Posted by Insider Threat
In parts one, two, and three of this series, we reviewed the roles held by malicious insiders and their estimated salaries. In this final post, we examine whether there is a relationship between an insider's estimated salary and the financial impact of the incidents they caused. Comparing the estimated salary of malicious insiders with the impacts that victim organizations self-reported in publicly available sources (e.g., court filings) may offer analytical insight for quantifying insider risk.
In the box-and-whisker chart below, the estimated salary ranges of malicious insiders were compared to reports of the financial impact related to those insider threat incidents. This sample of 208 incidents represents approximately 25% of the CERT Insider Threat Incident Corpus.
The financial impacts are graphed on a logarithmic scale to accommodate the wide variation in financial impact across the incidents. As a result, each gridline on the vertical axis represents a tenfold increase in financial impact (one order of magnitude), and the box for each salary grouping shows the median and the middle 50% of reported impacts. The number of incidents within each salary grouping is included for reference.
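To make the grouping concrete, the following Python script reproduces the analysis described above on a small constructed data set: it assigns each incident to one of the three salary bands used in the post, computes the median and the "middle fifty" (the box of a box-and-whisker plot), expresses the width of that box in orders of magnitude as it would appear on a log10 axis, and reports the dominant sector and incident type per band. This is an added example, not code from the CERT blog post; the incident records, the field names, and the $40,000 and $90,000 cutoffs (inferred from the groupings the post describes) are assumptions made here for illustration.

```python
"""Group insider incidents by estimated salary and summarize the financial
impact of each group (median, middle fifty, spread on a log10 axis) along
with the dominant sector and incident type.

Added example; not code from the CERT post. The incident records below are
constructed for illustration only, and the salary cutoffs ($40,000 and
$90,000) follow the three groupings used in the post.
"""
from collections import Counter
from dataclasses import dataclass
from math import ceil, floor, log10
from statistics import median


@dataclass(frozen=True)
class Incident:
    salary: int   # insider's estimated annual salary, USD
    impact: int   # financial impact reported by the victim organization, USD
    sector: str   # e.g. "banking", "healthcare", "it", "communications"
    kind: str     # "fraud", "sabotage" or "theft_of_ip"


# (label, inclusive lower bound, exclusive upper bound or None)
SALARY_BANDS = (
    ("<$40K", 0, 40_000),
    ("$40K-$90K", 40_000, 90_000),
    (">=$90K", 90_000, None),
)


def salary_band(salary):
    """Map a salary to the label of the band it falls in."""
    for label, lo, hi in SALARY_BANDS:
        if salary >= lo and (hi is None or salary < hi):
            return label
    raise ValueError(f"no salary band for {salary}")


def hinges(values):
    """Return (lower hinge, median, upper hinge) using Tukey's method: each
    hinge is the median of the corresponding half of the sorted data,
    excluding the middle element when the count is odd. The box of a
    box-and-whisker plot spans the two hinges (the 'middle fifty')."""
    xs = sorted(values)
    n = len(xs)
    half = n // 2
    return median(xs[:half]), median(xs), median(xs[half + n % 2:])


def log_axis_ticks(lo, hi):
    """Powers of ten spanning [lo, hi]: the gridlines of a log10 axis."""
    return [10 ** k for k in range(floor(log10(lo)), ceil(log10(hi)) + 1)]


def summarize(incidents):
    """Per salary band: count, median impact, middle-fifty range, the width
    of that range in orders of magnitude (box height on a log10 axis), and
    the most common sector and incident kind with their share in percent."""
    groups = {}
    for inc in incidents:
        groups.setdefault(salary_band(inc.salary), []).append(inc)

    summary = {}
    for label, group in groups.items():
        q1, med, q3 = hinges(i.impact for i in group)
        n = len(group)
        sector, sector_n = Counter(i.sector for i in group).most_common(1)[0]
        kind, kind_n = Counter(i.kind for i in group).most_common(1)[0]
        summary[label] = {
            "n": n,
            "median": med,
            "middle_fifty": (q1, q3),
            "iqr_decades": round(log10(q3 / q1), 2),
            "top_sector": (sector, round(100 * sector_n / n, 1)),
            "top_kind": (kind, round(100 * kind_n / n, 1)),
        }
    return summary


# Constructed sample records (not real corpus data); impacts were chosen so
# each band's median is in the neighbourhood of the figures the post cites.
SAMPLE = [
    Incident(32_000, 30_000, "banking", "fraud"),
    Incident(35_000, 80_000, "banking", "fraud"),
    Incident(38_000, 133_586, "healthcare", "fraud"),
    Incident(29_000, 400_000, "banking", "fraud"),
    Incident(36_000, 631_000, "it", "sabotage"),
    Incident(55_000, 21_000, "banking", "fraud"),
    Incident(62_000, 100_000, "it", "sabotage"),
    Incident(71_000, 100_000, "banking", "fraud"),
    Incident(85_000, 337_000, "communications", "theft_of_ip"),
    Incident(95_000, 50_000, "it", "sabotage"),
    Incident(120_000, 188_000, "banking", "theft_of_ip"),
    Incident(150_000, 500_000, "it", "sabotage"),
    Incident(210_000, 1_000_000, "communications", "fraud"),
]

if __name__ == "__main__":
    impacts = [i.impact for i in SAMPLE]
    print("log10 axis ticks:", log_axis_ticks(min(impacts), max(impacts)))
    for band, stats in summarize(SAMPLE).items():
        print(band, stats)
```

The "iqr_decades" value is what the chart's log scale makes visible: a box spanning one decade means the upper hinge is ten times the lower hinge, which is why bands with very different dollar ranges can still be compared on the same axis. Tukey's hinges are used here because they are easy to check by hand; other quartile definitions (e.g., statistics.quantiles) will give slightly different box edges on small samples.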
The median financial impact of malicious insiders estimated to earn less than $40,000 a year was $133,586. The middle 50% (or "middle fifty") of incidents within this salary range were associated with a financial impact between $30,000 and $631,000. These incidents were primarily from the banking and finance (46.7%) and healthcare (16.7%) sectors. A majority of these incidents were also classified as fraud (71.1%).
Despite their lower salaries, these insiders were frequently placed in positions that required a high level of trust from the victim organization, which helps explain how they were able to cause significant financial losses.
In the middle salary grouping (insiders estimated to earn between $40,000 and $90,000 a year), the incidents in our data set are associated with the narrowest range of financial impacts: a median financial impact of $100,000 and a middle fifty ranging from $21,000 to $337,000. The sectors most affected within this sample were banking and finance (31.9%) and information technology (14.5%). These incidents were primarily classified as fraud (40.6%) or sabotage (33.3%).
Malicious insiders earning $90,000 or more account for the greatest proportion of male subjects and the greatest range of financial impacts.
The median financial impact of malicious insiders estimated to earn $90,000 a year or more was $188,000. The middle fifty of incidents within this salary range were associated with a financial impact between $50,000 and $1 million, which is the largest interquartile range among the three salary groupings.
The sectors most affected in these incidents were information technology (25.0%), banking and finance (15.0%), and communications (15.0%). These incidents were most often classified as sabotage (35.0%) or theft of intellectual property (30.0%).
Higher-paying positions typically carry more privilege: broader access to organizational resources and, with that access, the ability to bypass security measures that are otherwise robust.
These findings are consistent with those reported in Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, namely that excessive trust placed in higher-level managers can lead to controls being disabled and special privileges being granted, both of which increase insider threat.
When accounting for potential insider mitigations within your organization, these figures may be helpful in determining risk associated with the different positions held by employees. However, as these figures are self-reported by victim organizations in an effort to secure the greatest restitution possible, they may be somewhat inflated.
The relationships between salary levels and the financial impacts of insider incidents described in this post are not causal and should not be used to justify employee salary levels. Insiders at any level of an organization are capable of causing significant financial impact, and organizations should recognize that threat and plan accordingly.
Refer to the Insider Threat Program Series for more information on how to build an insider threat program at your organization.