The Risk of Risk Analysis and Its Relation to the Economics of Insider Threats

Insider threats to organizational information security are widely viewed as an important concern, but little is understood about the pattern of their occurrence. We outline an argument for explaining what originally surprised us: that many practitioners report that their organizations take basic steps to prevent insider attacks, but do not attempt to address more serious attacks. We suggest that an understanding of the true cost of additional policies to control insider threats, and the dynamic nature of potential insider threats, together help explain why this observed behavior is economically rational. This conclusion also suggests that further work needs to be done to understand how better to change the underlying motivations of insiders, rather than simply focusing on controlling and monitoring their behavior.
