The Risk of Risk Analysis And its Relation to the Economics of Insider Threats

Conference paper

Abstract

Insider threats to organizational information security are widely viewed as an important concern, but little is understood as to the pattern of their occurrence. We outline an argument for explaining what originally surprised us: that many practitioners report that their organizations take basic steps to prevent insider attacks, but do not attempt to address more serious attacks. We suggest that an understanding of the true cost of additional policies to control insider threats, and the dynamic nature of potential insider threats together help explain why this observed behavior is economically rational. This conclusion also suggests that further work needs to be done to understand how better to change underlying motivations of insiders, rather than simply focus on controlling and monitoring their behavior.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). DOI http://doi.acm.org/10.1145/322796.322806Google Scholar
  2. 2.
    Anderson, R.H.: Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems: Results of a Three- Day Workshop. RAND Corporation, Santa Monica, CA, U.S.A. (1999)Google Scholar
  3. 3.
    Beautement, A., Coles, R., Griffin, J., Monahan, B., Pym, D., Sasse, M., Wonham, M.: Modelling the human and technological costs and benefits of usb memory stick security. In: Proceedings of the Workshop on Economics in Information Security (2008)Google Scholar
  4. 4.
    Beautement, A., Sasse, M., Wonham, M.: The compliance budget: Managing security behaviour in organisations. In: New Security Paradigms Workshop (2008)Google Scholar
  5. 5.
    Binney v. Banner Therapy Products, 631 S.E. 2d 848, 850. North Carolina Court of Appeals (2006)Google Scholar
  6. 6.
    Bishop,M., Engle, S., Peisert, S.,Whalen, T., Gates, C.: Case studies of an insider framework. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS) (2009)Google Scholar
  7. 7.
    Cofta, P.: Trust, Complexity and Control: Confidence in a Convergent World. John Wiley and Sons (2007)Google Scholar
  8. 8.
    Cole, E., Ring, S.: Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft. Elsevier (2006)Google Scholar
  9. 9.
    Computer Crime and Security Survey. Computer Security Institute (2007)Google Scholar
  10. 10.
    Contos, B.T.: Enemy at the Water Cooler. Elsevier (2007)Google Scholar
  11. 11.
    Hunker, J., Bulford, C.: Federal Prosecution of Insider Threats Demonstrates Need for Reform; Analysis based on data base of Federal prosecutions since 1995. Manuscript under review (2009)Google Scholar
  12. 12.
    Hunker, J., Predd, J., Pfleeger, S.L., Bulford, C.: Insiders behaving badly: A taxonomy of bad actors and their actions. Manuscript under review (2008)Google Scholar
  13. 13.
    Jérôme Kerviel. Available from http://en.wikipedia.org/wiki/Jerome\ _Kerviel, last visited February 27, 2009Google Scholar
  14. 14.
    Keating, D.: Tax suspects guidance on software left d.c. at risk. Washington Post (2008)Google Scholar
  15. 15.
    Kerckhoffs, A.: La cryptographie militaire. Journal des sciences militaires IX (1883)Google Scholar
  16. 16.
    Knight, F.H.: Risk, Uncertainty, and Profit. Hart, Schaffner & Marx; Houghton Mifflin Co. (1921). Library of Economics and Liberty [Online] available from http://www.econlib.org/library/Knight/knRUP.html; accessed 24 May 2009.Google Scholar
  17. 17.
    Michelson, M.: Bank scandal a blow to french pride. In International Herald Tribune (2008)Google Scholar
  18. 18.
    Perrow, C.: Normal Accidents: Living with High-risk Technologies. Princeton University Press (1999)Google Scholar
  19. 19.
    Predd, J., Pfleeger, S.L., Hunker, J., Bulford, C.: Insiders behaving badly. IEEE Security and Privacy 6(4), 66–70 (2008). DOI http://doi.ieeecomputersociety.org/10.1109/MSP.2008.87Google Scholar
  20. 20.
    Probst, C.W., Hunker, J., Bishop,M., Gollmann, D.: Countering insider threats. Dagstuhl Seminar Proceedings (2008). URL http://drops.dagstuhl.de/opus/volltexte/ 2008/1793Google Scholar
  21. 21.
    Schudel, G., Wood, B.: Modeling behavior of the cyber-terroristGoogle Scholar
  22. 22.
    Schultz, E.E.: A framework for understanding and predicting insider attacks. In: Proceedings of CompSec (2002)Google Scholar
  23. 23.
    Stein Bagger. Available from http://en.wikipedia.org/wiki/Stein\_Bagger, last visited February 27, 2009Google Scholar
  24. 24.
    Weirich, D., Sasse, M.A.: Pretty good persuasion: a first step towards effective password security in the real world. In: NSPW ’01: Proceedings of the 2001 workshop on New security paradigms, pp. 137–143. ACM, New York, NY, USA (2001). DOI http://doi.acm.org/10.1145/ 508171.508195Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. 1.Technical University of Denmark Denmark
  2. 2.Jeffrey Hunker Associates  

Personalised recommendations