How Serious Is the Insider Threat to Information Security?

by William G. Perry, Ph.D.

Are insider threats a problem? Many organizations are aware that the information infrastructures they own face threats from cyberspace and purchase software and hardware devices to help. Computer viruses, Trojans, Denial of Service Attacks and other logical threats are fairly well understood. The antivirus software and firewall industry, however, is unable to address one type of risk that is totally outside of information security's logical bounds and represents unique threat vectors. This menace is what is referred to as "insider threat".

Recent computer crime studies have shown that the size of internal risks against a company's digital assets is roughly equal to the size of malicious software attacks from outsiders. The threat from someone with whom your company works closely is very real and just as dangerous as malware. The insider threat is less well understood.

There are a number of different classes of insider threats. One would be disgruntled employees. A person who may have recently faced disciplinary action may retaliate or want to get even. A person of this type could sabotage the information infrastructure in any one of a number of ways (e.g., squirting water onto delicate electronics). Information security crosses over into the human relations function.

Another group of insiders who could pose a threat would be people who have been compromised by money or other factors for the purpose of disrupting or destroying an organization's information system. One example of a malicious insider would be a person who belongs to an extremist organization that has a problem with a business or organization's products or practices. The goal would be to disrupt the organization's ongoing operations and cause damage.

An organization might also inadvertently hire a cyber terrorist or a person who is committed to corporate espionage. A recent new hire, for example, could be working for a competitor and pose a threat. The malevolent employee could gain proximity to valuable information resources and inflict substantial damage to equipment or software. A night-time cleaning crew, for example, could represent a threat to an organization's information infrastructure.

Third-party, outsourced agents (e.g., the cleaning crew) must be thoroughly vetted. The hiring or staffing component of your business must include rigid processes to screen the backgrounds of potential employees and their references. The plan to protect the logical and physical assets of your business and organization must be created, implemented and followed through upon. Information assurance must become a business process just like manufacturing, inventory and accounting.

Even an employee who has been loyal for years could be compromised and, for example, grant unauthorized access to nefarious individuals. Part of an information security plan, therefore, must include policies, procedures and controls that protect against insider threats.

You, the information infrastructure owner, don't have to re-invent the wheel to implement security best practices for your business. Become aware of information security best practices and adopt those that work for you. There are international standards that can help you establish an information assurance plan. One is ISO 17799 (now evolving into ISO 27000). There are others (e.g., COBIT and FISMA). The important point to remember is that you acknowledge and protect your digital assets.

You can learn more about information security by visiting

© Alliant Digital Services - 2010

Dr. William G. Perry is an information security specialist with significant experience as a university professor, author and service provider to various federal agencies including the Office of the Director of National Intelligence, the Department of Defense and the Federal Bureau of Investigation.

Dr. Perry is the owner of Alliant Digital Services. It provides high quality information security services to individuals and organizations who must plan for the protection of mission critical information in an asymmetric threat environment while complying with national and international information security standards (e.g., COBIT, ISO 17799, ISO 27000, FISMA, HIPAA, ePHI and the newly passed High Tech Act).

Alliant Digital Services also operates a free public web site that promotes information security, where you can download a FREE copy of Alliant Digital Services' book, How to Secure Your Computer.
