This is Part Three of a multi-part series on the Insider Threat.  I’m interested in what motivates this type of individual, the patterns of behavior, and what organizations can do to reduce the likelihood that a malicious insider can impact their business.  In Part One, I relayed my own story of experience with what was most likely a malicious insider.  In Part Two, I reviewed some research that examines the insider threat and the pattern of behavior exhibited by malicious insiders.  In Part Three I’ll examine what can be done to mitigate the threat malicious insiders pose to organizations. 

I’ll have to ask you to bear with me just a little longer concerning the academic material. I promise that I’ll show you how it can be applied to real life situations. 

We talked about the interrelated behavior loops that influence the behavior of the malicious insider and how these behavior loops interact and influence each other.  Ironically, the very actions of trust and empowerment that have proven so beneficial to workplace satisfaction and performance appear to be the very things that support the transformation of trusted insiders into malicious insiders (given the appropriate motivation, of course).  Should we change the way we manage people and reduce the level of employee trust and empowerment in order to combat the insider threat?  Of course not, but that doesn’t mean that we can’t do anything about the malicious insider. 

Typically this would be the beginning of a discussion about the technical tools used to monitor and control access to information, but I am not going to talk about technical controls.  Technical controls constitute only one-third of the information security equation.  The other two parts are People and Process.  I am of the belief that effective information security is based first on the human element.  Successful information security/information risk management programs are built first on understanding the people using the information systems, then on the processes they use to accomplish their jobs (both manual and electronic), and finally on the technological controls chosen as appropriate for both the users and their processes. 

Let me start out by saying that there is no way you will be able to totally eliminate the insider threat.  The concepts I will be addressing are intended to reduce the risk to acceptable levels, not eliminate it. 

One of the reasons the authors of Preliminary System Dynamics Maps of the Insider Cyber-threat Problem chose not to deal with what motivates a malicious insider is that there can be as many different motivators as there are malicious insiders.  If it is not efficient to focus on the individual, then we must focus on how individuals act within our organizations.  That is the study of Social Cognition.

Much of the understanding we have of this process can be tied to the experiments of many psychologists and social scientists, starting with the work of psychologist Stanley Milgram in the 1960’s and subsequently built upon over the years.  These experiments have led to the development of five principles of social cognition:

  • The Power of the Situation over Behavior,
  • Blindness for Situational Influences,
  • Social Perception and Self-Perception are Constructive Processes,
  • Blindness for the Constructed Nature of Social and Self-Perception, and
  • Self-Processes are Social.

I’ll be releasing a white paper shortly that discusses these principles in greater detail; however, what is important to this discussion is that individuals exhibit a tendency to conform their behavior to that of the groups to which they belong.  Another interesting aspect of this principle is that while group dynamics can alter individual reactions, these very same individuals tend to seek out other individuals when in need rather than groups (Link A and Link B). What is surprising is that we (as individuals) are largely unaware of the influence that social situations have on our behavior. 

The next principles deal with how we interpret the world around us.  Studies have shown that our perception of the world is constructed from our understanding of abstract concepts; yet we experience our interpretation of the environment as if it were a direct perception of reality.  This can be illustrated by the interpersonal misunderstandings that can occur when people from different cultures interact.  (This can also be attributed to the “us versus them” attitude that we experience as information security professionals.) 

Individuals construct their own self-knowledge in much the same way they perceive the world around them.  Just as individuals are unaware that their interpretations of their environment are influenced by how they define abstract principles, these same abstract concepts also influence an individual’s perception of self without the individual being aware of it.

So what does all this mean? 

The practical application of these principles can increase the level of security or risk awareness within the organization in two ways: by focusing our efforts on the group (individual behavior tends to conform to that of the larger group), and by supporting this with a mentor program to monitor individual development (individuals tend to seek out other individuals when in need rather than groups). 

Since perception of the world around us (and of ourselves) is governed by our understanding of abstract concepts, we must institute programs to influence the abstract concepts of risk management within our organizations.  This means that we must directly address Corporate Culture.

Each organization has a unique persona.  Corporate Culture is a system of shared meaning held by the individuals who make up the corporation.  Changing corporate culture can be challenging and can be viewed similarly to product branding.  It conveys a sense of identity for its employees and facilitates a commitment to an overall goal or objective rather than individual goals and objectives. You must first accurately gauge what the organization’s perceptions of information security are before you can design a program to alter those perceptions. 

This program must focus on an organization’s unique perceptions and include reinforcement (both positive and negative) in addition to education.  This is where most traditional security awareness and training programs fail.  They focus solely on training, not on changing behavior.  The basic principles of information security have been taught to employees for so many years now that most employees could recite them from memory if asked.  The problem is that this knowledge is not translating into behavior. 

Using the concepts described here, we can influence the behavior maps that we discussed in Part Two.  We can keep the perception of risk high despite the high level of trust we want to foster in the environment.  This in turn helps to maintain adequate levels of funding and detective capability for information security.  A corporate culture that is risk-aware is also one that can positively influence a disgruntled insider so that they are less likely to become a malicious insider. 

At the end of the day there is no way to totally eliminate the insider threat; however, if we approach this problem in the right way we can stack the deck in our favor and reduce the risk to acceptable levels.

(FYI – If Social Cognition interests you as much as it interests me, then I suggest that you start with an excellent article by Dr. Matthew Lieberman on the subject.)
