Michael D. Moberly   August 18, 2009

Insider theft of IP and intangible assets will likely continue to rise and become even more irreversably devastating to (victim) companies.  In large part the increase is attributable to two things:

1. the economic fact - business reality that higher percentages (65+%) of company value, sources of revenue, sustainability, and future growth now lie in - evolve from intangible assets such as intellectual property, proprietary know how, and other forms of intellectual capital that are readily available and vulnerable.

2. the category/class of insider thief which Carnegie Mellon’s CERT Program calls ‘the entitled independant’. 

In their recently published report titled ‘Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model’ an entitled independant is described as an ambitious insider, acting alone, who steals information which they have contributed to its development.  They do this in order to take it to a new job or to use in their own side business. 

Of the ’entitled independants’ CERT studied, nearly 75% were actually involved in the development of the (proprietary) information they ultimately stole and came to possess a ’sense of entitlement’ which can manifest itself further in some instances as a ’sense of ownership’.  A correlation exists between the entitled independants’ perception of contribution and the likelilhood they will develop a sense of entitlement (ownership).

Many management teams and decision makers will undoubtedly find these findings interesting.  But, to those who remain dismissive or hesitant to act on CERT’s findings and models, they’re encouraged to also review McAfee’s recent survey titled ’Unsecured Economies: Protecting Vital Information’.  Here, respondents agreed (not surprisingly) that if an employee, perhaps comparable to CERT’s ’entitled independant’ is able to appropriate (steal) valuable information assets it will likely lead to the production of a comparable product or service (albeit it a counterfeit or involving infringement) and win space in the marketplace at a far lower cost.

Preferably though, as more management teams and business decision makers come to recognize just how relevant IP and intangible assets are to their company’s value, revenue, sustainability, and growth, their motivation to seek out and act on the findings of relevant reseach studies, like those produced by CERT and PERSEREC (Personnel Security Research Center) will elevate.  

Be assured though, company management teams will want their awareness to be simultaneously joined by effective and precise strategies to mitigate, counter, and/or combat the findings that resonate (with them) most.  Such strategies should commence with, (1.) purposeful dialogue among a company’s various (turf oriented) professional disciplines and business units, i.e., specialists in information asset protection, HR, IP, IT security, risk management, marketing, R&D, etc., and (2.) disciplined attitudes (among the various disciplines) to reach consensus on what actions are necessary to effectively address (mitigate, counter, prevent) the risks on an enterprise wide basis.

- 36% of the respondents conveying ‘worry about the security threat from financially strapped employees’.

‘With more sophisticated technologies at their fingertips and increased access to data, it has become easier for current employees and other insiders, such as contractors, consultants, suppliers, and vendors, to steal information. Data thefts by insiders tend to have greater financial impact given the higher level of data access, and, when combined with the affect of today’s economic realities on IT security spend, this could mean even greater financial risk to corporations’. (Tim Shimeall, Carnegie Mellon University’s CERT/NetSA)

Ultimately, financial information becomes a recognized and sought after currency for employees. It presents much greater incentives (for employees - insiders of all stripes) to steal valuable, proprietary, competitive advantage information and data for (a.) personal financial gain, (b.) to try to improve their job opportunities by ‘peddling’ it to unscrupulous or naïve competitors, or (c.) to literally start companies of their own by using the knowledge and insight they gained (stole) from their former employer.

In addition, the substantial cutbacks in company travel have, for all practical purposes, significantly curtailed or altogether ended on-site visits, inspections, personnel training, and audits for safeguarding a company’s sensitive information assets. We can assume that in many instances, security practitioners are adapting to those realities by de-centralizing and delegating their ’information asset protection and oversight’ role to on-site personnel.

In a study conducted by Insight Express and Cisco Systems, it was found that almost 20% of users admitted to altering the security settings on company-issued devices so they could access unauthorized websites;

- 24% of these respondents further admitted to sharing sensitive company information with others, and

- 44% admitted to allowing others to use their company-issued devices without supervision.

In yet another new Dark Reading report titled ‘Well Intentioned Employees - And How To Stop Them’ it was revealed that employees can cause breaches (aside from losing laptops) in many different ways, some without realizing it, e.g., insider breaches attributed to common user errors such as falling prey to phishing scams.

The Ponemon Institute, in their recent study, reported that:

- negligence accounts for 88% of insider breaches, and malicious attacks account for only 12%…

Palo Alto Networks (a firewall vendor) conducted an analysis (of insider threats/risks) to find that the source of several recent high-profile (company sensitive data/information) breaches was due to:

- the growing intentional (employee) disregard of company security policies which most larger firms are finding is unauthorized peer-to-peer application traffic!

