Computing Reviews
The insider threat: assessment and mitigation of risks
Thompson E., CRC Press, Inc., Boca Raton, FL, 2019. 229 pp. Type: Book (978-1-498747-08-0)
Date Reviewed: May 17 2019

Did you ever wish to find the names and addresses of any convicted sex offenders living in your area? The author of this book asserts that parents and employers can use information like this to build what she calls a “risk landscape.” As she explains, it is quite easy to obtain such information in the US.

The author has a 20-plus-year career history with the US Coast Guard, so she is well-equipped to help readers identify risks in their professional and personal lives. The introductory chapter asserts that there are four types of organizational insider threats exhibited by employees: virtuous, wicked, malicious, or vengeful. In this context, virtuous insiders are well intended but naive, and may place an organization at risk through risky behavior. Wicked insiders are more likely to knowingly bend rules for mission support or personal interest.

She observes that almost every organization is now heavily reliant on technology, and unintended consequences may result from exploiting such reliance. As an example, she notes that global positioning system (GPS) trackers are often used by transportation systems to manage a fleet of delivery trucks. A driver of such a truck may use a GPS jammer to mask a deviation from his schedule, and that jamming activity can create problems for necessary devices, for example, emergency vehicles reliant on satellite-based signals.

What was described as “a monumental executive shipwreck failure” at the US Office of Personnel Management (OPM) is attributed to a breakdown in cybersecurity hygiene practice. In this instance, there was a weakness in contractor security, which allowed hackers to gain clear access to the sensitive data records of millions of individuals.

The second chapter (“Insider Cybersecurity Threats to Organizations”) notes that, while working as a US Army Intelligence Analyst, Chelsea Manning (formerly known as Bradley Manning) leaked an estimated three-quarters of a million pages of classified government and security documents to WikiLeaks. Manning’s behavior in this instance brands her as both a vengeful insider and a malicious insider.

As an aid to categorizing the controls that organizations might use to mitigate risk elements, the author includes a seven-page table that can be filled out. Major sections in that table relate to things like “employees who might have access to networks,” “persons engaging in risky behavior,” “tangible loss costs,” and “time threats.” A number of items (like “printing work material on home computers”) are included in each major section, and for each item there is a column in which a responsible person may be assigned.

A risk scoring strategy is suggested wherein the benefits of actions are considered against the costs associated therewith. Thus, the benefits of enforcing proper computer system access authentication will be significant, and these can be realized at a comparatively small cost. In particular, the author recommends either two-factor or multi-factor authentication.

Chapter 3 (“Organizational Risk Factors for Unintended Insider Threats”) addresses risk factors that are not commonly understood and/or not usually considered as insider threats. There is another seven-page table that, in this case, contains almost 70 items like “the transporter,” “illusion of privacy and security,” and “enterprise change management.” Many of the items are explained more fully in the chapter text. Thus, a “transporter” might be a commuter who is carrying work documents home in his briefcase and inadvertently leaves them on the train. An employee may accept a phone call in an open-plan office and then, through an “illusion of privacy,” expose classified information to those around him during the ensuing conversation. And “change management procedures” may result in exposed network components while a scheduled change is in progress. One of the most interesting anecdotes concerns an Australian student’s observation of fitness tracker information. A heat map of that information revealed the activities of joggers at locations that may have been Central Intelligence Agency (CIA) black sites.

In chapter 4, the author discusses how insider threat factors relate to vulnerability and consequence. She observes that there is often a time delay before the consequences of a vulnerability (such as using outdated software) are discovered.

As discussed in chapter 5, when evaluating an insider threat risk, one should address the organization’s ability to recover from a possible consequence. For example, a large business that relies on a particular technology to transport a perishable product to its distributors may be able to absorb the financial impact of an insider threat, whereas a smaller business may be destroyed.

The final chapter contains some illustrative examples of how one can build resiliency within an organization. One example reiterates the importance of employee screening and preselection. It is suggested that these procedures should include questions related to information technology (IT) security practices. It is also suggested that efforts be made to identify behavioral traits that are high risk, such as extreme narcissism. Another example suggests that the ongoing monitoring of employees at all levels is necessary to detect the circumstances that may change in their lives over time. In a similar vein, audit control systems should be used for process and function monitoring; auditing can be outsourced where appropriate.

I was surprised that there is no mention in the book of the commercial packages that are now available to assist with insider threat detection (for example, IBM’s QRadar). The author closes with a question: “Have you seen the typical insider threat lately? Answer: Take a look in the mirror, then tilt the mirror toward the person to your right and the person to your left.”

This is not an easy book to read; there are no pictures, the diagrams are confusing, and the tables contain many rows whose labels can only be understood by finding the related explanation somewhere in the corresponding text. But if you’re serious about assessing and mitigating risks, you’ll find the effort worthwhile. You may also wish to read [1] or [2].

Reviewer:  G. K. Jenkins Review #: CR146573 (1908-0307)
1) Arduin, P.-E. Insider threats (vol. 10). Wiley, Hoboken, NJ, 2018.
2) Haber, M. J.; Hibbert, B. Asset attack vectors. Apress, New York, NY, 2018.
Privacy (K.4.1 ... )
 
 
System Management (K.6.4 )
 
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®