Volume 11, Issue 1 (6-2024)
Human Information Interaction 2024, 11(1): 33-57 |
Back to browse issues page
Download citation:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
BibTeX | RIS | EndNote | Medlars | ProCite | Reference Manager | RefWorks
Send citation to:
Mabhoot A, Farhadpoor M R, Hoseini E. Identifying and ranking the factors affecting the leakage of organizational information using the analytical hierarchy process. Human Information Interaction 2024; 11 (1)
URL: http://hii.khu.ac.ir/article-1-3142-en.html
URL: http://hii.khu.ac.ir/article-1-3142-en.html
Information and Knowledge Science-Information Management Departement, Ahvaz Branch, Islamic Azad University, Ahvaz, Iran.
Abstract: (663 Views)
One of the most important current debates in organizational information security is information leakage. Information leakage, which refers to the unauthorized sharing of information by one organization with another, is one of the serious problems faced by organizations. Information leakage can cause losses to the company and affect its ability to gain a competitive advantage. Information leakage includes two types of leakage or intentional or unintentional disclosure of data or exclusive content to unauthorized persons. Intentional information leakage includes the intentional disclosure of information by employees to unauthorized persons. Deliberate information leakage is often caused by employee dissatisfaction with the company or a motive for personal gain. The main cause of intentional information leakage is revenge or unethical behavior of employees who are willing to betray their company or disclose sensitive information to competitors. In other words, if employees are not aware of how much information to disclose to outsiders, then unwanted/inadvertent information leakage may occur. These cases damage the reputation of the organization, its income and business. As a result, the pervasiveness of this uncertainty about information security in the work environment puts the organization's information assets at risk. In order to minimize or prevent information leakage, it is important to investigate and identify the factors that lead to this happening.
Regardless of the type of information leakage and the related motives, the impact of these actions in itself can lead to financial losses, disruption of the organization, loss of reputation and long-term impact on the organizational culture. Although the phenomenon of information leakage may happen in any organization; But considering the opportunities and values that every organization loses as a result, its importance can be understood. For this reason, the consequences of information leakage will be different from one organization to another, and accordingly, its degree of importance will also be different. The study and identification of factors affecting the phenomenon of information leakage is interesting from several aspects. First, the airport environment with the presence of various airlines is an example of a highly competitive market where the actions and operations of the airport are exposed to the customers. The second point is that the customers of the airport system are heterogeneous and may be people of different nationalities. Third point, the issue of security in airport systems is a complex and interesting phenomenon that is provided by the participation of different organizations. The fourth point is that the flow of information in the airport system is intense, intra-organizational and trans-organizational/cross-border. The fifth point is that the occurrence of an error in the flow of information in airport systems can have unfortunate human, financial, and other consequences. Considering these points, the present study was conducted at Ahvaz International Airport. Preventing information leakage is one of the most important security issues at Ahvaz International Airport. Because with the loss of data, the reputation of the airport is damaged and it loses its customers, it has to pay a high cost to fix the damages, and this will sometimes lead to the destruction of the organization. According to the mentioned contents, this research seeks to answer the question, what are the factors affecting organizational information leakage in Ahvaz International Airport? How are they ranked? Hence, the purpose of this study was to identify and rank the factors affecting organizational information leakage in Ahvaz International Airport using the Hierarchical Analysis Process.
Methods
Since the ultimate goal of the current research was to improve the understanding of the problem of information leakage as an important concern for the organization and to find a practical solution to reduce it, it is practical research in terms of the goal. Also, from the point of view of nature, the current research is descriptive-exploratory; Because what follows the data follower approach to "describe" and "interpret" the factors affecting organizational information leakage as it is. The research community was all information security experts in different parts of Ahvaz Airport; that by the snowball method (because it was difficult to identify the experts and the possibility of contacting and accessing them) 15 experts in the information security field of Ahvaz Airport (having relevant work experience of more than 15 years, a master's degree or higher and familiar with security issue and information leakage). In this study, the library method was used to compile the theoretical foundations of the research, the background of the research and the design of the decision tree. Then, the field method was used to distribute the five-point paired comparison questionnaire to collect data. The first questionnaire was taken from the research literature and was distributed among 15 experts using the Delphi technique. Opinions were sought from the expert group of the Delphi study, in the form of sending a structured questionnaire with a 5-point Likert scale, consisting of 22 questions, in two rounds with the participation of 15 people, in such a way that first, the first questionnaire consisting of 22 questions was sent to the members of the Delphi group. After distributing and collecting completed questionnaires and evaluating the results of this Delphi round, 5 main factors and 21 important sub-factors were identified (laws and regulations sub-factor with an average of 2.87±83 and a t value of 0.61 was not recognized as significant and was excluded from the questionnaire for the second round) and after twenty days, from the initial opinion poll, the important factors were re-evaluated in order to conduct the next round of Delphi in the form of a questionnaire with 21 questions related to the important sub-factors, the collected data It showed the confirmation of all subfactors. Finally, the data was analyzed using the hierarchical analysis method and using Expert Choice software.
