Impact of Excessive Access Permissions and Insider Threat Opportunity in the Financial Industry: A Qualitative Stud

The purpose of this qualitative, exploratory research study was to gain insights into the correlations between (a) security threats related to the dangers of excessive access permissions in information systems (IS) and (b) the potential risk exposure to insider threat in the financial sector. The study examined the vulnerability risk to insider threat from the view of the possible connection to excessive access permissions which represent a gap in the literature. The central research question of the study was What are the determinants that influence the applicability of internal security controls such as segregation of duties (SoD), the least privilege principle, the need-to-know concept and the relationship between access permissions and insider threat in IS? A sample of 15 financial sector professionals that included business users, IT personnel, and certified fraud examiners was interviewed to answer the central research question. Each of these participants works with information systems that are classified as restricted, confidential, or Sarbanes-Oxley Act (SOX) critical. Transcribed data from interviews were analyzed using theme analysis and the qualitative analytical software NVivo 11. The findings from the study revealed a relationship between excessive access permission and insider threats. Regulation and policy along with a prevention mentality were identified as the primary determinants of access control management. This study is beneficial to scholars and practitioners by offering a better understanding of the increased risk of data loss due to the excessive access permissions phenomenon and the factors that influence the use of security controls in the access management.