
Instructional Case of Insider Threat in the SDLC: The Case of InsureACure, Inc.

White Paper
In this paper, the authors provide an instructional case of insider threat in the systems development lifecycle.
Publisher

Software Engineering Institute

Introduction

An irate Oliver bounded into the plush office of Hugh, the director of HR, and demanded an immediate investigation of the Development Team's personnel for fraud. Their company, InsureACure, is responsible for processing medical health insurance claims filed by government workers.

"Someone on Danielle's team has corrupted our databases and allowed payment of thousands of dollars in false claims," complained Oliver.

"Calm down, calm down," said Hugh cautiously. "Tell me what has happened."

Trying to calm down, Oliver explained that somebody had changed the address of a legitimate medical service provider (MSP) and had been sending reimbursements for false claims to that address. "The total losses are in the thousands of dollars," explained Oliver. "No one in my department knows anything about it, but I'll bet one of those geeks in Danielle's group does!"

"Have you talked to Danielle?" queried Hugh.

"You bet I have, but she's just stonewalling, claiming that it had to be somebody in my group who made the change. She won't even consider the possibility!" Just then Oliver's cell phone went off. Looking at the number of the incoming call, Oliver said, "Oh, this is IT, just a second …"

Oliver listened as the IT staff member reported that they had found nine additional incidents in the audit logs: MSPs that had been inactive for more than two years, followed by a change of address and then frequent claims for reimbursement. They had also discovered that in every case the address change had been made by the Director of Operations.

"The Director of Operations," exclaimed Oliver incredulously. "But that's me!"
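
The pattern IT pulled from the audit logs (a provider dormant for more than two years, then an address change, then a burst of reimbursement claims) is a detection rule that can be run mechanically. The following is an added example, not code from the paper or from InsureACure's HICPS; the log rows, field layout, account names, and the thresholds (two years of dormancy, three claims within 90 days) are all constructed for illustration. Note that what the rule surfaces is the account recorded against the change, which is exactly the point the case turns on: the log says "Director of Operations", and whether Oliver himself made the change is a separate question for the investigation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the paper). Each row is:
# (date, provider id, event type, account recorded as making the change)
AUDIT_LOG = [
    # Provider dormant since 2009, address changed in 2011, claims follow at once
    ("2009-03-14", "MSP-1001", "claim",          "clerk_a"),
    ("2011-09-02", "MSP-1001", "address_change", "dir_ops"),
    ("2011-09-05", "MSP-1001", "claim",          "clerk_b"),
    ("2011-09-12", "MSP-1001", "claim",          "clerk_b"),
    ("2011-09-20", "MSP-1001", "claim",          "clerk_c"),
    # Active provider that simply moved offices: recent activity before the change
    ("2011-06-01", "MSP-2002", "claim",          "clerk_a"),
    ("2011-08-15", "MSP-2002", "address_change", "clerk_a"),
    ("2011-08-20", "MSP-2002", "claim",          "clerk_a"),
    # Dormant provider whose address changed but that filed no claims afterwards
    ("2008-01-10", "MSP-3003", "claim",          "clerk_c"),
    ("2011-07-01", "MSP-3003", "address_change", "dir_ops"),
]

DORMANCY = timedelta(days=2 * 365)   # "inactive for more than two years"
CLAIM_WINDOW = timedelta(days=90)    # window in which a burst of claims is counted
MIN_CLAIMS = 3                       # how many claims in the window count as "frequent"


def parse_log(rows):
    """Group audit events by provider, each list sorted by date."""
    by_provider = defaultdict(list)
    for ts, provider, event, actor in rows:
        by_provider[provider].append((datetime.strptime(ts, "%Y-%m-%d"), event, actor))
    for events in by_provider.values():
        events.sort(key=lambda e: e[0])
    return by_provider


def find_dormant_reactivations(rows, dormancy=DORMANCY, window=CLAIM_WINDOW, min_claims=MIN_CLAIMS):
    """Flag providers whose address changed after a long silence and that then
    started filing claims. Returns (provider, actor, change_date, claim_count) tuples."""
    findings = []
    for provider, events in parse_log(rows).items():
        for i, (when, event, actor) in enumerate(events):
            if event != "address_change":
                continue
            prior = events[:i]
            # The provider must have existed and then gone quiet: require some
            # earlier activity, and require it to be older than the dormancy threshold.
            if not prior or when - prior[-1][0] <= dormancy:
                continue
            later_claims = [e for e in events[i + 1:]
                            if e[1] == "claim" and e[0] - when <= window]
            if len(later_claims) >= min_claims:
                findings.append((provider, actor, when.date().isoformat(), len(later_claims)))
    return findings


def actors_behind(findings):
    """Count flagged address changes per recorded account; a single account behind
    all of them is the signal that pointed at the Director of Operations in the case."""
    counts = defaultdict(int)
    for _, actor, _, _ in findings:
        counts[actor] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_dormant_reactivations(AUDIT_LOG)
    for provider, actor, change_date, n in hits:
        print(f"{provider}: address changed {change_date} by account {actor}, {n} claims followed")
    print("flagged changes per account:", actors_behind(hits))
```

The active provider that moved offices and the dormant provider with no follow-on claims are deliberately included so the rule does not fire on them; tuning the dormancy and claim-burst thresholds against real claim volumes is what separates a useful alert from noise.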

Background

InsureACure was established in 1993 to provide information and computing services to the burgeoning health care services community. Its first big contract was to process the medical health insurance claims of government employees. InsureACure submitted checks for validated claims paid out of the government coffers.

InsureACure hired an experienced management team to support the business (see org chart at end of case). Critical support for InsureACure business processes was provided by the Health Insurance Claims Processing System (HICPS). The company's managers included:

  • Oliver – the Director of the Operations Department, responsible for validating, entering, and managing claims using the HICPS application
  • Danielle – the Director of the Development Department, responsible for developing and maintaining the HICPS application
  • Hugh – the Human Resources representative

Frank was hired in January 1994 by Danielle as a lead application designer and programmer for HICPS. Although Frank started a side business in 1998 selling custom-configured computer systems, he was a dedicated employee, a proficient and productive developer, and a personal friend of Danielle's.