Michael D. Moberly, June 1, 2015. A blog where attention span really matters!
In the information asset protection community there is an adage, perhaps more aptly characterized as an anecdotally rooted ‘rule of thumb’, called the ‘20-60-20 rule’. It still carries a timely relevance, having initially caught my attention some 25+ years ago. Through my lens it represents a reasonable and plausible characterization of the persistent ‘insider threat’, which I endeavor to explain below.
Group 1 – 20% of the people we work with are inherently honest and possess consistently high levels of personal and professional integrity. It is quite unlikely that individuals in this initial 20% would be influenced, inclined, or persuaded to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information safeguard policies or practices.
In other words, for these individuals there would be little or no concern that they would engage in misappropriation, i.e., theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP).
Group 2 – another 20% of the people we work with function at the opposite end of this honesty – integrity continuum. For these individuals, when their already thin sociological – psychological veneer is peeled back, it is likely to reveal an inherently dishonest, unethical, and misguided persona with little, if any, sense of personal – professional integrity, or employer loyalty with respect to complying with company policies or government laws and regulations related to obligations for safeguarding proprietary information, trade secrets, or IP.
Too, these individuals would likely be receptive (i.e., have the internal propensity or proclivity), when certain opportunities avail or influencers are present, to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.
Group 3 – then there is the 60% of the people we work with who are essentially ‘in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk or in jeopardy. In other words, these individuals are likely to be honest and ethical.
There is a disappointing and frustrating nuance to Group 3, however. Anecdotal evidence suggests that individuals functioning at the fringe of this group, i.e., closest to Group 2 on the continuum, are recognizing the persistent overtures from external entities engaged in solicitation-elicitation initiatives to misappropriate or publicly leak their employers’ proprietary information assets.
This phenomenon is particularly worrisome to information safeguard specialists on many levels, one of which is that such (highly personal and embedded) proclivities – propensities may be unknown at the time of hire, i.e., go undetected – unobserved in conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleepers whose adverse proclivities may be awakened and influenced at some future point by the employee’s interpretation-assessment of…
- their employer’s reactions and sanctions imposed on those caught violating company information safeguard practices and policies.
- the degree, level, and consistency of monitoring which their employer engages relative to safeguarding its proprietary information, IP, and trade secrets.
- the persistence of external advances and their potential lucrative outcomes.
Admittedly, there is nothing particularly scientific or legally defensible regarding the 20-60-20 perspective, other than to say it probably evolved from well intentioned ‘anecdotal guesstimates’ and observed incidents. Regardless, those who find relevance in this phenomenon do draw, and properly so, our attention to the persistent and very costly challenges presented by ‘insiders’, whomever they may be, and to the necessity for more effective pre-employment screening and regular monitoring.
One rather practical approach to addressing such insider challenges can be attributed to the always forward looking Esther Dyson, when she remarked, ‘it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary – competitive advantage information that necessitates safeguarding).
I suspect Ms. Dyson may not be familiar with the ‘20-60-20’ adage described here and its relevance to the hyper-competitive, aggressively predatorial, entrepreneurial spirited, and winner-take-all global business transaction environment.
But there is practical reality embedded in Ms. Dyson’s remark, at least in terms of the ‘people we work with’ and their propensity – receptivity to engage in adverse acts at some point in their career: not just in their first week of employment, but after undergoing various ‘snapshot-in-time’ pre-employment screenings.
While most of my operational familiarity with ‘insiders’ is a direct result of personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.