Refining Insider Threat Profiles
Insiders are a clear threat to information systems, proprietary information and company property. It is difficult to defend against an insider who is motivated to go after the company. Insiders, by nature of their positions, have intimate knowledge on where, when and how to strike.
Defined as individuals who have legitimate access to a company’s physical and computer systems, insiders may be current employees, contractors, vendors, suppliers or visitors. They also can include individuals who previously had legitimate access, such as former employees and retirees. Insiders know the organization’s vulnerabilities and how to best take advantage of those vulnerabilities to meet their goals.
A defined espionage process has been identified and is described in An Espionage Primer. According to security and counter-terrorism expert Jim Biesterfeld, “Although technical intelligence such as photography or eavesdropping glean a great deal of information, people remain the best source of information.”
Large-scale surveys, such as the PricewaterhouseCoopers (PWC) Global Economic Crime Survey, consistently find that insiders perpetrate at least half of fraud incidents. Many external attacks, especially cyber-attacks, may be detected more easily than insider attacks.
Internal attacks, on the other hand, may not be detected by internal controls or audits. Instead, customers, supervisors or other non-security personnel were found to alert company authorities to insider attacks, according to research conducted jointly by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute (USSS/CMU-SEI).
The popular press often equates insider threat with employees who are either disgruntled or motivated by financial gain. However, a closer examination of the surveys, as well as actual incidents involving insiders, reveals that the idea of disgruntled or greedy employees accounting for insider attacks may be partially myth.
But as with any myth, there is some element of truth. Disgruntled insiders really are behind some attacks. Certain sectors may be more prone to attacks by disgruntled insiders. In the banking and finance sector, only 19 percent of insider perpetrators were seen as disgruntled, although 27 percent had come to the attention of a supervisor or coworker for behavior before the incident. Examples of these behaviors include increasing complaints to the supervisor about salary dissatisfaction, increased cell phone use in the office, refusal to work for new supervisors, increased outbursts directed at coworkers and isolation from coworkers.
In contrast to the banking and finance sector findings, the most frequently reported motive in critical infrastructure sector attacks was revenge. Insider incidents were triggered by a negative work-related event that presumably caused the perpetrator to hold a grievance prior to the incident.
WHY FOCUS ON DISGRUNTLED EMPLOYEES?
The goal of this article is to present initial evidence for a more refined profile (or set of profiles) of types of insider incidents. Taking an inductive approach of moving from a few specific data points to general conclusions, short case studies illustrate the proposed insider incident types. More comprehensive study is needed to confirm the proposed types.
A disgruntled employee is dissatisfied or feels discontent toward his or her employer. Disgruntled employees may attract attention for several reasons. First, when a company reports an insider incident to local police, for the sake of simplicity, it is easy to attribute it to a disgruntled employee. The incident may be less likely to damage the company’s reputation if attributed to a disgruntled employee. Typically, it is only the target organization that incurs loss; disgruntled employees want to harm or embarrass the organization.
Second, cases involving disgruntled employees may be more easily discovered than other types of insider incidents. Warning signs of disgruntlement existed prior to many incidents, so it is possible for companies to prevent, or at least minimize, the damage. Research on insider incidents in the USSS/CMU-SEI financial services study shows that in 85 percent of attacks against IT systems, someone — coworkers, friends, or family — had full or partial knowledge of the insider’s plans, intentions or activities. The USSS/CMU-SEI critical infrastructure study found a similar pattern of advance knowledge, although there the incidents tended to consist of sabotage against the company or harm to an individual, rather than the greed-driven incidents of the first report.
Of course, companies may not always be willing to see or act upon the warning signs. With proper training, security protocols and company culture, organizations should be able to prevent or effectively respond to disgruntled employee attacks.
More importantly, there may be other types of insiders besides disgruntled employees that should be of more concern to companies. It is difficult to develop additional insider profiles (i.e., behavioral profiles that describe the perpetrator’s motives and actions) because of the limited number of known incidents and limited information available on many of the known incidents, according to clinical psychologist and security consultant Eric Shaw. Thus one goal is to draw attention to insider incidents that do not involve disgruntled employees by examining a small number of known insider incidents. By identifying a possible new or overlooked motivation, it is hoped that future research efforts will attempt to confirm, disconfirm or refine it.
BEYOND DISGRUNTLEMENT: ADDITIONAL INSIDER MOTIVES
A range of motives besides disgruntlement exist. These additional insider types were developed inductively through review of insider attacks, attempting to generalize from a few limited data points to general categories of motivation. Additional motives include the desire to harm the company by taking revenge or embarrassing the company, nationalistic reasons, ideological motives and refined forms of individual benefit.
Insider status gives the perpetrator advantages in pursuing acts that serve these motives. Employees, especially those who wear a badge or employee ID, are often overlooked by security, according to Tomer Benito, a principal at Synergy, a security and training firm that focuses on the human element of threat. Insider threat is difficult to address for several reasons. Security personnel often work under the implicit assumption that employees do not pose a threat to the company, Benito stated.
Some perpetrators may seek employment with the intent to do harm after they get the job. An aggressor who seeks company resources or information places him/herself at risk when going through the application process, Benito further explained. Breaking in to the company is one option presented to the aggressor, but limits the time available for locating and stealing the desired property or information. However, an inside position increases the odds that the aggressor reaches his goals—a terrorist can be sure to select an optimal target and a thief can easily access company resources.
Below are additional types of insider threats that may be overlooked by security and organizations.
Harm to the company via revenge or embarrassment — This motive is demonstrated by an insider seeking revenge on the company, such as by publicly embarrassing the company or causing it financial harm. Some key triggers include:
- A career or salary setback. For example not getting a promotion, being laid off, being reassigned to a lower-level position, or not getting an expected raise or bonus may prompt an insider to seek retribution. Neal Cotton, an employee of computer consulting company , was told by management that he would be fired. Cotton admitted to perpetrating a computer intrusion attack against the company the same night. In a similar attack, Patrick Angle allegedly became disgruntled when he was told by Varian Semiconductor Equipment that his contract would be terminated. He logged onto Varian’s computer server and intentionally deleted the source code for the e-commerce software that he had been developing for the company, taking steps to cover his tracks and make it difficult to repair the damage.
- Conflict with a supervisor. Steven Davis, employed by a subcontractor working for Gillette, attempted to pass Gillette trade secrets about the Mach 3 razor to its competitors because he was mad at his boss.
- Concern over company practices. Justen Deal, a Kaiser Permanente project supervisor, sent an e-mail to 180,000 employees detailing his frustration with the company’s electronic health record system. The e-mail resulted in uncovering Kaiser’s projections that it would stand to lose as much as $7 billion over two years. Deal explained, “What I’m doing is working to ensure the waste and abuse stops.” He was fired for sending the e-mail.
Foreign insiders may feel a sense of loyalty to their home country. They may believe that companies there face an unfair competitive playing field. companies are often perceived as having vast research and development budgets as well as resources to obtain and enforce patents. Further, cultural differences regarding the legitimacy of theft may play a role in justifying the theft. Some countries expect their citizens to help their home country when working or studying in the laws and ethics, while at the country level, government-coordinated efforts have been underway for decades.
Espionage is sometimes sanctioned — or even carried out — by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. Over the years, , , Latin America and the former have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. Many other countries are worse. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions index published each year by Transparency International.
These types of insiders may not necessarily aim to harm the company but instead seek to help their foreign counterparts get an advantage in the marketplace. For example, in the oft-cited Avery Dennison case, a Taiwanese competitor, Four Pillars Enterprises, recruited Avery employee Ten Hong Lee. It is believed that Four Pillars’ executive Pin Yen Yang, his wife and daughter specifically targeted an individual, with whom they could relate on an ethnic basis, leveraging Lee’s desire to help his fellow countryman and playing to his ego by giving him “recognition” for his intellect. Four Pillars also paid him $150,000 over several years, depositing the money with Lee’s relatives in
Research and development (R&D) units may be particularly vulnerable, as R&D is the starting point of a product’s lifecycle. Reverse engineering is another, albeit legal, way of benefiting from a rival’s investment in R&D and product design. Obtaining the R&D plans themselves, however, gives the foreign competitor the ability to shortcut the design process entirely.
Jungsheng Wang, for example, was accused of copying the architecture for an ultrasound machine developed by Acuson Corporation. Wang’s wife worked as an engineer at Acuson. She brought the architecture document home, and he copied it, taking it with him on business trips to the People’s Republic of for Bell Imaging, a based company that was involved in a manufacturing partnership with a Chinese company.
In at least one instance, scientists’ sense of loyalty was leveraged in an attempt to circumvent costly R&D investment:
Immigrant scientists from who were working on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists — they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.
This type of motive is especially difficult to identify and prevent. Some perpetrators of foreign economic espionage have been reported to be outstanding, even “star” performers, giving their employers no reason to suspect illicit activity. To illustrate, two former distinguished members of Lucent Technologies’ staff — Hai Lin and Kai Xu, legal — along with an unnamed third perpetrator were indicted for stealing trade secrets for transfer to a joint venture with a Chinese telecommunications company.
Professional and corporate ethics as well as discrimination laws prohibit companies from treating workers differently based on their national origin or other protected class. Instead, indicators of observable behavior that are linked to specific attack methods must be developed by companies. In some instances, the foreign perpetrator may be genuinely unaware of Jiangyu Zhu and Kayoko Kimbara were conducting post-doctoral research at the . When they left to take jobs at the , allegedly taking over 20 cartons of materials with them, they were charged with trade secret theft in the form of stolen property from They fully cooperated with the investigation and the charges were dropped as long as the couple did not break any more laws.
In some instances, individual gain can be seen as interacting with nationalistic motives. Two incidents appear to illustrate this:
- Takashi Okamoto was accused of stealing genetic research materials from the Cleveland Clinic Foundation, providing the material to the Japanese Institute of Physical and Chemical Research (RIKEN). The U.S. Department of Justice is still unsuccessfully seeking extradition of Okamoto from It is not known whether Okamoto sent the materials to RIKEN to help it start up its research efforts on Alzheimer’s disease or for more self-interested reasons in order to propel himself to the forefront of the Japanese research community.
- Qingqiang Lin, a researcher with ’s animal science department, was arrested in 2002 at the after security officers found more than 100 vials and other laboratory equipment inside six pieces of luggage belonging to him and his wife. The material was identified as bacteria and yeast cultures used to produce the enzyme phytase, which the university was developing and licensing the patent to a company in Lin was convicted of stealing the material and giving a false statement to the FBI after he was stopped at the airport. In a letter to his former supervisor at Cornell, Yin had promised to bring bacteria, genes, and other material for commercial phytase production with him if he were offered a job in.
Ideology, although related to nationalist reasons, can be considered a distinct form of insider motivation. Insiders may act against the company to further their own ideological goals. For example, an insider could engage in a terrorist act that targets the company in order to harm others who do not believe in the same ideology.
In ongoing investigations, suspected plots have been broken up domestically and
- Amin Asmin Tariq, arrested as part of the Fall 2006 liquid explosives plot uncovered in the , worked as a security guard at Heathrow airport.
- In 2004, terrorists reportedly planned to poison the drinking water of a major city during the chlorinating process by recruiting insiders to work with them, according to the Associated Press.
- A de Gaulle Airport employee was arrested with explosives and guns in his car. He worked for an airport contracting company for three years, never drawing attention to himself.
- Two British terror suspects planned to bomb a nightclub by getting a job there. The club was seen as a softer target for attack.
- In early 2002, suspects linked to an al Qaeda plot to bomb the U.S. Embassy in through their jobs and badges.
- An Egyptian-born Canadian citizen was arrested in 2001 when Italian police discovered him stowed away in a container on a ship. In his possession was a security pass for a Thai airport and a certificate indicating he was an aircraft mechanic.
A third motive is the age-old one of individual benefit. Whereas most previous research identifies monetary gain as the primary motivator, other means of advancing one’s position exist. Three variations of the individual benefit motive can be identified — monetary gain and financial need, career benefit and starting one’s own company.
Greed is often cited as the motivation for theft, especially of proprietary information. Although greed, a personal characteristic in which one desires more money for its own sake, is no doubt a factor, the perpetrator’s lifestyle and financial situation also play a role. The PWC survey identified the desire to maintain an expensive lifestyle as a specific motive. Being in debt also may play a role.
Xingkun Wu was accused of taking trade secrets with him when he left for a job at a competing fiber-optics maker. Wu allegedly admitted to taking secrets with him when FBI agents interviewed him at his home. According to special agent Paul Moskul, “We would characterize this as a case of somebody out for personal economic gain, as opposed to the traditional foreign intelligence kind of investigation or an espionage case.”
Greed is a slightly different motive from financial need. In the latter instance, the individual finds him/herself in debt that cannot be repaid. The debt may be personal, or in some instances it may be owed to the company, as when a trader conceals trading losses from the employer.
For example, Nick Leeson, a futures market trader for Barings Bank in the mid 1990s, ran up over £200 million in losses, hiding them in a secret account. When he attempted to recoup the losses by making a series of risky trades, increasing the shortfall to over £800 million, twice the bank’s available trading capital, the result was the bank’s collapse. His unauthorized trading was facilitated by serving as chief trader while also having the authority to settle his own trades, jobs usually performed by two people so that each checks the other. Leeson’s initial motivation may have been greed, but his later actions were prompted by a desire to erase his losses and avoid detection.
CAREER STEPPING STONE
The desire to obtain a better job or advance one’s career is another way in which the individual perpetrator attempts to benefit from the incident. This type of perpetrator may desire monetary benefit, but only indirectly through a job with a different employer or by pursuing a different career. In this case, the incident, which often involves proprietary information theft, is aimed at “earning” a position with the new employer.
Caryn Camp was unhappy with her employer Idexx Laboratories, a producer of animal vaccines. Camp met Stephen Martin on the Internet and passed along Idexx secrets to him in the hope of obtaining a new job with his company in Although other motives were also involved (e.g., she claims to have fallen in love with Martin), she also was seeking a chance to improve her career.
A related motivation is to benefit by starting one’s own company. The perpetrator may not be satisfied with the target company’s management or policies. The perpetrator may feel that he or she can do a better job providing the product or service or treating employees fairly. Although some element of harming the target company may be at play, the perpetrator may intend to do so through the marketplace by competing directly against it.
Harold Worden, a retired Kodak manager, pleaded guilty in 1997 to stealing formulas, drawings, and blueprints. After retiring, he retained drawings, plans, and manuals and set up his own business as a front for selling stolen Kodak documents to Worden recruited more than 60 Kodak retirees who had access to trade secrets.
As noted, these types of motivations are not mutually exclusive. While one type may be at the forefront, the other motivations may also be operating more indirectly.
Motives are complex. The PWC survey describes the intersection of three underlying reasons for committing fraud — incentive, opportunity, and ability to rationalize. The cases described also illustrate that several motives can be operating at the same time.
Motives are also difficult to infer. It is hoped that this article can influence chief security officers as well as company and law enforcement authorities whose job it is to gather information on insider incidents. Without more detailed information on motives and reasoning behind attacks, it will be difficult to improve our understanding, and thus our ability to prevent and respond to insider attacks. For security professionals, it also is hoped that an awareness of additional possible motives can be translated into improved security.
By increasing awareness that numerous types of insider threats exist, practitioners and researchers can begin to identify indicators or “red flags” of each type. Examples of new indicators of potential threats may include an awareness of employees whose career aspirations have not been met, frequent trips to foreign countries, and requests to work late shifts. Companies need to reconsider their pre-employment screening practices and managerial awareness training practices as well as how their human resources, legal and security functions can best work together to effectively address insider threats.
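The indicators listed above, and the Angle and Cotton cases earlier in the article (an adverse HR event followed the same night by destructive access), only become actionable when the HR and security functions share data. The following is an added example, not code from the article or from any of the organizations it describes, of how a security team might correlate HR trigger events with access-log activity to rank users for review. The event records, user names, indicator weights, 14-day window and “after hours” definition are all constructed assumptions for illustration; a real deployment would tune them against its own data.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users and events, not from the article).
HR_EVENTS = [
    # (user, timestamp, hr_event)
    ("alice", "2024-03-04T10:00:00", "contract_termination_notice"),
    ("bob",   "2024-03-01T09:00:00", "promotion_denied"),
    ("carol", "2024-02-20T09:00:00", "promotion_granted"),
]

ACCESS_LOG = [
    # (user, timestamp, action, resource, object_count)
    ("alice", "2024-03-04T23:12:00", "delete", "git:ecommerce-src", 412),
    ("alice", "2024-03-04T23:20:00", "login",  "vpn",               1),
    ("bob",   "2024-03-04T14:00:00", "read",   "share:finance",     3),
    ("bob",   "2024-03-09T02:30:00", "read",   "share:rd-plans",    180),
    ("carol", "2024-02-21T22:00:00", "read",   "git:ecommerce-src", 5),
    ("carol", "2024-02-21T22:05:00", "login",  "vpn",               1),
]

# Assumed HR events that the article's cases suggest precede retaliation.
TRIGGER_EVENTS = {"contract_termination_notice", "promotion_denied",
                  "layoff_notice", "demotion"}
WINDOW = timedelta(days=14)      # assumed: look back two weeks for a trigger
BULK_THRESHOLD = 100             # assumed: objects touched in one action
WEIGHTS = {"after_hours": 1, "bulk": 2, "destructive": 3}  # assumed weights


def parse(ts):
    return datetime.fromisoformat(ts)


def is_after_hours(dt):
    """Assumed business window: 07:00-20:00, Monday to Friday."""
    return dt.hour < 7 or dt.hour >= 20 or dt.weekday() >= 5


def score_users(hr_events=HR_EVENTS, access_log=ACCESS_LOG,
                window=WINDOW, bulk_threshold=BULK_THRESHOLD):
    """Return {user: {"score": int, "findings": [...]}} for users whose
    access activity matched at least one indicator. An indicator that falls
    within `window` after an HR trigger event for the same user is doubled,
    reflecting the article's point that an adverse event precedes many attacks."""
    triggers = {}
    for user, ts, event in hr_events:
        if event in TRIGGER_EVENTS:
            triggers.setdefault(user, []).append(parse(ts))

    results = {}
    for user, ts, action, resource, count in access_log:
        dt = parse(ts)
        reasons = []
        if is_after_hours(dt):
            reasons.append("after_hours")
        if count >= bulk_threshold:
            reasons.append("bulk")
        if action == "delete":
            reasons.append("destructive")
        if not reasons:
            continue                      # nothing anomalous in this record

        points = sum(WEIGHTS[r] for r in reasons)
        # Only a trigger that happened *before* the access, within the window,
        # counts; a trigger after the fact is not causal.
        if any(timedelta(0) <= (dt - t) <= window for t in triggers.get(user, [])):
            points *= 2
            reasons.append("recent_hr_trigger")

        entry = results.setdefault(user, {"score": 0, "findings": []})
        entry["score"] += points
        entry["findings"].append((ts, action, resource, tuple(reasons)))
    return results


def ranked(results):
    """Users ordered by descending score, for an analyst's review queue."""
    return sorted(((u, r["score"]) for u, r in results.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    res = score_users()
    for user, score in ranked(res):
        print(f"{user:6} score={score:3}")
        for ts, action, resource, reasons in res[user]["findings"]:
            print(f"       {ts} {action:6} {resource:20} {', '.join(reasons)}")
```

In the constructed data, the user who received a termination notice and then deleted a source repository the same night ranks first; the user who was denied a promotion and pulled R&D plans at 02:30 on a Saturday ranks second; a user with only ordinary late-evening logins and no HR trigger ranks last. The doubling for a recent trigger is what separates the first two from the third, which is the point of having HR feed the security function rather than keeping the two silos apart.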
SIDEBAR: An Espionage Primer
Espionage is defined as the act or practice of spying or of using spies to obtain secret information about another government or a business competitor. The two main methods of conducting espionage — human intelligence and technical intelligence — have remained fairly consistent throughout the centuries.
In order to get into a denied area, the Collector (sometimes referred to as the “spy,” case officer, or agent handler) must have two attributes to be successful — Placement and Access. Placement is proximity to the information or technology desired. Access is the ability to obtain and move that information or technology.
The information can be obtained by Infiltration or Subornation. With Infiltration, the Collector attempts to obtain the information personally by becoming a part of the target organization. The problem with Infiltration is that there is no guarantee that the Collector will achieve the placement and access necessary to retrieve the information or technology.
Subornation, on the other hand, allows the Collector to identify and recruit as many insiders as deemed necessary to obtain the desired information or technology. The recruitment of such insiders follows a basic method:
- Identify. The Collector identifies insiders with placement and access to the desired information. Typically, several insiders will meet these requirements.
- Assess. The Collector meets each potential insider. Both a professional and personal, or social, relationship may occur, allowing the Collector the chance to ascertain the character of the insider — including political views, social consciousness, finances, weaknesses (e.g., drugs, sex), ego and religious conscience — and decide how to exploit the insider’s character weaknesses.
- Recruit. The Collector informs the insider about his true motives. The Collector promises to compensate the insider with money, drugs, sex or other material objects in return for the desired information.
- Run (Collect). The Collector tasks the insider with very specific requirements, often “easing” the insider into the job with initial requests for less sensitive information and building up to the desired information.
Source: Jim Biesterfeld, a retired counter-intelligence special agent who now provides security consulting, provided input into this section.