The synopsis may refer to a different edition of this title.
Copyright
Foreword, by Gurpreet Dhillon
Acknowledgments
Preface
CHAPTER 1 An Introduction to Information Protection and Employee Behavior
CHAPTER 2 How Employees Affect Information Security
CHAPTER 3 Information Security Technologies and Operations
CHAPTER 4 Employee Monitoring, Surveillance, and Privacy
CHAPTER 5 Managerial Perspectives
CHAPTER 6 Information Technology Professionals' Perspectives
CHAPTER 7 Employee Perspectives on Information Security and Privacy
CHAPTER 8 Overall Analysis and Interpretation
CHAPTER 9 Recommendations for Managers, Employees, and Information Security Professionals
References
Appendix A: Recommended Reading
Appendix B: Discussion Questions
Appendix C: Employee Security-Related Behavior List
Appendix D: Leadership Interview Protocol
Appendix E: Information Security Professional Interview Protocol
Appendix F: Employee Interview Protocol
Appendix G: Straightforward Acceptable Use Policy
Appendix H: Straightforward Password Policy
About the Authors
Index
An Introduction to Information Protection and Employee Behavior
In most organizations, information flows at the heart of workplace activities. The effective management of information requires information technology, and that technology is therefore crucial to organizational success. Information technology comes in many forms — networked personal computers, personal productivity devices, software applications, the Internet, and more — but one thing all types of information technology have in common is that their effective use depends upon human users. People put the technology to work in managing information, and people are ultimately responsible for whether information technology succeeds or fails. Within organizations, these people are the employees who use the technology to get their jobs done, serve the needs of customers, and keep the organization running.
Almost all organizations that use information technology in any substantial way are also struggling to maintain effective information security. In an increasing number of organizations, information is among the most valuable assets they possess. As connectivity among information systems has increased, so has the likelihood of intrusion into the systems, thefts of business information, fraudulent use of information, defacement of organizational Web sites, and other forms of information loss or damage. A worldwide army of hackers, virus writers, and scam artists stands poised to inflict as much damage as possible on the Internet-connected organization. Organizations are always vulnerable to these external security threats to some degree, but industry research by Ernst and Young (2002) suggests that many expensive security breaches in fact result from activity that occurs within organizations: the so-called insider threat posed by employees or contractors who possess trusted access to the company's information and technology. At the low end, losses from security breaches of all types have been estimated at approximately $20 billion per year (counting U.S. organizations only; Security Wire Digest, 2000). Such losses cause organizations to open their wallets: According to a 2002 industry survey by Information Security magazine, very large organizations spend an average of $6 million per year on information security measures; smaller ones spend nearly 20 percent of their overall information technology budgets on security.
Among the various security technologies used in organizations, many provide the means to monitor employee behavior. Organizations deploy these complex and expensive monitoring technologies under the belief that secure management of an organization's information assets depends in part upon the behavior of employees. Employees are the "end-users" of much of the organization's information, and that information is very literally at their disposal. When employees are careful to handle information in a secure way, the organization, its customers, and its shareholders benefit from the protection of this key asset. Alternatively, mismanagement of information or the malfeasance of isolated individuals who "go bad" may have devastating effects on the organization's success.
Organizations possess an increasingly powerful technological toolbox for finding out what people are doing on their computers and on the network. For the many employees who use computers, a detailed electronic trail of communications, software utilization, and network activity now fills the log files of company servers. Almost every organization with business processes that connect it to the Internet uses one type of system or another to assess networked computer usage, track network access, warn about inappropriate behavior on the network, or try to ensure that such behavior cannot occur. Software and hardware vendors provide a huge array of options for collecting, storing, analyzing, and generating reports based on telecommunications records, logs of Web usage, addresses of e-mail recipients, and e-mail message content. A plethora of details about employees' work habits, computer usage, and personal demographics, and a wide range of other potentially sensitive information is collected and stored in organizational information systems. Enterprise computing systems contain centralized work records and other information about job-related activities in huge interlinked databases. Camera surveillance has also become increasingly common, particularly in the public spaces of the organization (e.g., lobbies, parking lots, customer areas of retail stores), but additionally in non-public spaces such as employee break rooms. Smart cards and proximity badges help the organization know where employees are located and what facilities they have used. All of these forms of monitoring and surveillance allow organizations to increase the visibility of employee behavior, analyze typical usage patterns, flag unusual or unauthorized activities, and reduce the lag between the discovery of problems and subsequent action or decision making.
Monitoring and surveillance technologies seem to provide a panacea of observation, analysis, prediction, and control for those who wish to reduce the uncertainty, unpredictability, and risks related to the behavior of information systems users.
A series of U.S. industry surveys has shown that employee monitoring and surveillance occur to some degree in the majority of U.S. work organizations (9 to 5, 1990; Orthmann, 1998; Society for Human Resource Management, 1991, 1999, 2001). In their 2004 survey on workplace e-mail and instant messaging, the American Management Association and the ePolicy Institute found that 60 percent of organizations they contacted used software to monitor employees' e-mail correspondence with parties outside the firm (American Management Association & ePolicy Institute, 2004). Although regulatory controls on monitoring and surveillance are sometimes stricter in other locales, such as Canada, Western Europe, Japan, and Australia, the use of electronic monitoring and surveillance of workers and workgroups occurs in those places as well...