Sunday, June 20, 2010

Insider Threats Like … Cyber Armed Robbery? (Part 2 of 2)

Where Cyber Studies Stumble

This is where the evolution of workplace violence studies foreshadows what is now happening in the cyber treatment of the insider threat.

To those who fear it, experience it, or defend against it, workplace violence is about rampage killings on the job. The agent of destruction, here, is an employee, a former employee, or a raging spouse whose domestic problems have spilled over into the workplace. Efforts to interdict workplace violence and improve defenses against these kinds of attacks, however, suffer when the data on cases extend to armed robberies of convenience store clerks and taxicab drivers. Indeed, when the latter categories enter into the discussion, they soon overtake the study. As a result, statistical compilations of workplace violence from official bodies such as the National Institute for Occupational Safety and Health tell us that key indicators of workplace violence are cash-handling operations at night – something cab drivers and convenience store clerks deal with and armed robbers covet. (This is why handling cash, dealing with the public, and transporting cash-carrying people or goods rate as high risk factors according to NIOSH, as noted in http://www.cdc.gov/niosh/violrisk.html.) However, while armed robberies do produce threats, injuries, and even fatalities, these are not the cases we mean when trying to deal with disgruntled employees driven to homicide. The broad definition, in this case, does a disservice. If you are running an organization that has little to do with cash accessible to an armed robber, developing a security program to counter armed robbers will do nothing to defend against enraged, hostile insiders.

A cyber-centric framing of the insider threat performs a similar disservice to serious analysts of the kind of trust betrayer whose goal is an attack fatal to the institution. If most cyber insider cases indeed amount to a former employee slamming the door on the way out with a denial-of-service attack, then it is a mistake to let them crowd the field. It is the equivalent of categorizing jaywalkers with mass murderers. Admittedly, both are breaking rules. But if we have to sort through thousands of jaywalkers before getting to see a single murderer, then our focus and resources are diluted by the time we arrive at the more dangerous threat. This is where the cyber world gets it wrong, Y2K-reminiscent predictions of cyber doom notwithstanding.

The insider threat that merits first priority is not the casual hacker or fired system administrator. Nor is it the disgruntled employee bent on harming his boss and co-workers. These people may create problems and even cause personal tragedies. Certainly they deserve some of the organization’s attention. Yet they are seldom able or willing to carry out an attack that will be fatal to the institution. The insider threat of first concern for us is the trust betrayer intent on catastrophic sabotage for reasons beyond narrow personal interest, such as for a terrorist adversary whose aim is our annihilation.

Defending people, assets, and capabilities is all about prioritizing. Let’s isolate the murderers from the jaywalkers, the malcontents from the terrorist assassins, and the opportunistic hackers willing to disrupt from the zealots willing to die in order to devastate. Otherwise, we will find ourselves consumed with investing all our resources in jaywalking, because that is what we are looking for and seeing most of, while murderers skulk in the dark corners of the periphery that our blinders will not allow us to view.

--Nick Catrantzos