Prerequisite: None
Malicious insiders are current or former employees, contractors, or trusted business partners who have or had authorized access to their organization's systems and information. They are familiar with internal policies, procedures, and technology and exploit that knowledge to facilitate attacks and even collude with external attackers. Research by CERT since 2001 has focused on hundreds of insider crimes, including espionage, IT sabotage, fraud, theft of confidential or proprietary information, and threats to our nation's critical infrastructures.
The research focuses on the "big picture": the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, psychological issues, and organizational culture over time. We have developed profiles for each type of crime which describe who, what, when, and how, as well as patterns of behaviors, organizational issues, and technical actions over time. While the research suggests definitive countermeasures, issues of policy, law, and employee privacy present challenges which must be overcome in order to effectively mitigate this threat to our nation’s critical infrastructure. This presentation describes each crime profile, proposed countermeasures, and policy, legal, and privacy obstacles to implementing those countermeasures.
Learning Objectives:
- Make informed, risk-based decisions regarding implementation of practices, technologies, and policies for insider threat risk mitigation
- Communicate the importance of the collective efforts of IT/information security, human resources, physical security, software engineering, legal, and data owners in insider threat risk mitigation
- Recognize practices that could have mitigated insider threats in hundreds of cases, as well as policies, technologies, business process details, and management issues that influence an insider’s decision to act
- Understand the differences between insider theft of information for business advantage (e.g., intellectual property/trade secrets), IT sabotage, and theft or modification of information (e.g., personally identifiable information) for financial gain