12 October 2014

Unintentional Insider Threat (UIT): Human Factors Risk...

Operational Risk Management (ORM) is a discipline that encompasses several facets of science and art. Human factors will continue to challenge the people tasked with mitigating risk in a republic with constitutional rights. The United States is one of many countries in the world where employees of government and private sector institutions must comply with a myriad of laws pertaining to the privacy of the workforce.

The day-to-day behavior of humans in the workplace, whether inside the R&D department at Google or on the 7th floor at DARPA, carries many of the same risks. Put an information storage and computing device in their hands, and the likelihood of an operational loss or failure increases dramatically.

For the past several years, a significant amount of attention has been devoted to the topic of "Insider Threat." In light of the Edward Snowden and "The Fifth Estate" events, many government and private sector organizations have been revisiting their employees' security clearances and backgrounds, a reactive effort that is not out of the ordinary for organizations protecting national secrets or substantial intellectual property.

This, however, is a small percentage of the overall risk the organization is exposed to every day when that digitally enabled human goes to work. The lens currently focused on "Insider Threat" is looking for the next Edward Snowden. That kind of insider will forever continue to amaze and surprise you, just like the people who may now be in legal proceedings for collaborating with Bernie Madoff. Not every human will suddenly show behaviors that look out of the ordinary. The person stealing information or manipulating the books will continue to operate within your organization without being detected.

There is a foundational study completed by the CERT Insider Threat team at Carnegie Mellon University that highlights an even greater potential for loss or failure: "A significant proportion of computer and organizational security professionals believe insider threat is the greatest risk to their enterprise, and more than 40% report that their greatest security concern is employees accidentally jeopardizing security through data leaks or similar errors."

Unintentional Insider Threat Definition

We recommend the following working definition of UIT: An unintentional insider threat is:
(1) a current or former employee, contractor, or business partner
(2) who has or had authorized access to an organization's network, system, or data and who,
(3) through action or inaction without malicious intent,
(4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems.

SEI Insider Threat Team, CERT; Unintentional Insider Threats: A Foundational Study (CMU/SEI-2013-TN-022). Software Engineering Institute, Carnegie Mellon University, 2013.

Abstract

This report examines the problem of unintentional insider threat (UIT) by developing an operational definition of UIT, reviewing relevant research to gain a better understanding of its causes and contributing factors, providing examples of UIT cases and the frequencies of UIT occurrences across several categories, and presenting initial thinking on potential mitigation strategies and countermeasures. Because this research topic has largely been unrecognized, a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide research and development (R&D) investments toward the highest priority R&D requirements for countering UIT.

Operational Risk Management is a 24 x 7 x 365 process focused on every human operating in the ecosystem of the enterprise. The Edward Snowdens are coming to work today along with their friend Bernie Madoff, hiding in plain sight. Operational Risk Management professionals understand this and focus on the unintentional consequences of the workforce's behavior.

An enterprise solely focused on finding the one or two malicious insiders it will encounter in several decades of operations will overlook the dozens or hundreds of people who contribute to a loss of intellectual property or a breach. Believe us when we say that the "Spy" and the "Fraudster" will have a much harder time operating each day in an organizational environment that is focused on UIT.

Countering UIT may seem like something that is already being accomplished in the new-hire orientation class, or in the annual mandatory information security training, for example. Those who perceive it this way are, again, only human. The behaviors we bring to work each day in how we treat and handle information are not learned in a single session or a single annual workshop. Learning to handle sensitive or classified information consistently, day in and day out, requires a discipline that few really understand right now. This is especially true in the Defense and Intelligence Community supply chain.

Your goal is to instill UIT awareness in every one of your employees, partners and suppliers, and to build into their work processes the same diligence to Deter, Detect, Defend and Document. Addressing UIT is a major part of the answer to mitigating the risk of another Edward Snowden or Bernie Madoff incident in your organization. More importantly, it is the answer to the other 98% of the losses you will incur in the next calendar year. Think about "Achieving a Defensible Standard of Care."