the cyber security policies of SMEs are discussed.