Some security articles refer to insiders as potential risks in one paragraph, but further on classify insiders as serious threats. Michael Kassner asks, are you a risk, a threat, or both? What's the difference?
I suspect some of you are wondering where I'm going with this. Well, I'm on a mission to demystify IT security and using words like risk and threat interchangeably sure doesn't help. To prove my point here's what dictionaries have to say about risk and threat:
- Risk: Probability of damage, injury, liability, loss, or other negative occurrence. Caused by external or internal vulnerabilities and may be neutralized through pre-mediated action. Example: It's not worth the risk.
- Threat: Communicated intent to inflict harm or damage to a person or property in order to force someone's compliance or to restrict his or her freedom. Example: His idea to steal your car was not an idle threat.
Before getting too much further into the discussion, I'd like to define insider as well, just to make sure we're all on the same page:
- Insider: Person belonging to a limited circle of people who understand the actual facts in a situation or share private knowledge. Or a person in possession of corporate information not generally available to the public. Example: Insiders knew that the president would veto the bill.
From a security stand point, everyone's a risk. That may seem harsh, but if risk assessment is to be of any use, that's the way it has to be. Quite simply, we all have the potential to negatively impact a company's well being.Who's a threat
Are we all threats as well? Not according to the above definitions and Nicki Wallace, a writer for the RSA Speaking of Security. We all could be threats, but since most of us are nice people, we're considered risks simply because we make mistakes; you know that human error thing.Threats are intentional
It's easy to come up with scenarios where an insider is deliberately causing harm. Security newsletters are full of articles about disgruntled IT workers seeking revenge, or individuals stealing Intellectual Property in hopes of making money or helping a new employer.Mistakes are unintentional
Mistakes are a fact of life in IT, especially if you think about how fast anything to do with IT changes. Wallace refers to a CompTIA report mentioning how companies are becoming increasingly aware of this:
"Human error and negligence are bigger concerns among companies, than deliberate or malicious threats to their information security."
I realize that training organizations tend to promote their agenda, but it seems logical that user mistakes are happening more frequently. Wallace also agrees:
"Organizations cannot afford to turn a blind eye to the wider insider risk from employees who accidentally or negligently cause vulnerabilities to data or system security. When recession leads to cutbacks, organizations need to take special care: layoffs may force employees to take on more work, increasing the chance for mistakes being made or unwise shortcuts taken."Why make the distinction
Even though the results may be the same, reducing the risk from intentional insider misbehavior needs to be handled in a completely different way than risk from accidental insider misbehavior. Threat prevention requires system-wide security measures, similar to those protecting the company's network from external threats. As for accidents, most experts agree that user education (blessed by upper management) is the best solution.Final thoughts
Insider risk may be intuitive to many. But my experience tells me that most organizations do not differentiate between mistakes and threats when instigating security programs. What's your take? Am I wrong?