Sunday, June 13, 2010

Insider Threats Like … Cyber Armed Robbery? (Part 1 of 2)

Self-canceling phrases like this sometimes highlight a contradiction smothered under the page count of arcane studies. Two cases in point illustrate a shared phenomenon afflicting the insider threat: the peril of defining a threat either too broadly or of tailoring it to a particular agenda.

Cyber aficionados today dominate insider threat studies. Perform a Google search on insider threat with the current year, and the first several pages will demonstrate this dominance. Cyber-centric observers argue that information technology is not only important but, increasingly, the axis around which the rest of our world revolves. Accordingly, any disruption to the flow of data through a network or processor must necessarily foreshadow dire consequences. Therefore, when such disruption traces to access made possible by someone from within the firewall rather than an outside stranger, cyber defenders raise the alarm and fire their fusillades in the name of insider threat defense. Fine, up to a point.

But what is an insider threat? Who defines it, and how broadly? Here the defender’s perspective begins to vary widely, often in proportion to narrow expertise, agenda, or comfort zone. Ask Carnegie Mellon’s cyber-centric analysts, and they will inundate you with tales of breaches of networks and firewalls, of employees abusing system administrator privileges, of hackers socially engineering their way into unauthorized access to sensitive electronic files, and of petty thieves turned cyber crooks who carry out schemes for personal enrichment at an institution’s expense or infect their employer’s system with virus or Trojan horse after severing employment. That Google search string with “insider threat” and “2010” unearths an overwhelming salvo of cyber-centric articles on the topic, crowding out other treatments of trust betrayers.

What is missing? Even informed cyber observers themselves point out that the majority of cyber insider attacks are by former employees after they have departed, in effect an electronic slamming of the door in a less than graceful leave-taking (Band, et al, 2006, pp. 40, 52). This data point finds little welcome among the cyber acolytes now taking command of today’s insider threat studies.

Another little-advertised data point is that some cyber security rules comprising accepted wisdom in the name of insider threat defense are gradually being exposed as ham-handed or over-the-top reactions that are out of proportion to the object sought. In a 2009 Oxford workshop of cyber minds, a Microsoft engineer presented a detailed analysis of the rational rejection of security advice – by and for cyber security – because rules are unduly burdensome and often unthinkingly imposed (Herley, 2009, pp. 1-12). If one is worried about passwords being compromised from the outside, Herley argued, it makes little sense to compel users to create new and difficult passwords every 60-90 days. A user can create a hard-to-crack password and remember and safeguard it for years. But if the same user must repeatedly do this time and time again, the attendant burden encourages shortcuts, like writing the password down where it can be exposed or using a simpler, less secure password because it is easier to remember. This is only one example of how cyber security practitioners are no more immune to the afflictions of specialist myopia than their brethren from other security disciplines. The alarm and surveillance specialist sees no problem that cannot be mitigated by the installation of yet one more intrusion alarm or monitoring point. Similarly, the response force commander reflexively asks for more trained sentries or security patrols to solve whatever security problem comes along. None of these specialists need be evil to be wrong. All are proceeding as if doing more of the same will somehow produce results that have eluded them so far. Thus, absent a change in perspective and the taking of soundings of their ambient conditions and larger objectives, security specialists eventually become prisoners of their predilections.

In a certain way, the result of the cyber world’s present efforts to claim the insider threat as its exclusive province creates precisely the kind of distortion that the world of workplace violence has come to experience by allowing its definitions to stretch too broadly.

(To be continued.)

-- Nick Catrantzos

References

Band, S., Cappelli, D., Fischer, L., Moore, A., Shaw, E., & Trzeciak, R. (2006). Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. PA: Carnegie Mellon University Software Engineering Institute. Retrieved March 20, 2010 from www.cert.org/archive/pdf/06tr026.pdf

Herley, C. (2009, September). So long, and no thanks for the externalities: The rational rejection of security advice by users. Proceedings of the New Security Paradigms Workshop, Oxford, United Kingdom. September 8-11, 2009.