Michael D. Moberly  – November 13, 2008

The findings of several quality studies, most notably those produced by PERSEREC and Carnegie-Mellon’s CERT, convey significant challenges stemming from ‘insiders’ relative to the threats-risks they pose to proprietary information, trade secrets, IP, and know how.  Those studies provide us with important insights and perspectives regarding the who, what, how, and even possibly how (information) losses/compromises were detected. 

By all accounts, the challenges of safeguarding valuable/sensitive information assets in globally operating companies and the losses attributed to insiders, is on the rise.  The precise number of (insider theft-compromise of information asset) incidents companies’ experience, the dollar amount of those losses, and/or the end-use beneficiaries of the stolen-compromised assets is often blurred or incomplete because, among other things, (a.) evidence is largely anecdotal and/or company specific, (b.) victim companies are frequently predisposed to assume the culprit is foreign national or economic-defense adversary, (c.)instructive evidentiary-investigatory elements of the incident(s) become classified, and/or (d.) facts about an incident are considered reputationally proprietary by the victim company.

Carnegie-Mellon University’s CERT research unit identified the following attributes of an insider, albeit with respect to a study regarding ‘IT sabotage’:

1. Access – an insider can target a company from behind it’s perimeter defenses and not cause suspicion…

2. Knowledge, trust, familiarity – of both the IT system and the target and permits insiders’ to perform discovery without arousing suspicion…

3. Privileges – an insider can readily obtain the necessary privileges necessary to conduct an attack…

4. Skills – insiders can mount an attack and can work within the target’s domain expertise…

5. Risk – insiders tend to be very risk averse in preparing for and conducting the attack…

6. Method – insiders are likely to work alone, but may recruit and/or co-op a trusted colleague for facilitation and/or enabling purposes…

7. Tactics – may include either (a.) plant, hit, and run, (b.) attack and eventually run, (c.) attack until caught, and/or (d.) espionage…

8.  Motivation – an insider may engage in an act for (a.) profit, (b.) getting paid to disrupt the target, (c.) provoke change in the company/target, (d.) blackmail, (e.) subvert the mission of the target, (f.) personal motive, or (g.) revenge…\

9. Predictable Processes – the motivation for an attack by an insider can evolve from (a.) a particular event, (b.) sense of discontent, (c.) being ‘planted’ to conduct the attack, (d.) adversary identifies a target and mission that meets their (or, another parties’) needs…

From these nine attributes of insiders who engage in ‘IT sabotage’ three important questions arise:

First – with respect to the attributes, can they be extrapolated – are they applicable to the risks/threats presented by insiders to a company’s information assets, in addition to IT system sabotage?

Second – if so, can these attributes (relevant to ‘insiders’) be consistently identified and assessed (legally) using existing pre-employment screening tools?

Third – if the above attributes are not found to be present (in an applicant) at the time of hire, should companies, given the enormous stakes, invest in post-hire (periodic honesty, integrity, attitudinal) screening of employees to detect the acquisition/presence of certain proclivities, propensities, and/or an overall receptivity to engage in adverse acts or policy violations affecting the security (control, use, ownership, and value) of their employer’s information assets, e.g., theft, infringment, compromise, etc.?