Michael D. Moberly August 7, 2008
Among information asset protection professionals there is an adage, or ‘rule of thumb’, which many still believe is a fairly realistic, if admittedly broad, characterization of the people we work with. It is euphemistically referred to as the ‘20-60-20 rule’!
One – 20% of the people we work with are inherently honest and possess consistently high levels of integrity, with virtually no proclivity, propensity, or receptivity to engaging in risky, unethical, or dishonest behaviors, acts, or violations of company information security policy. In other words, they are typically not the individuals about whom security professionals express much concern regarding the theft, misappropriation, or infringement of proprietary information, trade secrets, IP, or other information-based intangible assets.
Two – Then there are the 20% of the people we work with who are on the opposite end of the spectrum. When their sometimes relatively thin social-psychological veneer is scratched, we may find inherently dishonest and unethical individuals possessing a misguided, or little if any, sense of integrity or loyalty with respect to complying with company policies or government laws and regulations related to protecting proprietary information, trade secrets, or IP. This group, for example, would likely be receptive to, and possess the proclivity and/or propensity for, engaging in risky, unethical, and/or illegal acts and behaviors that result in the loss or compromise of valuable knowledge-based assets when certain opportunities or influencers are present.
What may be worse is the alarming number of instances and circumstances in which the outer fringes of this group are inclined to become actual initiators of external solicitation/elicitation initiatives. Translated, this means they may contact competitors or other (global) economic-competitive advantage adversaries to leak, and/or offer for sale, their employer’s proprietary information, trade secrets, or IP for personal profit or gain, or for various other reasons.
Three – Lastly, there are the 60% of the people we work with who are ‘in the middle’, so to speak. These individuals typically do not (overtly) demonstrate any particular receptivity, proclivity, or propensity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk of theft, misappropriation, infringement, or compromise. However, and it’s a big however, the outer fringes of this group, those closest to the 20% characterized in #2 above, are observant! That is, their future actions and behaviors may be variously dependent on, or influenced by, (a.) their interpretation of their employer’s reaction to, and sanctions on, fellow employees who are caught violating company information protection-security policies, and (b.) their assessment of the degree, level, and consistency of the monitoring in which their employer engages relative to safeguarding, overseeing, and managing its proprietary information, IP, and trade secrets.
Admittedly, there is nothing particularly scientific or defensible about these percentages, other than to say they probably evolved from ‘anecdotal guesstimates’. But they do draw, and properly so, our attention to the persistent challenges presented by ‘insiders’!
One very distilled approach to addressing the insider challenge was attributed several years ago to the always forward-looking Esther Dyson, when she remarked, ‘it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary information we endeavor to safeguard). Perhaps Ms. Dyson was (is) not familiar with the ‘20-60-20’ adage described here, or does not fully appreciate the ‘insider’ threat as the persistently problematic economic-competitive advantage adversary it has become in today’s hyper-competitive, predatorial, and winner-take-all global business environment. But there is some reality to Ms. Dyson’s admonition, at least in terms of ‘people we work with’ and their propensity, or receptivity, to engage in acts that result in the theft, compromise, misappropriation, and/or infringement of proprietary information, IP, and trade secrets at some point in their career with a particular company (or government or institution), not just during their first week of employment and after undergoing various ‘snapshot-in-time’ pre-employment screenings!
While most of my familiarity with ‘insiders’ is a direct result of personal experience, I respectfully attribute much of my current thinking and approaches for addressing this extraordinary challenge to the fine work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.