True or False: 70% of security incidents are due to insider threats?
The whole thread originated with a message, “Request for ideas”, sent to discuss@securitymetrics.org by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master’s program. On a sudden idea, I dropped him a message recommending that he work on this true-or-false problem in security metrics:
True or false: 70% of security incidents are due to insider threats?
I just read the book “The New School of Information Security” by Adam Shostack and Andrew Stewart (Addison-Wesley, 2008), where I found one interesting argument by the authors. They doubt the statement that 70% of security incidents are due to insider threats. Many consultants, books and articles treat this statement as a basic hypothesis of security. What’s your view on it?
To my complete surprise, Adam, Andrew, Dan and many other experts jumped into the discussion thereafter. A lot of fresh ideas emerged in the discussion threads. To get more experts into this topic, I also started a discussion in the SecurityMetrics group on LinkedIn.
This RSA/IDC report has some information related to this topic – Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary, it tells us two things:
1. Insider threats are one of the major security threats.
2. Most surveyed parties (52%) believe insider incidents are predominantly accidental.
The report contains a series of numbers from a relatively trustworthy survey. However, we cannot derive a 60%, 70%, 80% or similar conclusion from that report directly.
By accident, I found another IDC diagram on insider threats published in 2006. I cannot find how IDC obtained those data or the methodology used to analyze them. From the diagram, as an enterprise grows bigger, it needs to pay more attention to insider security threats. However, we still cannot get a specific number of security incidents, and therefore no more accurate insider threat ratio.
The discussion is very interesting, and it seems no conclusion can be drawn in a short time. You are welcome to contribute your ideas and information.
In any case, Adam’s perspective is correct: the industry needs more solid data to be convincing. Without adequate publicly available security data on incidents and losses, it is almost impossible for security selling to get out of the myth and fog of FUD.
With so much malware around, looking at firewall and/or IDS logs gives the impression that, as of today, the outsider threat is greater than the insider threat.
This type of discussion is useless. None of the surveys are valid representations of the sources of incidents. They are self-selected samples, samples that are too small, or samples that produce inaccurate feedback since the responders too often don’t know the complete and accurate stories. Security incident occurrences are open ended, i.e. we don’t know what we don’t know. What is an insider? This is defined differently by different experts — people in positions of trust, employees, employees and consultants, full or part-time employees, etc.? 36 incidents and broken down by all of those factors to two digits of precision? Statistically useless.
Donn
Why Measuring the Value of InfoSec is Hard (2)
InfoSec* is inextricably part of the cyber trust “fur ball”, including:
• Privacy
• Digital Rights
• Intellectual Property, brands, reputation, trade secrets
• Stakeholder disclosure
• … and physical security
Historical loss data, even if copious and available, has limited use:
• The landscape changes too fast
• Low frequency / high impact events matter
• Unique events matter
The business value of InfoSec isn’t just loss prevention:
• Value comes from the ability to support profitable risk taking (e.g. brakes, condoms)
Risk balancing is a reflexive process involving perceptions of risk and reward:
• Varies dramatically by industry and sector (e.g. a bank vs. a rock quarry)
By: Russell Cameron Thomas, Principal, Meritology, russell.thomas@meritology.com
Posted by James Shanesy, CISSP
I used to be a salesman of sophisticated, proprietary technology (not IT). I got out of it because I couldn’t stand having to make promises that other people broke. At least now when I make a commitment, it’s me and nobody else who either lives up to it or doesn’t.
And in INFOSEC when you fail to deliver, the results can be catastrophic. I never believe salesmen. Around here we make sure that the commitments and assurances we need are built into the contract. This all gets murkier and murkier as we migrate into “the cloud”.
The text below is from the LinkedIn CISSP community:
Regardless of internal or external, the weakest link in any information processing system from an INFOSEC perspective is the human element. I think that human factors engineering has been grossly overlooked in the IT sector in favor of spending billions on hardware and software solutions that can all be undermined by a basic user making a few keystrokes.
But don’t ask those OEM vendors if their product will protect the system from users doing less than intelligent acts as the answer from the sales rep is generally “sure we can handle that”. I’ve grown cynical after experiencing users time and again showing a complete disregard for even the most basic INFOSEC practices in favor of “Get’r Done”.
Posted by Paul Zedeck, CISSP
RT @zhaol True or False: 70% of security incidents are due to insider threats http://bit.ly/3GL6gR
@Albatross, thanks. That’s a good report. However, its research covers only those security incidents that were conducted by insiders. That means we still cannot estimate what percentage of all security incidents are related to insiders.
For readers’ convenience, I paste the key findings of that report below:
This ITS report examines 36 incidents carried out by 38 insiders that occurred in the government sector between 1996 and 2002. Of the 36 incidents:
• 21 involved various types of fraud, to include 13 cases of financial fraud, 7 cases of document and/or ID fraud, and 1 case of computer fraud;
• 9 involved sabotage;
• 3 involved theft of confidential information; and,
• 3 involved both theft of confidential information and sabotage.
Key Findings
• The majority (58%) of insiders were current employees in administrative and support positions that required limited technical skills.
• Nearly half (43%) of insiders exhibited some inappropriate or concerning behavior prior to the incident.
• Financial gain was the motive (54%) for most insiders’ illicit cyber activities.
• In over half the cases (56%), a specific event triggered, or was a contributing factor in, insiders’ decisions to carry out the incidents.
• The majority (88%) of insiders planned their actions.
• Most (85%) of the insiders had authorized access at the time of their malicious activity.
• Access control gaps facilitated most (69%) of the insider incidents.
• Half (50%) of the insiders exploited weaknesses in established business processes or controls such as inadequate or poorly enforced policies and procedures for separation of duties (22%).
• Insiders were detected and identified by a combination of people (65%), processes (15%), and technologies (56%).
• In most (90%) cases, insiders faced criminal charges.
• Most (82%) insiders did not anticipate the consequences of their illicit activities.
• Insider actions affected federal, state, and local government agencies, with the major impact to organizations being fraud resulting from damage to information or data (86%).
Statistics on Insider Threats from 2002 CIA/CMU studies:
Exec summary http://bit.ly/1uqKgE
Study page http://bit.ly/3Figiv
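To put numbers behind the sample-size objection raised in this thread (36 incidents, findings quoted to two digits), here is an added worked example, not from the post or from the report, that computes Wilson 95% confidence intervals for the incident counts quoted above and the number of incidents a survey would need for a ±5 point margin.

```python
import math

# Counts quoted in the thread: 36 incidents, of which 21 fraud, 9 sabotage,
# 3 theft of confidential information, 3 theft plus sabotage.
INCIDENTS = 36
REPORT_COUNTS = {"fraud": 21, "sabotage": 9, "theft": 3, "theft+sabotage": 3}


def wilson_interval(k, n, z=1.96):
    """Wilson score interval for a proportion of k successes in n trials.

    Returns (low, high) at the confidence level implied by z (1.96 -> 95%).
    Unlike the naive normal approximation, it stays inside [0, 1] and behaves
    sensibly for small n, which is the situation with a 36-incident study.
    """
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need 0 <= k <= n and n > 0")
    p = k / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return centre - half, centre + half


def report_intervals(counts=REPORT_COUNTS, n=INCIDENTS):
    """Map each category to (point estimate, low, high), all as fractions."""
    return {name: (k / n, *wilson_interval(k, n)) for name, k in counts.items()}


def sample_size_for_margin(margin, p=0.5, z=1.96):
    """Incidents needed so a proportion near p has +/- margin at level z.

    Standard normal-approximation sizing: n = z^2 * p(1-p) / margin^2.
    p=0.5 is the worst case, so the result is a conservative requirement.
    """
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    for name, (p, lo, hi) in report_intervals().items():
        print(f"{name:15s} {p:5.0%}  95% CI {lo:4.0%} .. {hi:4.0%}")
    # A whole-number percentage implies +/- 0.5 point resolution; even
    # +/- 5 points already needs several hundred incidents, not 36.
    print("incidents for +/-5 points:", sample_size_for_margin(0.05))
    print("incidents for +/-1 point:", sample_size_for_margin(0.01))
```

The 21-of-36 fraud figure (58%) comes out with a 95% interval of roughly 42% to 73%, which is the sense in which two-digit precision from this sample is not supported.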