Michael D. Moberly August 28, 2016 ‘A blog where intangible assets and IP meet business’!
Among information asset protection/safeguard specialists, there is an anecdotally rooted adage referred to as the ‘20-60-20 rule’, which caught my attention 25+ years ago and still carries a timely relevance, along with an absolute (fiduciary) obligation to address it as effectively as possible.
Admittedly, there is nothing particularly scientific or legally defensible about the 20-60-20 rule, other than to note that it evolved from mixtures of experience-based anecdotal guesstimates that lead to a plausible characterization of the persistent challenges posed by ‘insiders’, arranged along a continuum…
Group 1 – 20% of the people we work with…are inherently honest and trustworthy and possess consistently high levels of (personal, professional) integrity. It’s unlikely these individuals would be receptive to any circumstance that could influence them to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information asset safeguard policies or practices.
Research administrators, TTOs, and security practitioners would have little or no concern regarding these individuals engaging in misappropriation or theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP) and other forms of intangible assets (IAs).
Group 2 – 20% of the people we work with…function at the opposite end of the honesty-integrity continuum. For these individuals, the thin, shallow veneer of honesty and integrity is very permeable, revealing an inherently dishonest and/or unethical persona and little sense of personal loyalty to their employer or a project in terms of information assets. Even more so, perhaps, with respect to complying with company policies or government laws/regulations related to obligations to safeguard proprietary information and trade secrets embedded in valuable IP and other forms of intangible assets (IAs).
Too, individuals functioning at the adverse end of the honesty-integrity continuum will likely be more receptive to, if they do not already possess propensities or proclivities for, engaging in unethical or illegal acts when certain opportunities avail or influencers are present, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.
Group 3 – then there’s the 60% of the people we work with…who are essentially ‘in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk or in jeopardy.
There is a frustrating nuance to individuals (subjectively) designated to lie in Group 3, however, which is that anecdotal evidence suggests individuals functioning at the adverse fringe, i.e., closest to Group 2 on the continuum, recognize and likely acknowledge opportunities, rationales, and persistent overtures from external entities, in the form of solicitation-elicitation, to misappropriate or publicly leak their employers’ proprietary information assets.
This reality makes the 20-60-20 notion particularly worrisome…to information asset safeguard-protection specialists on many levels. One of these is that individuals may possess proclivities or propensities that are unknown or undetectable at the time of hire using conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleepers whose adverse proclivities may be awakened and/or influenced at some future point relative to how they interpret and assess…
• their employer’s reactions and sanctions imposed on colleagues who violated company information asset safeguard practices and policies,
• the degree, level, and consistency of employer monitoring of proprietary information asset safeguard
• the presence-persistence of external advances to engage in proprietary information compromise and the potential lucrative outcomes for doing so.
I attribute one rather practical approach to addressing insider challenges to the always forward-looking Esther Dyson, when she remarked, ‘it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who have, or can access, the proprietary, competitive advantage information that necessitates safeguarding).
There is a practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity or receptivity to engage in adverse acts at some point in their career, not just in their first week of employment, but after undergoing various ‘snap-shots-in-time’ pre-employment screenings! Too, there certainly is relevance to the hyper-competitive, aggressive, predatorial, and winner-take-all global business transaction environment. In that regard,
While most of my operational familiarity with ‘insiders’ is rooted in personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.