 ’Houston, we’ve got a problem’!!

And lastly, a survey conducted by Cyber-Ark Software reported that:

- 60% of U.S. workers have (already) downloaded sensitive corporate data in anticipation of (their) future layoff

Interesting, this is approximately the same percentage that terminated employees take (proprietary, sensitive company )data and information with them when they leave as previously reported by the Ponemon Institute study.

Michael D. Moberly   January 31, 2009

It’s a wake-up call for companies globally, that is, it’s essential to ’shift their mindsets in the way they value (their) intellectual property’ and, I might add, that  mindset shift should also include their intangible assets, competitive advantages, and proprietary information.  The fact that 70+% of most company’s value, sources of revenue, and sustainability are directly linked to intangible assets and IP is, slowly being recognized - accepted by c-suites as both an economic fact and business reality.  In other words, information assets are ‘becoming firmly established as an (the) international form of currency’.

But, to exacerbate the situation, ‘traditional operational boundaries of organizations are (literally) disappearing’, that is, ‘information assets are subject to various jurisdictions, infrastructures, and cultures, including those of suppliers and partners’.  These trends are ’making it more difficult to lock down IP in order to ensure its safety’.

Despite these well grounded concerns, as reported in McAfee’s study, but well known among information asset protection professionals, ’many companies continue to leave themselves open to exploitation and attack because they don’t realize (1.) the value, and (2.) location of their IP’.  Let me emphasize to the readers how unfortunate this particular finding really is.  As consistently reported in this blog, it’s an undisputed economic fact - business reality that increasing percentages (ranging from 60% to as high as 90+% depending on the type of company) of (a.) company value, (b.) sources of revenue, and (c.) future wealth creation (sustainability) lie in intangible assets and IP.  For c-suites, not knowing either the value or the location of the dominant sources of their company’s value, revenue sources, or sustainability speaks volumes about what may be in the offing.

Michael D. Moberly      December 12, 2008

Information asset protection is not solely about recognizing and (subjectively) assessing risks and threats anymore.  It’s also about recognizing and distinguishing the value of (targeted, high value. competitive advantage) information assets, which broadly speaking, fall into two categories:

   - Objective value: Information assets that have objective value are often directly linked to business continuity, i.e., legal, financial, etc.

  - Subjective value: Information assets that have subjective value tend to evolve-flow from their nature and/or context, i.e., customer lists, pricing lists, strategic planning documents, new product launches, etc.

Distinguishing informations assets’ subjective - objective value has relevance to the role of information asset protection specialists on two levels, i.e., by providing (1.) context/perspective for identifying what type of safeguards are necessary (suitable) and how to operationally segregate the safeguards, i.e., protection processes, technologies, practices, procedures, etc., and (2.) insight about the expected/anticipated immediacy and criticality of adverse impacts to a company should a particular risk/threat materialize, and/or (b.) information loss occur.

Information asset protection is also about understanding basic methodologies for valuing the information assets, i.e.,

Fair Market Value - The price which property (ala information assets) would exchange hands between a willing buyer and a willing seller with neither being under any compulsion to buy or sell and with both having reasonable knowledge of the relevant facts.

    For example - in instances in which an insider acquires and sells information assets to an information broker, business intelligence operative, competitor, or foreign agent without knowing the ultimate end user, ‘fair market value’ is merely a euphenism for the highest price.

Value-in-Exchange - Considers the action of buyers, sellers, and investors and implies the value at which the asset (proprietary information, trade secret, etc.) would sell on a piecemeal - compartmentalized basis.

    For example - the proprietary information/trade secret sought and acquired by the insider has multiple and/or stand alone elements of value, i.e., a formula, plus the process to operationalize that formula.

Value-in-Use - The value of a piece of proprietary information and/or trade secret that is an on-going contributory element to the business enterprise.

    For example - the asset sought/acquired is integral to a company’s business operations and is necessary to sustain market share, competitive advantages, image, goodwill, etc., i.e., Coca-Cola syrup recipe.

Michael D. Moberly  - November 13, 2008

The findings of several quality studies, most notably those produced by PERSEREC and Carnegie-Mellon’s CERT, convey significant challenges stemming from ’insiders’ relative to the threats-risks they pose to proprietary information, trade secrets, IP, and know how.  Those studies provide us with important insights and perspectives regarding the who, what, how, and even possibly how (information) losses/compromises were detected. 

