Balancing the insider and outsider threat

An oft-quoted statistic nowadays is that 80% (or some similarly high proportion) of the risk to information systems comes from insiders. However, the quote is rarely followed up with any advice about what to do, or even with any real explanation of what it means. For example, is it good or bad news? What is the 'right' proportion? Does it mean we should spend more or less on countering outsider attacks? How do we protect against the insider threat? The purpose of this paper is to shed light on these questions and to help security managers allocate their resources appropriately.

In this paper I am solely concerned with the risk arising from deliberate attack. Information systems also suffer damage from accidental abuse by both insiders and outsiders, and this is also of concern to organizations. To some extent the defences against deliberate threats also contribute to the defence against accidental threats, so what follows is of some more general relevance; measures aimed solely at the accidental threat, however, are outside the scope of this paper.