
Insider threats

How can you manage them?

Insider threats are personnel who are employed, authorized, or granted privileges by the organization but who harm the organization in some way. 

Insider hazards are inherent, but insiders increasingly have the technical capacity to become threats. For instance, Dongfan Chung, an engineer who transferred secrets to China, mostly relating to military aircraft and the Space Shuttle, had hidden 250,000 pages of paper documents with sensitive information under his home by the time he was arrested in 2006. Almost twice as much information would fit on one compact disc.

In January 2010, Bradley Manning, then a soldier of Private rank in the U.S. Army, assigned as an intelligence analyst to a base in Iraq, stole the largest amount of restricted data ever leaked from one source—more than 260,000 U.S. diplomatic cables and more than 500,000 military reports about or from Iraq and Afghanistan. He downloaded all the information onto digital media, which he carried out of the secure facility. In March 2010, he started to leak documents to the website Wikileaks.

Although leaking of information is deliberate, most insiders who release sensitive information are careless rather than malicious in their noncompliance with access or transfer controls. Even the most senior employees can be noncompliant. For instance, on November 9, 2012, General David Petraeus resigned as U.S. Director of Central Intelligence after revelations of his affair with Paula Broadwell, a former U.S. Army intelligence officer (and his biographer). Her harassing e-mails to another woman prompted a criminal investigation that unearthed her privileged access to Petraeus’ private and classified information, partly through a web-based e-mail account that they had shared in an attempt to communicate privately.

Insiders could be intrinsically inspired or directed by external actors, perhaps unknowingly (the external actor could trick the insider into thinking that they are acting on behalf of the same employer) or knowingly (the insider could accept a bribe to traffic information).


Information security experts prescribe more monitoring of compliance and more training in it, but also suggest that about 5% of employees will not comply despite the training.

Most training is formal, but most people are better at recalling than applying formally trained knowledge. More experiential training would help the employee to become more self-aware of their noncompliance, but even so, some people are not inherently compliant or attentive.

In order to catch the very few people who are chronically noncompliant, the organization might like to monitor them increasingly obtrusively, but this is restricted by ethical and legal obligations and the material challenges—in a large organization, monitoring most people most of the time would be prohibitively expensive, legally risky, and would raise the employees’ distrust and stress.

In many jurisdictions, dismissal of employees is difficult. At the same time, the risks of an insider threat are increasingly great. By 2010, some companies had added noncompliance as a dismissible offense (after two or three breaches) to employment contracts. Nondisclosure agreements (in which the employee promises not to release sensitive information, even after separation) became commonplace in the 1990s.

The U.S. Office of the National Counterintelligence Executive suggests the following cycle for managing insider risks:

1. Assure insider security by, for instance, checking the backgrounds of new hires and reaching nondisclosure agreements.

2. Assure information security by, for instance, imposing controls on the insider’s access to and transfer of information, particularly around the time when the employee separates.

3. Control external travel or contacts with external hazards.

4. Train insiders in secure behaviors and promote awareness of their behaviors.

5. Analyze insider behaviors and respond to issues.

6. Audit and monitor insider behaviors and their management.