Resultss and Discussion
Based on the results, 5 main factors and 21 sub-factors affecting organizational information leakage were identified. The weighting and prioritization of indicators showed that intentional individual factors (0.277) ranked first, unintentional individual factors (0.235) ranked second, organizational factors (0.188) ranked third, infrastructural factors (0.167) ranked fourth and environmental factors (0.133) ranked fifth.
Conclusion
The results showed that information leakage is a complex phenomenon that various individual, organizational, infrastructural and environmental factors are involved in its occurrence. However, the first and second rank of the intentional and unintentional dimensions of information leakage by individuals, on the one hand, indicate the complexity of the information leakage phenomenon, and on the other hand, require a review in the strategies related to human resources management in Ahvaz International Airport.
Based on the results, intentional individual factors with a weight of 0.277 were the first effective factors on information leakage in Ahvaz International Airport. Also, among intentional individual sub-factors, personal greed with a weight of 0.232 was the most important sub-factor and the experience of invasion of privacy with a weight of 0.078 was the least important sub-factor. The findings confirmed that intentional information leakage due to human factors should still be of concern to managers. Since it is not possible to abandon human factors in the organizational life cycle of information, managers should accept this challenge and look for appropriate mechanisms. In other words, despite human factors, organizations face the challenge of intentional or unintentional information leakage. Intentional leakage of information in the organization may have happened due to personal greed against organizational interests, where employees are willing to sell the organization's information to competitors for material reasons and prefer their interests over the interests of the organization. Jealousy of a company employee to colleagues or employees of competing companies, being dissatisfied with the company or feeling a grudge for any reason also causes the intentional leakage of information. Disgruntled employees may also intentionally disclose important information to unauthorized parties. Unintentional individual factors with a weight of 0.235 were the second most effective factors on information leakage in Ahvaz International Airport. Also, among unintentional individual sub-factors, negligence with a weight of 0.283 was the most important sub-factor and the use of contract and temporary employees with a weight of 0.133 was the least important sub-factor. An inadvertent leak occurs when an insider inadvertently discloses business-critical information that is not intended to be shared with third parties. Unintentional individual threat is the potential behavior of an individual who has access to the network, system or data of an organization through an accidental act or action, without malicious intent, and causes damage or significantly increases the likelihood of serious damage in the future to confidentiality, integrity Or the value of the organization's information.
Organizational factors with a weight of 0.188 were the third most effective factors on information leakage in Ahvaz International Airport. Also, among the organizational sub-factors, lack of understanding the value of information with a weight of 0.392 was the most important sub-factor and lack of proper intra-organizational communication with a weight of 0.262 was the least important sub-factor. The first is a lack of understanding of the value of information. Employees evaluate information differently depending on the hierarchical level, the type of information and the type of organizational structure. Employees' perception of the value of information is described by various researchers as an important aspect. This lack of awareness leads to the fact that the value of information is not clear, so the negative consequences of information leakage are not taken seriously by them. The second case is inappropriate organizational structure. Large companies are sensitive to data protection in the long term. Smaller companies do not have such extensive awareness. In general, organizational structure in terms of formality and existing control mechanisms may affect information leakage. The third case is the lack of proper communication within the organization. To achieve shared understanding, communication is required to convey a set of necessary values and norms that define the rules or context of interaction. Infrastructural factors with a weight of 0.167 were the fourth most effective factor on information leakage in Ahvaz International Airport. Similarly, among the infrastructure sub-factors, the weakness of information systems with a weight of 0.418 was the most important sub-factor and the presence of security holes in the network infrastructure with a weight of 0.258 was the least important sub-factor. The first is the weakness of information systems. Buying an incomplete information system and weak design of information systems may cause serious problems for organizations. Mechanisms that insiders use to perform business tasks based on their usual information systems can also be used to steal information assets. To prevent leakage and theft of information, mechanisms and protective measures against these methods should be used. The second case is improper use of physical means of data storage (hard drives, USB, CD, etc.). These days, most of the information inside the organization is stored electronically, the media of this information are hard drives, C drives. D. and U. S. etc.) are physical tools that are likely to be physically stolen. Preventing leakage with these devices requires implementing physical security measures. The third thing is the presence of security holes in the network infrastructure. The organization's networks are one of the essential parts of the organization's information technology infrastructure. There are several types of communication in the network. Internal-to-external communication includes any communication that is initiated within the boundaries of the organization and whose destination is outside the organization.
