Insider Threats – Risks To Information Assets: The 20-60-20 Rule

March 14th, 2012. Published under Insider Theft of IP and Intangible Assets, Insider Threats.

Michael D. Moberly    March 14, 2012

Among information asset protection professionals, there’s an adage or as some refer to it, a ‘rule of thumb’ that remains relevant at least since I initially read about it 25+ years ago. It’s euphemistically referred to as the ’20-60-20 rule’ and many, myself included, believe it constitutes a fairly realistic characterization of the persistent ‘insider threat’.

The following represents my perspective (definition) of the ‘20-60-20’ adage:

One - 20% of the people we work with are inherently honest, and possess consistently high levels of (personal, professional) integrity.  These individuals are not likely to be inclined or receptive to engage in risky, unethical, or dishonest behaviors, acts, or violations of company (information security/protection) policies.  Consequently, they’re much less likely to be the type of individual about whom there would be much concern insofar as stealing or misappropriating proprietary information, trade secrets, intellectual property (IP), or other information-based intangible assets, or becoming the target of an Economic Espionage Act investigation.

Two – Then, there’s 20% of the people we work with who, for all practical purposes, reside on the opposite end of the spectrum.  For these individuals, when their seemingly thin social-psychological veneer is grazed, it’s likely one would find an inherently dishonest and unethical individual who possesses misguided, or little, if any, sense of professional/personal integrity and particularly loyalty with respect to complying with company policies or government laws/regulations related to protecting proprietary information, trade secrets, or IP.  These individuals, for example, would likely be receptive to and possess the propensity, when certain opportunities or influencers exist, to engage in risky, unethical, and/or illegal acts such as theft or compromise of valuable and mission critical information assets.

An exacerbating and distressing variable in this segment of the people we work with is the increasing number of instances in which the ‘outer fringes’ of this segment are inclined (self-motivated) to become initiators of sorts, by engaging in external solicitation-elicitation initiatives to sell or distribute any information assets they have misappropriated or stolen from their employer. Translated, this means they may contact competitors or other (global) economic-competitive advantage adversaries to leak and/or offer for sale their employer’s proprietary information, trade secrets, or IP for personal profit-gain or various other reasons.

Three - Lastly, there’s the 60% of the people we work with who are essentially ‘in the middle’, so to speak. These individuals typically do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk.

However, and it’s a big however, the outer fringes of this segment, closest to the 20% characterized in #2 above, are observant!  That is, their future actions and behaviors may be variously dependent on or influenced by their interpretation-assessment of:

  • employer reactions and sanctions imposed on fellow employees who are caught violating company information protection-security policies
  • the degree, level, and consistency of monitoring in which their employer engages relative to safeguarding, overseeing, and managing its proprietary information, IP, and trade secrets

Admittedly, there’s nothing particularly scientific or legally defensible about the 20-60-20 perspective, other than to say it probably evolved from ‘anecdotal guesstimates’. But, the percentages do draw, and properly so, our attention to the persistent challenges presented by ‘insiders’ and the absolute need for effective pre-employment screening.

One approach to addressing the insider challenge attributed to the always forward looking Esther Dyson was when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary information we endeavor to safeguard).

Perhaps Ms. Dyson is not familiar with the ‘20-60-20’ adage described here, or does not fully appreciate the ‘insider’ threat as the persistently problematic issue (risk, threat) it has become in today’s hyper-competitive, predatorial, and winner-take-all global business environment.

But, there is some reality to Ms. Dyson’s remark, at least in terms of the ‘people we work with’ and their propensity or receptivity, at some point in their career (not just their first week of employment, but well after undergoing various ‘snap-shot-in-time’ pre-employment screenings), to engage in acts that result in the theft, compromise, misappropriation, and/or infringement of proprietary information, IP, and trade secrets!

While most of my familiarity with ‘insiders’ is a direct result of personal experience, I respectfully attribute much of my current thinking and approaches for addressing this extraordinary challenge to the fine work and research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.