By all accounts, the challenges of safeguarding valuable/sensitive information assets in globally operating companies and the losses attributed to insiders, is on the rise.  The precise number of (insider theft-compromise of information asset) incidents companies’ experience, the dollar amount of those losses, and/or the end-use beneficiaries of the stolen-compromised assets is often blurred or incomplete because, among other things, (a.) evidence is largely anecdotal and/or company specific, (b.) victim companies are frequently predisposed to assume the culprit is foreign national or economic-defense adversary, (c.)instructive evidentiary-investigatory elements of the incident(s) become classified, and/or (d.) facts about an incident are considered reputationally proprietary by the victim company.

Carnegie-Mellon University’s CERT research unit identified the following attributes of an insider, albeit with respect to a study regarding ‘IT sabotage’:

1. Access - an insider can target a company from behind it’s perimeter defenses and not cause suspicion…

2. Knowledge, trust, familiarity - of both the IT system and the target and permits insiders’ to perform discovery without arousing suspicion…

3. Privileges - an insider can readily obtain the necessary privileges necessary to conduct an attack…

4. Skills - insiders can mount an attack and can work within the target’s domain expertise…

5. Risk - insiders tend to be very risk averse in preparing for and conducting the attack…

6. Method - insiders are likely to work alone, but may recruit and/or co-op a trusted colleague for facilitation and/or enabling purposes…

7. Tactics - may include either (a.) plant, hit, and run, (b.) attack and eventually run, (c.) attack until caught, and/or (d.) espionage…

8.  Motivation - an insider may engage in an act for (a.) profit, (b.) getting paid to disrupt the target, (c.) provoke change in the company/target, (d.) blackmail, (e.) subvert the mission of the target, (f.) personal motive, or (g.) revenge…\

9. Predictable Processes - the motivation for an attack by an insider can evolve from (a.) a particular event, (b.) sense of discontent, (c.) being ‘planted’ to conduct the attack, (d.) adversary identifies a target and mission that meets their (or, another parties’) needs…

From these nine attributes of insiders who engage in ‘IT sabotage’ three important questions arise:

First - with respect to the attributes, can they be extrapolated - are they applicable to the risks/threats presented by insiders to a company’s information assets, in addition to IT system sabotage?

Second - if so, can these attributes (relevant to ‘insiders’) be consistently identified and assessed (legally) using existing pre-employment screening tools?

Third - if the above attributes are not found to be present (in an applicant) at the time of hire, should companies, given the enormous stakes, invest in post-hire (periodic honesty, integrity, attitudinal) screening of employees to detect the acquisition/presence of certain proclivities, propensities, and/or an overall receptivity to engage in adverse acts or policy violations affecting the security (control, use, ownership, and value) of their employer’s information assets, e.g., theft, infringment, compromise, etc.?

Michael D. Moberly   September 19, 2008

Studies and experiential evidence continue to mount insofar as identifying new twists, nuances, and motives regarding insiders’ inclination to engage in theft, misappropriation, leakage, and/or compromise their employer’s proprietary information, know how, intellectual property, and/or trade secrets which, when it occurs, will, with increasing certainty, have costly and often times irreversible consequences.

In my judgment, companies are now obliged, perhaps more than ever before, to literally re-think those elements of their (enterprise-wide) information security policies that address risks - threats posed by insiders that unfortunately, and all-too-frequently, begin and end shortly after an employee is hired.  Companies are further obliged to recognize that periodic (post hiring) monitoring of employees, not solely focused on their IT - computer (system) usage and/or access, but also include their psychological - behavioral (a.) propensity, (b.) proclivity, and/or (c.) receptivity to engage in adverse acts and/or policy violations that expose a company’s extraordinarily valuable and revenue producing information-intangible assets to compromise, theft, misappropriation, or infringement, etc.  Of course, any such initiatives must be (d.) respectful, (e.) legally defensible, and (f.) culturally compatible with the increasingly diverse work force which is the norm for globally operating companies.

The importance of addressing the risks - threats presented by insiders is elevated, again, in my judgment, due to the economic fact - business reality that today, increasing percentages, as much as 75+%, of most company’s value, sources of revenue, and future wealth creation lie in - are directly linked to intangible assets, that is, its IP, proprietary information and know how, etc., each of which are knowledge based, originated, and built.

As a company’s (g.) profitability, (h.) sustainability, (i.) global market position, and (j.) future wealth creation are increasingly and inextricably linked to those information (intangible) assets, the will and resources necessary to appropriately and effectively address the significant and persistent challenges presented by insiders should become a routinely visited - monitored fixture on every security managers’ dashboard and every company’s c-suite agenda!

Michael D. Moberly   August 8, 2008

It’s an unfortunate reality, but one that company’s must face in respectful, practical, and legally defensible ways, that is, ’insiders’ (employees) are, with growing frequency, a company’s most consistent, aggressive, and successful competitor! 