Finally, environmental factors with a weight of 0.133 were the fifth most effective factors on information leakage in Ahvaz International Airport. Also, among the environmental sub-factors, the stakeholders' request for information about security incidents with a weight of 0.416 was the most important sub-factor and the requirements of business partners with a weight of 0.259 was the least important sub-factor. One of the input sources that shape the behavior of people in an organization is the organizational environment. Employee decisions are influenced by environmental structure, the availability of environmental information, and the relevant meaning that employees assign to environmental information. The first case is the request of stakeholders to inform about security incidents. In the recent era, the demand for the type of information leakage events for companies is more intense, external and internal stakeholders are constantly concerned about maintaining a good public image of the organization. Overall, public interest in data breach incidents appears to exert pressure on organizations, while organizational responses are dynamic and appear to change over time. If stakeholder expectations are ignored and social influence is allowed to run its course, political and legal pressure will build, often leading to negative corporate outcomes. Stakeholder dissatisfaction arises when corporate actions do not meet societal expectations, and the gap between corporate actions and stakeholder expectations widens as public trust declines. Therefore, the greater the employees' understanding of information protection as a social expectation, the greater the perception of public leakage events as a threat to the company's image.
In general, the results show that information leakage is a major concern for organizations. In this context, the more the organization depends on information assets, the more relevant the concern of information leakage becomes. In such a situation, the taste of the competitors is stimulated more and more to think of the necessary mechanism to deal with it by getting the information of the organization, while being aware of the related organization's plans. Therefore, the identification of factors affecting information leakage in the form of 21 sub-factors in 5 groups provided the necessary insight to the managers of Ahvaz airport to strengthen the vulnerable points by adopting the necessary measures such as building trust, strengthening the sense of cooperation, observing professional ethics. , using motivational measures, raising awareness of the value of information, proper training of employees regarding information security, redesigning information systems, and designing targeted programs regarding information storage, sharing, and transfer.
Regardless of the type of information leakage and the related motives, the impact of these actions in itself can lead to financial losses, disruption of the organization, loss of reputation and long-term impact on the organizational culture. Although the phenomenon of information leakage may happen in any organization; But considering the opportunities and values that every organization loses as a result, its importance can be understood. For this reason, the consequences of information leakage will be different from one organization to another, and accordingly, its degree of importance will also be different. The study and identification of factors affecting the phenomenon of information leakage is interesting from several aspects. First, the airport environment with the presence of various airlines is an example of a highly competitive market where the actions and operations of the airport are exposed to the customers. The second point is that the customers of the airport system are heterogeneous and may be people of different nationalities. Third point, the issue of security in airport systems is a complex and interesting phenomenon that is provided by the participation of different organizations. The fourth point is that the flow of information in the airport system is intense, intra-organizational and trans-organizational/cross-border. The fifth point is that the occurrence of an error in the flow of information in airport systems can have unfortunate human, financial, and other consequences. Considering these points, the present study was conducted at Ahvaz International Airport. Preventing information leakage is one of the most important security issues at Ahvaz International Airport. Because with the loss of data, the reputation of the airport is damaged and it loses its customers, it has to pay a high cost to fix the damages, and this will sometimes lead to the destruction of the organization. According to the mentioned contents, this research seeks to answer the question, what are the factors affecting organizational information leakage in Ahvaz International Airport? How are they ranked? Hence, the purpose of this study was to identify and rank the factors affecting organizational information leakage in Ahvaz International Airport using the Hierarchical Analysis Process.
