True or False: 70% of security incidents are due to insider threats?
Actually, the whole thread originated with a message at firstname.lastname@example.org, “Request for ideas”, by Dimitrios Stergiou. Dimitrios wanted some recommendations for his master’s program. On a sudden impulse, I sent him a message recommending that he work on this true-or-false problem in security metrics.
True or false: 70% of security incidents are due to insider threats?
I had just read the book “The New School of Information Security” by Adam Shostack and Andrew Stewart (Addison-Wesley, 2008), where I found one interesting argument by the authors. The authors doubt the statement that 70% of security incidents are due to insider threats. As you know, many consultants, books and articles treat this statement as a basic hypothesis in security. What do you think about it?
To my complete surprise, I found that Adam, Andrew, Dan and many other experts jumped into the discussion afterwards. A lot of fresh ideas emerged in the discussion threads. In order to get more experts into this topic, I submitted a discussion to the SecurityMetrics group on LinkedIn.
This RSA/IDC report has some information related to this topic: Insider Risk Management: A Framework Approach to Internal Security (thanks to Hammud). It is a good reference. In summary, it tells us two things:
1. Insider threats are one of the major security threats.
2. Most of the surveyed parties (52%) believe insider incidents are predominantly accidental.
The report contains a series of numbers from a relatively trustworthy survey. However, we cannot derive a 60%, 70%, or 80% figure, or any similar conclusion, from that report directly.
By accident, I found another IDC diagram on insider threats published in 2006. I cannot find how IDC obtained those data or what methodology was used to analyze them. From the diagram, as an enterprise grows bigger, it needs to pay more attention to insider security threats. However, we still cannot get a specific number of security incidents, and therefore cannot get a more accurate insider threat ratio.
The discussion is very interesting, and it seems no conclusion can be drawn in the short term. You are welcome to contribute your ideas and information.
Anyway, Adam’s perspective is correct: the industry needs more solid data to be convincing. Without adequate publicly available security data on incidents and losses, it is almost impossible for security selling to get out of the myth and fog of FUD.