From Insider Threats to Business Processes that are Secure-by-Design

We argue that "insider threat" is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term "insider", taken literally, loses its meaning in a context where there are no stable perimeters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities. We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers, rather than for the deployment of secure IT infrastructures.
