CERT (at Carnegie Mellon) just released a study on insider threats. They analyze 49 insider attacks between 1996 and 2002, and draw some conclusions about the attacks and attackers. The study says nothing about the prevalence of these attacks; it is about their particulars.
The report is mostly obvious, and isn’t worth more than a skim. But the particular methodology only tells part of the story.
Because the study focuses on insider attacks on information systems rather than attacks using information systems, it’s primarily about destructive acts. Of course the major motive is going to be revenge against the employer.
Near as I can tell, the report ignores attacks that use information systems to otherwise benefit the attacker. These attacks would include embezzlement—which at a guess is much more common than revenge.
The report also doesn’t seem to acknowledge that the researchers are only looking at attacks that were noticed. I’m not impressed by the fact that most of the attackers got caught, since those are the ones that were noticed. This reinforces the same bias: network disruption is far more noticeable than theft.
These are worrisome threats, but I’d be more concerned about insider attacks that aren’t nearly so obvious.
Still, there are some interesting statistics about those who use information systems to get back at their employers.
For example of the latter, the study’s “executive summary” notes that in 62 percent of the cases, “a negative work-related event triggered most of the insiders’ actions.” The study also found that 82 percent of the time the people who hacked their company “exhibited unusual behavior in the workplace prior to carrying out their activities.” The survey surmises that’s probably because the insiders were angry at someone they worked with or for: 84 percent of attacks were motivated by a desire to seek revenge, and in 85 percent of the cases the insider had a documented grievance against their employer or a co-worker….
Some other interesting (although not particularly surprising) tidbits: Almost all—96 percent—of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).