Methods
Since the ultimate goal of the current research was to improve the understanding of the problem of information leakage as an important concern for the organization and to find a practical solution to reduce it, it is practical research in terms of the goal. Also, from the point of view of nature, the current research is descriptive-exploratory; Because what follows the data follower approach to "describe" and "interpret" the factors affecting organizational information leakage as it is. The research community was all information security experts in different parts of Ahvaz Airport; that by the snowball method (because it was difficult to identify the experts and the possibility of contacting and accessing them) 15 experts in the information security field of Ahvaz Airport (having relevant work experience of more than 15 years, a master's degree or higher and familiar with security issue and information leakage). In this study, the library method was used to compile the theoretical foundations of the research, the background of the research and the design of the decision tree. Then, the field method was used to distribute the five-point paired comparison questionnaire to collect data. The first questionnaire was taken from the research literature and was distributed among 15 experts using the Delphi technique. Opinions were sought from the expert group of the Delphi study, in the form of sending a structured questionnaire with a 5-point Likert scale, consisting of 22 questions, in two rounds with the participation of 15 people, in such a way that first, the first questionnaire consisting of 22 questions was sent to the members of the Delphi group. After distributing and collecting completed questionnaires and evaluating the results of this Delphi round, 5 main factors and 21 important sub-factors were identified (laws and regulations sub-factor with an average of 2.87±83 and a t value of 0.61 was not recognized as significant and was excluded from the questionnaire for the second round) and after twenty days, from the initial opinion poll, the important factors were re-evaluated in order to conduct the next round of Delphi in the form of a questionnaire with 21 questions related to the important sub-factors, the collected data It showed the confirmation of all subfactors. Finally, the data was analyzed using the hierarchical analysis method and using Expert Choice software.
Resultss and Discussion
Based on the results, 5 main factors and 21 sub-factors affecting organizational information leakage were identified. The weighting and prioritization of indicators showed that intentional individual factors (0.277) ranked first, unintentional individual factors (0.235) ranked second, organizational factors (0.188) ranked third, infrastructural factors (0.167) ranked fourth and environmental factors (0.133) ranked fifth.
Conclusion
The results showed that information leakage is a complex phenomenon that various individual, organizational, infrastructural and environmental factors are involved in its occurrence. However, the first and second rank of the intentional and unintentional dimensions of information leakage by individuals, on the one hand, indicate the complexity of the information leakage phenomenon, and on the other hand, require a review in the strategies related to human resources management in Ahvaz International Airport.
Based on the results, intentional individual factors with a weight of 0.277 were the first effective factors on information leakage in Ahvaz International Airport. Also, among intentional individual sub-factors, personal greed with a weight of 0.232 was the most important sub-factor and the experience of invasion of privacy with a weight of 0.078 was the least important sub-factor. The findings confirmed that intentional information leakage due to human factors should still be of concern to managers. Since it is not possible to abandon human factors in the organizational life cycle of information, managers should accept this challenge and look for appropriate mechanisms. In other words, despite human factors, organizations face the challenge of intentional or unintentional information leakage. Intentional leakage of information in the organization may have happened due to personal greed against organizational interests, where employees are willing to sell the organization's information to competitors for material reasons and prefer their interests over the interests of the organization. Jealousy of a company employee to colleagues or employees of competing companies, being dissatisfied with the company or feeling a grudge for any reason also causes the intentional leakage of information. Disgruntled employees may also intentionally disclose important information to unauthorized parties. Unintentional individual factors with a weight of 0.235 were the second most effective factors on information leakage in Ahvaz International Airport. Also, among unintentional individual sub-factors, negligence with a weight of 0.283 was the most important sub-factor and the use of contract and temporary employees with a weight of 0.133 was the least important sub-factor. An inadvertent leak occurs when an insider inadvertently discloses business-critical information that is not intended to be shared with third parties. Unintentional individual threat is the potential behavior of an individual who has access to the network, system or data of an organization through an accidental act or action, without malicious intent, and causes damage or significantly increases the likelihood of serious damage in the future to confidentiality, integrity Or the value of the organization's information.
