Introduction
This chapter analyses the results of the study to derive insights into why insider threats remain one of the leading and most challenging security issues to deal with. The results of the study present a vague picture of what motivates insider threats in private organizations. The questions of why, what and how are answered with reference to the data obtained from the study. This section also describes the actions taken by organizations and links them to the theoretical frameworks and body of knowledge developed by earlier scholars.
Analysis
The belief that insider threats are low-frequency is outdated. The KPMG 2009 Data Loss Barometer report indicated that data leaks attributed to malicious insiders increased by up to 50% in the first half of 2009. The costs associated with these threats are undeniably high: the 2010 CyberSecurity Watch (e-crime) survey indicated that insider incidents are more expensive than external attacks (Centre, May, 2005). The research conducted by the USSS, CERT, the Ponemon Institute and the Deloitte Centre for Security and Privacy Solutions, titled “The Cost of Cyber Crime”, ranked insider threats first ahead of external threats. Likewise, the Association of Certified Fraud Examiners’ 2010 Report to the Nations estimates that a typical organization loses up to 5 percent of its revenue to fraudulent practices. Applied to the 2009 Gross World Product, the loss may amount to $2.9 trillion for only two types of malicious insider threat (Magazine, 2011).
It is thus uncontested that the effects of insider activities are not confined to any one organization or industry. Research conducted by the Security Executive Council indicates that while insider activity qualifies as a high-level concern among private organizations, managerial echelons have been slow to respond to it.
Insider threats captured the world’s attention in 2008-2009, with major players in technology and leadership noting them as a major security concern. Security was by then considered a C-level issue, but the perpetrators did not appear on the radar of many organizational security experts. According to an article in Fortune in 2008, Warren Buffett was quoted as saying that Chief Executive Officers should double as chief risk officers, stressing the importance of insider activities in organizational settings (Centre, May, 2005).
Any organization utilizing a system of computers presents a complex system made up of people and technology. Each employee accesses the network with a unique level of rights and authorized capabilities that change with their role. In order to manage this set of rights for many employees, a policy is enforced to optimize productivity while guaranteeing security. The maturity of the policy varies in both development and implementation. There is a wide number of such systems in private entities, and thus a large pool of shared experience upon which to base learning about developing good-quality information systems. It is not automatic that all organizations will manage the development process well.
The results of this research indicate common knowledge among the respondents of the existence of security policies in their organizations. While the effectiveness of these policies may be contested owing to their areas of application, the ability of respondents to recognize such policies as network access policies, information sharing policies and employee recruitment and termination policies is outstanding.
However, a common trade-off is the effectiveness of the policy in preventing security incidents against the productivity it caps. The worst-case scenario in an organizational setting is the implementation of security policies that cap employees’ performance, limiting their imagination, innovation and creativity.
Sterman (2006) describes the challenges of implementing a good security policy based on years of interaction with complex systems. First, one cannot draw lessons from a system unless there is good data to corroborate them. Second, one cannot derive good practices from experience unless there are good lessons to learn from that data. Finally, one cannot implement a good policy based on lessons learned unless the stakeholders in the system are actively involved in the policy development process. According to Sterman (2006), a complex system has characteristics that tend to hinder all three efforts. Unlike controlled experiments in laboratories, a private organization presents a myriad of parameters, which makes it extremely complicated to gather valid, reliable and easily interpretable information from which one can draw clear instructions. Unambiguous data are difficult to gather and analyse because a complex entity of the magnitude of a private organization with networked resources obeys cause-and-effect interactions across many time scales, specialized areas and venues. Further, complex systems are subject to decisions made by other parties in the system apart from the executor. Finally, one cannot make risky decisions that might yield a good source of data for learning, because of legal and ethical considerations.
Sterman’s literature supports a model of deriving good lessons by forming a hypothesis about the system’s behaviour, gathering data against it, and using that data to improve the system by eliminating discrepancies in a double-loop manner.
Insider threats pose serious challenges to any organization, whether private or public. From physical sabotage, fraud, espionage, theft and misuse of information and intellectual property, to embezzlement conducted via paper or electronic frameworks, the damage is far beyond the expectations of many. Acts of insiders may be aided by external organized crime groups or state-sponsored entities keen on passing a certain message. Likewise, the malicious insider might come from any function in the company: low-level employees, third-party contractors, executive personnel or support staff, provided their objective is well orchestrated to hurt the company or skim off some finances.
The belief in the industry is that insider threats are insignificant compared to external threats. However, as the results from the study illustrate, many of the respondents are aware of the vice in their circles and rely on management to determine how the practice is handled.
Key findings from insider research studies point to sophisticated attacks perpetrated to cause substantial damage to organizations. CERT/USSS conducted a study in which it analysed 49 cases of insider attacks. The key aspect in all of this research is the financial losses, which ranged from $500 to tens of millions of dollars. Seventy-five percent of the organizations sampled experienced disrupted business operations, while 28% reported a negative impact on their reputations. Of these findings, the following aspects can be linked with the results of this research (Centre, May, 2005):
- EMPLOYER-EMPLOYEE RELATIONSHIP: DISGRUNTLEMENT
Insiders were disgruntled and motivated by revenge for work-related events. This assertion parallels the findings of our research. In tandem with the results, 50% of employees in the private sector responded that management inefficiencies are to blame for insider activities within organizations. In fact, one respondent indicated that if an organization cannot keep its employees satisfied with their job specifications, there is a higher probability that they will be disloyal and hence inhibit the fight against insiders. Employee satisfaction is a function of the following parameters:
Internal and external factors that impact employment relationship
Internal factors
- Leadership
Leadership plays an important role in setting the tone of the company. It has been found that good leadership influences employee behaviour positively. When employees view their leadership as full of integrity, trustworthiness and professionalism, they tend to be motivated to be more productive. The activities of the organization as a whole reflect those of its leaders. In this environment, dissatisfaction and disgruntlement are not evident.
- Organizational structure
Organizational structure is the formal system of tasks and reporting that controls, motivates and coordinates employees to achieve a common defined objective. Organizational structure involves such things as policies, expectations and procedures. A good organizational structure aids employees in attaining their objectives, while a bad one deters employees from attaining their full potential (Zaman, 2013). A restrictive and unfulfilling organizational culture will ultimately lead to disgruntlement, while an employee-centric culture will lead to more satisfaction and good relationships.
- Corporate culture
Organizations build their corporate culture in the course of their operations. The culture of an organization influences how it approaches and manages its employees and partners as well as customers. Some organizations have a flexible working culture that gives their employees flexible working hours and days off at particular times of the week, while others treat their customers in a friendly way. One respondent indicated that the key to eliminating insider activities and fostering loyalty is keeping employees as happy as possible. If they cannot derive happiness, they are more likely to drift into unfavourable practices, including spying for competitors and revealing unauthorized information.
- Personal/family life
The family life of an employee affects their behaviour and consequently their work and productivity. If there is harmony at home, the employee might respond positively to constructive criticism, but if there are conflicts, employees tend to respond more negatively to constructive criticism. The behaviour of an employee with respect to correction and criticism is the leading factor in monitoring for suspicious behaviour. If an employee cannot recognize their mistakes and responsibilities under any circumstance, they are more likely to display rivalry when corrected and more likely to engage in insider acts.
- Business relationships
Companies that have business relationships with other companies affect the behaviour of their employees. If the other company has high expectations, employees may respond to those demands and manifest them in their performance even if their own company does not demand so.
Importance of work-life balance within the employment relationship and how legislation influences it
Numerous studies documenting the effects of work-life balance programs have shown that employees experience the highest level of family-work conflict due to work-to-family interference and the strain of care-giving. If role overload is included, then over 70% of employees report having experienced work-family conflict.
Of all the factors that affect work-life conflict, the time spent at work is the most pronounced and consistent. This is why the higher levels of work-family conflict reported by managers are attributed to their long working hours. Consequently, these long working hours do not benefit organizations; rather, they impair employees’ ability to cope with dynamic working environments.
Longer working hours and highly demanding jobs hamper employees’ ability to balance work and family life. In addition, they are a health risk, as employees lack time to socialize and exercise. This leads to increased smoking, increased alcohol consumption, depression and weight gain. The impact of these consequences on employees’ capability to cope with organizational rules and regulations is such that some employees may find insider activities appealing.
The importance of work-life balance programs cannot be underestimated. Whatever happens at work affects what happens at home, and vice versa. Work-life balance programs open up a greater range of choices about work and careers, reducing the need to sacrifice one for the other. They enable employees to have a quality life while increasing productivity for employers (Dicker, 2003).
Companies that participate in work-life balance programs benefit themselves and their employees through the following:
- Return on investment since employee turnover will be low and productivity will be increased and sustained
- Recruitment and retention of employees
- Costs associated with training and maintaining employees will go down
- A good life style among employees will mean increased productivity and decreased work absenteeism
- Job satisfaction is guaranteed since employees experience fewer conflicts. According to one respondent, corporate wage slavery is the reason for increased insider activities. If the organization regards the person as a resource who works to feed the profit margins of shareholders rather than a human being with roles, responsibilities and privileges, rivalry is likely to emerge. Also, since employees cannot find another way to vent their frustrations, they succumb to social engineering and competitor manoeuvres.
Legal support given to employees as a family member
There are legal provisions that specify the type of benefits to be accorded to employees who have difficulty striking a work-life balance. There are provisions for the duration of annual leave, shutdown leave during festive seasons, parental leave, religious and cultural leave, blood donor leave, long service leave, sick leave, study leave and leadership development leave. The duration granted for each type of leave varies from country to country but is mandatory for all employees.
Reasons for treating employees fairly in relation to pay
Monetary gain is one of the highlighted motivations for insider threats. Treating employees fairly in terms of pay creates a better and stronger relationship based on trust and teamwork. Employees who know that they are treated equally in terms of their earnings cultivate a healthy relationship with their managers. Studies have shown that the relationship between employees and their managers is crucial for high retention rates. Obviously, no one desires to work with a manager or organization that practises favouritism in pay for the same work.
It is understood that everyone’s management style is different, but the one unifying factor that should play across the board is treating employees fairly. There is a difference between treating employees fairly and equally. Fairness should take precedence over anything else.
Unfair treatment leads to feelings of resentment and loss of motivation among hardworking employees. When an industrious employee is paid the same as one who works just to meet the quota, feelings of resentment build up and hard work slowly fades away, as the extra effort is not appreciated. Productivity is lost in the end, and the organization stands to suffer. Thoughts of punishing the organization for failing to recognize their efforts emerge, and one way of accomplishing this is by divulging trade secrets to competitors.
Legislation promoting acceptable behaviour
Regulations have been formulated to guard employees against excessive working hours in a bid to balance work-life relations and improve the affairs of both parties. Canadian legislation mandates employers to grant employees longer vacation time than the ordinary two weeks. Additionally, companies have started introducing workout sessions in their day-to-day programs, and adopters have reported significant reductions in sick days and insider activities. Labour laws are also effective in accommodating workers’ needs for work-life balance.
A number of statutes are embedded in corporate management frameworks. For instance, the Sarbanes-Oxley Act (SOX, 2002), specifically SOX 404, and the Health Insurance Portability and Accountability Act (HIPAA, 1996) are integrated with corporate management perspectives. What is required is a review of these two federal statutes with a focus on insider activities. By doing so, a framework will be developed for determining the liabilities that companies face for the actions of their employees.
Under SOX 404 and HIPAA, a statement of management responsibility is required for developing and sustaining adequate internal controls over the financial aspects of the company. A statement highlighting the company’s framework for evaluating the effectiveness of internal controls is also required. SOX 404 requires companies to assess their internal controls at the end of every fiscal year. These assessments should include a disclosure of any material weakness or deficiency that indicates a likelihood of misstatement that cannot be prevented or detected.
Under HIPAA, individuals possess the right to ask for their health records and to have corrections added to them. They also have the right to demand notices on how their health information is used and shared, and to determine whether to permit sharing or use for some purposes.
In some instances, employers are civilly liable for the insider actions of their subordinates. Though employees are criminally liable, companies may be required to take responsibility for the consequences of their associates’ actions because of the relationship between the two parties.
Discrimination legislation consists of laws intended to prevent discrimination. Discrimination in various parts of life includes employment, the provision of services and goods, education, administration, health and disability. The Employment Equity Act, Equal Pay Act, Race Relations Act, Fair Employment Act and Equal Remuneration Convention are laws related to discrimination and equality in employment (Zaman, 2013).
Practices underpinning organisational policies and contributing to psychological contract among employees
In an organization, there are expectations about the treatment of employees by employers and about the effort employees put into the job. These form the foundation of the relationship between employers and employees. Organizational policies have been crafted to manage behaviour at work. The fundamental principles behind those policies include respect, compassion, trust, empathy, objectivity and fairness. These are the qualities that form the basis of the best employer-employee relationships and characterize the psychological contract.
- ABNORMAL BEHAVIOUR PRIOR TO ATTACKS
Insiders exhibited abnormal behaviour prior to the attack. This behaviour included truancy, arguments with co-workers, poor job performance, expressed dissatisfaction with the job and tardiness.
The role of management in monitoring and alleviating sudden disgruntlement cannot be underestimated. Management should carefully evaluate concerning behaviour displayed by an employee as a result of a negative work-related incident. For instance, monitoring of the employee’s online presence should be increased. It is also notable that organizations cannot practically monitor all online interactions of all their employees at all times. A balance between proactive system monitoring and review and other essential IT processes, though difficult, should be established. Almost all insiders described in the Insider Threat case studies have one thing in common: concerning social behaviour prior to an attack. Therefore, an important lesson for private organizations is to develop a framework to measure employee satisfaction levels at regular intervals. Any deviation from the norm should be a cause for concern. Targeted monitoring of online activity can aid in preventing insider sabotage through timely detection of technical precursor activity.
Sterman (2009) proposed a model for insider activity analysis referred to as system dynamics. System dynamics is a method of modelling and analysing the holistic behaviour of complex situations in which attempts at a solution may exacerbate the damage. For instance, while an organization can act swiftly on the behaviour change exhibited by a disgruntled system administrator by imposing system access control audits, it might be too late to detect backdoor accounts created for sabotage purposes. According to system dynamics theory, insights can be gained in such challenging situations, leading to a sustainable solution. In the case of the system administrator, intuitive solutions drafted by the company can worsen the problem, since the administrator will surely strike once his access credentials are revoked.
Employees will fall into one or more of the classes highlighted in the previous section: citizens, delinquents, renegades or rogues. They can also change class according to personal or employment changes. In order to entice employees in other classes to become citizens, a number of motivators have been identified. These include respect, love, duty, fear and force. Employees guided by love, respect and duty are less likely to deviate to other behaviour classes because their actions are based on strong personal core values.
People who rely on a contract to manage personal behaviour ensure that acceptable use policies are well defined and heeded to the letter. While legal frameworks can protect the company, they do nothing to modify behaviour or optimize productivity. The policy language implemented in an organization should be easy to understand and should clearly state its stance on punishment and prosecution.
Those relying on fear to moderate personal behaviour should be managed by the long-standing and relentless tradition of the company in dealing effectively with problematic employees. Organizations should have a track record of dealing with rogue employees and, in serious cases, should pursue criminal charges relentlessly. People motivated by fear are managed by the risk of enforcement.
Those who need to be controlled by force to moderate personal behaviour are hopeless with regard to organizational progress. Such employees should be replaced immediately to avert a future crisis.
- TECHNICAL VERSUS NON-TECHNICAL INSIDERS
Insiders who undertook IT sabotage held technical positions such as system analyst, designer, programmer and system engineer. Respondents in the research indicated fair knowledge of the technical controls used by organizations to combat insider threats. In fact, the only widely recognized controls applied by organizations are firewalls and log monitoring procedures. For technical staff, their understanding of aspects such as intrusion detection systems is well beyond the grasp of middle-level and low-level employees. In effect, the latter cannot undertake IT sabotage, since it requires technical know-how to execute. As a result, only those employees privy to the technical aspects of the organization are in a position to conduct IT sabotage. Middle- and low-level employees were associated with insider practices that do not require much technical knowledge. For instance, disclosure of financial systems, customers’ private data and the company’s confidential trade secrets and intellectual property does not require advanced design, programming or networking skills. As long as perpetrators have, or acquire, authorization to such data, they can share it just as easily. However, practices such as fraud and embezzlement required advanced skills to manipulate inflated expenses and domain names to carry out the operation. Likewise, locking network administrators out of the organization’s computer systems to avenge disciplinary action requires advanced networking skills, including those for rigging the network so that other parties could access it.
In general, technical IT sabotage required advanced hacking and network manoeuvring skills that are beyond the understanding of non-IT personnel. For instance, system administrators could create backdoor accounts with elevated system privileges, knowing that their accounts were not subject to scrutiny and audit, and thereby facilitate attacks after they left the company or were terminated. Others planted logic bombs that executed on the occurrence of a specific event, such as account deactivation, or after a specific time. Often the insider configured the logic bomb to execute after exiting the organization, leveraging the fact that no configuration management or characterization process was in place to detect their practices.
- MANAGEMENT INEFFICIENCY
The majority of the insiders attacked after termination. Attackers were found to be former employees who had seized the opportunity to survey the system and recognize loopholes and vulnerabilities. They attacked using other employees’ credentials or used privileged rights to set up an attack plan through technical steps. Finally, they attacked remotely, having accumulated remote access rights. For instance, attackers installed a password cracker, created a backdoor account or exploited access control vulnerabilities to launch an attack.
The results of the study tally with this phenomenon, as respondents cited loose organizational policies and job dissatisfaction as the first and second factors influencing insider threats in the organization. Weak organizational policies imply that private company employees can access the network well after being laid off, through remote access, or immediately afterwards. If access privileges are not stripped from employees before termination letters are handed out, they are more likely to look for a way to take revenge on the company and its employees. Inefficient organizational policies are blamed for security vulnerabilities and loopholes that occur after employees are laid off. These vulnerabilities and loopholes can even occur before employees are laid off or voluntarily leave the company. Upon investigation, it is usually found that former employees had a hand in aiding the attacks due to their knowledge of the network and operational happenings.
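The two preceding sections describe the same control gap from both sides: privileged or backdoor accounts that no audit ties to a current employee, scheduled jobs left behind to run after the insider has gone, and access that is still live after termination. The following script is an added example written for this chapter; it is not from the study, the CERT/USSS research or any respondent, and every name, host, date and log line in it is constructed. It reconciles an HR roster (with termination dates) against an account inventory, a list of scheduled jobs and authentication log lines, which is the kind of regular audit the text argues termination and access-control policies should be backed by.

```python
"""
Offboarding and orphaned-access audit (constructed example).

Cross-checks three constructed data sources and reports:
  1. accounts with no HR owner          (candidate backdoor accounts)
  2. accounts still enabled after the owner's termination date
  3. successful logins by terminated employees after their termination date
  4. scheduled jobs owned by any account flagged in 1 or 2
     (a job left behind to run later is the defender's view of a logic bomb)
All users, hosts, dates and log lines below are made up for illustration.
"""
from datetime import date, datetime
import re

# Constructed HR roster: None means the person is still employed.
HR_ROSTER = {
    "alice": {"terminated": None},
    "bob": {"terminated": date(2013, 3, 1)},
    "carol": {"terminated": None},
}

# Constructed account inventory as it might be exported from the hosts.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "enabled": True},
    {"user": "bob", "privileged": True, "enabled": True},        # never disabled
    {"user": "carol", "privileged": False, "enabled": True},
    {"user": "svc_backup2", "privileged": True, "enabled": True},  # no HR owner
]

# Constructed scheduled-job inventory (owner, host, command).
SCHEDULED_JOBS = [
    {"owner": "alice", "host": "db01", "command": "/opt/backup/run.sh"},
    {"owner": "svc_backup2", "host": "db01", "command": "/var/tmp/maint.sh"},
    {"owner": "bob", "host": "app03", "command": "/home/bob/nightly.sh"},
]

# Constructed authentication log lines in a simple key=value layout.
AUTH_LOG = """\
2013-03-02T22:14:05 host=app03 user=bob result=success src=203.0.113.7
2013-03-02T09:01:11 host=db01 user=alice result=success src=10.0.0.5
2013-02-27T18:30:00 host=app03 user=bob result=success src=10.0.0.9
2013-03-03T01:02:03 host=db01 user=svc_backup2 result=success src=203.0.113.7
"""

# Date on which the audit is run (constructed).
AUDIT_DATE = date(2013, 3, 5)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def parse_auth_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def terminated_by(user, when, roster):
    """True if the roster shows `user` terminated on or before the date `when`."""
    rec = roster.get(user)
    if rec is None or rec["terminated"] is None:
        return False
    return when >= rec["terminated"]


def audit(roster, accounts, jobs, auth_text, today):
    """Return the four finding lists described in the module docstring."""
    findings = {"no_owner": [], "stale_access": [],
                "post_termination_login": [], "suspect_jobs": []}
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings["no_owner"].append(user)
        elif acct["enabled"] and terminated_by(user, today, roster):
            findings["stale_access"].append(user)
    for ev in parse_auth_log(auth_text):
        if ev["result"] == "success" and terminated_by(ev["user"], ev["ts"].date(), roster):
            findings["post_termination_login"].append(
                (ev["user"], ev["host"], ev["ts"].isoformat()))
    flagged = set(findings["no_owner"]) | set(findings["stale_access"])
    for job in jobs:
        if job["owner"] in flagged:
            findings["suspect_jobs"].append((job["owner"], job["host"], job["command"]))
    return findings


if __name__ == "__main__":
    for category, items in audit(HR_ROSTER, ACCOUNTS, SCHEDULED_JOBS, AUTH_LOG, AUDIT_DATE).items():
        print(category, items)
```

Run against the constructed data, the audit flags `svc_backup2` as an account with no HR owner, `bob` as a terminated employee whose account is still enabled, one VPN login by `bob` the day after his termination date, and the two scheduled jobs owned by those accounts. In a real deployment the roster, account and job inventories would be pulled from the HR system, directory and hosts on a schedule, and the findings fed to the incident response program rather than printed.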
According to Bob Hayes (2011), organizations that employ enterprise security risk management stand a chance of a higher level of protection, especially if the financial executive is a team player in considering insider threats. Naturally, numerous teams are involved in insider threat risk analysis, including Business Conduct and Ethics, compliance, legal, audit and corporate security. Each of these entities is involved in monitoring for or detecting malicious insiders within the organization.
Discussions have emerged as to whether insider risks can be managed separately from overall organizational risk management. It is important to recognize that while insider threats can be managed as a subset of other organizational risks, they must be recognized as a unique risk category. Many organizational executives spend considerable time on enterprise risk management processes, actively identifying the risks to the organization, but spend little time pondering the insider. It has been found that mitigating insider risk involves a set of specific strategies that focus on the nature of the perpetrator.
Keeping malicious individuals out of the company
Malicious individuals can be kept out of private companies by conducting comprehensive reviews that seek to establish their past behaviour. Some employees have been found to seek employment motivated by statutes such as the Dodd-Frank Wall Street Reform and Consumer Protection Act. Malicious insiders will use a variety of ways to cause damage, misuse information or disclose confidential data in order to damage the company’s reputation and elicit public uproar. They potentially plant evidence of wrongdoing in organizations out of a desire to profit from the 10-30% share of recoveries that the law grants to whistleblowers.
Second, private organizations should maintain a baseline of security provisions that ensure strong access controls, asset and information privacy, and ethical practices in the workplace.
Third, security education and awareness cannot be underestimated with respect to insider attacks. Security awareness should be fostered through training, reporting mechanisms such as anonymous tip hotlines, clear reporting procedures and protection against retaliation. As one respondent noted, their company has implemented double passwords for mobile devices, so that even if a device is lost, it is still protected by multiple passwords.
Finally, technical controls cannot be dispensed with when it comes to the detection of insider attacks. Security incident and event monitoring tools, as well as regular audits, are essential in ensuring compliance with access policies.
INSIDER THREAT EDUCATION AND AWARENESS
Over half of the respondents interviewed reported having a formal insider threat mitigation program in their organizations. The programs are quite diverse, highlighting the need for a broader and more universal definition of insider threat analysis.
29% of respondents indicated strict security policies, while 35% cited insider monitoring and reporting tools and the use of audit and log monitoring procedures. One respondent commented that human resource and general management awareness processes are required to combat insider threats, since technological solutions are reactionary. Formal insider mitigation strategies mentioned by respondents include incident response programs, counterintelligence activities and department-specific programs.
Incident response programs
An insider threat management procedure is integrated with the incident response and contingency program. When harmonized and integrated effectively, the plan serves to detect suspicious activity, prevent incidents, and mitigate those that do occur. Quoting one respondent: “human resource and general management awareness processes are required to combat insider threats since technological solutions are reactionary.” A well-crafted insider response and contingency plan, combined with an insider detection and monitoring program, leads to an enhanced security posture.
Counterintelligence
Counterintelligence programs employed by organizations always rest with the chief information security officer. Most of the programs are tailored for employee monitoring, awareness training, and identification and risk analysis of critical assets and intellectual property. Technologies applied include remote and host-based monitoring, access control and data loss prevention. For instance, a respondent in the telecommunications sector indicated that mobile devices are protected by two passwords in case they get lost.
Security departments maintain formal programs that facilitate the detection and prevention of insider threats. These programs and technologies include web and email filtering, data discovery and search, forensic tools, malware analysis and mitigation, and passive monitoring, among others. However, there was little indication of detection programs that focus on suspicious non-technical behaviours, such as alarming psychosocial behaviour.
Insider threat awareness and education
Half of the organizations sampled reported engaging in security awareness practices. These organizations conduct security awareness training programs that cover malicious and illegal behaviour by employees, the rights and responsibilities of employees in reporting insider threats, handling of sensitive information, separation of duties, roles, responsibilities, and the consequences of reporting insider activities.
During the employment, employees are taken through an information security procedure that includes education and information security policy sensitization on applicable principles. For instance, the organization’s policy may be as follows:
Company X requires, as part of its security management procedure, that all employees attend an information security awareness program, either online or in person, each year. This training provides information security literacy skills and other basic knowledge.
Company X provides a prompt update of all changes to its security policies including how the changes can affect their work procedures and relationships.These sample policies are essential to reduce risks and liability in the event that a security breach happens. The defence that an employee was ignorant of the rules in the first place has been unsuccessful in several cases. Failure to establish and make known of the awareness programs is a sign of an organization giving up its enforcement rights.
There is a correlation between security awareness and the incidence of insider attacks in an organization. Organizations that reported having no security education and awareness procedures had higher rates of insider incidents. KSA respondents indicated that they acknowledged insider activities and believed they were motivated by factors such as greed, monetary gain and sabotage.
The frequency with which security programs are updated and communicated to employees also matters. Respondents whose organizations update security parameters and conduct security awareness at least annually were less likely to cite organizational inefficiency and loose security policies when asked about impediments to security.
According to Furnell (2012), multinationals engaging in insider threat awareness are less likely to report instances of security breaches than those that do not. Insider threat awareness can be delivered through a number of channels, including web-based training courses, presentations by outsiders, education on social engineering and unintentional insider activities, printed and electronic newsletters, and mandatory annual security courses. Some companies have gone further and introduced training meant to neutralize elicitation by foreign intelligence services and competitors. Others offer financial incentives to those who report suspicious actions, while others hold contests for spam catchers. For instance, one company provides free meals and coffee to employees who identify and challenge people walking around the organization without identity badges. Another awards points and certificates to employees who complete and pass yearly security examinations. For this company, online security training and the accompanying examination are mandatory. An employee must accumulate a total of forty points in a year through activities including security conferences, online learning, tabletop exercises and road shows; failure to accumulate the points within the year subjects the employee to a human resources review of suitability for the company. These periodic awareness programs proved effective in combating dangerous activities that are usually taken for granted.
Conclusion
Insider activities have always been a threat to organizations; today's dynamic environment has brought them to the fore. It is worrying that insider incidents have increased in the past few years, highlighting the ineffectiveness of the approaches used to combat them. Because these threats are complex and facilitated by a number of factors, they can be difficult to deal with: they arise from multiple motives, are perpetrated through multiple channels to achieve multiple ends, and strike on multiple occasions. Because they are not mediated by the same methods used to dispel external threats, applying the same approach as for external threats will ultimately fail. For instance, strict technical controls that inhibit creativity and innovation impede productivity and damage the overall standing of the organization.
Despite the complexities of insider threats, reducing the chances of occurrence and mitigating their impact is a manageable business process. Insider threats require a comprehensive business plan tailored to the needs of the specific organization. The plan should be budgeted for, implemented, managed, measured for effectiveness and audited. Commitment is required on the part of all implementers, from security experts and employees to executive management.
Organizations use a myriad of techniques in fighting insider activities. However, employee behaviour modification proves more efficient than the other mitigating procedures. As one respondent noted, the cardinal rule lies in changing the relationship between employer and employee. An amicable relationship is far more effective than technical and policy controls, since employees then understand what is required of them. This chapter has explored the concepts behind employee satisfaction in organizations, including internal and external factors. Four factors came into play with respect to insider attacks: employer-employee relationships, technical versus non-technical insiders, management inefficiency and insider behaviour prior to attacks. The following have been identified as effective strategies for minimizing and eliminating insider activities in organizations:
- Comprehensive employee reviews that establish past behaviour through pre-employment screening
- A baseline of security provisions in private organizations that ensures strong access controls and the privacy and maintenance of assets and information
- Continuous security education and awareness
- A set of technical controls for monitoring, preventing and maintaining high security levels
Experimentation & Evaluation
Introduction
In this section, an investigation into employee behaviour that facilitates insider activities is undertaken. Apart from deliberate motives such as sabotage, blackmail, fraud and information theft, there are other avenues through which employees can unconsciously enable insider attacks. For instance, an employee who, out of curiosity, inserts a found flash drive into the company's computing systems, or circumvents the security controls that restrict the use of such devices, may end up infecting the systems if the drive carries malware. This approach investigates how such instances compound security threats and explores their magnitude.
This experimental procedure is intended to test the effectiveness of education and awareness programs in private organizations. Data are collected before and after the education and awareness program is conducted. The success of the exercise depends on the collaboration of security heads, systems administrators and analysts, employees and other stakeholders in the chosen private organization. Data are captured in a number of ways, including video surveillance, to study the behaviour of users before and after sensitization.
Experimentation
In this research, I conduct a simple experiment that illustrates the behaviour of a typical employee with respect to handling and using unauthorized external or personal devices on the company's network.
The experiment involves an office setting with computing resources and employees carrying out their normal daily activities. Pen drives and memory cards are planted at strategic locations early one morning, before employees arrive for work. The locations include pathways, parking lots, the tops of workstations, the floor and other places employees frequent. The aim is to create the impression that somebody has lost a device; out of curiosity, employees might be tempted to check its contents by inserting it into a company machine or into their own portable devices, such as laptops, which connect to the company's Wi-Fi.
The control variable for the experiment is the sensitization itself: in one run, company-wide sensitization on the importance of adhering to the laid-down security policies is conducted before the drives are planted; in the other, no sensitization is conducted before the results are taken. The results are then analyzed and a conclusion drawn.
Evaluation
Results from the experiment are as follows:
Before insider security sensitization, users were found to act without regard to the security policies in place. For instance, out of curiosity, employees inserted the planted flash drives into computing systems even though such devices are not allowed in the workplace. In organizations that remotely disable USB ports, the devices could not be accessed and hence posed no harm to the network; where the ports were not expressly disabled, employees could see the contents of the drives. Had bot malware been planted on the devices, a major security breach could have resulted. With mobile devices such as laptops, users were able to view the contents of the drives successfully. Though the drives carried no malicious applications, the conduct and curiosity of employees in the face of organizational rules and policies were tested.
Second, after security education and sensitization on what constitutes an insider threat, employee perception and response changed drastically. Employees were taught and sensitized on various security aspects, including:
- Malicious programs and spam
- Intentional and unintentional insider activities
- Social engineering
They were found to disregard any device they believed did not belong to them. For instance, after sensitization, employees did not find it necessary to insert the flash drives into organizational computing systems because they recognized the dangers. When asked what had influenced their changed attitude, one respondent replied that learning how external attackers could gain control of a device using malware and spamming programs was sufficient to change their perspective.
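The before/after comparison above rests on counting which workstations actually mounted a planted drive, and on knowing whether an endpoint blocks removable media at all. The following is an added example, not part of the study or its instruments: it scores a USB-drop run from kernel log lines and checks a Linux modprobe.d fragment for the weak versus the enforced way of disabling the usb-storage driver. The log lines, host names, the 2014-03-10 sensitization date and the sample configurations are all constructed for the example.

```python
"""USB-drop experiment scoring and endpoint control check (added example).

Assumptions (not from the study): journalctl -k style kernel log lines,
one sensitization date separating the two phases, and Linux endpoints that
block removable media by configuring the usb-storage kernel module.
"""
import re
from datetime import datetime

# Constructed sample kernel log lines from four hypothetical workstations.
# Entries dated before 2014-03-10 belong to the "no sensitization" phase,
# later ones to the "after sensitization" phase.
SAMPLE_LOG = """\
2014-03-03T08:12:41 ws-014 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
2014-03-03T08:12:41 ws-014 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
2014-03-03T08:12:42 ws-014 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
2014-03-03T09:30:05 ws-021 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2014-03-03T09:31:10 ws-021 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
2014-03-04T07:55:00 ws-007 kernel: usb 3-2: new full-speed USB device number 3 using xhci_hcd
2014-03-04T07:55:00 ws-007 kernel: input: Logitech USB Keyboard as /devices/...
2014-03-17T08:05:12 ws-033 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
2014-03-17T08:05:12 ws-033 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

SENSITIZATION_DATE = datetime(2014, 3, 10)  # assumed cutoff between the two runs

# One mass-storage attach event per matching line: timestamp and host.
MASS_STORAGE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel:\s+usb-storage\s+\S+:\s+"
    r"USB Mass Storage device detected$"
)


def mass_storage_events(log_text):
    """Return (timestamp, host) for every mass-storage attach in the log.

    Keyboards and other non-storage USB devices are deliberately ignored:
    the experiment measures removable media, not all USB activity.
    """
    events = []
    for line in log_text.splitlines():
        m = MASS_STORAGE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host")))
    return events


def hosts_by_phase(log_text, cutoff=SENSITIZATION_DATE):
    """Count distinct hosts that mounted a planted drive before and after cutoff.

    Distinct hosts rather than raw events, so one curious user who reinserts
    the same drive twice is counted once.
    """
    before, after = set(), set()
    for ts, host in mass_storage_events(log_text):
        (before if ts < cutoff else after).add(host)
    return {"before": len(before), "after": len(after)}


def insertion_rate(hosts_that_inserted, hosts_in_scope):
    """Fraction of in-scope workstations on which a planted drive was mounted."""
    if hosts_in_scope <= 0:
        raise ValueError("hosts_in_scope must be positive")
    return hosts_that_inserted / hosts_in_scope


def usb_storage_blocked(modprobe_conf):
    """True if a modprobe.d fragment stops the usb-storage module from loading.

    'blacklist usb-storage' alone is the weak setting: it only suppresses
    loading by alias, so an explicit modprobe or a module that depends on
    usb-storage still loads it. 'install usb-storage /bin/false' (or
    /bin/true) replaces every load attempt with a no-op, which is enforced.
    """
    for raw in modprobe_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "install" and parts[1] == "usb-storage":
            if parts[2] in ("/bin/false", "/bin/true"):
                return True
    return False


WEAK_CONF = "blacklist usb-storage\n"                              # constructed
ENFORCED_CONF = "# removable media policy\ninstall usb-storage /bin/false\n"


if __name__ == "__main__":
    print(hosts_by_phase(SAMPLE_LOG))                      # {'before': 2, 'after': 1}
    print(insertion_rate(2, 20), insertion_rate(1, 20))    # 0.1 0.05
    print(usb_storage_blocked(WEAK_CONF), usb_storage_blocked(ENFORCED_CONF))
```

Two caveats a practitioner should pair with this: the phase counts only mean something when divided by the number of workstations in scope for each run, which is why `insertion_rate` takes that denominator explicitly; and the modprobe check is moot on a kernel that has usb-storage built in rather than as a module, which can be confirmed by looking for it in `/lib/modules/$(uname -r)/modules.builtin` before trusting the control.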
Conclusion
This small experiment illustrates the effect of education on the behaviour of users. Without sufficient knowledge of how to act in various circumstances, employees are unable to recognize and prevent internal and external threats; insider threat awareness and education therefore qualifies as the lead factor in fighting insider activity. An effective insider threat mitigation approach should be proactive in nature, recognizing the role that humans play. It has been argued that even with the strictest technical controls and security policies, uncooperative employees will find a way of circumventing them, since they work from within. Handling insider activities does not involve only technical IT personnel; rather, personnel from the HR, security, legal, incident response and public relations functions act together to develop a comprehensive plan that is as near fool-proof as possible. Whenever possible, the insider threat management team should include experienced members, especially behaviour experts and counterintelligence specialists. This is essential in companies where mishandling of trade secrets, proprietary information and intellectual property would lead to severe financial, legal, reputational and business damage.
This chapter gives a summary of what has been undertaken in the paper and seeks to answer the question of whether the goals and objectives of the research have been achieved.
Defending against insider threats, it can be argued, is a complex venture that is viewed as impossible in some circumstances, because the threat emanates from within and can adopt the best concealment strategies. However, by looking at real-world cases, it is possible to identify common patterns that could aid in the identification of mitigating strategies. In this paper, an analysis of employee knowledge and readiness to identify, report and prevent insider activities has been conducted. The results indicate that changing employee attitudes is the first step towards winning the war against the insider agent. It can be achieved through a number of methods, such as enterprise-wide education and awareness, exploring ways of achieving job satisfaction, offering incentives for acceptable behaviour and removing rogue employees identified by screening processes. Other strategies, such as technical controls, cannot be ignored but serve a complementary purpose.
The components of an insider mitigation strategy should include employee monitoring, awareness and training, and identification and monitoring of critical resources. These components should be synchronized with existing technical controls to form a practical security program.
Research Definition & Research Overview
This research seeks to establish the role of readiness and awareness in combating insider threats in private organizations. Private organizations are the focus because they lack a common framework, unlike United States executive branch agencies, which are governed by the 2012 White House Presidential Memorandum titled National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.
Insider threat is defined in this paper as "actions of employees, contractors or other privileged parties with access to sensitive data which create security incidents, either unintentionally or maliciously".
Contributions to the Body of Knowledge
Most research studies have concentrated on the application of technical controls for the prevention and mitigation of insider threats in an organization. Technical controls are common among private and public organizations, and without them they can rarely survive. Yet insider threats in specific categories of offence have increased over time, and most existing approaches to mitigation and prevention are proving less effective. Given the complexity of the threat, a different approach must be explored; this line of thought motivated the research. In spite of the complexity, dissecting the problem into smaller components and studying each individually will prove feasible for the development of a sustainable solution. This research builds upon the human aspects of insider activities in an organization. The author believes that it adds a valuable source of knowledge to existing
Experimentation, Evaluation and Limitation
The experimental section of this paper highlights a real-life situation occurring in many organizations: out of curiosity, employees act in a manner that jeopardizes the overall security of the organization. The assertion that lack of knowledge can be a defence for committing a wrong is contested, but for organizations to be on the safe side, employee education and awareness should take priority.
Future Work & Research
The research limits itself to the role of education, awareness and sensitization, as well as organizational readiness, in combating insider threats. The human element in insider security management is a relatively new area of study that is intertwined with other fields such as organizational management, psychology and behavioural studies. Currently, there are no available data linking employee satisfaction with reduced insider threats, and education and awareness may not automatically translate into a reduced or eliminated threat. More studies should focus on the relationship between insider activities and phenomena such as employee motivation, remuneration and long-term benefits; this is an opportunity for future research.
Conclusion
This paper has achieved the aims of the research by exploring the relationship between employee and organizational readiness and the risk of an insider attack occurring. It has been determined that private organizations conduct security awareness and training programs covering malicious and illegal behaviour, rights and responsibilities, and knowledge of common security threats such as social engineering. For such programs to be effective, employees' attitudes and well-being should be catered for. Generally, giving employees a sense of security changes their attitude towards reporting and managing insiders.
Bibliography
Intelligence and National Security Alliance (INSA), September 2013. A preliminary examination of insider threat programs in the U.S. Cyber Council: Insider Threat Task Force.
Bandyopathyay, S., 2010. Implementing Intrusion Detection System by Considering Insider Threats. Journal of Security Engineering.
Bishop, M., Engle, S., Peisert, S., Whalen, S. and Gates, C., 2009. We have met the enemy and he is us. Proceedings of the 2008 Workshop on New Security Paradigms, pp. 1-12.
Hayes, B., Kotwica, K. and Lefler, R., 2011. ERM myths and truths: The Threat of the Malicious Insider: What Is the CFO's Responsibility? Security Executive Council.
Centre, United States Secret Service and CERT Coordination, May 2005. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. http://www.cert.org/archive/pdf/insidercross051105.pdf.
Clark, D. L., 2012. Enterprise Security: The Manager's Defense Guide. Addison-Wesley Professional.
Colwill, C., 2009. Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report, 14(4), pp. 186-196. doi:10.1016/j.istr.2010.04.004.
Eberle, W., Holder, L. and Graves, J., 2010. Detecting Insider Threats Using a Graph-Based Approach. [Online] Available at: http://www.eecs.wsu.edu/~holder/pubs/EberleCAEWIT10.pdf [Accessed 10 March 2014].
Hong, J., Kim, J. and Cho, J., 2010. The trend of the security research for the insider cyber threat. International Journal of Security & its Applications, 4(3), pp. 55-63.
Centre for the Protection of National Infrastructure (CPNI), 2013. CPNI Insider Data Collection Study. CPNI.
Sherwood, J., Clark, A. and Lynas, D., 2006. Enterprise Security Architecture: A Business-Driven Approach. Taylor & Francis.
Jones & Bartlett Learning, 2011. Lab Manual to Accompany Fundamentals of Information Systems Security. Jones & Bartlett Publishers.
Magazine, CSO, 2011. 2011 Cybersecurity Watch Survey. Retrieved from https://www.cert.org/insider-threat/research/cybersecurity-watch-survey.cfm.
Nozaki, M. K. and Tipton, H. F., 2011. Information Security Management Handbook, Sixth Edition, Volume 5. CRC Press.
Mitnick, K., 2010. Google Hacked, Says it Will Stop Censoring Chinese Search Results. KrebsOnSecurity, 12 January.
P., S., 2007. Research Methods: Integrating Theory with Practise. International Journal of Contemporary Hospitality Management, 19(1), pp. 95-96.
Peltier, T., 2005. Information Security Risk Analysis. 2nd ed. Boca Raton, FL: CRC Press.
Perlow, L., 2003. When silence spells trouble at work. Harvard Business School Working Knowledge. Retrieved September 20, 2007 from http://hbswk.hbs.edu/item/3494.html.
Pfleeger, S. L., Predd, J. B., Hunker, J. and Bulford, C., 2010. Insiders behaving badly: Addressing bad actors and their actions. IEEE Transactions on Information Forensics and Security, 5(1), pp. 169-179.
Ramachandran, J., 2012. Designing Security Architecture Solutions. John Wiley & Sons.
Roy Sarkar, K., 2010. Assessing insider threats to information security using technical, behavioural and organisational measures. Information Security Technical Report, 15(3), pp. 112-133.
Furnell, S. M. et al., 2012. The Insider Misuse Threat Survey: Investigating IT misuse from legitimate users. University of Plymouth.
Schultz, E. E., 2002. A framework for understanding and predicting insider attacks. Computers & Security, 21(6), pp. 526-531. doi:10.1016/S0167-4048(02)01009-X.
Steele, S. and Wargo, C., 2007. An introduction to insider threat management. Information Systems Security.
Theoharidou, M., Kokolakis, S., Karyda, M. and Kiountouzis, E., 2005. The insider threat to information systems and the effectiveness of ISO17799. Computers & Security, 24(6), pp. 472-484.
Tuglular, T. and Spafford, E. H., 1997. A framework for characterization of Insider Computer Misuse. Purdue University (unpublished).
Walliman, N., 2006. Social research methods. London: Sage.
Willig, C., 2008. Introducing qualitative research in psychology: Adventures in theory and method. London: Open University Press.
Woody, A., 2013. Enterprise Security: A Data-Centric Approach to Securing the Enterprise. Packt Publishing Ltd.
Appendix A