A case study approach will be used because the focus will be on the healthcare organization in which the researcher is employed.
Stephenson (2006) explains that there are various types of computer crimes and different categories of cybercriminals. The employee, or insider, category of cybercriminals "tend to be disgruntled employees" who express their anger towards the company through cyber-vandalism (1). Their motive for cracking into the organisation's network, destroying data or vandalizing the corporate website invariably stems from their feelings of mistreatment or the assumption that they have not received their due appreciation and recognition. While, as Stephenson (2006) asserts, it is not at all common for disgruntled employees to express their anger or dissatisfaction through acts of vandalism and cybercrime, it cannot be discounted either. The implication here is that employees are a potential threat to an organisation's network security, and security mechanisms need to account for this threat through the adoption of safeguards designed to minimize, and ideally eliminate, the opportunities available to employees to engage in cyber-attacks against their organization.
While Stephenson (2006) tended towards the minimization of the threat posed by employees to the computer and network security of their organization, numerous other sources argue that the threat is substantial. As early as 1991, Gilman indicated that the facts and figures on network security violations showed that employees were often identified as the culprits, or as having, even unwittingly, acted as enablers. They do so through the misuse of the company's computer network and, more specifically, through the downloading of files which may contain viruses, worms and Trojan horses (Gilman, 1991). Gilman's (1991) findings were confirmed more than a decade later by the FBI. A joint report issued by the FBI and the Computer Security Institute indicated that the majority of network security violations suffered by U.S. corporations were either knowingly or unknowingly caused by insider misuse of the corporate IT system (Rola, 2002). Similarly, Symantec (2003) issued a report which stated that insider incidents accounted for over 40% of all computer and network security violations suffered by US companies and that, while the majority of these incidents involved the unintentional compromising of the corporate network through system misuse, at least one-fifth of all incidents were deliberate (Symantec, 2003). On the basis of these studies, therefore, it appears that the prevalence of insider incidents makes it imperative that organizations institute mechanisms designed to control the employee threat.
2.2 Internal Investigations
Most organizations have investigative procedures which are launched in the wake of a proven attack or attempted attack. Kizza (2005) explains that upon the initial detection of an attack or attempted attack, it is difficult for organizations to immediately identify the source. They need to engage in trackback procedures to identify the source. Once they do, the IT department can begin to draw conclusions regarding whether the attack was deliberate or random; how it was enabled; and whether the attacker was an insider or not. If their digital investigations reveal that the attack was enabled by employee misuse of the