Organizational factors with a weight of 0.188 were the third most effective factors on information leakage in Ahvaz International Airport. Also, among the organizational sub-factors, lack of understanding the value of information with a weight of 0.392 was the most important sub-factor and lack of proper intra-organizational communication with a weight of 0.262 was the least important sub-factor. The first is a lack of understanding of the value of information. Employees evaluate information differently depending on the hierarchical level, the type of information and the type of organizational structure. Employees' perception of the value of information is described by various researchers as an important aspect. This lack of awareness leads to the fact that the value of information is not clear, so the negative consequences of information leakage are not taken seriously by them. The second case is inappropriate organizational structure. Large companies are sensitive to data protection in the long term. Smaller companies do not have such extensive awareness. In general, organizational structure in terms of formality and existing control mechanisms may affect information leakage. The third case is the lack of proper communication within the organization. To achieve shared understanding, communication is required to convey a set of necessary values and norms that define the rules or context of interaction. Infrastructural factors with a weight of 0.167 were the fourth most effective factor on information leakage in Ahvaz International Airport. Similarly, among the infrastructure sub-factors, the weakness of information systems with a weight of 0.418 was the most important sub-factor and the presence of security holes in the network infrastructure with a weight of 0.258 was the least important sub-factor. The first is the weakness of information systems. Buying an incomplete information system and weak design of information systems may cause serious problems for organizations. Mechanisms that insiders use to perform business tasks based on their usual information systems can also be used to steal information assets. To prevent leakage and theft of information, mechanisms and protective measures against these methods should be used. The second case is improper use of physical means of data storage (hard drives, USB, CD, etc.). These days, most of the information inside the organization is stored electronically, the media of this information are hard drives, C drives. D. and U. S. etc.) are physical tools that are likely to be physically stolen. Preventing leakage with these devices requires implementing physical security measures. The third thing is the presence of security holes in the network infrastructure. The organization's networks are one of the essential parts of the organization's information technology infrastructure. There are several types of communication in the network. Internal-to-external communication includes any communication that is initiated within the boundaries of the organization and whose destination is outside the organization.
Finally, environmental factors with a weight of 0.133 were the fifth most effective factors on information leakage in Ahvaz International Airport. Also, among the environmental sub-factors, the stakeholders' request for information about security incidents with a weight of 0.416 was the most important sub-factor and the requirements of business partners with a weight of 0.259 was the least important sub-factor. One of the input sources that shape the behavior of people in an organization is the organizational environment. Employee decisions are influenced by environmental structure, the availability of environmental information, and the relevant meaning that employees assign to environmental information. The first case is the request of stakeholders to inform about security incidents. In the recent era, the demand for the type of information leakage events for companies is more intense, external and internal stakeholders are constantly concerned about maintaining a good public image of the organization. Overall, public interest in data breach incidents appears to exert pressure on organizations, while organizational responses are dynamic and appear to change over time. If stakeholder expectations are ignored and social influence is allowed to run its course, political and legal pressure will build, often leading to negative corporate outcomes. Stakeholder dissatisfaction arises when corporate actions do not meet societal expectations, and the gap between corporate actions and stakeholder expectations widens as public trust declines. Therefore, the greater the employees' understanding of information protection as a social expectation, the greater the perception of public leakage events as a threat to the company's image.
In general, the results show that information leakage is a major concern for organizations. In this context, the more the organization depends on information assets, the more relevant the concern of information leakage becomes. In such a situation, the taste of the competitors is stimulated more and more to think of the necessary mechanism to deal with it by getting the information of the organization, while being aware of the related organization's plans. Therefore, the identification of factors affecting information leakage in the form of 21 sub-factors in 5 groups provided the necessary insight to the managers of Ahvaz airport to strengthen the vulnerable points by adopting the necessary measures such as building trust, strengthening the sense of cooperation, observing professional ethics. , using motivational measures, raising awareness of the value of information, proper training of employees regarding information security, redesigning information systems, and designing targeted programs regarding information storage, sharing, and transfer.
Keywords: Leakage of Organizational Information, Information Security, Information Confidentiality, Information Flow, Information Policies of the Organization.
Send email to the article author
| Rights and permissions | |
 | This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. |
