{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {"date-parts": [[2026, 6, 10]], "date-time": "2026-06-10T14:29:06Z", "timestamp": 1781101746284, "version": "3.54.1"},
    "reference-count": 82,
    "publisher": "IGI Global Scientific Publishing",
    "issue": "4",
    "content-domain": {"domain": [], "crossmark-restriction": false},
    "short-container-title": [],
    "published-print": {"date-parts": [[2013, 10, 1]]},
    "abstract": "<p>Companies are increasingly engaging in complex inter-organisational networks of business and trading partners, service and managed security providers to run their operations. Therefore, it is now common to outsource critical business processes and to completely move IT resources to the custody of third parties. Such extended enterprises create individuals who are neither completely insiders nor outsiders of a company, requiring new solutions to mitigate the security threat they cause. This paper improves the method introduced in Franqueira et al. (2012) for the analysis of such threat to support negotiation of security agreements in B2B contracts. The method, illustrated via a manufacturer-retailer example, has three main ingredients: modelling to scope the analysis and to identify external insider roles, access matrix to obtain need-to-know requirements, and reverse-engineering of security best practices to analyse both pose-threat and enforce-security perspectives of external insider roles. The paper also proposes future research directions to overcome challenges identified.<\/p>",
    "DOI": "10.4018\/irmj.2013100104",
    "type": "journal-article",
    "created": {"date-parts": [[2014, 1, 20]], "date-time": "2014-01-20T14:27:25Z", "timestamp": 1390228045000},
    "page": "66-91",
    "source": "Crossref",
    "is-referenced-by-count": 1,
    "title": ["Engineering Security Agreements Against External Insider Threat"],
    "prefix": "10.4018",
    "volume": "26",
    "author": [
      {"given": "Virginia N. L.", "family": "Franqueira", "sequence": "first", "affiliation": [{"name": "Department of Computing, University of Central Lancashire, Preston, UK"}], "role": [{"vocabulary": "crossref", "role": "author"}]},
      {"given": "Andr\u00e9", "family": "van Cleeff", "sequence": "additional", "affiliation": [{"name": "Department of Computer Science, University of Twente, Enschede, The Netherlands"}], "role": [{"vocabulary": "crossref", "role": "author"}]},
      {"given": "Pascal", "family": "van Eck", "sequence": "additional", "affiliation": [{"name": "Department of Computer Science, University of Twente, Enschede, The Netherlands"}], "role": [{"vocabulary": "crossref", "role": "author"}]},
      {"given": "Roel J.", "family": "Wieringa", "sequence": "additional", "affiliation": [{"name": "Department of Computer Science, University of Twente, Enschede, The Netherlands"}], "role": [{"vocabulary": "crossref", "role": "author"}]}
    ],
    "member": "2432",
    "reference": [
      {"key": "irmj.2013100104-0", "unstructured": "AS2. (n.d.). AS2 processing for EDI. Retrieved March 2010, from http:\/\/www.dcs-is-edi.com\/AS2.html"},
      {"key": "irmj.2013100104-1", "volume": "Vol. 1", "year": "2000", "journal-title": "Auditing standards board. Statement on Auditing Standards No. 70, Service Organizations. Professional Standards"},
      {"key": "irmj.2013100104-2", "author": "C.Alberts", "year": "2002", "journal-title": "Managing information security risks: The OCTAVE approach"},
      {"key": "irmj.2013100104-3", "unstructured": "Aljafari, R., & Sarnikar, S. (2009). A framework for assessing knowledge sharing risks in inter-organizational networks. In Proceedings of the AIS Americas Conference on Information Systems (AMCIS 2009). AIS Electronic Library (AISeL)."},
      {"key": "irmj.2013100104-4", "author": "J. P.Anderson", "year": "1980", "journal-title": "Computer security threat monitoring and surveillance"},
      {"key": "irmj.2013100104-5", "unstructured": "Baker, W. H., Hutton, A., Hylender, C. D., Novak, C., Porter, C., Sartin, B., et al. (2009). 2009 data breach investigations report. Verizon Business Security Solutions. Retrieved September 2009, from http:\/\/www.verizonbusiness.com\/resources\/security\/reports\/2009_databreach_rp.pdf"},
      {"key": "irmj.2013100104-6", "unstructured": "Baker, W. H., Hylender, C. D., & Valentine, J. A. (2008). Data breach investigations report. Verizon Business Security Solutions. Retrieved September 2008, from www.verizonbusiness.com\/resources\/security\/databreachreport.pdf"},
      {"key": "irmj.2013100104-7", "author": "A.-L.Barab\u00e1si", "year": "2002", "journal-title": "Linked: How everything is connected to everything else and what it means for business and everyday life"},
      {"key": "irmj.2013100104-8", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.jbusres.2011.05.010"},
      {"key": "irmj.2013100104-9", "doi-asserted-by": "crossref", "unstructured": "Bernsmed, K., Jaatun, M. G., Meland, P. H., & Undheim, A. (2011). Security SLAs for federated cloud services. In Proc. of the Sixth International Conference on Availability, Reliability and Security (ARES'2011) (pp. 202-209). IEEE Press.", "DOI": "10.1109\/ARES.2011.34"},
      {"key": "irmj.2013100104-10", "doi-asserted-by": "crossref", "DOI": "10.4324\/9780203018460", "author": "E.Beulen", "year": "2006", "journal-title": "Managing IT outsourcing, governance in global partnerships"},
      {"key": "irmj.2013100104-11", "unstructured": "Bhala, S., Christodoulides, M., Cornwell, L., Jones, R., & Morris, B. (2010). UK security breach investigation report - An analysis of data compromise cases. 7Safe Limited. Retrieved March 2010, from http:\/\/7safe.com\/breach_report\/Breach_report_2010.pdf"},
      {"key": "irmj.2013100104-12", "author": "M.Bishop", "year": "2003", "journal-title": "Computer security: Art and science"},
      {"key": "irmj.2013100104-13", "doi-asserted-by": "crossref", "unstructured": "Bishop, M. (2005). Position: Insider is relative. In Proceedings of the 2005 New Security Paradigms Workshop (NSPW\u201905) (pp. 77\u201378). ACM Press.", "DOI": "10.1145\/1146269.1146288"},
      {"key": "irmj.2013100104-14", "doi-asserted-by": "publisher", "DOI": "10.1287\/orsc.1100.0641"},
      {"key": "irmj.2013100104-15", "unstructured": "Brackney, R. C., & Anderson, R. H. (2004). Understanding the insider threat: Proceedings of a March 2004 workshop. Retrieved March 2010, from www.rand.org\/pubs\/conf_proceedings\/2005\/RAND_CF196.pdf"},
      {"key": "irmj.2013100104-16", "author": "W. E.Burr", "year": "2006", "journal-title": "NIST special publication 800-63: Information security. Version 1.0.2"},
      {"key": "irmj.2013100104-17", "doi-asserted-by": "crossref", "unstructured": "Casey, T., Koeberl, P., & Vishik, C. (2010). Threat agents: A necessary component of threat analysis. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research (pp. 56:1-56:4). ACM Press.", "DOI": "10.1145\/1852666.1852728"},
      {"key": "irmj.2013100104-18", "year": "2012", "journal-title": "Control objectives for information and related technology - version 5"},
      {"key": "irmj.2013100104-19", "year": "2012", "journal-title": "COBIT 5 for information security"},
      {"key": "irmj.2013100104-20", "unstructured": "COSO. (1994). Internal control - Integrated framework by committee on sponsoring organizations of the treadway commission."},
      {"key": "irmj.2013100104-21", "doi-asserted-by": "publisher", "DOI": "10.1108\/09574090310806512"},
      {"issue": "3", "key": "irmj.2013100104-22", "doi-asserted-by": "crossref", "first-page": "491", "DOI": "10.2307\/259291", "article-title": "Between trust and control: Developing confidence in partner cooperation in alliances.", "volume": "23", "author": "T.Das", "year": "1998", "journal-title": "Academy of Management Review"},
      {"key": "irmj.2013100104-23", "doi-asserted-by": "publisher", "DOI": "10.1016\/S1353-4858(10)70057-X"},
      {"key": "irmj.2013100104-24", "doi-asserted-by": "publisher", "DOI": "10.1007\/s10550-007-0013-9"},
      {"key": "irmj.2013100104-25", "author": "H.Dikow", "year": "2013", "journal-title": "Improving the accuracy of business-to-business (B2B) reputation systems through rater expertise prediction (Tech Report)"},
      {"key": "irmj.2013100104-26", "unstructured": "ETSI-TS-102-165-1. (2011). Part 1: Method and proforma for threat, risk, vulnerability analysis. European Telecommunications Standardisation Institute (ETSI), v 4.2.3."},
      {"key": "irmj.2013100104-27", "author": "D. F.Ferraiolo", "year": "2003", "journal-title": "Role-based access control"},
      {"key": "irmj.2013100104-28", "doi-asserted-by": "crossref", "unstructured": "Franqueira, V. N. L., Houmb, S. H., & Daneva, M. (2010b). Using real option thinking to improve decision making in security investment. In Proceedings of the 2010 International Conference on On the Move to Meaningful Internet Systems (OTM'10) (pp. 619\u2212638). Springer Press.", "DOI": "10.1007\/978-3-642-16934-2_46"},
      {"key": "irmj.2013100104-29", "doi-asserted-by": "crossref", "unstructured": "Franqueira, V. N. L., van Cleeff, A., van Eck, P. A. T., & Wieringa, R. J. (2010a). External insider threat: A real security challenge in enterprise value webs. In Proceedings of the Fifth International Conference on Availability, Reliability and Security (ARES\u20192010) (pp. 446\u2013453). IEEE Press.", "DOI": "10.1109\/ARES.2010.40"},
      {"key": "irmj.2013100104-30", "doi-asserted-by": "crossref", "unstructured": "Franqueira, V. N. L., van Cleeff, A., van Eck, P. A. T., & Wieringa, R. J. (2012). Securing the extended enterprise: A method for analyzing external insider threat. In Gupta, M., Walp, J., Sharman, R. (Eds.), Strategic and practical approaches for information security governance: Technologies and applied solutions (pp. 195-222). Hershey, PA: Information Science Publishing (IGI Global). ISBN 978-1-46660-197-0.", "DOI": "10.4018\/978-1-4666-0197-0.ch012"},
      {"key": "irmj.2013100104-31", "doi-asserted-by": "crossref", "unstructured": "Gordijn, J., Akkermanns, J. M., & van Vliet, J. C. (2000). Business modelling is not process modelling. In Conceptual modeling for e-business and the web (pp. 40\u201351), LNCS 1921. Springer Press.", "DOI": "10.1007\/3-540-45394-6_5"},
      {"key": "irmj.2013100104-32", "doi-asserted-by": "publisher", "DOI": "10.1007\/s00766-003-0169-x"},
      {"key": "irmj.2013100104-33", "doi-asserted-by": "publisher", "DOI": "10.1086\/225469"},
      {"key": "irmj.2013100104-34", "unstructured": "Gupta, A., & Zhdanov, D. (2007). Growth and sustainability of managed security services networks: An economic perspective. In Proceedings of the 7th Workshop on the Economics of Information Security (WEIS\u201907). Retrieved March 2010, from http:\/\/weis07.infosecon.net\/papers\/65.pdf"},
      {"key": "irmj.2013100104-35", "doi-asserted-by": "publisher", "DOI": "10.1016\/S0148-2963(00)00148-X"},
      {"key": "irmj.2013100104-36", "unstructured": "Hayden, M. V. (1999). The insider threat to U.S. government information systems. Advisory Memoranda NSTISSAM INFOSEC 1-99."},
      {"key": "irmj.2013100104-37", "doi-asserted-by": "crossref", "unstructured": "Henning, R. R. (2000). Security service level agreements: Quantifiable security for the enterprise? In Proc. of the 1999 Workshop on New Security Paradigms (NSPW'99) (pp. 54-60). ACM Press.", "DOI": "10.1145\/335169.335194"},
      {"key": "irmj.2013100104-38", "unstructured": "HIPAA. (2003). HIPAA security rule. Retrieved June 2013, from http:\/\/www.hhs.gov\/ocr\/privacy\/hipaa\/understanding\/srsummary.html"},
      {"key": "irmj.2013100104-39", "doi-asserted-by": "publisher", "DOI": "10.1109\/MITP.2008.90"},
      {"key": "irmj.2013100104-40", "unstructured": "Insight Consulting. (2005). CRAMM user guide. Risk analysis and management method. Version 5.1."},
      {"key": "irmj.2013100104-41", "unstructured": "ISO\/IEC-27001. (2005). Information technology. Security techniques. Information security management systems. Requirements."},
      {"key": "irmj.2013100104-42", "unstructured": "ISO\/IEC-27002. (2005). Information technology. Security techniques. Code of practice for information security management."},
      {"key": "irmj.2013100104-43", "unstructured": "ISO\/IEC-27005. (2011). Information technology. Security techniques. Information security risk management."},
      {"key": "irmj.2013100104-44", "year": "2011", "journal-title": "ITIL service design"},
      {"key": "irmj.2013100104-45", "year": "2011", "journal-title": "ITIL service transition"},
      {"key": "irmj.2013100104-46", "doi-asserted-by": "crossref", "unstructured": "Jaatun, M. G., Bernsmed, K., & Undheim, A. (2012). Security SLAs \u2013 An idea whose time has come? In Proc. International Cross-Domain Conference and Workshop (CD-ARES'2012) (pp. 123-130). Springer Press.", "DOI": "10.1007\/978-3-642-32498-7_10"},
      {"key": "irmj.2013100104-47", "doi-asserted-by": "publisher", "DOI": "10.1080\/09537280110042675"},
      {"key": "irmj.2013100104-48", "unstructured": "Jericho-Forum. (n.d.). The what & why of de-perimeterization. Retrieved from http:\/\/www.opengroup.org\/jericho\/deperim.htm"},
      {"key": "irmj.2013100104-49", "article-title": "Managing knowledge leakage in strategic alliances: The effects of trust and formal contracts.", "author": "X.Jiang", "journal-title": "Industrial Marketing Management"},
      {"key": "irmj.2013100104-50", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.entcs.2006.08.030"},
      {"issue": "4", "key": "irmj.2013100104-51", "first-page": "22", "article-title": "From ABAC to ZBAC: The evolution of access control models.", "volume": "8", "author": "A. H.Karp", "year": "2010", "journal-title": "ISSA (Information Systems Security Association) Journal"},
      {"key": "irmj.2013100104-52", "doi-asserted-by": "publisher", "DOI": "10.2307\/249657"},
      {"issue": "2", "key": "irmj.2013100104-53", "first-page": "511", "article-title": "The economics of computer hacking.", "volume": "1", "author": "P. T.Leeson", "year": "2006", "journal-title": "Journal of Law, Economics & Policy"},
      {"key": "irmj.2013100104-54", "unstructured": "Microsoft. (2002). The STRIDE threat model. Retrieved August 2013, from http:\/\/msdn.microsoft.com\/en-us\/library\/ee823878%28v=cs.20%29.aspx"},
      {"key": "irmj.2013100104-55", "doi-asserted-by": "crossref", "unstructured": "Morali, A., & Wieringa, R. J. (2010). Risk-based confidentiality requirements specification for outsourced IT systems. In Proc. of the 18th IEEE Int. Requirements Engineering Conference (RE\u201910) (pp. 199-208). IEEE Press.", "DOI": "10.1109\/RE.2010.30"},
      {"key": "irmj.2013100104-56", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.jbusres.2006.10.001"},
      {"key": "irmj.2013100104-57", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.jbusres.2011.05.015"},
      {"key": "irmj.2013100104-58", "year": "2006", "journal-title": "Glossary of key information security terms"},
      {"key": "irmj.2013100104-59", "unstructured": "Payment Card Industry Security Standards Council. (2010). PCI quick reference guide to the payment card industry (PCI) data security standard (DSS), version 2.0. Retrieved June 2013, from https:\/\/www.pcisecuritystandards.org\/documents\/PCI SSC Quick Reference Guide.pdf"},
      {"key": "irmj.2013100104-60", "doi-asserted-by": "publisher", "DOI": "10.1108\/eb039075"},
      {"key": "irmj.2013100104-61", "doi-asserted-by": "crossref", "unstructured": "Rossebo, J. E. Y., Cadzow, S., & Sijben, P. (2007). eTVRA, a threat, vulnerability and risk assessment method and tool for eEurope. In Proceedings of the 2nd International Conference on Availability, Reliability and Security (pp. 467-471). IEEE Press.", "DOI": "10.1007\/11755593_38"},
      {"key": "irmj.2013100104-62", "doi-asserted-by": "crossref", "unstructured": "Salem, M. B., Hershkop, S., & Stolfo, S. J. (2008). A survey of insider attack detection research. In Advances in information security: Vol. 39. Insider attack and cyber security (pp. 69\u201390). Springer Press.", "DOI": "10.1007\/978-0-387-77322-3_5"},
      {"key": "irmj.2013100104-63", "unstructured": "Sarbanes, P. S., & Oxley, M. (2002). U.S. public law 107-204. 30 July 2002."},
      {"key": "irmj.2013100104-64", "doi-asserted-by": "publisher", "DOI": "10.1080\/1366987032000105315"},
      {"key": "irmj.2013100104-65", "doi-asserted-by": "crossref", "unstructured": "Smith, K. T. (2012). Mitigating risks associated with transitive trust in service-based identity propagation. Information Security Journal: A Global Perspective, 21(2), 71-78.", "DOI": "10.1080\/19393555.2011.642064"},
      {"key": "irmj.2013100104-66", "unstructured": "Solhaug, B., Elgesem, D., & Stolen, K. (2007). Why trust is not proportional to risk. In Proceedings of the Second International Conference on Availability, Reliability and Security (ARES\u201907) (pp. 11\u201318). IEEE Press."},
      {"key": "irmj.2013100104-67", "doi-asserted-by": "crossref", "unstructured": "Spitzner, L. (2003). Honeypots: Catching the insider threat. In Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC\u201903) (pp. 170\u2013179). IEEE Press.", "DOI": "10.1109\/CSAC.2003.1254322"},
      {"key": "irmj.2013100104-68", "unstructured": "Starr, R., Newfrock, J., & Delurey, M. (2003). Enterprise resilience: Managing risk in the networked economy. Strategy+Business, 2003(30), 1-10."},
      {"key": "irmj.2013100104-69", "doi-asserted-by": "crossref", "unstructured": "Steen, M. W. A., Akehurst, D. H., ter Doest, H. W. L., & Lankhorst, M. M. (2004). Supporting viewpoint-oriented enterprise architecture. In Proceedings of the Eighth International Enterprise Distributed Object Computing Conference (EDOC'2004) (pp. 201-211). IEEE Press.", "DOI": "10.1109\/EDOC.2004.1342516"},
      {"key": "irmj.2013100104-70", "doi-asserted-by": "publisher", "DOI": "10.1108\/17410390610636904"},
      {"key": "irmj.2013100104-71", "unstructured": "The Open Group. (n.d.). ArchiMate. Retrieved from http:\/\/www.opengroup.org\/subjectareas\/enterprise\/archimate"},
      {"key": "irmj.2013100104-72", "doi-asserted-by": "publisher", "DOI": "10.1080\/09537280110042666"},
      {"key": "irmj.2013100104-73", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.jengtecman.2009.06.006"},
      {"key": "irmj.2013100104-74", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.istr.2011.02.002"},
      {"key": "irmj.2013100104-75", "first-page": "105", "article-title": "Rethinking de-perimeterisation: Problem analysis and solutions.", "volume": "2009", "author": "A.van Cleeff", "year": "2009", "journal-title": "Proc. of the IADIS Int. Conf. Information Systems"},
      {"key": "irmj.2013100104-76", "unstructured": "Verizon. (2012). 2012 data breach investigations report. Retrieved from http:\/\/www.verizonenterprise.com\/resources\/reports\/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf"},
      {"key": "irmj.2013100104-77", "doi-asserted-by": "publisher", "DOI": "10.1016\/j.future.2010.04.015"},
      {"key": "irmj.2013100104-78", "unstructured": "Weiland, R. M., Moore, A. P., Cappelli, D. M., Trzeciak, R. F., & Spooner, D. (2010). Spotlight on: Insider threat from trusted business partners. Carnegie Mellon University: Software Engineering Institute. Retrieved from http:\/\/www.cert.org\/archive\/pdf\/TrustedBusinessPartners0210.pdf"},
      {"key": "irmj.2013100104-79", "doi-asserted-by": "crossref", "unstructured": "Wiendahl, H.-P., & Lutz, S. (2002). Production in networks. CIRP Annals - Manufacturing Technology, 51(2), 573\u2013586.", "DOI": "10.1016\/S0007-8506(07)61701-6"},
      {"key": "irmj.2013100104-80", "doi-asserted-by": "crossref", "unstructured": "Wieringa, R., Pijpers, V., Bodenstaff, L., & Gordijn, J. (2008). Value-driven coordination process design using physical delivery models. In Proc. of the 27th Int. Conference on Conceptual Modeling (pp. 216\u2013231). LNCS, Springer Verlag.", "DOI": "10.1007\/978-3-540-87877-3_17"},
      {"key": "irmj.2013100104-81", "author": "P. J.Windley", "year": "2005", "journal-title": "Digital identity"}
    ],
    "container-title": ["Information Resources Management Journal"],
    "original-title": [],
    "language": "ng",
    "link": [{"URL": "https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=99713", "content-type": "unspecified", "content-version": "vor", "intended-application": "similarity-checking"}],
    "deposited": {"date-parts": [[2022, 6, 1]], "date-time": "2022-06-01T11:53:51Z", "timestamp": 1654084431000},
    "score": 1,
    "resource": {"primary": {"URL": "https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/irmj.2013100104"}},
    "subtitle": [""],
    "short-title": [],
    "issued": {"date-parts": [[2013, 10, 1]]},
    "references-count": 82,
    "journal-issue": {"issue": "4", "published-print": {"date-parts": [[2013, 10]]}},
    "URL": "https:\/\/doi.org\/10.4018\/irmj.2013100104",
    "relation": {},
    "ISSN": ["1040-1628", "1533-7979"],
    "issn-type": [{"value": "1040-1628", "type": "print"}, {"value": "1533-7979", "type": "electronic"}],
    "subject": [],
    "published": {"date-parts": [[2013, 10, 1]]}
  }
}
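The abstract names three ingredients of the method: modelling the extended enterprise to identify external insider roles, an access matrix that yields need-to-know requirements, and a pose-threat / enforce-security reading of each role. The Python below is an added illustration of the first two ingredients and of how the resulting matrix can be used to review the access clauses of a draft B2B security agreement; it is not code from the paper, and the manufacturer, retailer, managed security provider, roles, assets, process steps and contract grants are all constructed for the example (the paper's own manufacturer-retailer case data is not reproduced here).

```python
"""Need-to-know access matrix for external insider roles.

Added illustration: the organisations, roles, assets and process steps
below are constructed for this example and are not the case data of
Franqueira et al. (2013).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Grant = Tuple[str, str, str]  # (role name, asset, operation)


@dataclass(frozen=True)
class Role:
    name: str
    organisation: str  # the company that employs the role holder


@dataclass(frozen=True)
class ProcessStep:
    """One step of a cross-organisational business process: the role that
    performs it and the (asset, operation) pairs the step needs."""
    name: str
    role: Role
    needs: FrozenSet[Tuple[str, str]]


def external_insider_roles(steps: List[ProcessStep],
                           asset_owner: Dict[str, str],
                           focal_org: str) -> Set[Role]:
    """Roles employed by another organisation that need access to at least
    one asset owned by focal_org: neither full insiders nor outsiders."""
    result: Set[Role] = set()
    for step in steps:
        if step.role.organisation == focal_org:
            continue
        if any(asset_owner[a] == focal_org for a, _ in step.needs):
            result.add(step.role)
    return result


def need_to_know_matrix(steps: List[ProcessStep],
                        asset_owner: Dict[str, str],
                        focal_org: str) -> Dict[str, Dict[str, Set[str]]]:
    """Access matrix role -> asset -> operations, holding exactly the
    access to focal_org's assets that the process steps require."""
    matrix: Dict[str, Dict[str, Set[str]]] = {}
    for step in steps:
        for asset, op in step.needs:
            if asset_owner[asset] != focal_org:
                continue
            matrix.setdefault(step.role.name, {}).setdefault(asset, set()).add(op)
    return matrix


def check_agreement(matrix: Dict[str, Dict[str, Set[str]]],
                    granted: Dict[str, Dict[str, Set[str]]]) -> Tuple[List[Grant], List[Grant]]:
    """Compare the access a draft agreement grants with the need-to-know matrix.

    excess  : granted but not needed (pose-threat view: surplus access an
              external insider could misuse; strike it from the contract)
    missing : needed but not granted (enforce-security view: the process
              cannot run, so the partner will work around the control)
    """
    excess: List[Grant] = []
    missing: List[Grant] = []
    for role in set(matrix) | set(granted):
        need = matrix.get(role, {})
        have = granted.get(role, {})
        for asset in set(need) | set(have):
            for op in have.get(asset, set()) - need.get(asset, set()):
                excess.append((role, asset, op))
            for op in need.get(asset, set()) - have.get(asset, set()):
                missing.append((role, asset, op))
    return sorted(excess), sorted(missing)


# Constructed case: a manufacturer (the focal company) that sells through a
# retailer and outsources security monitoring to a managed security provider.
FOCAL = "Manufacturer"
ASSET_OWNER = {"order_db": "Manufacturer", "product_designs": "Manufacturer",
               "siem_logs": "Manufacturer", "retail_pos": "Retailer"}
RETAILER_BUYER = Role("retailer_buyer", "Retailer")
MSSP_ANALYST = Role("mssp_analyst", "MSSP")
MFG_PLANNER = Role("mfg_planner", "Manufacturer")
STEPS = [
    ProcessStep("place_order", RETAILER_BUYER,
                frozenset({("order_db", "write"), ("retail_pos", "read")})),
    ProcessStep("confirm_order", MFG_PLANNER,
                frozenset({("order_db", "read"), ("order_db", "write")})),
    ProcessStep("monitor_security", MSSP_ANALYST, frozenset({("siem_logs", "read")})),
]
# Access clauses of a constructed draft contract: the retailer asked for more
# than the order process needs, and the MSSP clause is still empty.
DRAFT_GRANTS = {
    "retailer_buyer": {"order_db": {"read", "write"}, "product_designs": {"read"}},
    "mssp_analyst": {},
}


def review_draft():
    """Scope the analysis to external insider roles, then check the draft."""
    roles = external_insider_roles(STEPS, ASSET_OWNER, FOCAL)
    matrix = need_to_know_matrix(STEPS, ASSET_OWNER, FOCAL)
    externals_only = {r.name: matrix.get(r.name, {}) for r in roles}
    excess, missing = check_agreement(externals_only, DRAFT_GRANTS)
    return sorted(r.name for r in roles), excess, missing


if __name__ == "__main__":
    roles, excess, missing = review_draft()
    print("external insider roles:", roles)
    print("over-privileged clauses:", excess)
    print("clauses still missing:", missing)
```

The internal planner drops out of the review because it is the manufacturer's own employee, and the retailer's point-of-sale system drops out because the manufacturer does not own it; what remains is exactly the cross-boundary access a contract has to govern. Both lists matter in negotiation: the excess list is what the focal company should refuse to grant, and the missing list is what the partner will legitimately insist on.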