Michael D. Moberly March 27, 2012
The findings of numerous well-researched studies, most notably those produced by DoD’s Personnel Security Research Center (PERSEREC) and Carnegie-Mellon University’s CERT unit, describe significant and persistent challenges (risks, threats) posed by insiders, primarily employees, to a company’s intangible (information, IP) based assets.
The risks ‘insiders’ pose to a company’s intangible assets, i.e., trade secrets, intellectual property, proprietary know-how, reputation, goodwill, etc., are the most troubling and challenging to me because of their persistence, stealthy ingenuity, and non-reaction to conventional (general and/or specific) deterrents. Therefore, companies should not be too celebratory when a single insider is apprehended and the risk/threat they posed is neutralized or mitigated. The reason: it is highly probable that numerous other insiders are already engaged in comparable or more detrimental acts which merely have yet to surface.
Both PERSEREC’s and Carnegie-Mellon’s published research on insider risk/threat matters bring much needed clarity and understanding about who, what, how, and the various influences and circumstances under which information asset compromises and/or losses occur. Most important to me, however, are the insights the research sheds on the proverbial and sometimes not-so-obvious why, i.e., the rationale and/or motives of insiders who engage in illegal acts.
The research clearly suggests that both (a.) the challenges associated with effectively safeguarding the increasing amounts of valuable proprietary information-based intangible assets, e.g., IP, trade secrets, know-how, etc., and (b.) the losses and compromises attributed to insiders are on the rise.
However, the insider threat-risk findings revealed by PERSEREC, Carnegie-Mellon, and others, indicate there are three aspects that remain somewhat blurred or perhaps incomplete, i.e., the
- precise number of insider executed incidents
- actual value of those losses measured in dollars, competitive advantages, reputation, goodwill, etc., and
- who the real end user/beneficiary of the information loss and/or compromise is, i.e., a state-sponsored entity, an industry/sector competitor, or one of a myriad of legacy-free players or brokers.
Some key reasons such revelations are not as clear and/or complete as needed are that the:
- evidence of insider executed threats/risks is largely anecdotal and/or company specific
- victim companies/organizations are occasionally predisposed to assume the culprit is a foreign national, i.e., an economic or national security adversary
- instructive evidentiary-investigatory elements of an unknown number of incident(s) are classified because the victim/target is a government agency, thus there is no public report of the incident
- self (public) admission of a successful insider attack can rapidly diminish a victim company’s reputation, goodwill, image, etc., therefore companies seldom find it in their interest to report such events unless mandated by state/federal law.
Every company/organization today should be vigilant about the risks/threats posed by insiders. The actual level of vigilance that is necessary today largely lies, in my judgment, in the nine attributes of insiders who engage in ‘IT sabotage’ which Carnegie-Mellon researchers identified. Vigilance should ultimately be operationalized (translated) into effective practices, policies, and procedures to address, mitigate and/or counter the following:
- Access – an insider can target a company from behind its primary defensive wall, i.e., the perimeter, and may not arouse suspicion…
- Knowledge, trust, familiarity – with both a company’s IT system and the targeted assets within that system permits insiders to engage in acts of discovery, again, frequently without arousing suspicion…
- Privileges – an insider (employee) often can obtain the privileges necessary to conduct their attack…
- Skills – insiders can engage in an attack by working within a target’s (company’s existing) domain of expertise…
- Risk – insiders tend to be risk averse in preparing for and conducting their attack…
- Method – insiders are likely to work alone, but may recruit and/or co-opt a trusted colleague for facilitation and/or enabling purposes…
- Tactics – the attack tactics applied by an insider are various and can include (a.) attack, hit and run, (b.) attack, and eventually run, (c.) attack until caught, and/or (d.) economic/industrial espionage…
- Motivation – an insider may engage in an act for (a.) profit, (b.) getting paid to disrupt the target, (c.) provoke change in a/their company and/or target, (d.) blackmail, (e.) subvert/undermine the mission of the target, (f.) a personal motive, or (g.) revenge…
- Predictable Processes – the motivation for an attack by an insider can evolve from (a.) a particular, usually adverse, event, (b.) a personal sense of discontent, (c.) being ‘planted’ in a company to conduct an attack at some future time, (d.) an adversary identifying a target and mission that meets their (or another party’s) needs…
These nine attributes still give rise to three important questions:
First – with respect to the nine attributes above, can they be extrapolated, i.e., are they applicable to the risks/threats insiders present to a company’s information assets, in addition to IT system sabotage?
Second – if so, can these attributes be consistently identified and assessed (legally) using existing pre-employment screening and interviewing techniques?
Third – presumably, while each attribute need not be present in every incident, can each attribute be validly translated (converted) into pre-employment screening processes?
What is at stake for companies when insider threats/risks materialize is substantial: financial losses, civil actions, diminished reputation, etc. Management teams who remain dismissive about their asset protection fiduciary responsibilities and elect not to put in place safeguards to prevent and/or mitigate insider threats/risks do so at their own peril.
On the other hand, it would again seem useful if CERT’s nine attributes associated with IT sabotage could be validly translated/converted into pre-employment screening practices. Presumably then, the presence of certain proclivities, propensities, and/or an applicant’s overall receptivity to engaging in such adverse acts or policy violations could be revealed in advance.
But perhaps, that’s too much to ask or expect at this point!
While visiting my blog, you are respectfully encouraged to browse other topics/subjects (left column, below photograph). Should you find particular topics of interest or relevant to your circumstance, I would welcome your inquiry at 314-440-3593 or [email protected]