Impact of Excessive Access Permissions and Insider Threat Opportunity in the Financial Industry: A Qualitative Study

Abstract

The purpose of this qualitative, exploratory research study was to gain insights into the correlations between: (a) security threats related to the dangers of excessive access permissions in information systems (IS); and (b) the potential risk exposure to insider threat in the financial sector. The study examined the vulnerability risk to insider threats from the view of the possible connection to excessive access permissions which represent a gap in the literature. The central research question of the study was: What are the determinants that influence the applicability of internal security controls such as segregation of duties (SoD), the least privilege principle, the need-to-know concept and the relationship between access permissions and insider threat in IS? A sample of 15 financial sector professionals that included business users, IT personnel, and certified fraud examiners were interviewed to answer the central research question.