Insiders are stealing, misappropriating, infringing, and selling their employer’s proprietary - competitive advantage information, trade secrets, and intellectual property (IP) at a pace that’s not fully conveyed by merely counting the number of (state, federal) criminal or civil charges filed or terminations executed. 

So, why am I suggesting the probability that the insider issue be ratcheted up to become a higher priority for companies?  Well, there are four credible answers to that question:

1. It’s an indisputable economic fact - business reality that today 75+% of most companies’ value, sources of revenue and future wealth creation evolve directly from its intangible assets which include IP, proprietary know how, trade secrets, competitive advantages, strategic plans, etc.!

2. The time frames (windows) when companies’ can effectively extract - exploit value from those assets is routinely being compressed do, in large part, to the hyper-competitive, predatorial, winner-take-all global business environment!

3. Stealing proprietary information is unfortunately, still relatively easy to accomplish, and the probability of an employee getting caught ‘in the act’ so to speak, or the loss being noticed in reasonably close time proximity, while becoming more favorable, seldom compares to the immediacy of the considerable economic-competitive advantage pain the loss can cause!

4.  The ASIS Trends In Proprietary Information Loss Survey, the Annual Report To the President on Economic Espionage by the National Counterintelligence Executive, the FBI Director, and various other national voices and credible studies find that U.S. companies lose between $50 billion and perhaps as much as $200 billion annually from theft and misappropriation of trade secrets, proprietary information, and intellectual property!

There are two conceptual starting points, in my judgment, for addressing this phenomena:

1. Coming to grips with the reality that stealing a company’s proprietary information is seldom the product of the ’one bad apple’ theory!  Rather, as learned from my own experiences and from numerous current studies, particularly those conducted by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit, insider theft represents a persistent problem that literally permeates companies’ ranks of employees.

2. The focus (for addressing insider issues) shouldn’t always be on who’s doing it, because we already know it’s very likely to be an ‘insider’ in some form or fashion, rather companies’ must focus on their vulnerabilities and the fact that it can and will occur!

One thing remains clear in my judgment, continuing to rely on snap-shot-in-time honesty-integrity (types of) pre-employment screeing assessments that are oriented more toward projecting an employee’s proclivity for stealing tangible-physical assets, i.e., desk staplers, rather than ultra-valuable proprietary information are unacceptable and no match for the stealthy practices of insiders’ bent on doing their company economic harm!

Michael D. Moberly   August 7, 2008

Among information asset protection professionals, there’s an adage or ‘rule of thumb’ which many still believe constitutes a fairly realistic, but admittedly broad characterization of people we work with which is euphemistically referred to as the ‘20-60-20 rule’!

One -  20% of the people we work with are inherently honest and possess consistently high levels of integrity with virtually no proclivities, propensities, or receptivity to engaging in risky, unethical, or dishonest behaviors, acts, or violations of company information security policy.  In other words, they’re typically not the  individuals whom security professionals express much concern about (them) stealing, misappropriating, or infringing proprietary information, trade secrets, IP, or other information-based intangible assets.

Two - Then, there’s 20% of the people we work with who are on the opposite end of the spectrum.  When their sometimes relatively thin social-psychological veneer is scratched, we may find inherently dishonest and unethical individuals possessing mis-guided, or little, if any, sense of integrity or loyalty with respect to complying with company policies or government laws/regulations related to protecting proprietary information, trade secrets, or IP.  This group, for example would likely be receptive too - possess the proclivity and/or propensity, when certain opportunities or influencers’ are present, to engage in risky, unethical, and/or illegal acts and behaviors that result in the loss or compromise of valuable knowledge-based assets. 

What may be worse, is the alarming number of instances - circumstances which the outer fringes of this group are inclined to become actual initiators’ of external solicitation/elicitation initiatives.  Translated, this means they may contact competitors or other (global) economic-competitive advantage adversaries to leak and/or offer for sale their employer’s proprietary information, trade secrets, or IP for personal profit-gain or various other reasons.

Three - Lastly, there’s the 60% of the people we work with that are ’in the middle’, so to speak.  These individuals typically do not (overtly) demonstrate any particular receptivity, proclivity, or propsensity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employers proprietary information, trade secrets, or IP at risk to theft, misappropriation, infringement, or compromise.  However, and its a big however, the outer fringes of this group, closest to the 20% characterized in #2 above, are observant!  That is, their future actions and behaviors may be variously dependant on or influenced by (a.) their interpretation of employers’ reactions to sanctions on fellow employees who are caught violating company information protection-security policies, and (b.) their assessment of the degree, level, and consistency of monitoring which their employer engages relative to safeguarding, overseeing, and managing its proprietary information, IP, and trade secrets. 

