Using Continuous Evaluation to Thwart Insider Threats
Before November 2009, little attention was paid to the silent threat growing inside the U.S. Army. That all changed when a common U.S. Army officer, Major Nidal Hasan, killed 13 soldiers and injured 30 others during a shooting spree in the morning hours of November 5, 2009, at Fort Hood, Texas. The significance of insider threats has since been reiterated by the shooting at the Washington, D.C., Navy Yard, and the intentional crashing of a Germanwings jet into the French Alps.
These events are significant in that they tragically ended in the death of innocent victims at the hands of those they placed trust in – fellow workers and service providers. In addition to the human cost, we must not lose track of the enormous cost associated with economic espionage, fraud and other deceptive behaviors that – through the appropriate use of technology and legal oversight – could have been detected and potentially prevented.
Most organizations believe that “insider threat” events are too rare to occur at small and medium-size businesses. The challenge is in understanding that over 70 percent of the losses are associated with events with an impact of less than $50,000, according to Computer World. The analytical risk model tells us that Risk = Threat × Probability × Consequence. This is useful for analyzing a single event, but people are “continuous” and should therefore be evaluated continuously. As a result, the model should be Risk = Threat × Probability × Consequence × Exposure × Employees. In this model, exposure is the factor associated with an event horizon that spans the average length of an employment period. While there are far more sophisticated models, the point is that organizations must consider the totality of events over time to derive the overall risk associated with insider threats.
In addition, organizations must understand the consequences in terms of physical damage, human loss, legal liability, revenue loss, brand reputation, etc. These factors are necessary to dispel the notion that insider threats are a concern only for big business and government.
Once an organization understands its own risk profile, continuous evaluation tools that leverage big data analytics, case management, open source intelligence, social media, etc. can assist with managing insider threats. In the age of expanding surveillance capabilities, our ability to collect, analyze and correlate data gives us a tremendous capability to gain insight into events to prevent tragedies. While some argue the moral justification of that capability, others in the wake of a tragedy demand to know why efforts were not taken to prevent it. There is an old saying that with great knowledge comes great responsibility. Our capabilities must be balanced with the wisdom of knowing how to use that great power for good.
First, establishing policies that protect both employees and employers is critical. Understanding employment contracts and employment laws is necessary to ensure that information obtained from continuous evaluation is accurate, complete and sufficiently supports corporate decisions regarding an employee. Each organization must understand its risk profile and adopt role-based risk assessment engines that look at an employee in accordance with the risk profile associated with his or her specific function in the organization.
Typically, government agencies perform fitness evaluations that span 13 areas of a person’s background: allegiance to the U.S., foreign influence, foreign preference, sexual behavior, personal conduct, financial consideration, alcohol consumption, drug involvement, emotional, mental and personality disorders, criminal conduct, outside activities and misuse of information technology. Certainly, many private companies would initially shy away from sensitive factors like sexual behavior and personality disorders. They should, however, look at the intent of these factors and adjust them accordingly. For example, while a small business may not be concerned about an employee selling national security secrets to other countries, it might be interested in corporate preference and the flow of sensitive corporate information to employees’ past firms.
Other challenges arise during continuous evaluation when a “hit” is discovered about an employee. It’s not uncommon for booking information from third-party criminal data providers to be coded incorrectly or to be incomplete. When this occurs, companies must apply rigorous processes and compliance checks to ensure that the data is accurate, complete and relevant. Then companies must consider what resulting actions can come from this data. If an employee’s continuous evaluation check reported that the employee had been booked for a felony crime, then that company must consider the ramifications associated with that data. Terminating an employee for a charged offense without a conviction could result in legal liability, and it might draw the scrutiny of other employees.
As surveillance technologies combine what is physically observed with analysis and judgment that aid decision making, transparency and oversight are key to making supportable and just decisions. Technology can empower an organization to be highly efficient and effectively run, or it can highlight the management and organizational deficiencies that could create greater liabilities than those the organization hopes to prevent. The question isn’t whether organizations will adopt technologies that give them greater power, but whether those organizations will adopt the practices that enable them to use that power responsibly.