The application of Malaysian cyber security laws in regulating cyber insider threats in Malaysian organisations

The data security of an organisation is not only susceptible to malicious outsiders and exploitative attackers but also to insider threats. Preventing insider threats is particularly challenging, especially when they originate from seemingly trusted and authorised insiders. Currently, in Malaysia there are several legislation touch upon cyber security. Nevertheless, the regulation of cyber insider threats remain severely limited and inadequate. Organisations respond to insider threats risks by implementing their own cyber insider threat programmes. However, the extensive scrutiny and monitoring of employees that these programmes entail, may lead to dissatisfaction among employees or even a potential breach of their privacy rights. Hence, this thesis aims to study the concepts of cyber security and cyber insider threats in organisations; analyse the existing Malaysian cyber security laws related to cyber insider threats; examine the application of these laws in regulating cyber insider threats and study the strategies to balance employees’ right to privacy with the potential intrusion posed by insider threats programmes. Employing a qualitative research approach, nine professionals from different backgrounds in Malaysia were interviewed using a semi-structured approach. Data was collected on the applications of existing cyber security laws in regulating cyber insider threats and cyber insider threats programmes. The study found that there is a need to revise existing cyber security provisions to better regulate cyber insider threats. In many cases, individuals involved in insider threats face legal consequences, however, there are instances where they may evade charges or receive lesser penalties. Furthermore, cyber insider threats programmes have been found to prevent incidents by implementing strategies to detect, deter, and respond to potential threats within an organisation, demonstrating their effectiveness in combating cyber threats. Nonetheless, striking a balance between the right to monitor employees against insiders’ threats and the right to privacy of employees remains a critical challenge. The findings of the study are expected to contribute to the body of knowledge on cyber insider threats in Malaysia and assist the policy makers in improving the legal framework surrounding cyber insider threats and related programs.