Admittedly, there’s nothing particularly scientific or defensible about these percentages, other than to say they probably evolved from ‘anecdotal guesstimates’.  But, they do draw, and properly so, our attention to the persistent challenges presented by ‘insiders’!

One, very distilled approach to addressing the insider challenge attributed several years ago to the always forward looking Esther Dyson when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary information we endeavor to safeguard).  Perhaps Ms. Dyson was (is) not familiar with the ‘20-60-20′ adage described here, or fully appreciates the ‘insider’ threat as the persistently problematic economic-competitive advantage adversary it has become in today’s hyper-competitive, predatorial, and winner-take-all global business environment.  But, there is some reality to Ms. Dyson’s admonition, at least in terms of ‘people we work with’ and their propensity - receptivity, at some point in their career with a particular company (government or institution) not just their first week of employment, but, after undergoing various ’snap-shot-in-time’ pre-employment screenings, to engage in acts that result in the theft, compromise, misappropriation, and/or infringement of proprietary information, IP, and trade secrets!

While most of my familiarity with ‘insiders’ is a direct result of personal experience, I respectfully attribute much of my current thinking and approaches for addressing this extraordinary challenge to the fine work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.

Michael D. Moberly    May 12, 2008

The findings of this study produced by the Defense Personnel Security Research Center (PERSEREC) has, in my judgement, strong implications to the U.S. private sector insofar as contemplating - executing more effective and proper strategies (methods, policies, practices) for protecting a company’s information assets, i.e., its intellectual property, trade secrets, proprietary information, intangibles, and competitive advantages!

On two occasions (November, 2007, April, 2008) I met with PERSEREC researchers to discuss their ‘ahead of the curve’ work related to ‘insiders’; more specifically, the findings of their May, 2005 study titled ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerabiliy to Insider Espionage’.  The principle investigators for this study were Lisa A. Kramer, Richard J. Heuer, Jr., and Kent S. Crawford.

The thrust of our discussions - my questions to PERSEREC researchers focused on, what I believe to be is the immediate relevance of this study’s findings to U.S. companies.  The findings convey a series of strong indicators (below) that insider problems - challenges are not likely to diminish for the foreseeable future because…

1. The Internet has created a large and efficient marketplace for bringing sellers, seekers, and buyers of information together to exchange information in relative immunity…

2. Employee awareness about the value of protected information assets has elevated insofar as recognizing it can be sold for a profit…

3. There is an expanded global marketplace for protected-proprietary (U.S.) information assets…

4. Fewer employees are deterred by a traditional sense of loyalty…

5. There is a growing number of employees who retain emotional, ethnic, and financial ties to other countries coupled with less inclination to seek U.S. citizenship which is fostered by technologies that allow global communication)…

6. Employees are less inclined to view espionage - theft of information assets to be morally wrong and (they) may view such acts as being morally justifiable if they feel that sharing information will benefit the world community or prevent armed conflict…

7. Internationalization of science and commerce is placing more employees in positions to establish and maintain contact with foreigners interested in exploiting their knowledge…

8. There is an inclination of those engaged in multinational trade/transactions to regard unauthorized transfer of information assets or technology as a business matter rather than an act of betrayal or treason…

9. There is a growing allegiance to a global community, i.e., increasing acceptace of global as well as national values.  Tendency to view human society as an evolving system of ethnically and ideologically diverse and interdependent persons and groups which make illicit acts easier to rationalize…

These findings, in my judgement, prompt many additional questions about ‘insider threats’ specifically applicable to the private sector.  For example, there is an imminent need to identify and assess the following factors especially…

1. Employee reactions to the elevated intensity and frequency which external entities are targeting (soliciting) their company and their knowledge…

2. Employee propensity - proclivity to (a.) convey receptivity to external solicitors - buyers of a companies’ information assets, and/or (b.) actively seek prospective buyers on their own.

3.  Also, if such proclivities - propensities exist do they coincide with or become exacerbated by the conventional precursors - motivators (of insider theft), i.e., disgruntlement, unmet expectations, personnal predispositions, financial stress, etc.

Ultimately, the challenges presented by these findings to U.S. companies have, and in all likelihood, will become more acute, requiring specialized familiarity, experiences, and skill sets to effectively address.  This is especially critical given the economic - business reality that today, 75+% of most companies’ value, sources of revenue and future wealth creation lie directly in intangible assets and intellectual property!