Risk of Insider Threats in Information Technology Outsourcing: Can Deceptive Techniques be Applied?

The risks involved in Information Technology Outsourcing have long been known to affect business decisions on whether or not to outsource. This has led to numerous studies on topics such as Understanding and Managing Outsourcing Risks, Methodologies to Measure Outsourcing Risks, Risk Factors in Information Technology Outsourcing, and Assessing the Risk of IT Outsourcing, to name a few. But very little research has been conducted on the security aspect of Information Technology Outsourcing. This paper tries to shed light on security risks in IT Outsourcing, more specifically the risk of insider threats. It also tries to draw attention to the fact that security risks can be far more damaging and harmful than all other non-security threats combined. After describing the different types of security risks, the paper elaborates on different deceptive and non-deceptive techniques that might be used to mitigate security threats in IT Outsourcing. Finally, it is shown that if insider threats are not taken seriously, the consequences can be very damaging. Two recent cases of insider threats in IT Outsourcing are presented to support this.
