The sixth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 6: Consider threats from insiders and business partners in enterprise-wide risk assessments. In this post, I discuss the importance of developing a comprehensive, risk-based security strategy to prevent, detect, and respond to insider threats, including those caused by business partners that are given authorized access.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The sixth of the 20 best practices follows.

Practice 6: Consider threats from insiders and business partners in enterprise-wide risk assessments.

To develop a comprehensive and well-balanced defense, organizations should conduct enterprise-wide risk assessments that consider the risk due to both insider and outsider threats. Although an organization cannot protect against every possible threat, it should have a clear understanding of which of its assets are most critical and ensure their protection against the full range of threat actors.

Threats can originate from

• insiders who are provided authorized access and can cause harm with or without malicious intent, including employees, contractors, consultants, outsourced service providers, and other trusted business partners
• outsiders who might gain unauthorized privileged access to internal processes

Organizations are especially vulnerable during mergers and acquisitions, when insiders--both new and old--may not be accustomed to or even happy with their new situation.

The CERT empirical approach to insider threat analyzes previous insider compromises to identify insider behaviors (technical and non-technical) that organizations should watch for and avenues of attack where organizations are vulnerable. Our research makes it clear that organizations need to consider vulnerabilities in business processes as well as technologies.

Business processes--including background investigations, confidentiality agreements, and security education and training--should apply to the full range of insider threat actors at a level commensurate with those applied to employees.

Since writing the Common Sense Guide, research shows how the organization's processes may create a situation that is conducive to insider threats. (See the reports The Critical Role of Positive Incentives for Reducing Insider Threat and Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls.)

These findings do not imply that the organization is at fault in insider compromise; most insider incidents are violations of law or agreements with the organization that are prosecutable in court. Nevertheless, organizations may reduce the frequency of insider misbehavior and its associated costs by instituting practices that reduce insider disgruntlement. Without properly dealing with the context in which insider threats occur, insider misbehaviors may simply be repeated as natural responses to existing counterproductive practices.

Just as organizations can prevent, detect, and respond to insider behaviors that indicate increased threat, they can prevent, detect, and respond to organizational conditions that are conducive to the threat. CERT insider threat research shows that as an employee feels more supported by an organization, they are less inclined to engage in behaviors counter to the organization. Perceived organizational support involves the extent to which employees believe their organization values their contributions, cares about their well-being, supports their socio-emotional needs, and treats them fairly.

Social exchange theory and associated research establishes that individuals reciprocate their employer's treatment of them, whether that treatment is perceived as good or bad. With these basic concepts, it is not difficult to see how perceptions of organizational support can influence insider-threat-related behaviors. But how can organizations promote these perceptions? Perceptions of organizational support can be encouraged by the organization establishing the following:

• organizational justice (fairness) (e.g., compensation aligned internally among employees and externally with industry standards)
• performance-based rewards and recognition (e.g., transparent criteria for promotions, and discretionary rewards and recognition based on project performance)
• transparent and respectful communication (e.g., regular employee orientation, mentoring, and expectation setting)
• personal and professional supportiveness (e.g., employee assistance programs and professional development for furthering employee careers and sense of mastery)

We call workforce management practices that increase perceived organizational support positive incentives because they attempt to attract (rather than force) an employee to act in the interests of the organization. For an elaboration of positive incentives, see Section 5 of The Critical Role of Positive Incentives for Reducing Insider Threat.

Recent CERT research provides a business justification for considering positive incentives when formulating an insider threat defense strategy. A comprehensive enterprise-wide risk assessment approach that evaluates organizational factors, such as perceived organizational support, and promotes a balanced combination of positive incentives and traditional security practices can create a program that is a net positive for both the employee and the organization. As insider threat programs become known as advocates for the workforce and means for improving employee work life, we can expect a substantial reduction of the risk of insider threat and the associated investigative costs.

Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats and the SEI Technical Report The Critical Role of Positive Incentives for Reducing Insider Threat for a comprehensive description of the issues and recommendations mentioned.

Check back next week to read Practice 7: Be especially vigilant regarding social media, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see www.cert.org/insider-threat, or contact info@sei.cmu.edu.